diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2efeb50..b74e6f2 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3042,7 +3042,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..38a8a2d 100644 +index 644d4d7..51181b8 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3229,7 +3229,7 @@ index 644d4d7..38a8a2d 100644 +/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/systemd/system-sleep/(.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) @@ -8257,7 +8257,7 @@ index 6529bd9..831344c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..adafd25 100644 +index 6a1e4d1..c691385 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -8296,6 +8296,15 @@ index 6a1e4d1..adafd25 100644 ') ######################################## +@@ -128,7 +103,7 @@ interface(`domain_entry_file',` + ') + + allow $1 $2:file entrypoint; +- allow $1 $2:file { mmap_file_perms ioctl lock }; ++ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans }; + + typeattribute $2 entry_type; + 
@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` ######################################## @@ -9055,7 +9064,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..fe6d89c 100644 +index 64ff4d7..3e91f7d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -11585,7 +11594,7 @@ index 64ff4d7..fe6d89c 100644 ') allow $1 var_t:dir search_dir_perms; -@@ -6562,3 +7839,474 @@ interface(`files_unconfined',` +@@ -6562,3 +7839,491 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12060,6 +12069,23 @@ index 64ff4d7..fe6d89c 100644 + allow $1 file_type:service all_service_perms; +') + ++######################################## ++## ++## Get the status of etc_t files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_status_etc',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ allow $1 etc_t:service status; ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 148d87a..822f6be 100644 --- a/policy/modules/kernel/files.te @@ -16648,10 +16674,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..3577c24 100644 +index 5da7870..1a2de40 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) +@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) role staff_r; userdom_unpriv_user_template(staff) @@ -16683,6 +16709,7 @@ index 5da7870..3577c24 100644 +dev_read_kmsg(staff_t) + +domain_read_all_domains_state(staff_t) ++domain_getsched_all_domains(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) + 
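Review bot: The `execute_no_trans` added to `allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };` inside `domain_entry_file` lets any domain that declares its entrypoint through this interface execute that binary in its own domain with no transition, and since this interface appears to be the one the daemon/application domain templates build on, the widening lands on every confined domain rather than on the one that needed it. Nothing in the hunk records the reason; a comment above the rule would keep the next reader from tightening it back, e.g. `# execute_no_trans: let a domain re-exec its own entrypoint without a domain transition`. If only a handful of domains actually re-exec themselves, granting it in their own .te files would keep the shared interface minimal. The interface body continues outside the hunk.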
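Review bot: The summary of the new `files_status_etc` interface says `## Get the status of etc_t files`, but the rule it wraps is `allow $1 etc_t:service status;`, a permission on the systemd `service` object class and not on any file class, so the documentation describes something other than what is granted. It should state the real effect, e.g. `## Get the status of systemd units whose unit file is labeled etc_t`. Presumably this exists for units under /etc that fall under the generic etc_t label; that is worth saying in the description, because a dedicated unit-file type would be the tighter alternative where one is available.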
@@ -16719,7 +16746,7 @@ index 5da7870..3577c24 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +78,102 @@ optional_policy(` +@@ -23,11 +79,102 @@ optional_policy(` ') optional_policy(` @@ -16823,7 +16850,7 @@ index 5da7870..3577c24 100644 ') optional_policy(` -@@ -35,15 +181,31 @@ optional_policy(` +@@ -35,15 +182,31 @@ optional_policy(` ') optional_policy(` @@ -16857,7 +16884,7 @@ index 5da7870..3577c24 100644 ') optional_policy(` -@@ -52,10 +214,55 @@ optional_policy(` +@@ -52,10 +215,55 @@ optional_policy(` ') optional_policy(` @@ -16913,7 +16940,7 @@ index 5da7870..3577c24 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +272,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +273,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16924,7 +16951,7 @@ index 5da7870..3577c24 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +281,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +282,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -16935,7 +16962,7 @@ index 5da7870..3577c24 100644 ') optional_policy(` -@@ -101,10 +300,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +301,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16946,7 +16973,7 @@ index 5da7870..3577c24 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +320,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +321,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16957,7 +16984,7 @@ index 5da7870..3577c24 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +332,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +333,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16968,7 +16995,7 @@ index 5da7870..3577c24 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +363,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +364,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -17020,10 +17047,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..c461b2b 100644 +index 88d0028..c3275cb 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -17056,6 +17083,7 @@ index 88d0028..c461b2b 100644 + +files_read_kernel_modules(sysadm_t) +files_filetrans_named_content(sysadm_t) ++files_status_etc(sysadm_t) + +fs_mount_fusefs(sysadm_t) + @@ -17115,7 +17143,7 @@ index 88d0028..c461b2b 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +97,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -17130,7 +17158,7 @@ index 88d0028..c461b2b 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +106,9 @@ optional_policy(` +@@ -71,9 +107,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -17141,7 +17169,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -87,6 +122,7 @@ optional_policy(` +@@ -87,6 +123,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -17149,7 +17177,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -110,11 +146,17 @@ optional_policy(` +@@ -110,11 +147,17 @@ optional_policy(` ') optional_policy(` @@ -17167,7 +17195,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -122,11 +164,19 @@ optional_policy(` +@@ -122,11 +165,19 @@ optional_policy(` ') optional_policy(` @@ -17189,7 +17217,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -140,6 +190,10 @@ optional_policy(` +@@ -140,6 +191,10 @@ optional_policy(` ') optional_policy(` @@ -17200,7 +17228,7 @@ index 88d0028..c461b2b 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +210,11 @@ optional_policy(` +@@ -156,11 +211,11 @@ optional_policy(` ') optional_policy(` 
@@ -17214,7 +17242,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -179,6 +233,13 @@ optional_policy(` +@@ -179,6 +234,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -17228,7 +17256,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -186,15 +247,20 @@ optional_policy(` +@@ -186,15 +248,20 @@ optional_policy(` ') optional_policy(` @@ -17252,7 +17280,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -214,22 +280,20 @@ optional_policy(` +@@ -214,22 +281,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -17281,7 +17309,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -241,14 +305,27 @@ optional_policy(` +@@ -241,14 +306,27 @@ optional_policy(` ') optional_policy(` @@ -17309,7 +17337,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -256,10 +333,20 @@ optional_policy(` +@@ -256,10 +334,20 @@ optional_policy(` ') optional_policy(` @@ -17330,7 +17358,7 @@ index 88d0028..c461b2b 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +357,36 @@ optional_policy(` +@@ -270,31 +358,36 @@ optional_policy(` ') optional_policy(` @@ -17374,7 +17402,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -319,12 +411,18 @@ optional_policy(` +@@ -319,12 +412,18 @@ optional_policy(` ') optional_policy(` @@ -17394,7 +17422,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -349,7 +447,18 @@ optional_policy(` +@@ -349,7 +448,18 @@ optional_policy(` ') optional_policy(` @@ -17414,7 +17442,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -360,19 +469,15 @@ optional_policy(` +@@ -360,19 +470,15 @@ optional_policy(` ') optional_policy(` 
@@ -17436,7 +17464,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -384,10 +489,6 @@ optional_policy(` +@@ -384,10 +490,6 @@ optional_policy(` ') optional_policy(` @@ -17447,7 +17475,7 @@ index 88d0028..c461b2b 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +496,9 @@ optional_policy(` +@@ -395,6 +497,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17457,7 +17485,7 @@ index 88d0028..c461b2b 100644 ') optional_policy(` -@@ -402,31 +506,34 @@ optional_policy(` +@@ -402,31 +507,34 @@ optional_policy(` ') optional_policy(` @@ -17498,7 +17526,7 @@ index 88d0028..c461b2b 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +546,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +547,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17509,7 +17537,7 @@ index 88d0028..c461b2b 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +566,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +567,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23933,10 +23961,10 @@ index 1b6619e..be02b96 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..cd80b96 100644 +index c6fdab7..af71c62 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,12 +6,33 @@ attribute application_domain_type; +@@ -6,15 +6,40 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -23957,11 +23985,11 @@ index c6fdab7..cd80b96 100644 + afs_rw_udp_sockets(application_domain_type) +') + -+optional_policy(` + optional_policy(` + cfengine_append_inherited_log(application_domain_type) +') + - optional_policy(` ++optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) cron_sigchld(application_domain_type) ') 
@@ -23971,6 +23999,13 @@ index c6fdab7..cd80b96 100644 ssh_rw_stream_sockets(application_domain_type) ') + optional_policy(` ++ screen_sigchld(application_domain_type) ++') ++ ++optional_policy(` + sudo_sigchld(application_domain_type) + ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 28ad538..ebe81bf 100644 --- a/policy/modules/system/authlogin.fc @@ -28588,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..468dc31 100644 +index 9e54bf9..9a068f6 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28756,7 +28791,18 @@ index 9e54bf9..468dc31 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t) +@@ -322,6 +349,10 @@ optional_policy(` + ') + + optional_policy(` ++ l2tpd_read_pid_files(ipsec_mgmt_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(ipsec_mgmt_t) + ') + +@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -28776,7 +28822,7 @@ index 9e54bf9..468dc31 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -28789,7 +28835,7 @@ index 9e54bf9..468dc31 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -28889,7 +28935,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. 
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..2502d06 100644 +index 5dfa44b..4abf7fd 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -28971,7 +29017,7 @@ index 5dfa44b..2502d06 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -28980,13 +29026,19 @@ index 5dfa44b..2502d06 100644 ') optional_policy(` - firstboot_use_fds(iptables_t) - firstboot_rw_pipes(iptables_t) -+ firewalld_dontaudit_write_tmp_files(iptables_t) +@@ -110,6 +114,11 @@ optional_policy(` ') optional_policy(` -@@ -124,6 +129,12 @@ optional_policy(` ++ firewalld_read_config(iptables_t) ++ firewalld_dontaudit_write_tmp_files(iptables_t) ++') ++ ++optional_policy(` + modutils_run_insmod(iptables_t, iptables_roles) + ') + +@@ -124,6 +133,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -28999,7 +29051,7 @@ index 5dfa44b..2502d06 100644 ') optional_policy(` -@@ -135,9 +146,9 @@ optional_policy(` +@@ -135,9 +150,9 @@ optional_policy(` ') optional_policy(` @@ -34933,10 +34985,10 @@ index b7686d5..431d2f1 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..4e12420 +index 0000000..2cd29ba --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,42 @@ +@@ -0,0 +1,43 @@ +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + 
@@ -34952,6 +35004,7 @@ index 0000000..4e12420 +/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) + +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0) @@ -36218,10 +36271,10 @@ index 0000000..6862d53 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..87474b2 +index 0000000..b43a6c1 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,647 @@ +@@ -0,0 +1,654 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -36285,6 +36338,9 @@ index 0000000..87474b2 +type power_unit_file_t; +systemd_unit_file(power_unit_file_t) + ++type systemd_vconsole_unit_file_t; ++systemd_unit_file(systemd_vconsole_unit_file_t) ++ +# executable for systemctl +type systemd_systemctl_exec_t; +corecmd_executable_file(systemd_systemctl_exec_t) @@ -36696,9 +36752,13 @@ index 0000000..87474b2 + +dev_write_kmsg(systemd_localed_t) + ++init_dbus_chat(systemd_localed_t) ++ +logging_stream_connect_syslog(systemd_localed_t) +logging_send_syslog_msg(systemd_localed_t) + ++allow systemd_localed_t systemd_vconsole_unit_file_t:service start; ++ +miscfiles_manage_localization(systemd_localed_t) +miscfiles_etc_filetrans_localization(systemd_localed_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ae88cc0..69b3776 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
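Review bot: The new `/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)` lacks the `--` file-type field that the neighbouring `.*halt.*`, `.*hibernate.*` and `.*power.*` entries carry, so a symlink or directory created at that path would also receive the unit type. For a spec that names a single regular file, `/usr/lib/systemd/system/systemd-vconsole-setup\.service -- gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)` follows the file's own convention and limits the label to the regular file.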
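Review bot: The bare `allow systemd_localed_t systemd_vconsole_unit_file_t:service start;` at the end of the localed section is correctly scoped to one dedicated unit type instead of all `systemd_unit_file_t`, but nothing explains why localed needs it or why `init_dbus_chat(systemd_localed_t)` arrives in the same hunk; presumably localed asks PID 1 over D-Bus to re-run vconsole setup after a keymap or font change — confirm. A comment such as `# localed starts systemd-vconsole-setup.service via PID 1 after a vconsole config change (needs init_dbus_chat)` above the rule would make the pairing explicit and discourage a later widening to status/stop that the current rule deliberately omits.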
@@ -4528,7 +4528,7 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..69725f8 100644 +index 1a82e29..ffff859 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5837,7 +5837,7 @@ index 1a82e29..69725f8 100644 ') optional_policy(` -@@ -857,6 +1024,16 @@ optional_policy(` +@@ -857,19 +1024,35 @@ optional_policy(` ') optional_policy(` @@ -5854,7 +5854,9 @@ index 1a82e29..69725f8 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,11 +1042,16 @@ optional_policy(` + optional_policy(` + smokeping_read_lib_files(httpd_t) ++ smokeping_read_pid_files(httpd_t) ') optional_policy(` @@ -5871,7 +5873,7 @@ index 1a82e29..69725f8 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1059,170 @@ optional_policy(` +@@ -877,65 +1060,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6064,7 +6066,7 @@ index 1a82e29..69725f8 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1231,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1232,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6219,7 +6221,7 @@ index 1a82e29..69725f8 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1315,104 @@ optional_policy(` +@@ -1077,172 +1316,104 @@ optional_policy(` ') ') @@ -6455,7 +6457,7 @@ index 1a82e29..69725f8 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1420,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1421,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
@@ -6552,7 +6554,7 @@ index 1a82e29..69725f8 100644 ######################################## # -@@ -1315,8 +1495,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1496,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6569,7 +6571,7 @@ index 1a82e29..69725f8 100644 ') ######################################## -@@ -1324,49 +1511,36 @@ optional_policy(` +@@ -1324,49 +1512,36 @@ optional_policy(` # User content local policy # @@ -6633,7 +6635,7 @@ index 1a82e29..69725f8 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1550,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1551,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -23095,7 +23097,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..598e4ee 100644 +index 0872e50..95bb886 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -23172,11 +23174,12 @@ index 0872e50..598e4ee 100644 shorewall_domtrans(fail2ban_t) ') -@@ -129,22 +142,24 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) +dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; ++allow fail2ban_client_t fail2ban_var_run_t:dir write; stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) kernel_read_system_state(fail2ban_client_t) @@ -23192,7 +23195,7 @@ index 0872e50..598e4ee 100644 -files_read_usr_files(fail2ban_client_t) files_search_pids(fail2ban_client_t) -+auth_read_passwd(fail2ban_client_t) ++auth_use_nsswitch(fail2ban_client_t) + logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) 
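Review bot: The new `allow fail2ban_client_t fail2ban_var_run_t:dir write;` grants `write` on the run directory by itself, without `add_name` or `remove_name`, so it does not actually let the client create or unlink the socket there; it reads like a rule lifted verbatim from an audit denial rather than an intended access. If the client does create entries in that directory, the conventional form is a pattern such as `create_sock_files_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t)`; if the denial is harmless, a `dontaudit` beside the existing `dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;` is the safer choice. Replacing `auth_read_passwd` with `auth_use_nsswitch` also widens the client from reading /etc/passwd to the full NSS path (nscd/sssd sockets and name resolution), which deserves a one-line comment on why a command-line client needs that.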
@@ -29464,11 +29467,66 @@ index 5aab5d0..5967395 100644 mta_send_mail(innd_t) +diff --git a/iodine.fc b/iodine.fc +index ca07a87..6ea129c 100644 +--- a/iodine.fc ++++ b/iodine.fc +@@ -1,3 +1,5 @@ + /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) + ++/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0) ++ + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) +diff --git a/iodine.if b/iodine.if +index a0bfbd0..6f5dbdf 100644 +--- a/iodine.if ++++ b/iodine.if +@@ -2,6 +2,30 @@ + + ######################################## + ## ++## Execute iodined server in the iodined domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`iodined_systemctl',` ++ gen_require(` ++ type iodined_t; ++ type iodined_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 iodined_unit_file_t:file read_file_perms; ++ allow $1 iodined_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, iodined_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an iodined environment + ## diff --git a/iodine.te b/iodine.te -index 94ec5f8..801417b 100644 +index 94ec5f8..8556c27 100644 --- a/iodine.te +++ b/iodine.te -@@ -43,7 +43,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) +@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) + type iodined_initrc_exec_t; + init_script_file(iodined_initrc_exec_t) + ++type iodined_unit_file_t; ++systemd_unit_file(iodined_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) corecmd_exec_shell(iodined_t) @@ -33530,7 +33588,7 @@ index 73e2803..2fc7570 100644 files_search_pids($1) admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te -index 19f2b97..fbc0e48 100644 +index 19f2b97..bbbda10 100644 
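Review bot: The documentation on the new `iodined_systemctl` interface does not match its body: the summary `## Execute iodined server in the iodined domain.` and the parameter text `## Domain allowed to transition.` describe a domain transition, while the rules grant `systemd_exec_systemctl($1)`, `manage_service_perms` on `iodined_unit_file_t` and `ps_process_pattern($1, iodined_t)`, i.e. control of the unit through systemctl with no transition into `iodined_t`. The summary should read `## Manage the iodined systemd unit via systemctl.` and the parameter `## Domain allowed access.`. Going by its name, `manage_service_perms` covers considerably more than start, so a sentence in the description noting that this is an admin-grade grant would help callers choose correctly.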
--- a/l2tp.te +++ b/l2tp.te @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) @@ -33542,7 +33600,13 @@ index 19f2b97..fbc0e48 100644 allow l2tpd_t self:fifo_file rw_fifo_file_perms; allow l2tpd_t self:netlink_socket create_socket_perms; allow l2tpd_t self:rawip_socket create_socket_perms; -@@ -47,6 +47,8 @@ files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) +@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) + manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) + manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) + manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) +-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) ++files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) + manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) @@ -33551,7 +33615,7 @@ index 19f2b97..fbc0e48 100644 corenet_all_recvfrom_unlabeled(l2tpd_t) corenet_all_recvfrom_netlabel(l2tpd_t) corenet_raw_sendrecv_generic_if(l2tpd_t) -@@ -75,19 +77,35 @@ corecmd_exec_bin(l2tpd_t) +@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) @@ -33561,10 +33625,12 @@ index 19f2b97..fbc0e48 100644 term_use_generic_ptys(l2tpd_t) term_use_ptmx(l2tpd_t) - logging_send_syslog_msg(l2tpd_t) +-logging_send_syslog_msg(l2tpd_t) ++auth_read_passwd(l2tpd_t) -miscfiles_read_localization(l2tpd_t) -- ++logging_send_syslog_msg(l2tpd_t) + sysnet_dns_name_resolve(l2tpd_t) optional_policy(` @@ -38615,7 +38681,7 @@ index 6194b80..f54f1e8 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..5222893 100644 +index 6a306ee..4440013 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
@@ -38889,12 +38955,12 @@ index 6a306ee..5222893 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -39024,34 +39090,34 @@ index 6a306ee..5222893 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -39059,7 +39125,7 @@ index 6a306ee..5222893 100644 ') optional_policy(` -@@ -300,221 +324,182 @@ optional_policy(` +@@ -300,221 +324,183 @@ optional_policy(` ######################################## # 
@@ -39142,12 +39208,12 @@ index 6a306ee..5222893 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -39161,6 +39227,7 @@ index 6a306ee..5222893 100644 corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) +corecmd_dontaudit_access_all_executables(mozilla_plugin_t) ++corecmd_getattr_all_executables(mozilla_plugin_t) -corenet_all_recvfrom_netlabel(mozilla_plugin_t) -corenet_all_recvfrom_unlabeled(mozilla_plugin_t) @@ -39316,12 +39383,12 @@ index 6a306ee..5222893 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) 
@@ -39381,7 +39448,7 @@ index 6a306ee..5222893 100644 ') optional_policy(` -@@ -523,36 +508,48 @@ optional_policy(` +@@ -523,36 +509,48 @@ optional_policy(` ') optional_policy(` @@ -39422,18 +39489,18 @@ index 6a306ee..5222893 100644 optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) + lpd_run_lpr(mozilla_plugin_t, mozilla_roles) ++') ++ ++optional_policy(` ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_manage_generic_home_content(mozilla_plugin_t) ++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ') optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_manage_generic_home_content(mozilla_plugin_t) - mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_manage_generic_home_content(mozilla_plugin_t) -+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") -+') -+ -+optional_policy(` + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) @@ -39443,7 +39510,7 @@ index 6a306ee..5222893 100644 ') optional_policy(` -@@ -560,7 +557,7 @@ optional_policy(` +@@ -560,7 +558,7 @@ optional_policy(` ') optional_policy(` @@ -39452,7 +39519,7 @@ index 6a306ee..5222893 100644 ') optional_policy(` -@@ -568,108 +565,118 @@ optional_policy(` +@@ -568,108 +566,124 @@ optional_policy(` ') optional_policy(` 
@@ -39481,22 +39548,23 @@ index 6a306ee..5222893 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -- ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; + -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") -+allow mozilla_plugin_config_t self:fifo_file rw_file_perms; -+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; ++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, 
".macromedia") 
@@ -39506,31 +39574,35 @@ index 6a306ee..5222893 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") -+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) - --filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +dev_read_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) --can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) --ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --kernel_read_system_state(mozilla_plugin_config_t) --kernel_request_load_module(mozilla_plugin_config_t) +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +-kernel_read_system_state(mozilla_plugin_config_t) 
+-kernel_request_load_module(mozilla_plugin_config_t) ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) + corecmd_exec_bin(mozilla_plugin_config_t) corecmd_exec_shell(mozilla_plugin_config_t) @@ -43717,7 +43789,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..c738393 100644 +index 44ad3b7..ce55650 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; 
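Review bot: The transition set in `++files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })` names fifo_file and sock_file, but the only new rules on mozilla_plugin_tmp_t are the manage_dirs/files/lnk_files patterns, so a fifo or socket created in /tmp would be labelled mozilla_plugin_tmp_t without the domain holding any permission on it. Either drop those two classes from the list or add `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)` and `manage_sock_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)`. The companion `++userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })` uses a different class list, which suggests one of the two is unintended. The mozilla_plugin_config_t block starts in the previous hunk and continues past this one.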
@@ -43775,7 +43847,26 @@ index 44ad3b7..c738393 100644 ######################################## # -@@ -110,7 +115,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) +@@ -96,11 +101,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; + allow nagios_t nagios_etc_t:file read_file_perms; + allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; + +-allow nagios_t nagios_log_t:dir setattr_dir_perms; +-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +-logging_log_filetrans(nagios_t, nagios_log_t, file) ++#allow nagios_t nagios_log_t:dir setattr_dir_perms; ++#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t) ++logging_log_filetrans(nagios_t, nagios_log_t, { dir file }) + + manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) + manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) +@@ -110,7 +117,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) @@ -43785,7 +43876,7 @@ index 44ad3b7..c738393 100644 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -@@ -123,7 +129,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +131,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) 
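Review bot: The four `++#allow nagios_t nagios_log_t:dir setattr_dir_perms;` … `++#setattr_files_pattern(...)` lines keep the old log rules as commented-out policy next to their replacement; they should be deleted rather than left as dead text, since the following `++manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)` subsumes them. Note that the replacement widens nagios_t from append/create/setattr on its log files to the full manage set (write, unlink, rename), so the daemon can now truncate or remove its own logs; if only appending is needed, keeping the original three patterns and adding only `manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)` and the widened `logging_log_filetrans` preserves log integrity. The nagios_t block continues outside the hunk.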
@@ -43793,7 +43884,7 @@ index 44ad3b7..c738393 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +148,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,7 +150,6 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -43801,7 +43892,7 @@ index 44ad3b7..c738393 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +157,6 @@ auth_use_nsswitch(nagios_t) +@@ -153,8 +159,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -43810,7 +43901,7 @@ index 44ad3b7..c738393 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,6 +180,7 @@ optional_policy(` +@@ -178,6 +182,7 @@ optional_policy(` # # CGI local policy # @@ -43818,7 +43909,7 @@ index 44ad3b7..c738393 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -229,9 +232,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +@@ -229,9 +234,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) @@ -43829,7 +43920,7 @@ index 44ad3b7..c738393 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -253,7 +256,6 @@ domain_use_interactive_fds(nrpe_t) +@@ -253,7 +258,6 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) @@ -43837,7 +43928,7 @@ index 44ad3b7..c738393 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +264,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +266,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) 
@@ -43846,7 +43937,7 @@ index 44ad3b7..c738393 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -310,15 +310,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +312,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -43865,7 +43956,7 @@ index 44ad3b7..c738393 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +345,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +347,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -43875,7 +43966,7 @@ index 44ad3b7..c738393 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +360,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +362,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -43889,7 +43980,7 @@ index 44ad3b7..c738393 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +396,7 @@ optional_policy(` +@@ -391,6 +398,7 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) @@ -43897,7 +43988,7 @@ index 44ad3b7..c738393 100644 ') optional_policy(` -@@ -411,6 +417,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +419,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) 
@@ -43905,7 +43996,7 @@ index 44ad3b7..c738393 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +427,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +429,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -43918,7 +44009,7 @@ index 44ad3b7..c738393 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,11 +449,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,11 +451,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -46666,7 +46757,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index dde7f42..82e97aa 100644 +index dde7f42..b3662dd 100644 --- a/nsd.te +++ b/nsd.te @@ -1,4 +1,4 @@ @@ -46734,7 +46825,7 @@ index dde7f42..82e97aa 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -72,16 +65,16 @@ corenet_tcp_sendrecv_all_ports(nsd_t) +@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t) corenet_udp_sendrecv_all_ports(nsd_t) corenet_tcp_bind_generic_node(nsd_t) corenet_udp_bind_generic_node(nsd_t) @@ -46745,6 +46836,7 @@ index dde7f42..82e97aa 100644 +corenet_sendrecv_dns_server_packets(nsd_t) dev_read_sysfs(nsd_t) ++dev_read_urand(nsd_t) domain_use_interactive_fds(nsd_t) 
@@ -46753,25 +46845,16 @@ index dde7f42..82e97aa 100644 fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) -@@ -90,12 +83,16 @@ auth_use_nsswitch(nsd_t) +@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t) logging_send_syslog_msg(nsd_t) -miscfiles_read_localization(nsd_t) -+sysnet_dns_name_resolve(nsd_t) - +- userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) - optional_policy(` -+ nis_use_ypbind(nsd_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(nsd_t) - ') - -@@ -105,23 +102,24 @@ optional_policy(` +@@ -105,23 +97,24 @@ optional_policy(` ######################################## # @@ -46804,7 +46887,7 @@ index dde7f42..82e97aa 100644 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) -@@ -133,29 +131,41 @@ kernel_read_system_state(nsd_crond_t) +@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) @@ -46822,7 +46905,6 @@ index dde7f42..82e97aa 100644 +corenet_tcp_connect_all_ports(nsd_crond_t) +corenet_sendrecv_all_client_packets(nsd_crond_t) -+# for SSP dev_read_urand(nsd_crond_t) domain_dontaudit_read_all_domains_state(nsd_crond_t) @@ -46835,22 +46917,10 @@ index dde7f42..82e97aa 100644 logging_send_syslog_msg(nsd_crond_t) -miscfiles_read_localization(nsd_crond_t) -+ -+sysnet_read_config(nsd_crond_t) - +- userdom_dontaudit_search_user_home_dirs(nsd_crond_t) optional_policy(` - cron_system_entry(nsd_crond_t, nsd_exec_t) - ') -+ -+optional_policy(` -+ nis_use_ypbind(nsd_crond_t) -+') -+ -+optional_policy(` -+ nscd_read_pid(nsd_crond_t) -+') diff --git a/nslcd.fc b/nslcd.fc index 402100e..ce913b2 100644 --- a/nslcd.fc @@ -48450,7 +48520,7 @@ index 57c0161..54bd4d7 100644 + ps_process_pattern($1, swift_t) ') diff --git a/nut.te b/nut.te -index 0c9deb7..98a02f8 100644 +index 0c9deb7..ebfaeb8 100644 --- a/nut.te +++ b/nut.te @@ -1,4 +1,4 @@ 
@@ -48562,12 +48632,12 @@ index 0c9deb7..98a02f8 100644 +allow nut_upsmon_t self:tcp_socket create_socket_perms; + +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) -+ + +# pid file +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) - ++ +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) @@ -48607,7 +48677,7 @@ index 0c9deb7..98a02f8 100644 mta_send_mail(nut_upsmon_t) optional_policy(` -@@ -124,14 +118,27 @@ optional_policy(` +@@ -124,14 +118,29 @@ optional_policy(` ######################################## # @@ -48621,6 +48691,8 @@ index 0c9deb7..98a02f8 100644 +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; ++ ++can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) + @@ -48637,7 +48709,7 @@ index 0c9deb7..98a02f8 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -139,22 +146,34 @@ dev_read_urand(nut_upsdrvctl_t) +@@ -139,22 +148,34 @@ dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) term_use_unallocated_ttys(nut_upsdrvctl_t) @@ -51312,7 +51384,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..ba9ff22 100644 +index 508fedf..f025b03 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -51335,7 +51407,7 @@ index 508fedf..ba9ff22 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -24,20 +21,28 @@ logging_log_file(openvswitch_log_t) +@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t) type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) 
@@ -51350,9 +51422,8 @@ index 508fedf..ba9ff22 100644 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; -+allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource }; -+allow openvswitch_t openvswitch_t : capability { sys_module }; -+allow openvswitch_t openvswitch_t : capability2 { block_suspend }; ++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; ++allow openvswitch_t self:capability2 block_suspend; +allow openvswitch_t self:process { fork setsched setrlimit signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; -allow openvswitch_t self:rawip_socket create_socket_perms; @@ -51372,7 +51443,7 @@ index 508fedf..ba9ff22 100644 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -45,9 +50,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) @@ -51383,7 +51454,7 @@ index 508fedf..ba9ff22 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -57,33 +60,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) 
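Review bot: The consolidated line `++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };` keeps sys_module in the daemon's capability set, which permits loading kernel modules directly rather than merely asking the kernel to autoload one; if openvswitch only needs its datapath module autoloaded, `kernel_request_load_module(openvswitch_t)` is the narrower grant and sys_module can be dropped. The access itself predates this change (it was the separate `allow openvswitch_t openvswitch_t : capability { sys_module };` line), so the merge only reformats it, but the merge is the right moment to reconsider it or to add a one-line comment stating why module loading is required. The openvswitch_t block continues outside the hunk.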
@@ -65092,10 +65163,19 @@ index c5ad6de..c67dbef 100644 /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..42caa6c 100644 +index 3698b51..7b56492 100644 --- a/rabbitmq.te +++ b/rabbitmq.te -@@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t) +@@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) + manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) + ++ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) ++ + can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) + + domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) +@@ -54,6 +56,8 @@ kernel_read_system_state(rabbitmq_beam_t) corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) @@ -65104,20 +65184,20 @@ index 3698b51..42caa6c 100644 corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) corenet_all_recvfrom_netlabel(rabbitmq_beam_t) corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -@@ -68,20 +70,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +72,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) -dev_read_sysfs(rabbitmq_beam_t) +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) ++ ++auth_read_passwd(rabbitmq_beam_t) -files_read_etc_files(rabbitmq_beam_t) -+auth_read_passwd(rabbitmq_beam_t) ++fs_getattr_all_fs(rabbitmq_beam_t) -miscfiles_read_localization(rabbitmq_beam_t) -+fs_getattr_xattr_fs(rabbitmq_beam_t) -+ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) 
@@ -65137,7 +65217,7 @@ index 3698b51..42caa6c 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +109,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +111,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -65493,7 +65573,7 @@ index 951db7f..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..0e15502 100644 +index 2c1730b..e9c20b8 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; @@ -65506,7 +65586,7 @@ index 2c1730b..0e15502 100644 type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,23 +28,28 @@ dev_associate(mdadm_var_run_t) +@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; @@ -65516,11 +65596,12 @@ index 2c1730b..0e15502 100644 +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; - ++allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) -+ + manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) 
@@ -65529,6 +65610,8 @@ index 2c1730b..0e15502 100644 -files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file }) +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) ++ ++can_exec(mdadm_t, mdadm_exec_t) kernel_getattr_core_if(mdadm_t) kernel_read_system_state(mdadm_t) @@ -65539,13 +65622,15 @@ index 2c1730b..0e15502 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +57,23 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_read_crash(mdadm_t) ++dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) dev_read_raw_memory(mdadm_t) ++dev_read_kvm(mdadm_t) +dev_read_nvram(mdadm_t) +dev_read_generic_files(mdadm_t) @@ -65565,7 +65650,7 @@ index 2c1730b..0e15502 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,16 +82,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -65582,10 +65667,10 @@ index 2c1730b..0e15502 100644 logging_send_syslog_msg(mdadm_t) -miscfiles_read_localization(mdadm_t) -- ++systemd_exec_systemctl(mdadm_t) + userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) - userdom_dontaudit_use_user_terminals(mdadm_t) diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 --- a/razor.fc @@ -73867,7 +73952,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..fccf544 100644 +index 57c034b..ea8d79d 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ 
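Review bot: `++dev_read_framebuffer(mdadm_t)` and `++dev_read_kvm(mdadm_t)` give a RAID management tool read access to the framebuffer and kvm device nodes, which are unrelated to array assembly; if these denials come from mdadm enumerating device nodes (the surrounding dev_read_raw_memory, dev_read_nvram and dev_read_generic_files lines suggest it scans /dev), a dontaudit in the style of the existing `dev_dontaudit_getattr_all_blk_files(mdadm_t)` lines would silence the audit noise without granting the read. The `++systemd_exec_systemctl(mdadm_t)` line in the next hunk of this file also deserves a one-line comment naming which unit mdadm drives, since it lets the domain run systemctl. The mdadm_t block continues outside the hunk.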
@@ -74138,7 +74223,7 @@ index 57c034b..fccf544 100644 ') optional_policy(` -@@ -245,38 +236,48 @@ optional_policy(` +@@ -245,44 +236,56 @@ optional_policy(` ') optional_policy(` @@ -74199,7 +74284,15 @@ index 57c034b..fccf544 100644 manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) -@@ -292,6 +293,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) + + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) + manage_files_pattern(smbd_t, samba_share_t, samba_share_t) ++manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t) ++manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t) + manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) + allow smbd_t samba_share_t:filesystem { getattr quotaget }; + +@@ -292,6 +295,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -74208,7 +74301,7 @@ index 57c034b..fccf544 100644 manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) -@@ -301,11 +304,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +@@ -301,11 +306,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) @@ -74224,7 +74317,7 @@ index 57c034b..fccf544 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -315,43 +318,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -315,43 +320,33 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) 
@@ -74279,7 +74372,7 @@ index 57c034b..fccf544 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +353,54 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +355,54 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -74345,7 +74438,7 @@ index 57c034b..fccf544 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +416,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +418,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -74368,7 +74461,7 @@ index 57c034b..fccf544 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +428,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +430,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -74376,7 +74469,7 @@ index 57c034b..fccf544 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +436,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +438,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -74394,7 +74487,7 @@ index 57c034b..fccf544 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -473,6 +456,11 @@ optional_policy(` +@@ -473,6 +458,11 @@ optional_policy(` ') optional_policy(` @@ -74406,7 +74499,7 @@ index 57c034b..fccf544 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +481,33 @@ optional_policy(` +@@ -493,9 +483,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -74441,7 +74534,7 @@ index 57c034b..fccf544 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +518,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +520,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -74456,7 +74549,7 @@ index 57c034b..fccf544 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +534,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +536,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -74480,7 +74573,7 @@ index 57c034b..fccf544 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +551,40 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +553,40 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -74545,7 +74638,7 @@ index 57c034b..fccf544 100644 ') optional_policy(` -@@ -600,17 +597,24 @@ optional_policy(` +@@ -600,17 +599,24 @@ optional_policy(` ######################################## # @@ -74574,7 +74667,7 @@ index 57c034b..fccf544 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +624,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +626,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -74592,7 +74685,7 @@ index 57c034b..fccf544 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +637,23 @@ optional_policy(` +@@ -637,22 +639,23 @@ optional_policy(` ######################################## # @@ -74624,7 +74717,7 @@ index 57c034b..fccf544 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +662,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +664,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") 
@@ -74660,7 +74753,7 @@ index 57c034b..fccf544 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +689,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +691,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -74752,7 +74845,7 @@ index 57c034b..fccf544 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +768,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +770,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -74776,7 +74869,7 @@ index 57c034b..fccf544 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +782,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +784,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -74819,7 +74912,7 @@ index 57c034b..fccf544 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +812,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +814,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -74833,7 +74926,7 @@ index 57c034b..fccf544 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +839,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; 
@@ -74853,7 +74946,7 @@ index 57c034b..fccf544 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +857,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -74864,7 +74957,7 @@ index 57c034b..fccf544 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +868,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -74894,7 +74987,7 @@ index 57c034b..fccf544 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +891,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -74915,7 +75008,7 @@ index 57c034b..fccf544 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +909,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -74926,7 +75019,7 @@ index 57c034b..fccf544 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,18 +917,24 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) 
@@ -74953,7 +75046,7 @@ index 57c034b..fccf544 100644 optional_policy(` ctdbd_stream_connect(winbind_t) -@@ -936,7 +942,12 @@ optional_policy(` +@@ -936,7 +944,12 @@ optional_policy(` ') optional_policy(` @@ -74966,7 +75059,7 @@ index 57c034b..fccf544 100644 ') optional_policy(` -@@ -952,31 +963,29 @@ optional_policy(` +@@ -952,31 +965,29 @@ optional_policy(` # Winbind helper local policy # @@ -75004,7 +75097,7 @@ index 57c034b..fccf544 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +999,38 @@ optional_policy(` +@@ -990,25 +1001,38 @@ optional_policy(` ######################################## # @@ -76839,7 +76932,7 @@ index ac04d27..b73334e 100644 +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/screen.if b/screen.if -index c21ddcc..ee00be2 100644 +index c21ddcc..4dd623e 100644 --- a/screen.if +++ b/screen.if @@ -1,4 +1,4 @@ @@ -76934,7 +77027,7 @@ index c21ddcc..ee00be2 100644 tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -@@ -87,3 +85,22 @@ template(`screen_role_template',` +@@ -87,3 +85,41 @@ template(`screen_role_template',` fs_nfs_domtrans($1_screen_t, $3) ') ') @@ -76957,6 +77050,25 @@ index c21ddcc..ee00be2 100644 + + can_exec($1, screen_exec_t) +') ++ ++######################################## ++## ++## Send a SIGCHLD signal to the screen domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`screen_sigchld',` ++ gen_require(` ++ attribute screen_domain; ++ ') ++ ++ allow $1 screen_domain:process sigchld; ++') ++ diff --git a/screen.te b/screen.te index f095081..ee69aa7 100644 --- a/screen.te @@ -85142,10 +85254,10 @@ index 0000000..74cd27c +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..780a62e +index 0000000..07820b6 --- /dev/null 
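Review bot: screen.if gains a trailing blank line at end of file: the new `screen_sigchld` interface ends with `++')` followed by an extra `++` empty line, while the interface just above it (the one ending in `can_exec($1, screen_exec_t)`) closes flush at `')`; dropping that last blank line keeps the file consistent and shrinks the nested header to `+85,40`. The rule itself, `allow $1 screen_domain:process sigchld;`, only grants the child-exit notification and targets the attribute rather than a single type, so every per-role `$1_screen_t` domain is covered; making that explicit in the summary, e.g. `## Send a SIGCHLD signal to all screen domains.`, would save the caller a lookup of the attribute.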
+++ b/thumb.te -@@ -0,0 +1,144 @@ +@@ -0,0 +1,145 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -85263,6 +85375,7 @@ index 0000000..780a62e +optional_policy(` + # .config + gnome_dontaudit_search_config(thumb_t) ++ gnome_dontaudit_write_config_files(thumb_t) + gnome_append_generic_cache_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t) + gnome_dontaudit_rw_generic_cache_files(thumb_t) @@ -87805,10 +87918,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..e97572f 100644 +index c30da4c..898ce74 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,86 @@ +@@ -1,52 +1,87 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -87818,6 +87931,7 @@ index c30da4c..e97572f 100644 +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -87935,7 +88049,7 @@ index c30da4c..e97572f 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..7877729 100644 +index 9dec06c..378880d 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
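Review bot: `gnome_dontaudit_write_config_files(thumb_t)` suppresses the denial rather than granting access, so a thumbnailer that tries to write `~/.config` content is still refused but the attempt no longer reaches the audit log. Since a thumbnailer presumably handles files it did not create, the reason the write attempt is considered benign deserves a one-line comment next to the rule, e.g. `# thumbnailers probe ~/.config for writing; deny silently (semodule -DB to surface)`. The nested `+@@ -0,0 +1,145 @@` header count matches the single added line. The enclosing `optional_policy(` block begins before and ends after this hunk.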
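Review bot: The new `HOME_DIR/\.cache/libvirt-sandbox(/.*)?` entry labels the whole subtree virt_home_t, whereas the neighbouring libvirt tree carries a more specific `HOME_DIR/\.cache/libvirt/qemu(/.*)?` override to svirt_home_t. If libvirt-sandbox keeps a comparable qemu cache subdirectory (not visible here), that content would stay at virt_home_t; worth confirming against the tool's layout, and if the single label is intended a short `# no svirt_home_t split: sandbox keeps no qemu cache subtree` comment would record the decision. The matching `gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")` in virt.if appears in a later hunk of this patch and agrees with the label chosen here.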
@@ -89384,7 +89498,7 @@ index 9dec06c..7877729 100644 ## ## ## -@@ -1091,95 +997,168 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +997,169 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -89420,6 +89534,7 @@ index 9dec06c..7877729 100644 + optional_policy(` + gnome_config_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2fcda05..7ecc0d1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 59%{?dist} +Release: 62%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -539,6 +539,39 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 9 2013 Miroslav Grepl 3.12.1-62 +- Fix definition of sandbox.disabled to sandbox.pp.disabled + +* Mon Jul 8 2013 Miroslav Grepl 3.12.1-61 +- Allow mdamd to execute systemctl +- Allow mdadm to read /dev/kvm +- Allow ipsec_mgmt_t to read l2tpd pid content + +* Mon Jul 8 2013 Miroslav Grepl 3.12.1-60 +- Allow nsd_t to read /dev/urand +- Allow mdadm_t to read framebuffer +- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t +- Allow mozilla_plugin_config_t to create tmp files +- Cleanup openvswitch policy +- Allow mozilla plugin to getattr on all executables +- Allow l2tpd_t to create fifo_files in /var/run +- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory +- Allow mdadm to connecto its own unix_stream_socket +- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. +- Allow apache to access smokeping pid files +- Allow rabbitmq_beam_t to getattr on all filesystems +- Add systemd support for iodined +- Allow nup_upsdrvctl_t to execute its entrypoint +- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch +- add labeling for ~/.cache/libvirt-sandbox +- Add interface to allow domains transitioned to by confined users to send sigchld to screen program +- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab +- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service +- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. 
+- Allow staff to getsched all domains, required to run htop +- Add port definition for redis port +- fix selinuxuser_use_ssh_chroot boolean + * Wed Jul 3 2013 Miroslav Grepl 3.12.1-59 - Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info