diff --git a/policy-F16.patch b/policy-F16.patch index ee7f839..23d0811 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -281,7 +281,7 @@ index 358ce7c..e5dc022 100644 + ') dnl end enable_mcs diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if -index e66c296..61f738b 100644 +index e66c296..993a1e9 100644 --- a/policy/modules/admin/acct.if +++ b/policy/modules/admin/acct.if @@ -78,3 +78,21 @@ interface(`acct_manage_data',` @@ -295,7 +295,7 @@ index e66c296..61f738b 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -1566,7 +1566,7 @@ index c633aea..d1e56f6 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..2718561 100644 +index af55369..6059aed 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1625,17 +1625,17 @@ index af55369..2718561 100644 optional_policy(` - rpm_manage_tmp_files(prelink_t) + gnome_dontaudit_read_config(prelink_t) -+') -+ -+optional_policy(` -+ nsplugin_manage_rw_files(prelink_t) ') optional_policy(` - unconfined_domain(prelink_t) -+ rpm_manage_tmp_files(prelink_t) ++ nsplugin_manage_rw_files(prelink_t) ') ++optional_policy(` ++ rpm_manage_tmp_files(prelink_t) ++') ++ +#optional_policy(` +# unconfined_domain(prelink_t) +#') @@ -1651,11 +1651,13 @@ index af55369..2718561 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +163,26 @@ optional_policy(` +@@ -148,17 +163,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) - init_exec(prelink_cron_system_t) ++ fs_search_cgroup_dirs(prelink_cron_system_t) ++ + init_telinit(prelink_cron_system_t) libs_exec_ld_so(prelink_cron_system_t) @@ -3217,7 +3219,7 @@ index 0000000..1f468aa +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..e921f24 +index 0000000..ae9c0c5 --- /dev/null +++ b/policy/modules/apps/chrome.if @@ -0,0 +1,107 @@ @@ -3317,7 +3319,7 @@ index 0000000..e921f24 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -3691,7 +3693,7 @@ index 0000000..ce498b3 + diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if new file mode 100644 -index 0000000..7fe26f3 +index 0000000..2bd5790 --- /dev/null +++ b/policy/modules/apps/firewallgui.if @@ -0,0 +1,41 @@ @@ -3725,7 +3727,7 @@ index 0000000..7fe26f3 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -3873,10 +3875,10 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..3587c52 100644 +index f5afe78..3ca01ec 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,605 @@ +@@ -1,44 +1,623 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -4085,7 +4087,7 @@ index f5afe78..3587c52 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -4103,7 +4105,7 @@ index f5afe78..3587c52 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -4263,6 +4265,24 @@ index f5afe78..3587c52 100644 + +######################################## +## ++## Dontaudit read/write to generic cache home files (.cache) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`gnome_dontaudit_rw_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ dontaudit $1 cache_home_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## +## read gnome homedir content (.config) +## +## @@ -4501,7 +4521,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -46,37 +607,37 @@ interface(`gnome_role',` +@@ -46,37 +625,37 @@ interface(`gnome_role',` ## ## # @@ -4551,7 +4571,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -84,37 +645,37 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +663,37 @@ template(`gnome_read_gconf_config',` ## ## # @@ -4600,7 +4620,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -122,17 +683,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +701,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -4622,7 +4642,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -140,51 +701,335 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +719,335 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -4913,7 +4933,7 @@ index f5afe78..3587c52 100644 +## +## +# -+interface(`gnome_user_home_dir_filetrans',` ++interface(`gnome_filetrans_home_content',` + +gen_require(` + type config_home_t; @@ -4950,7 +4970,7 @@ index f5afe78..3587c52 100644 +## +## +# -+interface(`gnome_admin_home_dir_filetrans',` ++interface(`gnome_filetrans_admin_home_content',` + +gen_require(` + type config_home_t; @@ -5914,7 +5934,7 @@ index f63c4c2..bf59895 100644 policykit_dbus_chat(kdumpgui_t) ') diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if -index 12b772f..b67cf26 100644 +index 12b772f..1d203dc 100644 --- a/policy/modules/apps/livecd.if +++ b/policy/modules/apps/livecd.if @@ -41,6 +41,8 @@ interface(`livecd_run',` @@ -5934,7 +5954,7 @@ index 12b772f..b67cf26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -6172,7 +6192,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..19de023 100644 +index 9a6d67d..c499e03 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -6338,7 +6358,7 @@ index 9a6d67d..19de023 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -9645,10 +9665,10 @@ index 0000000..6878d68 + diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..8791119 +index 0000000..a6cb11d --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,338 @@ +@@ -0,0 +1,336 @@ + +policy_module(telepathy, 1.0.0) + @@ -9665,6 +9685,14 @@ index 0000000..8791119 +## +gen_tunable(telepathy_tcp_connect_generic_network_ports, false) + ++## ++##

++## Allow the Telepathy connection managers ++## to connect to any network port. ++##

++##
++gen_tunable(telepathy_connect_all_ports, true) ++ +attribute telepathy_domain; +attribute telepathy_executable; + @@ -9697,7 +9725,6 @@ index 0000000..8791119 +# + +allow telepathy_msn_t self:process setsched; -+allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -9717,6 +9744,7 @@ index 0000000..8791119 +corenet_tcp_connect_msnp_port(telepathy_msn_t) +corenet_tcp_connect_sametime_port(telepathy_msn_t) +corenet_tcp_connect_ssdp_port(telepathy_msn_t) ++corenet_tcp_connect_sip_port(telepathy_msn_t) + +corecmd_exec_bin(telepathy_msn_t) +corecmd_exec_shell(telepathy_msn_t) @@ -9725,8 +9753,6 @@ index 0000000..8791119 +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + -+auth_use_nsswitch(telepathy_msn_t) -+ +init_read_state(telepathy_msn_t) + +libs_exec_ldconfig(telepathy_msn_t) @@ -9735,8 +9761,6 @@ index 0000000..8791119 + +miscfiles_read_all_certs(telepathy_msn_t) + -+sysnet_read_config(telepathy_msn_t) -+ +userdom_read_all_users_state(telepathy_msn_t) + +optional_policy(` @@ -9755,7 +9779,6 @@ index 0000000..8791119 +# Telepathy Gabble local policy. +# + -+allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_gabble_t self:tcp_socket { listen accept }; +allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto }; + @@ -9785,9 +9808,9 @@ index 0000000..8791119 +files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) + -+miscfiles_read_all_certs(telepathy_gabble_t) ++fs_getattr_all_fs(telepathy_gabble_t) + -+sysnet_read_config(telepathy_gabble_t) ++miscfiles_read_all_certs(telepathy_gabble_t) + +optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) @@ -9812,8 +9835,6 @@ index 0000000..8791119 +# Telepathy Idle local policy. +# + -+allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms; -+ +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) +corenet_tcp_connect_ircd_port(telepathy_idle_t) @@ -9822,8 +9843,6 @@ index 0000000..8791119 + +files_read_etc_files(telepathy_idle_t) + -+sysnet_read_config(telepathy_idle_t) -+ +####################################### +# +# Telepathy Mission-Control local policy. @@ -9851,8 +9870,6 @@ index 0000000..8791119 + fs_manage_cifs_files(telepathy_mission_control_t) +') + -+auth_use_nsswitch(telepathy_mission_control_t) -+ +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) @@ -9870,8 +9887,6 @@ index 0000000..8791119 +# +# Telepathy Salut local policy. +# -+ -+allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_salut_t self:tcp_socket { accept listen }; + +manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) @@ -9883,8 +9898,6 @@ index 0000000..8791119 + +files_read_etc_files(telepathy_salut_t) + -+sysnet_read_config(telepathy_salut_t) -+ +optional_policy(` + dbus_system_bus_client(telepathy_salut_t) + @@ -9897,19 +9910,17 @@ index 0000000..8791119 +# +# Telepathy Sofiasip local policy. +# -+ -+allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; +allow telepathy_sofiasip_t self:tcp_socket { listen }; + +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) +corenet_udp_bind_all_ports(telepathy_sofiasip_t) ++corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) ++corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) + +kernel_request_load_module(telepathy_sofiasip_t) + -+sysnet_read_config(telepathy_sofiasip_t) -+ +####################################### +# +# Telepathy Sunshine local policy. @@ -9959,9 +9970,9 @@ index 0000000..8791119 + +fs_search_auto_mountpoints(telepathy_domain) + -+miscfiles_read_localization(telepathy_domain) ++auth_use_nsswitch(telepathy_domain) + -+sysnet_dns_name_resolve(telepathy_domain) ++miscfiles_read_localization(telepathy_domain) + +# This interface does not facilitate files_search_tmp which appears to be a bug. +userdom_stream_connect(telepathy_domain) @@ -9972,12 +9983,19 @@ index 0000000..8791119 + corenet_sendrecv_generic_client_packets(telepathy_domain) +') + ++tunable_policy(`telepathy_connect_all_ports', ` ++ corenet_tcp_connect_all_ports(telepathy_domain) ++ corenet_tcp_sendrecv_all_ports(telepathy_domain) ++ corenet_udp_sendrecv_all_ports(telepathy_domain) ++') ++ +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(telepathy_domain) +') + +optional_policy(` -+ nis_use_ypbind(telepathy_domain) ++ gnome_read_generic_cache_files(telepathy_domain) ++ gnome_write_generic_cache_files(telepathy_domain) +') + +optional_policy(` @@ -10720,9 +10738,18 @@ index 34c9d01..0d54b2c 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..24018ce 100644 +index 9e9263a..32826ad 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if +@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -1049,6 +1049,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -11119,7 +11146,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..f8b1eee 100644 +index e9313fb..ddb84e0 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -11208,6 +11235,15 @@ index e9313fb..f8b1eee 100644 ## Dontaudit getattr on generic block devices. ## ## +@@ -628,7 +683,7 @@ interface(`dev_rw_generic_blk_files',` + ## + ## + ## +-## Domain to dontaudit access. ++## Domain to not audit. + ## + ## + # @@ -715,7 +770,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ######################################## @@ -11493,6 +11529,15 @@ index e9313fb..f8b1eee 100644 ## Delete all block device files. ## ## +@@ -2663,7 +2914,7 @@ interface(`dev_write_misc',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',` ######################################## @@ -12410,7 +12455,7 @@ index 3ff4f60..89ffda6 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..e957e76 100644 +index aad8c52..53b0624 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` @@ -12448,7 +12493,7 @@ index aad8c52..e957e76 100644 ## ## ## -@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',` +@@ -630,11 +649,11 @@ interface(`domain_getattr_all_domains',` ######################################## ## @@ -12457,6 +12502,11 @@ index aad8c52..e957e76 100644 ## ## ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -886,6 +905,24 @@ interface(`domain_getsched_all_domains',` ######################################## @@ -12526,7 +12576,7 @@ index aad8c52..e957e76 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -12866,7 +12916,7 @@ index 16108f6..de3c68f 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..4f3ff26 100644 +index 958ca84..1204be0 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -12987,7 +13037,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13038,7 +13088,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13053,6 +13103,15 @@ index 958ca84..4f3ff26 100644 ########################################## ## ## Manage generic directories in /etc +@@ -2379,7 +2504,7 @@ interface(`files_read_etc_files',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## @@ -13127,7 +13186,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13195,7 +13254,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13354,6 +13413,24 @@ index 958ca84..4f3ff26 100644 ######################################## ## ## Allow the specified type to associate +@@ -3774,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -3846,7 +4200,7 @@ interface(`files_list_tmp',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # @@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13379,12 +13456,13 @@ index 958ca84..4f3ff26 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -3914,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,25 +4286,33 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -13393,52 +13471,91 @@ index 958ca84..4f3ff26 100644 +## This is added to support java policy. +##

+##
+ ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_manage_generic_tmp_files',` ++interface(`files_execmod_tmp',` + gen_require(` +- type tmp_t; ++ attribute tmpfile; + ') + +- manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; + ') + + ######################################## + ## +-## Read symbolic links in the tmp directory (/tmp). ++## Manage temporary files and directories in /tmp. + ## + ## + ## +@@ -3940,17 +4320,35 @@ interface(`files_manage_generic_tmp_files',` + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + +- read_lnk_files_pattern($1, tmp_t, tmp_t) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Read symbolic links in the tmp directory (/tmp). ++## +## +## +## Domain allowed access. +## +## +# -+interface(`files_execmod_tmp',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` -+ attribute tmpfile; ++ type tmp_t; + ') + -+ allow $1 tmpfile:file execmod; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## - ## Manage temporary files and directories in /tmp. ++## Read and write generic named sockets in the tmp directory (/tmp). ## ## -@@ -3968,7 +4366,7 @@ interface(`files_rw_generic_tmp_sockets',` + ## +@@ -3968,6 +4366,84 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -3976,17 +4374,95 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- attribute tmpfile; ++ gen_require(` + type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ ') ++ + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## List all tmp directories. ++') ++ ++######################################## ++## +## Relabel a file from the type used in /tmp. +## +## @@ -13499,28 +13616,27 @@ index 958ca84..4f3ff26 100644 + +######################################## +## -+## Set the attributes of all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:dir { search_dir_perms setattr }; -+') -+ -+######################################## -+## -+## List all tmp directories. + ## Set the attributes of all tmp directories. + ## + ## +@@ -4009,7 +4485,7 @@ interface(`files_list_all_tmp',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -4047,7 +4523,7 @@ interface(`files_getattr_all_tmp_files',` ## ## ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # @@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -14128,7 +14244,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -14261,7 +14377,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..79b4c0f 100644 +index dfe361a..1c83074 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -14310,7 +14426,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -14770,6 +14886,24 @@ index dfe361a..79b4c0f 100644 ') ######################################## +@@ -2587,7 +2911,7 @@ interface(`fs_search_removable',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -2623,7 +2947,7 @@ interface(`fs_read_removable_files',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # @@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## @@ -14778,7 +14912,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain not to audit. ++## Domain to not audit. +## +## +# @@ -14905,7 +15039,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -14931,6 +15065,15 @@ index dfe361a..79b4c0f 100644 ') ######################################## +@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',` + ## + ##

+ ## Allow the specified domain to +-## et the attributes of all filesystems. ++## get the attributes of all filesystems. + ## Example attributes: + ##

+ ##
    @@ -4681,3 +5101,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; @@ -14943,7 +15086,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -15043,7 +15186,7 @@ index e49c148..4d6bbf4 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 069d36c..78a81b3 100644 +index 069d36c..8cbeefb 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` @@ -15108,6 +15251,15 @@ index 069d36c..78a81b3 100644 ') ######################################## +@@ -2254,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -2436,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## @@ -15226,7 +15378,7 @@ index 069d36c..78a81b3 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5001b89..fef153d 100644 +index 5001b89..e1fe78d 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -15266,7 +15418,7 @@ index 5001b89..fef153d 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +275,28 @@ files_list_root(kernel_t) +@@ -268,19 +275,40 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -15292,10 +15444,22 @@ index 5001b89..fef153d 100644 ') + ++optional_policy(` ++ apache_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ gnome_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ kerberos_filetrans_home_content(kernel_t) ++') ++ optional_policy(` hotplug_search_config(kernel_t) ') -@@ -296,6 +312,11 @@ optional_policy(` +@@ -296,6 +324,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -15303,16 +15467,29 @@ index 5001b89..fef153d 100644 +') + +optional_policy(` ++ mta_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ ssh_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) ') optional_policy(` -@@ -357,6 +378,10 @@ optional_policy(` +@@ -357,6 +398,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') +optional_policy(` ++ virt_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` + xserver_xdm_manage_spool(kernel_t) ++ xserver_filetrans_home_content(kernel_t) +') + ######################################## @@ -15874,7 +16051,7 @@ index 3994e57..a1923fe 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..0082923 100644 +index f3acfee..5260651 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` @@ -16022,6 +16199,15 @@ index f3acfee..0082923 100644 ') ######################################## +@@ -903,7 +982,7 @@ interface(`term_getattr_all_user_ptys',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',` ') @@ -16114,6 +16300,15 @@ index f3acfee..0082923 100644 ') ######################################## +@@ -1467,7 +1570,7 @@ interface(`term_use_all_user_ttys',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) @@ -16623,7 +16818,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..95ff489 100644 +index 2be17d2..ddb6f0a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) @@ -16678,7 +16873,7 @@ index 2be17d2..95ff489 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +66,140 @@ optional_policy(` +@@ -27,25 +66,139 @@ optional_policy(` ') optional_policy(` @@ -16701,7 +16896,6 @@ index 2be17d2..95ff489 100644 +optional_policy(` + gnome_role(staff_r, staff_t) + gnome_role_gkeyringd(staff, staff_r, staff_t) -+ permissive staff_gkeyringd_t; +') + +optional_policy(` @@ -16752,7 +16946,7 @@ index 2be17d2..95ff489 100644 optional_policy(` + qemu_run(staff_t, staff_r) + virt_manage_tmpfs_files(staff_t) -+ virt_user_home_dir_filetrans(staff_t) ++ virt_filetrans_home_content(staff_t) +') + +optional_policy(` @@ -16821,7 +17015,7 @@ index 2be17d2..95ff489 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +243,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16832,7 +17026,7 @@ index 2be17d2..95ff489 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +287,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16843,7 +17037,7 @@ index 2be17d2..95ff489 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +318,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -16852,7 +17046,7 @@ index 2be17d2..95ff489 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..65a8661 100644 +index 4a8d146..4fb9455 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -16906,7 +17100,7 @@ index 4a8d146..65a8661 100644 +userdom_manage_user_tmp_blk_files(sysadm_t) + +optional_policy(` -+ ssh_admin_home_dir_filetrans(sysadm_t) ++ ssh_filetrans_admin_home_content(sysadm_t) +') ifdef(`direct_sysadm_daemon',` @@ -17133,7 +17327,7 @@ index 4a8d146..65a8661 100644 optional_policy(` - wireshark_role(sysadm_r, sysadm_t) + virt_stream_connect(sysadm_t) -+ virt_user_home_dir_filetrans(sysadm_t) ++ virt_filetrans_home_content(sysadm_t) ') optional_policy(` @@ -17157,7 +17351,7 @@ index 4a8d146..65a8661 100644 optional_policy(` gnome_role(sysadm_r, sysadm_t) -+ gnome_admin_home_dir_filetrans(sysadm_t) ++ gnome_filetrans_admin_home_content(sysadm_t) ') optional_policy(` @@ -17932,7 +18126,7 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..4c5f006 +index 0000000..4cf791b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,525 @@ @@ -18035,7 +18229,7 @@ index 0000000..4c5f006 +sysnet_etc_filetrans_config(unconfined_t, yp.conf) + +optional_policy(` -+ ssh_admin_home_dir_filetrans(unconfined_t) ++ ssh_filetrans_admin_home_content(unconfined_t) +') + +mcs_killall(unconfined_t) @@ -18237,7 +18431,7 @@ index 0000000..4c5f006 + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) -+ gnome_admin_home_dir_filetrans(unconfined_usertype) ++ gnome_filetrans_admin_home_content(unconfined_usertype) + ') + + optional_policy(` @@ -18383,7 +18577,7 @@ index 0000000..4c5f006 + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_user_home_dir_filetrans(unconfined_t) ++ virt_filetrans_home_content(unconfined_t) +') + +optional_policy(` @@ -22673,7 +22867,7 @@ index 0000000..18f37e2 +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if new file mode 100644 -index 0000000..3964548 +index 0000000..d1fd21d --- /dev/null +++ b/policy/modules/services/bugzilla.if @@ -0,0 +1,80 @@ @@ -22705,7 +22899,7 @@ index 0000000..3964548 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -24616,10 +24810,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..e79f653 +index 0000000..13278c0 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,106 @@ +policy_module(colord,1.0.0) + +######################################## @@ -24637,10 +24831,16 @@ index 0000000..e79f653 +type colord_tmp_t; +files_tmp_file(colord_tmp_t) + ++type colord_tmpfs_t; ++files_tmpfs_file(colord_tmpfs_t) ++ +######################################## +# +# colord local policy +# ++ ++allow colord_t self:process signal; ++ +allow colord_t self:fifo_file rw_fifo_file_perms; +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:udp_socket create_socket_perms; @@ -24650,6 +24850,10 @@ index 0000000..e79f653 +manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) +files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) + ++manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) ++manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) ++fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -24717,7 +24921,7 @@ index 0000000..e79f653 + udev_read_db(colord_t) +') diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if -index fd15dfe..ad224fa 100644 +index fd15dfe..0716ee4 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if @@ -5,9 +5,9 @@ @@ -24741,7 +24945,7 @@ index fd15dfe..ad224fa 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -25947,7 +26151,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..cda064a 100644 +index 0f28095..a3a6265 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -26059,11 +26263,12 @@ index 0f28095..cda064a 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_rw_user_tmp_files(cupsd_config_t) ++userdom_read_user_tmp_symlinks(cupsd_config_t) cups_stream_connect(cupsd_config_t) @@ -26072,7 +26277,7 @@ index 0f28095..cda064a 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +465,10 @@ optional_policy(` +@@ -453,6 +466,10 @@ optional_policy(` ') optional_policy(` @@ -26083,7 +26288,7 @@ index 0f28095..cda064a 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +483,10 @@ optional_policy(` +@@ -467,6 +484,10 @@ optional_policy(` ') optional_policy(` @@ -26094,7 +26299,7 @@ index 0f28095..cda064a 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -26114,7 +26319,7 @@ index 0f28095..cda064a 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -26125,7 +26330,7 @@ index 0f28095..cda064a 100644 ######################################## # # HPLIP local policy -@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -26134,7 +26339,7 @@ index 0f28095..cda064a 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -26142,7 +26347,7 @@ index 0f28095..cda064a 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -26156,7 +26361,7 @@ index 0f28095..cda064a 100644 optional_policy(` dbus_system_bus_client(hplip_t) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if -index c43ff4c..a9783e3 100644 +index c43ff4c..6ca9a6b 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -1,5 +1,23 @@ @@ -26168,7 +26373,7 @@ index c43ff4c..a9783e3 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -28777,7 +28982,7 @@ index f28f64b..18c3c33 100644 optional_policy(` diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..87f6bfb 100644 +index f590a1f..3cc3f80 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -5,9 +5,9 @@ @@ -28812,7 +29017,7 @@ index f590a1f..87f6bfb 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -29377,7 +29582,7 @@ index 54f0737..2b552c5 100644 +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if -index 458aac6..03645a9 100644 +index 458aac6..8e83609 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if @@ -1 +1,539 @@ @@ -29763,7 +29968,7 @@ index 458aac6..03645a9 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -31376,7 +31581,7 @@ index 3525d24..923e979 100644 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..414cfb4 100644 +index 604f67b..04309ea 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -31505,7 +31710,7 @@ index 604f67b..414cfb4 100644 ') allow $1 kadmind_t:process { ptrace signal_perms }; -@@ -378,3 +374,110 @@ interface(`kerberos_admin',` +@@ -378,3 +374,108 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -31609,8 +31814,6 @@ index 604f67b..414cfb4 100644 + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1) + + kerberos_etc_filetrans_keytab($1, krb5.keytab) -+ # this is defined in userdom_login_user_template -+ #kerberos_filetrans_home_content($1) + kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, host_0) @@ -33091,7 +33294,7 @@ index 0000000..68ad33f +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..f60483e +index 0000000..ec2832c --- /dev/null +++ b/policy/modules/services/mock.if @@ -0,0 +1,272 @@ @@ -33254,7 +33457,7 @@ index 0000000..f60483e +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -35678,7 +35881,7 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..8f8c519 100644 +index 0619395..863ba2d 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -35739,7 +35942,15 @@ index 0619395..8f8c519 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -133,30 +155,37 @@ logging_send_syslog_msg(NetworkManager_t) +@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t) + dev_read_urand(NetworkManager_t) + dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) + dev_getattr_all_chr_files(NetworkManager_t) ++dev_rw_wireless(NetworkManager_t) + + fs_getattr_all_fs(NetworkManager_t) + fs_search_auto_mountpoints(NetworkManager_t) +@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) @@ -35779,7 +35990,7 @@ index 0619395..8f8c519 100644 ') optional_policy(` -@@ -172,14 +201,21 @@ optional_policy(` +@@ -172,14 +202,21 @@ optional_policy(` ') optional_policy(` @@ -35802,7 +36013,7 @@ index 0619395..8f8c519 100644 ') ') -@@ -202,6 +238,17 @@ optional_policy(` +@@ -202,6 +239,17 @@ optional_policy(` ') optional_policy(` @@ -35820,7 +36031,7 @@ index 0619395..8f8c519 100644 iptables_domtrans(NetworkManager_t) ') -@@ -219,6 +266,11 @@ optional_policy(` +@@ -219,6 +267,11 @@ optional_policy(` ') optional_policy(` @@ -35832,7 +36043,7 @@ index 0619395..8f8c519 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -263,6 +315,7 @@ optional_policy(` +@@ -263,6 +316,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -38809,7 +39020,7 @@ index 46bee12..37bd751 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..8bf015c 100644 +index 06e37d4..38fe95a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -39047,7 +39258,16 @@ index 06e37d4..8bf015c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +564,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -507,6 +552,8 @@ optional_policy(` + # Postfix qmgr local policy + # + ++allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms; ++ + stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + + rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) +@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -39056,7 +39276,7 @@ index 06e37d4..8bf015c 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +584,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -39065,7 +39285,7 @@ index 06e37d4..8bf015c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +633,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -39082,7 +39302,7 @@ index 06e37d4..8bf015c 100644 ') optional_policy(` -@@ -611,8 +662,8 @@ optional_policy(` +@@ -611,8 +664,8 @@ optional_policy(` # Postfix virtual local policy # @@ -39092,7 +39312,7 @@ index 06e37d4..8bf015c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +681,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -45101,7 +45321,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..de9d29e 100644 +index 22adaca..0ecf6e4 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -45418,7 +45638,7 @@ index 22adaca..de9d29e 100644 ') ###################################### -@@ -735,3 +795,61 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +795,62 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -45452,7 +45672,7 @@ index 22adaca..de9d29e 100644 +## +## +# -+interface(`ssh_admin_home_dir_filetrans',` ++interface(`ssh_filetrans_admin_home_content',` + gen_require(` + type ssh_home_t; + ') @@ -45472,7 +45692,8 @@ index 22adaca..de9d29e 100644 +## +## +# -+interface(`ssh_user_home_dir_filetrans',` ++interface(`ssh_filetrans_home_content',` ++ + gen_require(` + type ssh_home_t; + ') @@ -47064,7 +47285,7 @@ index 2124b6a..9682c44 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..05a7054 100644 +index 7c5d8d8..16f69c9 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,14 +13,15 @@ @@ -47249,7 +47470,7 @@ index 7c5d8d8..05a7054 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -47494,7 +47715,7 @@ index 7c5d8d8..05a7054 100644 +## +## +# -+interface(`virt_user_home_dir_filetrans',` ++interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + ') @@ -48245,10 +48466,10 @@ index 0000000..b9104b7 +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 -index 0000000..a7de540 +index 0000000..90b8072 --- /dev/null +++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,73 @@ +@@ -0,0 +1,78 @@ +policy_module(vnstatd, 1.0.0) + +######################################## @@ -48286,10 +48507,15 @@ index 0000000..a7de540 +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) + ++kernel_read_network_state(vnstatd_t) ++kernel_read_system_state(vnstatd_t) ++ +domain_use_interactive_fds(vnstatd_t) + +files_read_etc_files(vnstatd_t) + ++fs_getattr_xattr_fs(vnstatd_t) ++ +logging_send_syslog_msg(vnstatd_t) + +miscfiles_read_localization(vnstatd_t) @@ -48496,7 +48722,7 @@ index 6f1e3c7..a3986f4 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..ade50fd 100644 +index 130ced9..463447d 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -48806,7 +49032,7 @@ index 130ced9..ade50fd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -48934,7 +49160,7 @@ index 130ced9..ade50fd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -49146,7 +49372,7 @@ index 130ced9..ade50fd 100644 ') ######################################## -@@ -1243,10 +1462,397 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1462,431 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -49541,13 +49767,47 @@ index 130ced9..ade50fd 100644 + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) + -+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .k5login) -+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d) ++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d) ++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts) ++# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig) ++') ++ ++######################################## ++## ++## Transition to xserver named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_filetrans_home_content',` ++ gen_require(` ++ type xdm_home_t; ++ type xauth_home_t; ++ type iceauth_home_t; ++ type user_home_t; ++ type user_fonts_t; ++ type user_fonts_cache_t; ++ type user_fonts_config_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, .dmrc) ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, .xsession-errors) ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, .DCOP) ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, .ICEauthority) ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, .Xauthority) ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, .xauth) ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, .Xauth) ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .fonts.conf) ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, .fonts.d) + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts) + userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig) ++ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, auto) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 6c01261..8cb530b 100644 +index 6c01261..1a345d6 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -49869,7 +50129,7 @@ index 6c01261..8cb530b 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -302,20 +415,38 @@ optional_policy(` +@@ -302,20 +415,34 @@ optional_policy(` # XDM Local policy # @@ -49899,11 +50159,7 @@ index 6c01261..8cb530b 100644 + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) -+userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .DCOP) -+userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .ICEauthority) -+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauthority) -+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .xauth) -+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauth) ++xserver_filetrans_home_content(xdm_t) + +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) @@ -49912,7 +50168,7 @@ index 6c01261..8cb530b 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -323,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -323,43 +450,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -49981,7 +50237,7 @@ index 6c01261..8cb530b 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -368,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -368,18 +514,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -50009,7 +50265,7 @@ index 6c01261..8cb530b 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -391,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -391,18 +545,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -50033,7 +50289,7 @@ index 6c01261..8cb530b 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -411,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -411,18 +569,24 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -50061,7 +50317,7 @@ index 6c01261..8cb530b 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -433,9 +601,23 @@ files_list_mnt(xdm_t) +@@ -433,9 +597,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -50085,7 +50341,7 @@ index 6c01261..8cb530b 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -444,28 +626,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -444,28 +622,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -50124,7 +50380,7 @@ index 6c01261..8cb530b 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -474,9 +664,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -474,9 +660,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -50155,7 +50411,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -492,6 +703,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -492,6 +699,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -50170,7 +50426,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -505,11 +724,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -505,11 +720,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -50192,7 +50448,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -517,7 +746,43 @@ optional_policy(` +@@ -517,7 +742,43 @@ optional_policy(` ') optional_policy(` @@ -50237,7 +50493,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -527,6 +792,16 @@ optional_policy(` +@@ -527,6 +788,16 @@ optional_policy(` ') optional_policy(` @@ -50254,7 +50510,7 @@ index 6c01261..8cb530b 100644 hostname_exec(xdm_t) ') -@@ -544,28 +819,65 @@ optional_policy(` +@@ -544,28 +815,65 @@ optional_policy(` ') optional_policy(` @@ -50329,7 +50585,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -577,6 +889,14 @@ optional_policy(` +@@ -577,6 +885,14 @@ optional_policy(` ') optional_policy(` @@ -50344,7 +50600,7 @@ index 6c01261..8cb530b 100644 xfs_stream_connect(xdm_t) ') -@@ -601,7 +921,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -601,7 +917,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -50353,7 +50609,7 @@ index 6c01261..8cb530b 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -615,8 +935,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -615,8 +931,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -50369,7 +50625,7 @@ index 6c01261..8cb530b 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -635,12 +962,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -635,12 +958,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -50391,7 +50647,7 @@ index 6c01261..8cb530b 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -648,6 +982,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -648,6 +978,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -50399,7 +50655,7 @@ index 6c01261..8cb530b 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -674,7 +1009,6 @@ dev_rw_apm_bios(xserver_t) +@@ -674,7 +1005,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -50407,7 +50663,7 @@ index 6c01261..8cb530b 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -684,11 +1018,17 @@ dev_wx_raw_memory(xserver_t) +@@ -684,11 +1014,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -50425,7 +50681,7 @@ index 6c01261..8cb530b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -699,8 +1039,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -699,8 +1035,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -50439,7 +50695,7 @@ index 6c01261..8cb530b 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -713,8 +1058,6 @@ init_getpgid(xserver_t) +@@ -713,8 +1054,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -50448,7 +50704,7 @@ index 6c01261..8cb530b 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -722,11 +1065,12 @@ logging_send_audit_msgs(xserver_t) +@@ -722,11 +1061,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -50463,7 +50719,7 @@ index 6c01261..8cb530b 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -780,16 +1124,36 @@ optional_policy(` +@@ -780,16 +1120,36 @@ optional_policy(` ') optional_policy(` @@ -50501,7 +50757,7 @@ index 6c01261..8cb530b 100644 unconfined_domtrans(xserver_t) ') -@@ -798,6 +1162,10 @@ optional_policy(` +@@ -798,6 +1158,10 @@ optional_policy(` ') optional_policy(` @@ -50512,7 +50768,7 @@ index 6c01261..8cb530b 100644 xfs_stream_connect(xserver_t) ') -@@ -813,10 +1181,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -813,10 +1177,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -50526,7 +50782,7 @@ index 6c01261..8cb530b 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -824,7 +1192,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -824,7 +1188,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -50535,7 +50791,7 @@ index 6c01261..8cb530b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -837,6 +1205,9 @@ init_use_fds(xserver_t) +@@ -837,6 +1201,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -50545,7 +50801,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -844,6 +1215,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -844,6 +1211,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -50557,7 +50813,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -852,11 +1228,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -852,11 +1224,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -50574,7 +50830,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -864,6 +1243,10 @@ optional_policy(` +@@ -864,6 +1239,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -50585,7 +50841,7 @@ index 6c01261..8cb530b 100644 ######################################## # # Rules common to all X window domains -@@ -907,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -907,7 +1286,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -50594,7 +50850,7 @@ index 6c01261..8cb530b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -961,11 +1344,31 @@ allow x_domain self:x_resource { read write }; +@@ -961,11 +1340,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -50626,7 +50882,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -987,18 +1390,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -987,18 +1386,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -52256,7 +52512,7 @@ index 354ce93..f97fbb7 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..e83c909 100644 +index cc83689..e4f13ca 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -52529,7 +52785,7 @@ index cc83689..e83c909 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -52542,7 +52798,7 @@ index cc83689..e83c909 100644 ') ######################################## -@@ -688,19 +843,24 @@ interface(`init_telinit',` +@@ -688,19 +843,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -52559,6 +52815,7 @@ index cc83689..e83c909 100644 type init_t; ') ++ ps_process_pattern($1, init_t) + allow $1 init_t:process signal; # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -52568,7 +52825,16 @@ index cc83689..e83c909 100644 ') ') -@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',` +@@ -730,7 +891,7 @@ interface(`init_rw_initctl',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -773,18 +934,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -52592,7 +52858,7 @@ index cc83689..e83c909 100644 ') ') -@@ -800,23 +961,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -52615,11 +52881,11 @@ index cc83689..e83c909 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -52632,17 +52898,13 @@ index cc83689..e83c909 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',` + ') + + ######################################## +@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -52657,7 +52919,7 @@ index cc83689..e83c909 100644 files_search_etc($1) ') -@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1268,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -52682,7 +52944,7 @@ index cc83689..e83c909 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1337,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -52696,7 +52958,7 @@ index cc83689..e83c909 100644 ') ######################################## -@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1577,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -52724,7 +52986,7 @@ index cc83689..e83c909 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1684,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -52750,7 +53012,7 @@ index cc83689..e83c909 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1761,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -52775,7 +53037,7 @@ index cc83689..e83c909 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1934,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -52784,7 +53046,7 @@ index cc83689..e83c909 100644 ') ######################################## -@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -52859,7 +53121,7 @@ index cc83689..e83c909 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -52898,7 +53160,7 @@ index cc83689..e83c909 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -53000,7 +53262,7 @@ index cc83689..e83c909 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..5429a16 100644 +index ea29513..22a5fdd 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -53126,10 +53388,13 @@ index ea29513..5429a16 100644 files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +195,13 @@ mls_file_read_all_levels(init_t) +@@ -151,10 +195,16 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) ++mls_socket_read_all_levels(init_t) ++mls_socket_write_all_levels(init_t) ++ +mls_rangetrans_source(initrc_t) selinux_set_all_booleans(init_t) @@ -53141,7 +53406,7 @@ index ea29513..5429a16 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +209,15 @@ init_domtrans_script(init_t) +@@ -162,12 +212,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -53157,7 +53422,7 @@ index ea29513..5429a16 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +228,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +231,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -53166,7 +53431,7 @@ index ea29513..5429a16 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',` +@@ -186,12 +239,119 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -53286,7 +53551,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -199,10 +356,25 @@ optional_policy(` +@@ -199,10 +359,25 @@ optional_policy(` ') optional_policy(` @@ -53312,7 +53577,7 @@ index ea29513..5429a16 100644 unconfined_domain(init_t) ') -@@ -212,7 +384,7 @@ optional_policy(` +@@ -212,7 +387,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -53321,7 +53586,7 @@ index ea29513..5429a16 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +416,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -53337,7 +53602,7 @@ index ea29513..5429a16 100644 init_write_initctl(initrc_t) -@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +436,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -53374,7 +53639,7 @@ index ea29513..5429a16 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +469,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -53382,7 +53647,7 @@ index ea29513..5429a16 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +482,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -53390,7 +53655,7 @@ index ea29513..5429a16 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +490,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -53406,7 +53671,7 @@ index ea29513..5429a16 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +508,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -53414,7 +53679,7 @@ index ea29513..5429a16 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +516,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -53426,7 +53691,7 @@ index ea29513..5429a16 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +535,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -53440,7 +53705,7 @@ index ea29513..5429a16 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +550,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -53449,7 +53714,7 @@ index ea29513..5429a16 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +564,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -53457,7 +53722,7 @@ index ea29513..5429a16 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +576,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -53465,7 +53730,7 @@ index ea29513..5429a16 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +597,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -53487,7 +53752,7 @@ index ea29513..5429a16 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +660,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -53498,7 +53763,7 @@ index ea29513..5429a16 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +681,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +684,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -53507,7 +53772,7 @@ index ea29513..5429a16 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +696,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +699,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -53515,7 +53780,7 @@ index ea29513..5429a16 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +726,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +729,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -53545,7 +53810,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -531,10 +756,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +759,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -53568,7 +53833,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -549,6 +786,39 @@ ifdef(`distro_suse',` +@@ -549,6 +789,39 @@ ifdef(`distro_suse',` ') ') @@ -53608,7 +53873,7 @@ index ea29513..5429a16 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +831,8 @@ optional_policy(` +@@ -561,6 +834,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -53617,7 +53882,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -577,6 +849,7 @@ optional_policy(` +@@ -577,6 +852,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -53625,7 +53890,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -589,6 +862,11 @@ optional_policy(` +@@ -589,6 +865,11 @@ optional_policy(` ') optional_policy(` @@ -53637,7 +53902,7 @@ index ea29513..5429a16 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +883,13 @@ optional_policy(` +@@ -605,9 +886,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -53651,7 +53916,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -649,6 +931,11 @@ optional_policy(` +@@ -649,6 +934,11 @@ optional_policy(` ') optional_policy(` @@ -53663,7 +53928,7 @@ index ea29513..5429a16 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +993,13 @@ optional_policy(` +@@ -706,7 +996,13 @@ optional_policy(` ') optional_policy(` @@ -53677,7 +53942,7 @@ index ea29513..5429a16 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1022,10 @@ optional_policy(` +@@ -729,6 +1025,10 @@ optional_policy(` ') optional_policy(` @@ -53688,7 +53953,7 @@ index ea29513..5429a16 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1035,20 @@ optional_policy(` +@@ -738,10 +1038,20 @@ optional_policy(` ') optional_policy(` @@ -53709,7 +53974,7 @@ index ea29513..5429a16 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1057,10 @@ optional_policy(` +@@ -750,6 +1060,10 @@ optional_policy(` ') optional_policy(` @@ -53720,7 +53985,7 @@ index ea29513..5429a16 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1082,6 @@ optional_policy(` +@@ -771,8 +1085,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -53729,7 +53994,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -781,14 +1090,21 @@ optional_policy(` +@@ -781,14 +1093,21 @@ optional_policy(` ') optional_policy(` @@ -53751,7 +54016,7 @@ index ea29513..5429a16 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1116,6 @@ optional_policy(` +@@ -800,7 +1119,6 @@ optional_policy(` ') optional_policy(` @@ -53759,7 +54024,7 @@ index ea29513..5429a16 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1125,24 @@ optional_policy(` +@@ -810,11 +1128,24 @@ optional_policy(` ') optional_policy(` @@ -53785,7 +54050,7 @@ index ea29513..5429a16 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1152,25 @@ optional_policy(` +@@ -824,6 +1155,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -53811,7 +54076,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -849,3 +1196,42 @@ optional_policy(` +@@ -849,3 +1199,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -55429,7 +55694,7 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..179ca63 100644 +index 9b5a9ed..869d51c 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -55529,7 +55794,7 @@ index 9b5a9ed..179ca63 100644 corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -265,10 +291,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -55539,6 +55804,7 @@ index 9b5a9ed..179ca63 100644 +logging_send_audit_msgs(audisp_remote_t) + +auth_use_nsswitch(audisp_remote_t) ++auth_append_login_records(audisp_remote_t) miscfiles_read_localization(audisp_remote_t) @@ -55549,7 +55815,7 @@ index 9b5a9ed..179ca63 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,11 +373,12 @@ optional_policy(` +@@ -338,11 +374,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -55564,7 +55830,7 @@ index 9b5a9ed..179ca63 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -360,6 +397,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -55572,7 +55838,7 @@ index 9b5a9ed..179ca63 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -369,9 +407,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -55588,7 +55854,7 @@ index 9b5a9ed..179ca63 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,8 +455,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,8 +456,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -55602,7 +55868,7 @@ index 9b5a9ed..179ca63 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -432,6 +480,7 @@ term_write_console(syslogd_t) +@@ -432,6 +481,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -55610,7 +55876,7 @@ index 9b5a9ed..179ca63 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -480,6 +529,10 @@ optional_policy(` +@@ -480,6 +530,10 @@ optional_policy(` ') optional_policy(` @@ -55621,7 +55887,7 @@ index 9b5a9ed..179ca63 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +541,10 @@ optional_policy(` +@@ -488,6 +542,10 @@ optional_policy(` ') optional_policy(` @@ -56243,7 +56509,7 @@ index 72c746e..9f9124f 100644 +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 8b5c196..6dc92dd 100644 +index 8b5c196..f66d272 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,16 @@ interface(`mount_domtrans',` @@ -56263,7 +56529,7 @@ index 8b5c196..6dc92dd 100644 ') ######################################## -@@ -45,12 +55,77 @@ interface(`mount_run',` +@@ -45,8 +55,73 @@ interface(`mount_run',` role $2 types mount_t; optional_policy(` @@ -56286,11 +56552,11 @@ index 8b5c196..6dc92dd 100644 + + optional_policy(` + samba_run_smbmount(mount_t, $2) - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. @@ -56331,17 +56597,13 @@ index 8b5c196..6dc92dd 100644 +interface(`mount_read_pid_files',` + gen_require(` + type mount_var_run_t; -+ ') + ') + + allow $1 mount_var_run_t:file read_file_perms; + files_search_pids($1) -+') -+ -+######################################## -+## - ## Execute mount in the caller domain. - ## - ## + ') + + ######################################## @@ -84,9 +159,11 @@ interface(`mount_exec',` interface(`mount_signal',` gen_require(` @@ -56445,7 +56707,7 @@ index 8b5c196..6dc92dd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -56867,17 +57129,22 @@ index 15832c7..43f0a0b 100644 + +userdom_use_inherited_user_terminals(showmount_t) diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..83c5ce7 100644 +index cbbda4a..8dcc346 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te -@@ -25,4 +25,6 @@ files_read_etc_files(netlabel_mgmt_t) +@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t) + + files_read_etc_files(netlabel_mgmt_t) ++term_use_all_inherited_terms(netlabel_mgmt_t) ++ seutil_use_newrole_fds(netlabel_mgmt_t) -userdom_use_user_terminals(netlabel_mgmt_t) +term_use_all_terms(netlabel_mgmt_t) + +userdom_use_inherited_user_terminals(netlabel_mgmt_t) ++ diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te index 4d06ae3..ebd5ed4 100644 --- a/policy/modules/system/pcmcia.te @@ -58000,7 +58267,7 @@ index 694fd94..334e80e 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..ec91ad9 100644 +index ff80d0a..95e705c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` @@ -58209,7 +58476,7 @@ index ff80d0a..ec91ad9 100644 +## +## +## -+## The domain sending the SIGCHLD. ++## Domain to not audit. +## +## +# @@ -58515,7 +58782,7 @@ index 0000000..c7476cb + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..4dfe28c +index 0000000..71398e5 --- /dev/null +++ b/policy/modules/system/systemd.if @@ -0,0 +1,246 @@ @@ -58615,7 +58882,7 @@ index 0000000..4dfe28c +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -59400,7 +59667,7 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..352e672 100644 +index 416e668..9f3c1c1 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,27 +12,34 @@ @@ -59451,7 +59718,7 @@ index 416e668..352e672 100644 + domain_mmap_low($1) + -+ mls_file_read_all_levels($1) ++ mcs_file_read_all($1) + + ubac_process_exempt($1) + @@ -60151,7 +60418,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..78f35d2 100644 +index 28b88de..d933851 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -60466,7 +60733,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62131,7 +62398,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62149,7 +62416,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62764,7 +63031,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62782,7 +63049,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62800,7 +63067,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62818,7 +63085,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62876,7 +63143,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -63092,7 +63359,7 @@ index 28b88de..78f35d2 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index df29ca1..e9e85d7 100644 +index df29ca1..54e3feb 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0) @@ -63145,7 +63412,7 @@ index df29ca1..e9e85d7 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,63 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,66 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -63204,13 +63471,16 @@ index df29ca1..e9e85d7 100644 +dontaudit unpriv_userdomain self:dir setattr; + +optional_policy(` -+ gnome_user_home_dir_filetrans(userdomain) ++ gnome_filetrans_home_content(userdomain) +') + +optional_policy(` -+ ssh_user_home_dir_filetrans(userdomain) ++ ssh_filetrans_home_content(userdomain) +') + ++optional_policy(` ++ xserver_filetrans_home_content(userdomain) ++') diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index a865da7..a5ed06e 100644 --- a/policy/modules/system/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index d15dee3..436ed55 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,14 @@ exit 0 %endif %changelog +* Tue May 3 2011 Miroslav Grepl 3.9.16-19 +- Forard port changes from F15 for telepathy +- NetworkManager should be allowed to use /dev/rfkill +- Fix dontaudit messages to say Domain to not audit +- Allow telepathy domains to read/write gnome_cache files +- Allow telepathy domains to call getpw +- Fixes for colord and vnstatd policy + * Wed Apr 27 2011 Miroslav Grepl 3.9.16-18 - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch