diff --git a/container-selinux.tgz b/container-selinux.tgz index 3861472..f1a0fe3 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ecefc64..b1dd7bd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17432,7 +17432,7 @@ index d7c11a0b3..f521a50f8 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..2aa8d9ff4 100644 +index 8416beb43..0444eacf4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -18316,7 +18316,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -1839,174 +2234,989 @@ interface(`fs_unmount_fusefs',` +@@ -1839,115 +2234,875 @@ interface(`fs_unmount_fusefs',` ## ## # @@ -18413,55 +18413,66 @@ index 8416beb43..2aa8d9ff4 100644 # -interface(`fs_dontaudit_list_fusefs',` +interface(`fs_ecryptfs_domtrans',` -+ gen_require(` + gen_require(` +- type fusefs_t; + type ecryptfs_t; -+ ') -+ + ') + +- dontaudit $1 fusefs_t:dir list_dir_perms; + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete directories +-## on a FUSEFS filesystem. +## Mount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_manage_fusefs_dirs',` +interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') -- dontaudit $1 fusefs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir manage_dir_perms; + allow $1 fusefs_t:filesystem mount; ') ######################################## ## --## Create, read, write, and delete directories +-## Do not audit attempts to create, read, +-## write, and delete directories -## on a FUSEFS filesystem. +## Unmount a FUSE filesystem. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_dirs',` +interface(`fs_unmount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:dir manage_dir_perms; + allow $1 fusefs_t:filesystem unmount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Mounton a FUSEFS filesystem. +## +## @@ -18597,6 +18608,25 @@ index 8416beb43..2aa8d9ff4 100644 + +######################################## +## ++## mmap files on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_mmap_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:file map; ++') ++ ++######################################## ++## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. +## @@ -19167,98 +19197,6 @@ index 8416beb43..2aa8d9ff4 100644 +## +## Unmount an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_iso9660_fs',` -+ gen_require(` -+ type iso9660_t; -+ ') -+ -+ allow $1 iso9660_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Get the attributes of an iso9660 -+## filesystem, which is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_getattr_iso9660_fs',` -+ gen_require(` -+ type iso9660_t; -+ ') -+ -+ allow $1 iso9660_t:filesystem getattr; -+') -+ -+######################################## -+## -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_dirs',` -+interface(`fs_getattr_iso9660_files',` - gen_require(` -- type fusefs_t; -+ type iso9660_t; - ') - -- allow $1 fusefs_t:dir manage_dir_perms; -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to create, read, --## write, and delete directories --## on a FUSEFS filesystem. -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_dirs',` -+interface(`fs_read_iso9660_files',` - gen_require(` -- type fusefs_t; -+ type iso9660_t; - ') - -- dontaudit $1 fusefs_t:dir manage_dir_perms; -+ allow $1 iso9660_t:dir list_dir_perms; -+ read_files_pattern($1, iso9660_t, iso9660_t) -+ read_lnk_files_pattern($1, iso9660_t, iso9660_t) - ') - -+ - ######################################## - ## --## Read, a FUSEFS filesystem. -+## Mount kdbus filesystems. ## ## ## @@ -19268,44 +19206,45 @@ index 8416beb43..2aa8d9ff4 100644 -## # -interface(`fs_read_fusefs_files',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_unmount_iso9660_fs',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - read_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 kdbusfs_t:filesystem mount; ++ allow $1 iso9660_t:filesystem unmount; ') ######################################## ## -## Execute files on a FUSEFS filesystem. -+## Remount kdbus filesystems. ++## Get the attributes of an iso9660 ++## filesystem, which is usually used on CDs. ## ## ## - ## Domain allowed access. - ## +@@ -1956,57 +3111,59 @@ interface(`fs_read_fusefs_files',` ## --## + ## # -interface(`fs_exec_fusefs_files',` -+interface(`fs_remount_kdbus', ` ++interface(`fs_getattr_iso9660_fs',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 kdbusfs_t:filesystem remount; ++ allow $1 iso9660_t:filesystem getattr; ') ######################################## ## -## Create, read, write, and delete files -## on a FUSEFS filesystem. -+## Unmount kdbus filesystems. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. ## ## ## @@ -19315,14 +19254,15 @@ index 8416beb43..2aa8d9ff4 100644 -## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_unmount_kdbus', ` ++interface(`fs_getattr_iso9660_files',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 kdbusfs_t:filesystem unmount; ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; ') ######################################## @@ -19330,7 +19270,8 @@ index 8416beb43..2aa8d9ff4 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Get attributes of kdbus filesystems. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. ## ## ## @@ -19340,154 +19281,130 @@ index 8416beb43..2aa8d9ff4 100644 ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_read_iso9660_files',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ allow $1 iso9660_t:dir list_dir_perms; ++ read_files_pattern($1, iso9660_t, iso9660_t) ++ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ') ++ ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Search kdbusfs directories. ++## Mount kdbus filesystems. ## ## ## -@@ -2014,19 +3224,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +3171,17 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_search_kdbus_dirs',` ++interface(`fs_mount_kdbus', ` gen_require(` - type fusefs_t; + type kdbusfs_t; -+ ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 kdbusfs_t:filesystem mount; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Relabel kdbusfs directories. ++## Remount kdbus filesystems. ## ## ## -@@ -2034,17 +3245,18 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2034,17 +3189,17 @@ interface(`fs_read_fusefs_symlinks',` ## ## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_relabel_kdbus_dirs',` ++interface(`fs_remount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; -+ ') - allow $1 hugetlbfs_t:filesystem getattr; -+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## -## List hugetlbfs. -+## List kdbusfs directories. ++## Unmount kdbus filesystems. ## ## ## -@@ -2052,17 +3264,38 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +3207,17 @@ interface(`fs_getattr_hugetlbfs',` ## ## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_list_kdbus_dirs',` ++interface(`fs_unmount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+####################################### -+## -+## Do not audit attempts to search kdbusfs directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_search_kdbus_dirs', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:dir search_dir_perms; -+ dev_dontaudit_search_sysfs($1) ++ allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## -## Manage hugetlbfs dirs. -+## Delete kdbusfs directories. ++## Get attributes of kdbus filesystems. ## ## ## -@@ -2070,17 +3303,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +3225,17 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_getattr_kdbus',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## -## Read and write hugetlbfs files. -+## Manage kdbusfs directories. ++## Search kdbusfs directories. ## ## ## -@@ -2088,35 +3323,41 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +3243,39 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type hugetlbfs_t; -- ') + type kdbusfs_t; ++ + ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -19495,7 +19412,7 @@ index 8416beb43..2aa8d9ff4 100644 ######################################## ## -## Allow the type to associate to hugetlbfs filesystems. -+## Read kdbusfs files. ++## Relabel kdbusfs directories. ## -## +## @@ -19506,7 +19423,7 @@ index 8416beb43..2aa8d9ff4 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_relabel_kdbus_dirs',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; @@ -19514,91 +19431,92 @@ index 8416beb43..2aa8d9ff4 100644 ') - allow $1 hugetlbfs_t:filesystem associate; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ') ######################################## ## -## Search inotifyfs filesystem. -+## Write kdbusfs files. ++## List kdbusfs directories. ## ## ## -@@ -2124,17 +3365,19 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,89 +3283,78 @@ interface(`fs_associate_hugetlbfs',` ## ## # -interface(`fs_search_inotifyfs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_list_kdbus_dirs',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') - ######################################## +-######################################## ++####################################### ## -## List inotifyfs filesystem. -+## Read and write kdbusfs files. ++## Do not audit attempts to search kdbusfs directories. ## ## - ## -@@ -2142,17 +3385,23 @@ interface(`fs_search_inotifyfs',` - ## +-## +-## Domain allowed access. +-## ++## ++## Domain to not audit. ++## ## # -interface(`fs_list_inotifyfs',` -+interface(`fs_rw_kdbus_files',` - gen_require(` +- gen_require(` - type inotifyfs_t; -+ type kdbusfs_t; -+ - ') +- ') ++interface(`fs_dontaudit_search_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. ++## Delete kdbusfs directories. ## ## ## -@@ -2160,53 +3409,39 @@ interface(`fs_list_inotifyfs',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_dontaudit_rw_kdbus_files',` ++interface(`fs_delete_kdbus_dirs', ` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 kdbusfs_t:file rw_file_perms; ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Manage kdbusfs files. ++## Manage kdbusfs directories. ## ## ## @@ -19622,17 +19540,16 @@ index 8416beb43..2aa8d9ff4 100644 -## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_manage_kdbus_files',` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; -+ - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -19641,394 +19558,284 @@ index 8416beb43..2aa8d9ff4 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Mount on kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3449,18 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3362,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_mounton_kdbus', ` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem mount; -+ allow $1 kdbusfs_t:dir mounton; ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') -+ ######################################## ## -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Mount a NFS filesystem. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3468,18 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3384,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_mount_nfs',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ allow $1 nfs_t:filesystem mount; ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Remount a NFS filesystem. This allows -+## some mount options to be changed. ++## Read and write kdbusfs files. ## ## ## -@@ -2253,58 +3487,54 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3404,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_remount_nfs',` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ allow $1 nfs_t:filesystem remount; ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Unmount a NFS filesystem. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_unmount_nfs',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem getattr; -+ allow $1 nfs_t:filesystem unmount; ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Get the attributes of a NFS filesystem. ++## Manage kdbusfs files. ## ## ## - ## Domain allowed access. +@@ -2292,19 +3446,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## -+## # -interface(`fs_getattr_iso9660_files',` -+interface(`fs_getattr_nfs',` ++interface(`fs_manage_kdbus_files',` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ++ ') - allow $1 iso9660_t:dir list_dir_perms; - allow $1 iso9660_t:file getattr; -+ allow $1 nfs_t:filesystem getattr; ++ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Set the attributes of nfs directories. ++## Mount on kdbusfs directories. ## ## ## -@@ -2312,19 +3542,17 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3468,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # -interface(`fs_read_iso9660_files',` -+interface(`fs_setattr_nfs_dirs',` ++interface(`fs_mounton_kdbus', ` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ') - allow $1 iso9660_t:dir list_dir_perms; - read_files_pattern($1, iso9660_t, iso9660_t) - read_lnk_files_pattern($1, iso9660_t, iso9660_t) -+ allow $1 nfs_t:dir setattr; - ') - - ######################################## - ## --## Mount a NFS filesystem. -+## Search directories on a NFS filesystem. - ## - ## - ## -@@ -2332,18 +3560,17 @@ interface(`fs_read_iso9660_files',` - ## - ## - # --interface(`fs_mount_nfs',` -+interface(`fs_search_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem mount; -+ allow $1 nfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Remount a NFS filesystem. This allows --## some mount options to be changed. -+## List NFS filesystem. - ## - ## - ## -@@ -2351,240 +3578,243 @@ interface(`fs_mount_nfs',` - ## - ## - # --interface(`fs_remount_nfs',` -+interface(`fs_list_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem remount; -+ allow $1 nfs_t:dir list_dir_perms; ++ allow $1 kdbusfs_t:dir mounton; ') ++ ######################################## ## --## Unmount a NFS filesystem. -+## Do not audit attempts to list the contents -+## of directories on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`fs_unmount_nfs',` -+interface(`fs_dontaudit_list_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem unmount; -+ dontaudit $1 nfs_t:dir list_dir_perms; - ') + ## Mount a NFS filesystem. +@@ -2398,6 +3553,24 @@ interface(`fs_getattr_nfs',` ######################################## ## --## Get the attributes of a NFS filesystem. -+## Mounton a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_getattr_nfs',` -+interface(`fs_mounton_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem getattr; -+ allow $1 nfs_t:dir mounton; - ') - - ######################################## - ## --## Search directories on a NFS filesystem. -+## Read files on a NFS filesystem. ++## Set the attributes of nfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_nfs_dirs',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:dir setattr; ++') ++ ++######################################## ++## + ## Search directories on a NFS filesystem. ## ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_search_nfs',` -+interface(`fs_read_nfs_files',` - gen_require(` +@@ -2485,6 +3658,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') -- allow $1 nfs_t:dir search_dir_perms; + fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ read_files_pattern($1, nfs_t, nfs_t) + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) ') - - ######################################## - ## --## List NFS filesystem. -+## Do not audit attempts to read -+## files on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. +@@ -2518,73 +3692,148 @@ interface(`fs_dontaudit_read_nfs_files',` ## ## # --interface(`fs_list_nfs',` -+interface(`fs_dontaudit_read_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -+ dontaudit $1 nfs_t:file read_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to list the contents --## of directories on a NFS filesystem. -+## Read files on a NFS filesystem. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_list_nfs',` +-interface(`fs_write_nfs_files',` +interface(`fs_write_nfs_files',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:dir list_dir_perms; ++ gen_require(` ++ type nfs_t; ++ ') ++ + fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Mounton a NFS filesystem. ++') ++ ++######################################## ++## +## Execute files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_mounton_nfs',` ++# +interface(`fs_exec_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir mounton; ++ gen_require(` ++ type nfs_t; ++ ') ++ + allow $1 nfs_t:dir list_dir_perms; + exec_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Read files on a NFS filesystem. ++') ++ ++######################################## ++## +## Make general progams in nfs an entrypoint for +## the specified domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## The domain for which nfs_t is an entrypoint. - ## - ## --## - # --interface(`fs_read_nfs_files',` ++## ++## ++# +interface(`fs_nfs_entry_type',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- read_files_pattern($1, nfs_t, nfs_t) ++ gen_require(` ++ type nfs_t; ++ ') ++ + domain_entry_file($1, nfs_t) - ') - - ######################################## - ## --## Do not audit attempts to read --## files on a NFS filesystem. ++') ++ ++######################################## ++## +## Make general progams in NFS an entrypoint for +## the specified domain. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## The domain for which nfs_t is an entrypoint. - ## - ## - # --interface(`fs_dontaudit_read_nfs_files',` ++## ++## ++# +interface(`fs_nfs_entrypoint',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:file read_file_perms; ++ gen_require(` ++ type nfs_t; ++ ') ++ + allow $1 nfs_t:file entrypoint; - ') - - ######################################## - ## --## Read files on a NFS filesystem. ++') ++ ++######################################## ++## +## Append files +## on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_write_nfs_files',` ++# +interface(`fs_append_nfs_files',` gen_require(` type nfs_t; @@ -20112,7 +19919,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -2603,7 +3833,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3852,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -20121,7 +19928,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -2627,7 +3857,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3876,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -20130,7 +19937,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -2719,6 +3949,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3968,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -20196,7 +20003,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +4030,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +4049,7 @@ interface(`fs_search_removable',` ## ## ## @@ -20205,7 +20012,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## # -@@ -2777,7 +4066,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +4085,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -20214,7 +20021,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## # -@@ -2970,6 +4259,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4278,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -20222,7 +20029,7 @@ index 8416beb43..2aa8d9ff4 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4300,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,11 +4319,31 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -20230,7 +20037,31 @@ index 8416beb43..2aa8d9ff4 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4341,7 @@ interface(`fs_manage_nfs_symlinks',` + ######################################## + ## ++## mmap files on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_mmap_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file map; ++') ++ ++######################################## ++## + ## Do not audit attempts to create, + ## read, write, and delete files + ## on a NFS filesystem. +@@ -3050,6 +4379,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -20238,7 +20069,7 @@ index 8416beb43..2aa8d9ff4 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4429,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4467,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -20263,7 +20094,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4549,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4587,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` @@ -20465,7 +20296,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3255,35 +4748,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4786,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20510,7 +20341,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3291,12 +4784,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4822,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # @@ -20526,7 +20357,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -3392,7 +4885,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4923,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20535,7 +20366,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3429,7 +4922,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4960,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20544,7 +20375,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3447,7 +4940,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4978,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20553,7 +20384,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3779,6 +5272,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5310,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20578,7 +20409,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5326,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5364,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20603,7 +20434,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5437,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5475,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20612,7 +20443,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3916,17 +5445,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5483,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20633,7 +20464,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3934,17 +5463,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5501,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20654,7 +20485,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3952,17 +5481,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5519,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20694,7 +20525,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3970,31 +5518,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5556,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20750,7 +20581,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -4057,23 +5622,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5660,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20927,7 +20758,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4081,18 +5793,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5831,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20950,7 +20781,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4100,54 +5812,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5850,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -21017,7 +20848,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4155,17 +5866,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5904,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -21039,7 +20870,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4173,17 +5885,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5923,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -21061,7 +20892,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4191,37 +5904,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5942,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -21107,7 +20938,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4229,18 +5941,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5979,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -21129,7 +20960,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4248,18 +5960,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5998,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -21153,7 +20984,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4267,32 +5980,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +6018,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -21192,7 +21023,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -4407,6 +6119,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6157,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21218,7 +21049,7 @@ index 8416beb43..2aa8d9ff4 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6234,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6272,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21227,7 +21058,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -4549,7 +6282,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6320,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21236,7 +21067,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6367,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21263,7 +21094,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6462,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21289,7 +21120,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6722,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -36205,7 +36036,7 @@ index e4376aa98..2c98c5647 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea19..8c64a7e19 100644 +index f6743ea19..743d661ec 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -36246,8 +36077,8 @@ index f6743ea19..8c64a7e19 100644 term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) -+term_setattr_usb_ttys(getty_t) +term_use_console(getty_t) ++term_use_usb_ttys(getty_t) auth_rw_login_records(getty_t) +auth_use_nsswitch(getty_t) @@ -38371,7 +38202,7 @@ index 79a45f62e..0244681f0 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..09d9144cb 100644 +index 17eda2480..fecc37500 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38583,7 +38414,7 @@ index 17eda2480..09d9144cb 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +243,103 @@ domain_signal_all_domains(init_t) +@@ -139,45 +243,105 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -38613,6 +38444,8 @@ index 17eda2480..09d9144cb 100644 files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +files_dontaudit_mounton_modules_object(init_t) ++files_manage_mnt_dirs(init_t) ++files_manage_mnt_files(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log @@ -38680,12 +38513,12 @@ index 17eda2480..09d9144cb 100644 +miscfiles_filetrans_named_content(init_t) + +udev_manage_rules_files(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) @@ -38694,7 +38527,7 @@ index 17eda2480..09d9144cb 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +348,295 @@ ifdef(`distro_gentoo',` +@@ -186,29 +350,303 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38788,9 +38621,14 @@ index 17eda2480..09d9144cb 100644 + postfix_list_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) ++ raid_relabel_mdadm_var_run_content(init_t) + ') + + optional_policy(` + systemd_allow_mount_dir(init_t) +') + @@ -38953,14 +38791,13 @@ index 17eda2480..09d9144cb 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + lldpad_relabel_tmpfs(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -38983,23 +38820,27 @@ index 17eda2480..09d9144cb 100644 +') + +optional_policy(` -+ networkmanager_stream_connect(init_t) -+ networkmanager_stream_connect(initrc_t) ++ mount_rw_pid_files(init_t) +') + +optional_policy(` -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) -+ plymouthd_filetrans_named_content(init_t) ++ networkmanager_stream_connect(init_t) ++ networkmanager_stream_connect(initrc_t) ') optional_policy(` - nscd_use(init_t) ++ plymouthd_stream_connect(init_t) ++ plymouthd_exec_plymouth(init_t) ++ plymouthd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +644,35 @@ optional_policy(` +@@ -216,7 +654,35 @@ optional_policy(` ') optional_policy(` @@ -39036,7 +38877,7 @@ index 17eda2480..09d9144cb 100644 ') ######################################## -@@ -225,9 +681,9 @@ optional_policy(` +@@ -225,9 +691,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -39048,7 +38889,7 @@ index 17eda2480..09d9144cb 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +714,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +724,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -39065,7 +38906,7 @@ index 17eda2480..09d9144cb 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +739,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +749,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -39108,7 +38949,7 @@ index 17eda2480..09d9144cb 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +776,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +786,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -39120,7 +38961,7 @@ index 17eda2480..09d9144cb 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +788,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +798,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -39131,7 +38972,7 @@ index 17eda2480..09d9144cb 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +799,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +809,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -39141,7 +38982,7 @@ index 17eda2480..09d9144cb 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +808,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +818,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -39149,7 +38990,7 @@ index 17eda2480..09d9144cb 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +815,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +825,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -39157,7 +38998,7 @@ index 17eda2480..09d9144cb 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +823,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +833,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -39175,7 +39016,7 @@ index 17eda2480..09d9144cb 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +841,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +851,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -39189,7 +39030,7 @@ index 17eda2480..09d9144cb 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +856,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +866,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -39203,7 +39044,7 @@ index 17eda2480..09d9144cb 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +869,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +879,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -39214,7 +39055,7 @@ index 17eda2480..09d9144cb 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +882,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +892,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -39222,7 +39063,7 @@ index 17eda2480..09d9144cb 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +901,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +911,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -39246,7 +39087,7 @@ index 17eda2480..09d9144cb 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +934,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +944,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -39254,7 +39095,7 @@ index 17eda2480..09d9144cb 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +968,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +978,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -39265,7 +39106,7 @@ index 17eda2480..09d9144cb 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +992,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +1002,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -39274,7 +39115,7 @@ index 17eda2480..09d9144cb 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +1007,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1017,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -39282,7 +39123,7 @@ index 17eda2480..09d9144cb 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1028,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1038,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -39290,7 +39131,7 @@ index 17eda2480..09d9144cb 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1038,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1048,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -39335,7 +39176,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -559,14 +1083,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1093,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -39367,7 +39208,7 @@ index 17eda2480..09d9144cb 100644 ') ') -@@ -577,6 +1118,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1128,39 @@ ifdef(`distro_suse',` ') ') @@ -39407,7 +39248,7 @@ index 17eda2480..09d9144cb 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1163,8 @@ optional_policy(` +@@ -589,6 +1173,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39416,7 +39257,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -610,6 +1186,7 @@ optional_policy(` +@@ -610,6 +1196,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39424,7 +39265,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -626,6 +1203,17 @@ optional_policy(` +@@ -626,6 +1213,17 @@ optional_policy(` ') optional_policy(` @@ -39442,7 +39283,7 @@ index 17eda2480..09d9144cb 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1230,13 @@ optional_policy(` +@@ -642,9 +1240,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39456,7 +39297,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -657,15 +1249,11 @@ optional_policy(` +@@ -657,15 +1259,11 @@ optional_policy(` ') optional_policy(` @@ -39474,7 +39315,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -686,6 +1274,15 @@ optional_policy(` +@@ -686,6 +1284,15 @@ optional_policy(` ') optional_policy(` @@ -39490,7 +39331,7 @@ index 17eda2480..09d9144cb 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1323,7 @@ optional_policy(` +@@ -726,6 +1333,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -39498,7 +39339,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -743,7 +1341,13 @@ optional_policy(` +@@ -743,7 +1351,13 @@ optional_policy(` ') optional_policy(` @@ -39513,7 +39354,7 @@ index 17eda2480..09d9144cb 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1370,10 @@ optional_policy(` +@@ -766,6 +1380,10 @@ optional_policy(` ') optional_policy(` @@ -39524,7 +39365,7 @@ index 17eda2480..09d9144cb 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1383,20 @@ optional_policy(` +@@ -775,10 +1393,20 @@ optional_policy(` ') optional_policy(` @@ -39545,7 +39386,7 @@ index 17eda2480..09d9144cb 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1405,10 @@ optional_policy(` +@@ -787,6 +1415,10 @@ optional_policy(` ') optional_policy(` @@ -39556,7 +39397,7 @@ index 17eda2480..09d9144cb 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1430,6 @@ optional_policy(` +@@ -808,8 +1440,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39565,7 +39406,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -818,6 +1438,10 @@ optional_policy(` +@@ -818,6 +1448,10 @@ optional_policy(` ') optional_policy(` @@ -39576,7 +39417,7 @@ index 17eda2480..09d9144cb 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1451,12 @@ optional_policy(` +@@ -827,10 +1461,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39589,7 +39430,7 @@ index 17eda2480..09d9144cb 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1483,62 @@ optional_policy(` +@@ -857,21 +1493,62 @@ optional_policy(` ') optional_policy(` @@ -39653,7 +39494,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -887,6 +1554,10 @@ optional_policy(` +@@ -887,6 +1564,10 @@ optional_policy(` ') optional_policy(` @@ -39664,7 +39505,7 @@ index 17eda2480..09d9144cb 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1568,218 @@ optional_policy(` +@@ -897,3 +1578,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40188,7 +40029,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..27a5d0650 100644 +index 312cd0417..07a92cc93 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -40201,7 +40042,7 @@ index 312cd0417..27a5d0650 100644 type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -@@ -67,29 +70,43 @@ type setkey_exec_t; +@@ -67,29 +70,44 @@ type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; @@ -40244,13 +40085,14 @@ index 312cd0417..27a5d0650 100644 -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) ++allow ipsec_t ipsec_key_file_t:file map; + +manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) +@@ -101,6 +119,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) @@ -40258,7 +40100,7 @@ index 312cd0417..27a5d0650 100644 # pluto runs an updown script (by calling popen()!) as this is by default # a shell script, we need to find a way to make things work without -@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -110,10 +129,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -40271,7 +40113,7 @@ index 312cd0417..27a5d0650 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +147,24 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -40303,7 +40145,7 @@ index 312cd0417..27a5d0650 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +180,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -40338,7 +40180,7 @@ index 312cd0417..27a5d0650 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +214,30 @@ optional_policy(` +@@ -182,19 +215,30 @@ optional_policy(` udev_read_db(ipsec_t) ') @@ -40373,7 +40215,7 @@ index 312cd0417..27a5d0650 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +252,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -40389,7 +40231,7 @@ index 312cd0417..27a5d0650 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +292,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -40406,7 +40248,7 @@ index 312cd0417..27a5d0650 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +311,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -40415,7 +40257,7 @@ index 312cd0417..27a5d0650 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +327,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -40423,7 +40265,7 @@ index 312cd0417..27a5d0650 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +337,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -40435,7 +40277,7 @@ index 312cd0417..27a5d0650 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +348,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -40469,7 +40311,7 @@ index 312cd0417..27a5d0650 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +392,10 @@ optional_policy(` +@@ -322,6 +393,10 @@ optional_policy(` ') optional_policy(` @@ -40480,7 +40322,7 @@ index 312cd0417..27a5d0650 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +409,7 @@ optional_policy(` +@@ -335,7 +410,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -40489,7 +40331,7 @@ index 312cd0417..27a5d0650 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +445,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -40509,7 +40351,7 @@ index 312cd0417..27a5d0650 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +475,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -40522,7 +40364,7 @@ index 312cd0417..27a5d0650 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +512,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -42680,7 +42522,7 @@ index 4e9488463..2db173f77 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..6ae1e2663 100644 +index 59b04c1a2..e9545b961 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -42974,7 +42816,7 @@ index 59b04c1a2..6ae1e2663 100644 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) -@@ -389,30 +457,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +457,49 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -42984,6 +42826,7 @@ index 59b04c1a2..6ae1e2663 100644 + +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) ++allow syslogd_t syslogd_var_lib_t:file map; files_search_var_lib(syslogd_t) -# manage pid file @@ -43026,7 +42869,7 @@ index 59b04c1a2..6ae1e2663 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +508,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +509,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -43035,7 +42878,7 @@ index 59b04c1a2..6ae1e2663 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +520,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +521,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -43069,7 +42912,7 @@ index 59b04c1a2..6ae1e2663 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +559,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +560,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -43087,7 +42930,7 @@ index 59b04c1a2..6ae1e2663 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +581,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +582,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -43103,7 +42946,7 @@ index 59b04c1a2..6ae1e2663 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +613,7 @@ optional_policy(` +@@ -497,6 +614,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -43111,7 +42954,7 @@ index 59b04c1a2..6ae1e2663 100644 ') optional_policy(` -@@ -507,15 +624,44 @@ optional_policy(` +@@ -507,15 +625,44 @@ optional_policy(` ') optional_policy(` @@ -43156,7 +42999,7 @@ index 59b04c1a2..6ae1e2663 100644 ') optional_policy(` -@@ -526,3 +672,29 @@ optional_policy(` +@@ -526,3 +673,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -48771,10 +48614,10 @@ index 000000000..121b42208 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 000000000..5871e072d +index 000000000..dc06d3b3f --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1880 @@ +@@ -0,0 +1,1898 @@ +## SELinux policy for systemd components + +###################################### @@ -49377,6 +49220,24 @@ index 000000000..5871e072d + +######################################## +## ++## Execute a domain transition to run systemd_rfkill. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_rfkill_domtrans',` ++ gen_require(` ++ type systemd_rfkill_t, systemd_rfkill_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t) ++') ++ ++######################################## ++## +## Execute a domain transition to run systemd_notify. +## +## @@ -50657,10 +50518,10 @@ index 000000000..5871e072d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..bb880db4a +index 000000000..598ce3fca --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1040 @@ +@@ -0,0 +1,1041 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50708,6 +50569,7 @@ index 000000000..bb880db4a +systemd_unit_file(systemd_hwdb_unit_file_t) + +systemd_domain_template(systemd_networkd) ++init_nnp_daemon_domain(systemd_networkd_t) + +type systemd_networkd_unit_file_t; +systemd_unit_file(systemd_networkd_unit_file_t) @@ -58290,7 +58152,7 @@ index 9dc60c6c0..562afbe9a 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38dc7..e4733e828 100644 +index f4ac38dc7..f3819687f 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -58379,7 +58241,7 @@ index f4ac38dc7..e4733e828 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,397 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -58521,6 +58383,7 @@ index f4ac38dc7..e4733e828 100644 + fs_manage_nfs_dirs(userdom_home_manager_type) + fs_manage_nfs_files(userdom_home_manager_type) + fs_manage_nfs_symlinks(userdom_home_manager_type) ++ fs_mmap_nfs_files(userdom_home_manager_type) +') + +tunable_policy(`use_samba_home_dirs',` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b4a2b26..de01743 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..4a8367de4 100644 +index eb50f070f..c23bb4b86 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -806,7 +806,7 @@ index eb50f070f..4a8367de4 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +199,46 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -826,6 +826,7 @@ index eb50f070f..4a8367de4 100644 fs_getattr_all_dirs(abrt_t) -fs_list_inotifyfs(abrt_t) fs_read_fusefs_files(abrt_t) ++fs_mmap_fusefs_files(abrt_t) fs_read_noxattr_fs_files(abrt_t) fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) @@ -836,6 +837,7 @@ index eb50f070f..4a8367de4 100644 +storage_dontaudit_read_fixed_disk(abrt_t) logging_read_generic_logs(abrt_t) ++logging_mmap_journal(abrt_t) +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) @@ -854,7 +856,7 @@ index eb50f070f..4a8367de4 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +246,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -871,7 +873,7 @@ index eb50f070f..4a8367de4 100644 ') optional_policy(` -@@ -222,6 +256,37 @@ optional_policy(` +@@ -222,6 +258,37 @@ optional_policy(` ') optional_policy(` @@ -909,7 +911,7 @@ index eb50f070f..4a8367de4 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,18 +299,25 @@ optional_policy(` +@@ -234,18 +301,25 @@ optional_policy(` ') optional_policy(` @@ -938,7 +940,7 @@ index eb50f070f..4a8367de4 100644 optional_policy(` sosreport_domtrans(abrt_t) -@@ -253,9 +325,21 @@ optional_policy(` +@@ -253,9 +327,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -961,7 +963,7 @@ index eb50f070f..4a8367de4 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +352,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -976,7 +978,7 @@ index eb50f070f..4a8367de4 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +371,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -984,7 +986,7 @@ index eb50f070f..4a8367de4 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +380,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -1005,7 +1007,7 @@ index eb50f070f..4a8367de4 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +401,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1032,7 +1034,7 @@ index eb50f070f..4a8367de4 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +437,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1046,7 +1048,7 @@ index eb50f070f..4a8367de4 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +453,11 @@ optional_policy(` +@@ -343,10 +455,11 @@ optional_policy(` ####################################### # @@ -1060,7 +1062,7 @@ index eb50f070f..4a8367de4 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +476,90 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +478,90 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1155,7 +1157,7 @@ index eb50f070f..4a8367de4 100644 ####################################### # -@@ -404,25 +567,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +569,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1218,7 +1220,7 @@ index eb50f070f..4a8367de4 100644 ') ####################################### -@@ -430,10 +628,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +630,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3300,10 +3302,10 @@ index 000000000..36251b926 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 000000000..28cdddda9 +index 000000000..547ee89dd --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,274 @@ +@@ -0,0 +1,275 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3333,6 +3335,7 @@ index 000000000..28cdddda9 +typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ; +typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t }; +init_daemon_domain(antivirus_t, antivirus_exec_t) ++init_nnp_daemon_domain(antivirus_t) + +type antivirus_initrc_exec_t; +typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t }; @@ -5631,7 +5634,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..0a7b49bbb 100644 +index 6649962b6..b7ac74501 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -7890,7 +7893,7 @@ index 6649962b6..0a7b49bbb 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1681,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7989,6 +7992,7 @@ index 6649962b6..0a7b49bbb 100644 +') + +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++allow httpd_t httpd_content_type:file map; + +tunable_policy(`httpd_builtin_scripting',` + allow httpd_t httpd_content_type:dir search_dir_perms; @@ -21744,7 +21748,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..0ea3e3d6a 100644 +index c91813ccb..dd52ab6ad 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -22021,7 +22025,7 @@ index c91813ccb..0ea3e3d6a 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,23 +289,31 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,23 +289,33 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -22038,7 +22042,8 @@ index c91813ccb..0ea3e3d6a 100644 -miscfiles_read_localization(cupsd_t) -miscfiles_read_fonts(cupsd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_t) -- ++miscfiles_legacy_read_localization(cupsd_t) + seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) @@ -22058,7 +22063,7 @@ index c91813ccb..0ea3e3d6a 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -272,6 +325,8 @@ optional_policy(` +@@ -272,6 +327,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -22067,7 +22072,7 @@ index c91813ccb..0ea3e3d6a 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +334,17 @@ optional_policy(` +@@ -279,11 +336,17 @@ optional_policy(` ') optional_policy(` @@ -22085,7 +22090,7 @@ index c91813ccb..0ea3e3d6a 100644 ') ') -@@ -296,8 +357,8 @@ optional_policy(` +@@ -296,8 +359,8 @@ optional_policy(` ') optional_policy(` @@ -22095,7 +22100,7 @@ index c91813ccb..0ea3e3d6a 100644 ') optional_policy(` -@@ -306,7 +367,6 @@ optional_policy(` +@@ -306,7 +369,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -22103,7 +22108,7 @@ index c91813ccb..0ea3e3d6a 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +376,10 @@ optional_policy(` +@@ -316,6 +378,10 @@ optional_policy(` ') optional_policy(` @@ -22114,7 +22119,7 @@ index c91813ccb..0ea3e3d6a 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -326,7 +390,7 @@ optional_policy(` +@@ -326,7 +392,7 @@ optional_policy(` ') optional_policy(` @@ -22123,7 +22128,7 @@ index c91813ccb..0ea3e3d6a 100644 ') optional_policy(` -@@ -334,7 +398,11 @@ optional_policy(` +@@ -334,7 +400,11 @@ optional_policy(` ') optional_policy(` @@ -22136,7 +22141,7 @@ index c91813ccb..0ea3e3d6a 100644 ') ######################################## -@@ -342,12 +410,11 @@ optional_policy(` +@@ -342,12 +412,11 @@ optional_policy(` # Configuration daemon local policy # @@ -22152,7 +22157,7 @@ index c91813ccb..0ea3e3d6a 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -367,23 +434,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -367,23 +436,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -22180,7 +22185,7 @@ index c91813ccb..0ea3e3d6a 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +459,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +461,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -22201,7 +22206,7 @@ index c91813ccb..0ea3e3d6a 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,17 +476,16 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,17 +478,16 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -22223,7 +22228,7 @@ index c91813ccb..0ea3e3d6a 100644 optional_policy(` term_use_generic_ptys(cupsd_config_t) ') -@@ -449,9 +507,12 @@ optional_policy(` +@@ -449,9 +509,12 @@ optional_policy(` ') optional_policy(` @@ -22237,7 +22242,7 @@ index c91813ccb..0ea3e3d6a 100644 ') optional_policy(` -@@ -467,6 +528,10 @@ optional_policy(` +@@ -467,6 +530,10 @@ optional_policy(` ') optional_policy(` @@ -22248,7 +22253,7 @@ index c91813ccb..0ea3e3d6a 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +552,6 @@ optional_policy(` +@@ -487,10 +554,6 @@ optional_policy(` # Lpd local policy # @@ -22259,7 +22264,7 @@ index c91813ccb..0ea3e3d6a 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +569,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +571,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -22277,7 +22282,7 @@ index c91813ccb..0ea3e3d6a 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +598,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +600,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -22287,7 +22292,7 @@ index c91813ccb..0ea3e3d6a 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,9 +607,9 @@ optional_policy(` +@@ -549,9 +609,9 @@ optional_policy(` # Pdf local policy # @@ -22299,7 +22304,7 @@ index c91813ccb..0ea3e3d6a 100644 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +624,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +626,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -22328,11 +22333,13 @@ index c91813ccb..0ea3e3d6a 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - lpd_manage_spool(cups_pdf_t) --') -- ++ gnome_read_config(cups_pdf_t) + ') + -######################################## -# -# HPLIP local policy @@ -22434,13 +22441,11 @@ index c91813ccb..0ea3e3d6a 100644 - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - seutil_sigchld_newrole(hplip_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') @@ -22451,7 +22456,7 @@ index c91813ccb..0ea3e3d6a 100644 ######################################## # -@@ -735,7 +668,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +670,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -22459,7 +22464,7 @@ index c91813ccb..0ea3e3d6a 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +677,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +679,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -22473,7 +22478,7 @@ index c91813ccb..0ea3e3d6a 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +689,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +691,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -22482,7 +22487,7 @@ index c91813ccb..0ea3e3d6a 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +701,4 @@ optional_policy(` +@@ -773,3 +703,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -27568,7 +27573,7 @@ index d5badb755..c2431fc73 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e66..958d6c8df 100644 +index 0aabc7e66..6786b1a40 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -27760,7 +27765,7 @@ index 0aabc7e66..958d6c8df 100644 init_getattr_utmp(dovecot_t) -@@ -171,45 +170,44 @@ auth_use_nsswitch(dovecot_t) +@@ -171,45 +170,45 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) @@ -27788,6 +27793,7 @@ index 0aabc7e66..958d6c8df 100644 - fs_manage_cifs_symlinks(dovecot_t) +optional_policy(` + mta_manage_home_rw(dovecot_t) ++ mta_mmap_home_rw(dovecot_t) + mta_manage_spool(dovecot_t) ') @@ -27824,7 +27830,7 @@ index 0aabc7e66..958d6c8df 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,49 +225,73 @@ optional_policy(` +@@ -227,49 +226,73 @@ optional_policy(` ######################################## # @@ -27908,7 +27914,7 @@ index 0aabc7e66..958d6c8df 100644 ') optional_policy(` -@@ -277,53 +299,79 @@ optional_policy(` +@@ -277,53 +300,79 @@ optional_policy(` ') optional_policy(` @@ -28007,7 +28013,7 @@ index 0aabc7e66..958d6c8df 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +380,6 @@ optional_policy(` +@@ -332,5 +381,6 @@ optional_policy(` ') optional_policy(` @@ -41535,7 +41541,7 @@ index 1a354203e..8101022be 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020faa9..58233a218 100644 +index ca020faa9..4afdcc8f9 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -41572,7 +41578,7 @@ index ca020faa9..58233a218 100644 allow iscsid_t self:netlink_socket create_socket_perms; allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; allow iscsid_t self:netlink_route_socket nlmsg_write; -@@ -55,20 +58,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +@@ -55,20 +58,23 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) @@ -41595,12 +41601,13 @@ index ca020faa9..58233a218 100644 kernel_read_system_state(iscsid_t) -kernel_setsched(iscsid_t) +kernel_dontaudit_setsched(iscsid_t) ++kernel_request_load_module(iscsid_t) -corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,22 +91,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -50510,10 +50517,10 @@ index 327f3f726..d6ae4eab6 100644 + ') ') diff --git a/mandb.te b/mandb.te -index e6136fd37..56fa2cfc1 100644 +index e6136fd37..afaa79b11 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,19 +10,40 @@ roleattribute system_r mandb_roles; +@@ -10,22 +10,46 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -50546,6 +50553,7 @@ index e6136fd37..56fa2cfc1 100644 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) +can_exec(mandb_t, mandb_exec_t) ++allow mandb_t mandb_cache_t:file map; + +userdom_search_user_home_dirs(mandb_t) +allow mandb_t mandb_home_t:file read_file_perms; @@ -50556,7 +50564,12 @@ index e6136fd37..56fa2cfc1 100644 kernel_read_kernel_sysctls(mandb_t) kernel_read_system_state(mandb_t) -@@ -33,11 +54,14 @@ dev_search_sysfs(mandb_t) ++auth_read_passwd(mandb_t) ++ + corecmd_exec_bin(mandb_t) + corecmd_exec_shell(mandb_t) + +@@ -33,11 +57,14 @@ dev_search_sysfs(mandb_t) domain_use_interactive_fds(mandb_t) @@ -51050,10 +51063,18 @@ index 1d4eb19b8..650014e0f 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 29b752160..68ec663c2 100644 +index 29b752160..8c41e59db 100644 --- a/memcached.te +++ b/memcached.te -@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) +@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1) + type memcached_t; + type memcached_exec_t; + init_daemon_domain(memcached_t, memcached_exec_t) ++init_nnp_daemon_domain(memcached_t) + + type memcached_initrc_exec_t; + init_script_file(memcached_initrc_exec_t) +@@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t) # Local policy # @@ -51062,7 +51083,7 @@ index 29b752160..68ec663c2 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t) +@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -55833,7 +55854,7 @@ index f42896cbf..fce39c1ce 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac5a..cd52baf59 100644 +index ed81cac5a..4ea31b5e2 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -55985,13 +56006,11 @@ index ed81cac5a..cd52baf59 100644 ') -####################################### -+###################################### - ## +-## -## Read mta mail home files. -+## Dontaudit read and write an leaked file descriptors - ## - ## - ## +-## +-## +-## -## Domain allowed access. -## -## @@ -56026,13 +56045,15 @@ index ed81cac5a..cd52baf59 100644 -') - -######################################## --## ++###################################### + ## -## Create specified objects in user home -## directories with the generic mail -## home type. --## --## --## ++## Dontaudit read and write an leaked file descriptors + ## + ## + ## -## Domain allowed access. -## -## @@ -56789,7 +56810,7 @@ index ed81cac5a..cd52baf59 100644 ## ## ## -@@ -1081,3 +1067,209 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1067,228 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -56866,6 +56887,24 @@ index ed81cac5a..cd52baf59 100644 + +#################################### +## ++## ALlow domain to mmap mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_mmap_home_rw',` ++ gen_require(` ++ type mail_home_rw_t; ++ ') ++ ++ allow $1 mail_home_rw_t:file map; ++') ++ ++#################################### ++## +## ALlow domain to read mail content in the homedir +## +## @@ -56881,6 +56920,7 @@ index ed81cac5a..cd52baf59 100644 + + userdom_search_user_home_dirs($1) + read_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ list_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) + read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + + ifdef(`distro_redhat',` @@ -76570,7 +76610,7 @@ index c0e878537..3070aa066 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) diff --git a/postfix.if b/postfix.if -index ded95ec3a..210018ce4 100644 +index ded95ec3a..30d57cf13 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -76738,11 +76778,12 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -143,16 +132,15 @@ interface(`postfix_read_config',` +@@ -143,16 +132,16 @@ interface(`postfix_read_config',` type postfix_etc_t; ') + read_files_pattern($1, postfix_etc_t, postfix_etc_t) ++ list_dirs_pattern($1, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) files_search_etc($1) - allow $1 postfix_etc_t:dir list_dir_perms; @@ -76759,7 +76800,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',` +@@ -180,6 +169,7 @@ interface(`postfix_config_filetrans',` type postfix_etc_t; ') @@ -76767,7 +76808,7 @@ index ded95ec3a..210018ce4 100644 filetrans_pattern($1, postfix_etc_t, $2, $3, $4) ') -@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` +@@ -205,7 +195,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` ######################################## ## @@ -76777,7 +76818,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',` +@@ -221,30 +212,28 @@ interface(`postfix_rw_local_pipes',` allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; ') @@ -76820,7 +76861,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',` +@@ -252,18 +241,18 @@ interface(`postfix_read_local_state',` ## ## # @@ -76844,7 +76885,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',` +@@ -277,14 +266,13 @@ interface(`postfix_read_master_state',` ') kernel_search_proc($1) @@ -76862,7 +76903,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',` +@@ -335,15 +323,13 @@ interface(`postfix_domtrans_map',` type postfix_map_t, postfix_map_exec_t; ') @@ -76880,7 +76921,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',` +@@ -359,17 +345,17 @@ interface(`postfix_domtrans_map',` # interface(`postfix_run_map',` gen_require(` @@ -76902,7 +76943,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -380,16 +365,35 @@ interface(`postfix_run_map',` +@@ -380,16 +366,35 @@ interface(`postfix_run_map',` interface(`postfix_domtrans_master',` gen_require(` type postfix_master_t, postfix_master_exec_t; @@ -76941,7 +76982,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -402,21 +406,18 @@ interface(`postfix_exec_master',` +@@ -402,21 +407,18 @@ interface(`postfix_exec_master',` type postfix_master_exec_t; ') @@ -76964,7 +77005,7 @@ index ded95ec3a..210018ce4 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -428,8 +429,7 @@ interface(`postfix_stream_connect_master',` +@@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -76974,7 +77015,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -437,15 +437,18 @@ interface(`postfix_stream_connect_master',` +@@ -437,15 +438,18 @@ interface(`postfix_stream_connect_master',` ## ## # @@ -76997,7 +77038,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -458,14 +461,13 @@ interface(`postfix_domtrans_postdrop',` +@@ -458,14 +462,13 @@ interface(`postfix_domtrans_postdrop',` type postfix_postdrop_t, postfix_postdrop_exec_t; ') @@ -77013,7 +77054,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -478,30 +480,85 @@ interface(`postfix_domtrans_postqueue',` +@@ -478,30 +481,85 @@ interface(`postfix_domtrans_postqueue',` type postfix_postqueue_t, postfix_postqueue_exec_t; ') @@ -77109,7 +77150,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -514,13 +571,12 @@ interface(`postfix_exec_postqueue',` +@@ -514,13 +572,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') @@ -77124,7 +77165,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -533,13 +589,13 @@ interface(`postfix_create_private_sockets',` +@@ -533,13 +590,13 @@ interface(`postfix_create_private_sockets',` type postfix_private_t; ') @@ -77140,7 +77181,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -552,13 +608,14 @@ interface(`postfix_manage_private_sockets',` +@@ -552,13 +609,14 @@ interface(`postfix_manage_private_sockets',` type postfix_private_t; ') @@ -77157,7 +77198,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -571,14 +628,12 @@ interface(`postfix_domtrans_smtp',` +@@ -571,14 +629,12 @@ interface(`postfix_domtrans_smtp',` type postfix_smtp_t, postfix_smtp_exec_t; ') @@ -77173,7 +77214,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -586,7 +641,7 @@ interface(`postfix_domtrans_smtp',` +@@ -586,7 +642,7 @@ interface(`postfix_domtrans_smtp',` ## ## # @@ -77182,7 +77223,7 @@ index ded95ec3a..210018ce4 100644 gen_require(` attribute postfix_spool_type; ') -@@ -607,11 +662,11 @@ interface(`postfix_getattr_all_spool_files',` +@@ -607,11 +663,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` @@ -77196,7 +77237,7 @@ index ded95ec3a..210018ce4 100644 ') ######################################## -@@ -626,11 +681,11 @@ interface(`postfix_search_spool',` +@@ -626,11 +682,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -77210,7 +77251,7 @@ index ded95ec3a..210018ce4 100644 ') ######################################## -@@ -645,17 +700,16 @@ interface(`postfix_list_spool',` +@@ -645,17 +701,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -77231,7 +77272,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -665,11 +719,50 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +720,50 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -77284,7 +77325,7 @@ index ded95ec3a..210018ce4 100644 ') ######################################## -@@ -693,8 +786,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +787,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -77295,7 +77336,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -710,38 +803,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,38 +804,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -86725,7 +86766,7 @@ index 5806046b1..2a4769ff4 100644 + /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f1b..00e699da4 100644 +index 951db7f1b..65666b765 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -86807,27 +86848,22 @@ index 951db7f1b..00e699da4 100644 ## ## ## -@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',` +@@ -57,47 +79,131 @@ interface(`raid_run_mdadm',` ## ## # --interface(`raid_manage_mdadm_pid',` +interface(`raid_read_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - -- files_search_pids($1) -- allow $1 mdadm_var_run_t:file manage_file_perms; ++ gen_require(` ++ type mdadm_var_run_t; ++ ') ++ + read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an mdadm environment. ++') ++ ++######################################## ++## +## Create, read, write, and delete the mdadm pid files. - ## ++## +## +##

    +## Create, read, write, and delete the mdadm pid files. @@ -86836,24 +86872,24 @@ index 951db7f1b..00e699da4 100644 +## Added for use in the init module. +##

    +##
    - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## Domain allowed access. ++## ++## +# -+interface(`raid_manage_mdadm_pid',` -+ gen_require(` -+ type mdadm_var_run_t; -+ ') -+ + interface(`raid_manage_mdadm_pid',` + gen_require(` + type mdadm_var_run_t; + ') + +- files_search_pids($1) + # FIXME: maybe should have a type_transition. not + # clear what this is doing, from the original + # mdadm policy -+ allow $1 mdadm_var_run_t:file manage_file_perms; -+') -+ + allow $1 mdadm_var_run_t:file manage_file_perms; + ') + +####################################### +## +## Check access to the mdadm executable. @@ -86873,9 +86909,31 @@ index 951db7f1b..00e699da4 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; +') + + ######################################## + ## +-## All of the rules required to +-## administrate an mdadm environment. ++## Read mdadm config files. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`raid_read_conf_files',` ++ gen_require(` ++ type mdadm_conf_t; ++ ') ++ ++ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++') ++ +######################################## +## -+## Read mdadm config files. ++## Manage mdadm config files. +## +## ## @@ -86886,7 +86944,7 @@ index 951db7f1b..00e699da4 100644 -## # -interface(`raid_admin_mdadm',` -+interface(`raid_read_conf_files',` ++interface(`raid_manage_conf_files',` gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; + type mdadm_conf_t; @@ -86894,12 +86952,12 @@ index 951db7f1b..00e699da4 100644 - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) -+ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) +') + +######################################## +## -+## Manage mdadm config files. ++## Transition to mdadm named content +## +## +## @@ -86907,7 +86965,7 @@ index 951db7f1b..00e699da4 100644 +## +## +# -+interface(`raid_manage_conf_files',` ++interface(`raid_filetrans_named_content',` + gen_require(` + type mdadm_conf_t; + ') @@ -86916,29 +86974,29 @@ index 951db7f1b..00e699da4 100644 - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; - allow $2 system_r; -+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") +') - files_search_pids($1) - admin_pattern($1, mdadm_var_run_t) +######################################## +## -+## Transition to mdadm named content ++## Relabel from mdadm_var_run_t sock file. +## +## +## -+## Domain allowed access. ++## Domain allowed access. +## +## +# -+interface(`raid_filetrans_named_content',` ++interface(`raid_relabel_mdadm_var_run_content',` + gen_require(` -+ type mdadm_conf_t; ++ type mdadm_var_run_t; + ') - raid_run_mdadm($2, $1) -+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") -+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ++ allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms; ') diff --git a/raid.te b/raid.te index c99753f2c..082d5f686 100644 @@ -106130,7 +106188,7 @@ index 1499b0bbf..e695a62f3 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e3578..ece033330 100644 +index cc58e3578..0c421b171 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -106566,7 +106624,7 @@ index cc58e3578..ece033330 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,19 +352,31 @@ optional_policy(` +@@ -243,19 +352,32 @@ optional_policy(` ') optional_policy(` @@ -106596,10 +106654,11 @@ index cc58e3578..ece033330 100644 - sendmail_rw_pipes(spamc_t) sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) ++ mta_read_home_rw(spamc_t) ') optional_policy(` -@@ -267,48 +388,54 @@ optional_policy(` +@@ -267,48 +389,54 @@ optional_policy(` ######################################## # @@ -106674,7 +106733,7 @@ index cc58e3578..ece033330 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +444,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +445,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -106691,7 +106750,7 @@ index cc58e3578..ece033330 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +460,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +461,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -106796,7 +106855,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -421,21 +532,13 @@ optional_policy(` +@@ -421,21 +533,13 @@ optional_policy(` ') optional_policy(` @@ -106820,7 +106879,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -443,8 +546,8 @@ optional_policy(` +@@ -443,8 +547,8 @@ optional_policy(` ') optional_policy(` @@ -106830,7 +106889,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -455,7 +558,17 @@ optional_policy(` +@@ -455,7 +559,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -106849,7 +106908,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -463,9 +576,10 @@ optional_policy(` +@@ -463,9 +577,10 @@ optional_policy(` ') optional_policy(` @@ -106861,7 +106920,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -474,32 +588,31 @@ optional_policy(` +@@ -474,32 +589,31 @@ optional_policy(` ######################################## # @@ -106903,7 +106962,7 @@ index cc58e3578..ece033330 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +621,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +622,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -112488,10 +112547,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..f124882af +index 000000000..80e71067a --- /dev/null +++ b/tlp.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,95 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -112581,6 +112640,10 @@ index 000000000..f124882af +') + +optional_policy(` ++ systemd_rfkill_domtrans(tlp_t) ++') ++ ++optional_policy(` + udev_domtrans(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te @@ -117985,7 +118048,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..3fde9b1cd 100644 +index f03dcf567..6467b8676 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -118950,7 +119013,7 @@ index f03dcf567..3fde9b1cd 100644 ') optional_policy(` -@@ -691,99 +653,449 @@ optional_policy(` +@@ -691,99 +653,450 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -119160,6 +119223,7 @@ index f03dcf567..3fde9b1cd 100644 +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) ++allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) @@ -119451,7 +119515,7 @@ index f03dcf567..3fde9b1cd 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1106,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1107,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -119478,7 +119542,7 @@ index f03dcf567..3fde9b1cd 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1126,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1127,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -119512,7 +119576,7 @@ index f03dcf567..3fde9b1cd 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1163,20 @@ optional_policy(` +@@ -856,14 +1164,20 @@ optional_policy(` ') optional_policy(` @@ -119534,7 +119598,7 @@ index f03dcf567..3fde9b1cd 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1201,66 @@ optional_policy(` +@@ -888,49 +1202,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -119619,7 +119683,7 @@ index f03dcf567..3fde9b1cd 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1272,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1273,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -119639,7 +119703,7 @@ index f03dcf567..3fde9b1cd 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,15 +1293,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1294,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -119658,7 +119722,7 @@ index f03dcf567..3fde9b1cd 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -982,186 +1307,307 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -982,186 +1308,307 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -120095,7 +120159,7 @@ index f03dcf567..3fde9b1cd 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -120110,7 +120174,7 @@ index f03dcf567..3fde9b1cd 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1638,7 @@ optional_policy(` +@@ -1192,7 +1639,7 @@ optional_policy(` ######################################## # @@ -120119,7 +120183,7 @@ index f03dcf567..3fde9b1cd 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1647,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1648,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 413882a..b26ba55 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 303%{?dist} +Release: 304%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -717,6 +717,35 @@ exit 0 %endif %changelog +* Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304 +- Add interface raid_relabel_mdadm_var_run_content() +- Fix iscsi SELinux module +- Allow spamc_t domain to read home mail content BZ(1414366) +- Allow sendmail_t to list postfix config dirs BZ(1514868) +- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153) +- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877) +- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304) +- Allow cupsd_t domain to localization BZ(1514350) +- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451) +- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301) +- Allow abrt_t domain to mmap fusefs_t files BZ(1515169) +- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867) +- Allow httpd_t domain to mmap all httpd content type BZ(1514866) +- Allow mandb_t to read /etc/passwd BZ(1514903) +- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093) +- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975) +- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263) +- Allow systemd to read/write to mount_var_run_t files BZ(1515373) +- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373) +- Allow home managers to mmap nfs_t files BZ(1514372) +- Add interface fs_mmap_nfs_files() +- Allow systemd-mount to create new directory for mountpoint BZ(1514880) +- Allow getty to use usbttys +- Add interface systemd_rfkill_domtrans() +- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403) +- Add interface fs_mmap_fusefs_files() +- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) + * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303 - Allow pcp_pmlogger to send logs to journal BZ(1512367) - Merge pull request #40 from lslebodn/kcm_kerberos