diff --git a/policy-F15.patch b/policy-F15.patch
index e59db95..d97462d 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1,13 +1,3 @@
-diff --git a/Changelog b/Changelog
-index 6f31b1e..e2cd6fb 100644
---- a/Changelog
-+++ b/Changelog
-@@ -1,3 +1,5 @@
-+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
-+- Xserver update for startx from Sven Vermeulen.
- - Fix MLS constraint for contains permission from Harry Ciao.
- - Apache user webpages fix from Dominick Grift.
- - Change default build.conf to modular policy from Stephen Smalley.
diff --git a/Makefile b/Makefile
index b8486a0..bec48d7 100644
--- a/Makefile
@@ -271,86 +261,56 @@ index e66c296..61f738b 100644
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
-diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 90d5203..1392679 100644
---- a/policy/modules/admin/alsa.if
-+++ b/policy/modules/admin/alsa.if
-@@ -21,6 +21,32 @@ interface(`alsa_domtrans',`
+diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
+index 46d467c..d841424 100644
+--- a/policy/modules/admin/amanda.te
++++ b/policy/modules/admin/amanda.te
+@@ -200,12 +200,14 @@ files_search_pids(amanda_recover_t)
- ########################################
- ##
-+## Execute a domain transition to run
-+## Alsa, and allow the specified role
-+## the Alsa domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+#
-+interface(`alsa_run',`
-+ gen_require(`
-+ type alsa_t;
-+ ')
-+
-+ alsa_domtrans($1)
-+ role $2 types alsa_t;
-+')
-+
-+########################################
-+##
- ## Read and write Alsa semaphores.
- ##
- ##
-diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
-index a7c7971..d073f49 100644
---- a/policy/modules/admin/alsa.te
-+++ b/policy/modules/admin/alsa.te
-@@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t)
- role system_r types alsa_t;
-
- type alsa_etc_rw_t;
--files_type(alsa_etc_rw_t)
-+files_config_file(alsa_etc_rw_t)
-+
-+type alsa_tmp_t;
-+files_tmp_file(alsa_tmp_t)
+ auth_use_nsswitch(amanda_recover_t)
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
-@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+-fstools_domtrans(amanda_t)
+-fstools_signal(amanda_t)
+-
+ logging_search_logs(amanda_recover_t)
- can_exec(alsa_t, alsa_exec_t)
+ miscfiles_read_localization(amanda_recover_t)
-+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-+userdom_dontaudit_setattr_user_tmp(alsa_t)
+ userdom_use_user_terminals(amanda_recover_t)
+ userdom_search_user_home_content(amanda_recover_t)
+
-+
- manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- files_search_var_lib(alsa_t)
++optional_policy(`
++ fstools_domtrans(amanda_t)
++ fstools_signal(amanda_t)
++')
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
-index e81bdbd..63ab279 100644
+index e81bdbd..dd1522d 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
-@@ -30,6 +30,7 @@ modutils_domtrans_insmod(anaconda_t)
- modutils_domtrans_depmod(anaconda_t)
+@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t)
+
+ logging_send_syslog_msg(anaconda_t)
+-modutils_domtrans_insmod(anaconda_t)
+-modutils_domtrans_depmod(anaconda_t)
+-
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-@@ -51,7 +52,7 @@ optional_policy(`
+@@ -38,6 +36,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(anaconda_t)
++ modutils_domtrans_depmod(anaconda_t)
++')
++optional_policy(`
+ rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
+ ')
+@@ -51,7 +53,7 @@ optional_policy(`
')
optional_policy(`
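Review bot: The new modutils block in anaconda.te is created by splitting the existing rpm block, and the `++')` / `++optional_policy(\`` pair leaves the two blocks touching with no blank line between them, unlike every other block boundary in this file. Adding an empty `++` line between the closing `')` and the reopened `optional_policy(\`` keeps the file consistent with the refpolicy layout used elsewhere in this patch (for example the fstools block added to amanda.te just above, which is preceded by a blank line). The amanda and anaconda sections are both complete within this hunk.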
@@ -389,7 +349,7 @@ index 63eb96b..17a9f6d 100644
##
## Execute bootloader interactively and do
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..9799904 100644
+index d3da8f2..a9c9ff2 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -401,6 +361,28 @@ index d3da8f2..9799904 100644
#
# The temp file is used for initrd creation;
+@@ -121,8 +121,6 @@ logging_rw_generic_logs(bootloader_t)
+
+ miscfiles_read_localization(bootloader_t)
+
+-modutils_domtrans_insmod_uncond(bootloader_t)
+-
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+ seutil_dontaudit_search_config(bootloader_t)
+@@ -162,8 +160,10 @@ ifdef(`distro_redhat',`
+ files_manage_isid_type_blk_files(bootloader_t)
+ files_manage_isid_type_chr_files(bootloader_t)
+
+- # for mke2fs
+- mount_domtrans(bootloader_t)
++ optional_policy(`
++ # for mke2fs
++ mount_domtrans(bootloader_t)
++ ')
+
+ optional_policy(`
+ unconfined_domain(bootloader_t)
@@ -171,6 +171,10 @@ ifdef(`distro_redhat',`
')
@@ -412,6 +394,14 @@ index d3da8f2..9799904 100644
fstools_exec(bootloader_t)
')
+@@ -197,6 +201,7 @@ optional_policy(`
+ modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
++ modutils_domtrans_insmod_uncond(bootloader_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 2c2cdb6..73b3814 100644
--- a/policy/modules/admin/brctl.if
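Review bot: `modutils_domtrans_insmod_uncond(bootloader_t)` now lands in the same optional_policy block as `modutils_exec_insmod(bootloader_t)`, so that block grants both a domain transition and in-domain execution for the same executable type; with the type_transition rule present, a plain exec of insmod leaves bootloader_t by default and the exec interface presumably only matters for an explicit no-transition exec. If both are intended, a one-line comment such as `# insmod normally transitions; exec kept for callers that run it without a transition` would stop the next maintainer from dropping one of them. The `_uncond` variant is also the one that is not gated on the insmod tunable, which is worth saying in that comment since the move into optional_policy makes it look like an ordinary module dependency.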
@@ -506,6 +496,29 @@ index cd5e005..24f73ca 100644
')
optional_policy(`
+diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
+index 5e062bc..8854858 100644
+--- a/policy/modules/admin/ddcprobe.te
++++ b/policy/modules/admin/ddcprobe.te
+@@ -42,10 +42,14 @@ libs_read_lib_files(ddcprobe_t)
+
+ miscfiles_read_localization(ddcprobe_t)
+
+-modutils_read_module_deps(ddcprobe_t)
+-
+ userdom_use_user_terminals(ddcprobe_t)
+ userdom_use_all_users_fds(ddcprobe_t)
+
+-#reh why? this does not seem even necessary to function properly
+-kudzu_getattr_exec_files(ddcprobe_t)
++optional_policy(`
++ #reh why? this does not seem even necessary to function properly
++ kudzu_getattr_exec_files(ddcprobe_t)
++')
++
++optional_policy(`
++ modutils_read_module_deps(ddcprobe_t)
++')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d8..ed02103 100644
--- a/policy/modules/admin/dmesg.te
@@ -532,7 +545,7 @@ index 72bc6d8..ed02103 100644
')
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
-index 6776b69..86cff15 100644
+index 6776b69..a1482b0 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -18,7 +18,7 @@ role system_r types dpkg_t;
@@ -544,6 +557,50 @@ index 6776b69..86cff15 100644
type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)
+@@ -193,14 +193,19 @@ domain_signull_all_domains(dpkg_t)
+ files_read_etc_runtime_files(dpkg_t)
+ files_exec_usr_files(dpkg_t)
+ miscfiles_read_localization(dpkg_t)
+-modutils_domtrans_depmod(dpkg_t)
+-modutils_domtrans_insmod(dpkg_t)
+ seutil_domtrans_loadpolicy(dpkg_t)
+ seutil_domtrans_setfiles(dpkg_t)
+ userdom_use_all_users_fds(dpkg_t)
++
+ optional_policy(`
+ mta_send_mail(dpkg_t)
+ ')
++
++optional_policy(`
++ modutils_domtrans_depmod(dpkg_t)
++ modutils_domtrans_insmod(dpkg_t)
++')
++
+ optional_policy(`
+ usermanage_domtrans_groupadd(dpkg_t)
+ usermanage_domtrans_useradd(dpkg_t)
+@@ -299,9 +304,6 @@ logging_send_syslog_msg(dpkg_script_t)
+
+ miscfiles_read_localization(dpkg_script_t)
+
+-modutils_domtrans_depmod(dpkg_script_t)
+-modutils_domtrans_insmod(dpkg_script_t)
+-
+ seutil_domtrans_loadpolicy(dpkg_script_t)
+ seutil_domtrans_setfiles(dpkg_script_t)
+
+@@ -321,6 +323,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_depmod(dpkg_script_t)
++ modutils_domtrans_insmod(dpkg_script_t)
++')
++
++optional_policy(`
+ mta_send_mail(dpkg_script_t)
+ ')
+
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 8fa451c..bc5bfc4 100644
--- a/policy/modules/admin/firstboot.if
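Review bot: The new modutils optional_policy block for dpkg_t is inserted after the mta block, while the matching block for dpkg_script_t later in the same hunk is inserted before mta; refpolicy keeps optional_policy blocks in alphabetical order by module, so the dpkg_t one should move above `mta_send_mail(dpkg_t)`. The same ordering issue appears in the firstboot hunk (modutils placed after nis), the sosreport hunk (modutils placed before fstools) and the gnome.te hunk (the xserver block placed before gnome_read_home_config); the kudzu and firewallgui hunks already have the right order and can serve as the model. Nothing functional changes either way, this is purely about keeping the patch easy to rebase.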
@@ -575,10 +632,22 @@ index 8fa451c..bc5bfc4 100644
##
##
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index c4d8998..6f193f8 100644
+index c4d8998..dbdc14c 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
-@@ -103,6 +103,10 @@ optional_policy(`
+@@ -75,11 +75,6 @@ logging_send_syslog_msg(firstboot_t)
+
+ miscfiles_read_localization(firstboot_t)
+
+-modutils_domtrans_insmod(firstboot_t)
+-modutils_domtrans_depmod(firstboot_t)
+-modutils_read_module_config(firstboot_t)
+-modutils_read_module_deps(firstboot_t)
+-
+ userdom_use_user_terminals(firstboot_t)
+ # Add/remove user home directories
+ userdom_manage_user_home_content_dirs(firstboot_t)
+@@ -103,8 +98,18 @@ optional_policy(`
')
optional_policy(`
@@ -588,8 +657,16 @@ index c4d8998..6f193f8 100644
+optional_policy(`
nis_use_ypbind(firstboot_t)
')
++optional_policy(`
++ modutils_domtrans_insmod(firstboot_t)
++ modutils_domtrans_depmod(firstboot_t)
++ modutils_read_module_config(firstboot_t)
++ modutils_read_module_deps(firstboot_t)
++')
-@@ -125,6 +129,7 @@ optional_policy(`
+ optional_policy(`
+ samba_rw_config(firstboot_t)
+@@ -125,6 +130,7 @@ optional_policy(`
')
optional_policy(`
@@ -626,26 +703,51 @@ index 4198ff5..df3f4d6 100644
####################################
##
## Manage kdump configuration file.
+diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
+index 4f7bd3c..3405a10 100644
+--- a/policy/modules/admin/kudzu.te
++++ b/policy/modules/admin/kudzu.te
+@@ -111,11 +111,6 @@ logging_send_syslog_msg(kudzu_t)
+ miscfiles_read_hwdata(kudzu_t)
+ miscfiles_read_localization(kudzu_t)
+
+-modutils_read_module_config(kudzu_t)
+-modutils_read_module_deps(kudzu_t)
+-modutils_rename_module_config(kudzu_t)
+-modutils_delete_module_config(kudzu_t)
+-modutils_domtrans_insmod(kudzu_t)
+
+ sysnet_read_config(kudzu_t)
+
+@@ -128,6 +123,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_read_module_config(kudzu_t)
++ modutils_read_module_deps(kudzu_t)
++ modutils_rename_module_config(kudzu_t)
++ modutils_delete_module_config(kudzu_t)
++ modutils_domtrans_insmod(kudzu_t)
++')
++
++optional_policy(`
+ nscd_socket_use(kudzu_t)
+ ')
+
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..a874b65 100644
+index 7090dae..ce5af6e 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
-@@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t)
+@@ -119,14 +119,10 @@ seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
-+userdom_dontaudit_list_admin_dir(logrotate_t)
-
- cron_system_entry(logrotate_t, logrotate_exec_t)
- cron_search_spool(logrotate_t)
-
+-
+-cron_system_entry(logrotate_t, logrotate_exec_t)
+-cron_search_spool(logrotate_t)
+-
-mta_send_mail(logrotate_t)
-+#mta_send_mail(logrotate_t)
-+mta_base_mail_template(logrotate)
-+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-+role system_r types logrotate_mail_t;
-+logging_read_all_logs(logrotate_mail_t)
-+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
++userdom_dontaudit_list_admin_dir(logrotate_t)
ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
@@ -653,6 +755,41 @@ index 7090dae..a874b65 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
+@@ -166,6 +162,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cron_system_entry(logrotate_t, logrotate_exec_t)
++ cron_search_spool(logrotate_t)
++')
++
++optional_policy(`
+ cups_domtrans(logrotate_t)
+ ')
+
+@@ -203,7 +204,6 @@ optional_policy(`
+ psad_domtrans(logrotate_t)
+ ')
+
+-
+ optional_policy(`
+ samba_exec_log(logrotate_t)
+ ')
+@@ -228,3 +228,14 @@ optional_policy(`
+ optional_policy(`
+ varnishd_manage_log(logrotate_t)
+ ')
++
++#######################################
++#
++# logrotate_mail local policy
++#
++
++mta_base_mail_template(logrotate)
++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
++role system_r types logrotate_mail_t;
++logging_read_all_logs(logrotate_mail_t)
++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
index 3c7b1e8..1e155f5 100644
--- a/policy/modules/admin/logwatch.fc
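Review bot: The relocated logrotate_mail section grants `logging_read_all_logs(logrotate_mail_t)` and full manage of logrotate_tmp_t to the sendmail child domain with no comment explaining why a mail helper needs read access to every log on the system; presumably this is so rotated logs can be mailed, but that intent should be written down next to the rule, e.g. `# logrotate mails rotated logs; the sendmail child reads them directly`. The banner above the section also appears one `#` shorter than the 40-column banners used in the other new files in this patch (ncftool.te, firewallgui.te), so worth aligning while touching it. The removed commented-out `#mta_send_mail(logrotate_t)` line is a good cleanup and needs no replacement.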
@@ -736,24 +873,23 @@ index 56c43c0..de535e4 100644
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
+
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..8498ed1 100644
+index 5671977..24a6ad6 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
-@@ -7,9 +7,13 @@ policy_module(mcelog, 1.1.0)
+@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0)
type mcelog_t;
type mcelog_exec_t;
+init_system_domain(mcelog_t, mcelog_exec_t)
application_domain(mcelog_t, mcelog_exec_t)
- cron_system_entry(mcelog_t, mcelog_exec_t)
-
+-cron_system_entry(mcelog_t, mcelog_exec_t)
++
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
-+
+
########################################
#
- # mcelog local policy
-@@ -17,10 +21,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
allow mcelog_t self:capability sys_admin;
@@ -772,6 +908,14 @@ index 5671977..8498ed1 100644
files_read_etc_files(mcelog_t)
+@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t)
+ logging_send_syslog_msg(mcelog_t)
+
+ miscfiles_read_localization(mcelog_t)
++
++optional_policy(`
++ cron_system_entry(mcelog_t, mcelog_exec_t)
++')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 0e19d80..9d58abe 100644
--- a/policy/modules/admin/mrtg.te
@@ -878,10 +1022,10 @@ index 0000000..8c2e044
+
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644
-index 0000000..67296b9
+index 0000000..104253d
--- /dev/null
+++ b/policy/modules/admin/ncftool.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,87 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
@@ -935,10 +1079,6 @@ index 0000000..67296b9
+
+miscfiles_read_localization(ncftool_t)
+
-+modutils_list_module_config(ncftool_t)
-+modutils_read_module_config(ncftool_t)
-+modutils_domtrans_insmod(ncftool_t)
-+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
@@ -957,7 +1097,7 @@ index 0000000..67296b9
+')
+
+optional_policy(`
-+ dbus_system_bus_client(ncftool_t)
++ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
@@ -965,11 +1105,13 @@ index 0000000..67296b9
+')
+
+optional_policy(`
-+ iptables_initrc_domtrans(ncftool_t)
++ netutils_domtrans(ncftool_t)
+')
+
+optional_policy(`
-+ netutils_domtrans(ncftool_t)
++ modutils_list_module_config(ncftool_t)
++ modutils_read_module_config(ncftool_t)
++ modutils_domtrans_insmod(ncftool_t)
+')
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index c6ca761..46e0767 100644
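Review bot: `iptables_initrc_domtrans(ncftool_t)` is removed from the new patch rather than moved, while the neighbouring netutils block is kept and the modutils trio is relocated into a new optional_policy block; if ncftool still restarts iptables through its init script this will surface as denials once the policy is rebuilt. If the removal is deliberate, the commit message should say so, and if the call simply moved to a part of ncftool.te outside this hunk then this note can be ignored. The rest of the hunk (re-indenting `dbus_system_bus_client(ncftool_t)` and wrapping the modutils calls) looks fine.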
@@ -1111,7 +1253,7 @@ index e0791b9..c083ea8 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
-index c633aea..b773bc3 100644
+index c633aea..c489eec 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -43,7 +43,7 @@ type portage_db_t;
@@ -1123,6 +1265,17 @@ index c633aea..b773bc3 100644
type portage_cache_t;
files_type(portage_cache_t)
+@@ -107,7 +107,9 @@ miscfiles_read_localization(gcc_config_t)
+
+ userdom_use_user_terminals(gcc_config_t)
+
+-consoletype_exec(gcc_config_t)
++optional_policy(`
++ consoletype_exec(gcc_config_t)
++')
+
+ optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index af55369..f77e897 100644
--- a/policy/modules/admin/prelink.te
@@ -1234,10 +1387,10 @@ index 7077413..56d1ecb 100644
+
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
-index 47c4723..4866a08 100644
+index 47c4723..ca58272 100644
--- a/policy/modules/admin/readahead.if
+++ b/policy/modules/admin/readahead.if
-@@ -1 +1,20 @@
+@@ -1 +1,40 @@
## Readahead, read files into page cache for improved performance
+
+########################################
@@ -1258,6 +1411,26 @@ index 47c4723..4866a08 100644
+ corecmd_search_bin($1)
+ domtrans_pattern($1, readahead_exec_t, readahead_t)
+')
++
++########################################
++##
++## Manage readahead var_run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`readahead_manage_pid_files',`
++ gen_require(`
++ type readahead_var_run_t;
++ ')
++
++ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
++ files_search_pids($1)
++')
++
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b4ac57e..d3b51b7 100644
--- a/policy/modules/admin/readahead.te
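Review bot: The new `readahead_manage_pid_files` interface pairs `manage_files_pattern` with only `files_search_pids($1)`, yet the readahead.fc hunk earlier in this patch also labels `/dev/\.systemd/readahead(/.*)?` as readahead_var_run_t, so a caller reaching that second location would presumably still need search on the /dev parent; either add the matching search interface here or state in the interface doc that only the /var/run location is covered. The doc block lost its XML tags in this copy, so I cannot tell whether the summary was meant to mention that directory create/delete on readahead_var_run_t is not granted (manage_files_pattern covers only rw of the containing dir); a sentence to that effect in the summary would help callers pick between this and a future manage_pid_dirs interface.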
@@ -1526,7 +1699,7 @@ index d33daa8..c76708e 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..31f474e 100644
+index 47a8f7d..bca3b72 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -1578,7 +1751,7 @@ index 47a8f7d..31f474e 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -173,6 +181,7 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +181,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -1586,7 +1759,13 @@ index 47a8f7d..31f474e 100644
files_exec_etc_files(rpm_t)
-@@ -207,6 +216,7 @@ optional_policy(`
+ init_domtrans_script(rpm_t)
+ init_use_script_ptys(rpm_t)
++init_signull_script(rpm_t)
+
+ libs_exec_ld_so(rpm_t)
+ libs_exec_lib_files(rpm_t)
+@@ -207,6 +217,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -1594,7 +1773,7 @@ index 47a8f7d..31f474e 100644
')
optional_policy(`
-@@ -214,7 +224,7 @@ optional_policy(`
+@@ -214,7 +225,7 @@ optional_policy(`
')
optional_policy(`
@@ -1603,7 +1782,7 @@ index 47a8f7d..31f474e 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +271,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -261,6 +272,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
@@ -1611,7 +1790,7 @@ index 47a8f7d..31f474e 100644
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
-@@ -308,6 +319,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
+@@ -308,6 +320,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
@@ -1620,7 +1799,13 @@ index 47a8f7d..31f474e 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -338,12 +351,15 @@ modutils_domtrans_insmod(rpm_script_t)
+@@ -332,18 +346,18 @@ logging_send_syslog_msg(rpm_script_t)
+
+ miscfiles_read_localization(rpm_script_t)
+
+-modutils_domtrans_depmod(rpm_script_t)
+-modutils_domtrans_insmod(rpm_script_t)
+-
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1636,7 +1821,19 @@ index 47a8f7d..31f474e 100644
')
')
-@@ -377,8 +393,9 @@ optional_policy(`
+@@ -368,6 +382,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_depmod(rpm_script_t)
++ modutils_domtrans_insmod(rpm_script_t)
++')
++
++optional_policy(`
+ tzdata_domtrans(rpm_t)
+ tzdata_domtrans(rpm_script_t)
+ ')
+@@ -377,8 +396,9 @@ optional_policy(`
')
optional_policy(`
@@ -1648,14 +1845,37 @@ index 47a8f7d..31f474e 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
-index c8ef84b..e241334 100644
+index c8ef84b..40ceffb 100644
--- a/policy/modules/admin/sectoolm.te
+++ b/policy/modules/admin/sectoolm.te
-@@ -84,6 +84,7 @@ logging_send_syslog_msg(sectoolm_t)
+@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
+
+ auth_use_nsswitch(sectoolm_t)
+
+-# tests related to network
+-hostname_exec(sectoolm_t)
+-
+-# tests related to network
+-iptables_domtrans(sectoolm_t)
+-
+ libs_exec_ld_so(sectoolm_t)
+
+ logging_send_syslog_msg(sectoolm_t)
+@@ -84,6 +78,17 @@ logging_send_syslog_msg(sectoolm_t)
sysnet_domtrans_ifconfig(sectoolm_t)
userdom_manage_user_tmp_sockets(sectoolm_t)
+userdom_dgram_send(sectoolm_t)
++
++optional_policy(`
++ # tests related to network
++ hostname_exec(sectoolm_t)
++')
++
++optional_policy(`
++ # tests related to network
++ iptables_domtrans(sectoolm_t)
++')
optional_policy(`
mount_exec(sectoolm_t)
@@ -1943,10 +2163,18 @@ index 8966ec9..a54882c 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
-index bc00875..3c1b37b 100644
+index bc00875..b47c0f4 100644
--- a/policy/modules/admin/smoltclient.te
+++ b/policy/modules/admin/smoltclient.te
-@@ -46,6 +46,7 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
+ type smoltclient_t;
+ type smoltclient_exec_t;
+ application_domain(smoltclient_t, smoltclient_exec_t)
+-cron_system_entry(smoltclient_t, smoltclient_exec_t)
+
+ type smoltclient_tmp_t;
+ files_tmp_file(smoltclient_tmp_t)
+@@ -46,6 +45,7 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_files(smoltclient_t)
@@ -1954,6 +2182,43 @@ index bc00875..3c1b37b 100644
files_read_usr_files(smoltclient_t)
auth_use_nsswitch(smoltclient_t)
+@@ -55,6 +55,10 @@ logging_send_syslog_msg(smoltclient_t)
+ miscfiles_read_localization(smoltclient_t)
+
+ optional_policy(`
++ cron_system_entry(smoltclient_t, smoltclient_exec_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+ ')
+
+diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
+index fe1c377..7660180 100644
+--- a/policy/modules/admin/sosreport.te
++++ b/policy/modules/admin/sosreport.te
+@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
+
+ miscfiles_read_localization(sosreport_t)
+
+-# needed by modinfo
+-modutils_read_module_deps(sosreport_t)
+-
+ sysnet_read_config(sosreport_t)
+
+ optional_policy(`
+@@ -110,6 +107,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # needed by modinfo
++ modutils_read_module_deps(sosreport_t)
++')
++
++optional_policy(`
+ fstools_domtrans(sosreport_t)
+ ')
+
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 8c5fa3c..1a46f56 100644
--- a/policy/modules/admin/su.if
@@ -2063,8 +2328,33 @@ index 2731fa1..3443ba2 100644
+type sudo_db_t;
+files_type(sudo_db_t)
+
+diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
+index d5aaf0e..689b2fd 100644
+--- a/policy/modules/admin/sxid.te
++++ b/policy/modules/admin/sxid.te
+@@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t)
+
+ miscfiles_read_localization(sxid_t)
+
+-mount_exec(sxid_t)
+-
+ sysnet_read_config(sxid_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+-cron_system_entry(sxid_t, sxid_exec_t)
++optional_policy(`
++ cron_system_entry(sxid_t, sxid_exec_t)
++')
++
++optional_policy(`
++ mount_exec(sxid_t)
++')
+
+ optional_policy(`
+ mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..c59c3cd 100644
+index 6a5004b..9b0f49e 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2087,7 +2377,18 @@ index 6a5004b..c59c3cd 100644
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
-@@ -52,7 +56,9 @@ optional_policy(`
+@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t)
+ miscfiles_read_localization(tmpreaper_t)
+ miscfiles_delete_man_pages(tmpreaper_t)
+
+-cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
++optional_policy(`
++ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
++')
+
+ ifdef(`distro_redhat',`
+ userdom_list_user_home_content(tmpreaper_t)
+@@ -52,7 +58,9 @@ optional_policy(`
')
optional_policy(`
@@ -2097,7 +2398,7 @@ index 6a5004b..c59c3cd 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,6 +72,14 @@ optional_policy(`
+@@ -66,6 +74,14 @@ optional_policy(`
')
optional_policy(`
@@ -2125,6 +2426,27 @@ index d0f2a64..7df0825 100644
files_search_spool(tzdata_t)
fs_getattr_xattr_fs(tzdata_t)
+diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
+index 74354da..0852738 100644
+--- a/policy/modules/admin/usbmodules.te
++++ b/policy/modules/admin/usbmodules.te
+@@ -34,8 +34,6 @@ init_use_fds(usbmodules_t)
+
+ miscfiles_read_hwdata(usbmodules_t)
+
+-modutils_read_module_deps(usbmodules_t)
+-
+ userdom_use_user_terminals(usbmodules_t)
+
+ optional_policy(`
+@@ -45,3 +43,7 @@ optional_policy(`
+ optional_policy(`
+ logging_send_syslog_msg(usbmodules_t)
+ ')
++
++optional_policy(`
++ modutils_read_module_deps(usbmodules_t)
++')
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 81fb26f..cd18ca8 100644
--- a/policy/modules/admin/usermanage.if
@@ -2287,6 +2609,27 @@ index 1f42250..3d36ae2 100644
########################################
#
# awstats cgi script policy
+diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
+index 47d81d1..046a9de 100644
+--- a/policy/modules/apps/calamaris.te
++++ b/policy/modules/apps/calamaris.te
+@@ -66,8 +66,6 @@ miscfiles_read_localization(calamaris_t)
+
+ userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+-squid_read_log(calamaris_t)
+-
+ optional_policy(`
+ apache_search_sys_content(calamaris_t)
+ ')
+@@ -79,3 +77,7 @@ optional_policy(`
+ optional_policy(`
+ mta_send_mail(calamaris_t)
+ ')
++
++optional_policy(`
++ squid_read_log(calamaris_t)
++')
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 1403835..2e9a72c 100644
--- a/policy/modules/apps/cdrecord.te
@@ -2535,66 +2878,19 @@ index 0000000..0852151
+ fs_read_inherited_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
-diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if
-index ed94975..e43186f 100644
---- a/policy/modules/apps/cpufreqselector.if
-+++ b/policy/modules/apps/cpufreqselector.if
-@@ -1 +1,42 @@
- ## Command-line CPU frequency settings.
-+
-+########################################
-+##
-+## Send a dbus message to
-+## cpufreq-selector.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cpufreqselector_dbus_send',`
-+ gen_require(`
-+ type cpufreqselector_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 cpufreqselector_t:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## cpufreq-selector over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cpufreqselector_dbus_chat',`
-+ gen_require(`
-+ type cpufreqselector_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 cpufreqselector_t:dbus send_msg;
-+ allow cpufreqselector_t $1:dbus send_msg;
-+')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 0457de1..b440acb 100644
+index e51e7f5..8e0405f 100644
--- a/policy/modules/apps/cpufreqselector.te
+++ b/policy/modules/apps/cpufreqselector.te
-@@ -16,6 +16,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
-
+@@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+ allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
- files_read_etc_files(cpufreqselector_t)
- files_read_usr_files(cpufreqselector_t)
-@@ -24,10 +25,12 @@ corecmd_search_bin(cpufreqselector_t)
+ kernel_read_system_state(cpufreqselector_t)
+
+@@ -27,10 +28,12 @@ corecmd_search_bin(cpufreqselector_t)
dev_rw_sysfs(cpufreqselector_t)
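Review bot: The rebased cpufreqselector.te hunk now has `allow cpufreqselector_t self:process getsched;` as upstream context at line 18 and still adds the identical rule as a `+` line two lines below, so the hunk only produces a duplicate allow rule; checkpolicy merges duplicates, so nothing breaks, but the hunk is dead weight and the rebase should drop the `+allow cpufreqselector_t self:process getsched;` line (and, if nothing else remains, the whole hunk). The later `@@ -27,10 +28,12 @@` hunk in the same file is unaffected. The removal of the cpufreqselector.if interface additions from the patch looks like an upstream merge and needs no change.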
@@ -2608,7 +2904,7 @@ index 0457de1..b440acb 100644
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-@@ -50,3 +53,7 @@ optional_policy(`
+@@ -53,3 +56,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
@@ -2862,10 +3158,10 @@ index 0000000..7fe26f3
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
-index 0000000..0bbd523
+index 0000000..f4c2d3f
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,74 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -2900,7 +3196,6 @@ index 0000000..0bbd523
+
+corecmd_exec_shell(firewallgui_t)
+corecmd_exec_bin(firewallgui_t)
-+consoletype_exec(firewallgui_t)
+
+dev_read_urand(firewallgui_t)
+dev_read_sysfs(firewallgui_t)
@@ -2912,26 +3207,35 @@ index 0000000..0bbd523
+files_search_kernel_modules(firewallgui_t)
+files_list_kernel_modules(firewallgui_t)
+
-+iptables_domtrans(firewallgui_t)
-+iptables_initrc_domtrans(firewallgui_t)
-+
-+modutils_getattr_module_deps(firewallgui_t)
-+
+miscfiles_read_localization(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
+
-+nscd_dontaudit_search_pid(firewallgui_t)
-+nscd_socket_use(firewallgui_t)
++optional_policy(`
++ consoletype_exec(firewallgui_t)
++')
+
+optional_policy(`
+ gnome_read_gconf_home_files(firewallgui_t)
+')
+
+optional_policy(`
-+ policykit_dbus_chat(firewallgui_t)
++ iptables_domtrans(firewallgui_t)
++ iptables_initrc_domtrans(firewallgui_t)
++')
++
++optional_policy(`
++ modutils_getattr_module_deps(firewallgui_t)
+')
+
++optional_policy(`
++ nscd_dontaudit_search_pid(firewallgui_t)
++ nscd_socket_use(firewallgui_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(firewallgui_t)
++')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 00a19e3..1354800 100644
--- a/policy/modules/apps/gnome.fc
@@ -2974,10 +3278,10 @@ index 00a19e3..1354800 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c9d74ee 100644
+index f5afe78..0c61d93 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,519 @@
+@@ -1,43 +1,521 @@
## GNU network object model environment (GNOME)
-############################################################
@@ -3073,9 +3377,10 @@ index f5afe78..c9d74ee 100644
+
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
++ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_$1_t)
++
+ allow gkeyringd_$1_t $3:dbus send_msg;
+ allow $3 gkeyringd_$1_t:dbus send_msg;
-+
+ optional_policy(`
+ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
+ dbus_session_bus_client(gkeyringd_$1_t)
@@ -3152,10 +3457,11 @@ index f5afe78..c9d74ee 100644
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
++ type gconf_tmp_t;
+ ')
+
++ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-+ gnome_search_gconf_tmp_dirs($1)
+')
+
+########################################
@@ -3514,7 +3820,7 @@ index f5afe78..c9d74ee 100644
## in the caller domain.
##
##
-@@ -56,27 +532,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +534,26 @@ interface(`gnome_exec_gconf',`
########################################
##
@@ -3550,7 +3856,7 @@ index f5afe78..c9d74ee 100644
##
##
##
-@@ -84,37 +559,41 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +561,41 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -3603,7 +3909,7 @@ index f5afe78..c9d74ee 100644
##
##
##
-@@ -122,12 +601,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +603,13 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -3620,7 +3926,7 @@ index f5afe78..c9d74ee 100644
')
########################################
-@@ -151,40 +631,258 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +633,258 @@ interface(`gnome_setattr_config_dirs',`
########################################
##
@@ -3890,7 +4196,7 @@ index f5afe78..c9d74ee 100644
userdom_search_user_home_dirs($1)
')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..fd62ccc 100644
+index 2505654..2417992 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -3961,7 +4267,7 @@ index 2505654..fd62ccc 100644
##############################
#
# Local Policy
-@@ -75,3 +106,149 @@ optional_policy(`
+@@ -75,3 +106,151 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -4096,9 +4402,11 @@ index 2505654..fd62ccc 100644
+
+miscfiles_read_localization(gkeyringd_domain)
+
-+xserver_append_xdm_home_files(gkeyringd_domain)
-+xserver_read_xdm_home_files(gkeyringd_domain)
-+xserver_use_xdm_fds(gkeyringd_domain)
++optional_policy(`
++ xserver_append_xdm_home_files(gkeyringd_domain)
++ xserver_read_xdm_home_files(gkeyringd_domain)
++ xserver_use_xdm_fds(gkeyringd_domain)
++')
+
+optional_policy(`
+ gnome_read_home_config(gkeyringd_domain)
@@ -4621,7 +4929,7 @@ index 167950d..ef63b20 100644
+ ')
')
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index f63c4c2..3812a46 100644
+index f63c4c2..bf59895 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
@@ -14,6 +14,7 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
@@ -4632,7 +4940,7 @@ index f63c4c2..3812a46 100644
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -33,6 +34,7 @@ files_manage_etc_symlinks(kdumpgui_t)
+@@ -33,27 +34,38 @@ files_manage_etc_symlinks(kdumpgui_t)
# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
@@ -4640,12 +4948,26 @@ index f63c4c2..3812a46 100644
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
-@@ -50,10 +52,16 @@ miscfiles_read_localization(kdumpgui_t)
+
+ auth_use_nsswitch(kdumpgui_t)
+
+-consoletype_exec(kdumpgui_t)
+-
+-kdump_manage_config(kdumpgui_t)
+-kdump_initrc_domtrans(kdumpgui_t)
+-
+ logging_send_syslog_msg(kdumpgui_t)
+
+ miscfiles_read_localization(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
+
++optional_policy(`
++ consoletype_exec(kdumpgui_t)
++')
++
optional_policy(`
dev_rw_lvm_control(kdumpgui_t)
')
@@ -4655,6 +4977,11 @@ index f63c4c2..3812a46 100644
+')
+
+optional_policy(`
++ kdump_manage_config(kdumpgui_t)
++ kdump_initrc_domtrans(kdumpgui_t)
++')
++
++optional_policy(`
policykit_dbus_chat(kdumpgui_t)
')
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
@@ -5058,7 +5385,7 @@ index 9a6d67d..d88c02c 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..26f1ff3 100644
+index 2a91fa8..9b22659 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5140,7 +5467,7 @@ index 2a91fa8..26f1ff3 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,180 @@ optional_policy(`
+@@ -266,3 +291,183 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -5197,6 +5524,7 @@ index 2a91fa8..26f1ff3 100644
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
++corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
@@ -5209,6 +5537,8 @@ index 2a91fa8..26f1ff3 100644
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
++# for nvidia driver
++dev_rw_xserver_misc(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
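Review bot: `dev_rw_xserver_misc(mozilla_plugin_t)` grants read/write on every node labelled xserver_misc_device_t, which in the devices.fc hunks later in this patch also covers `/dev/controlD64` and `/dev/mvideo/.*`, so the `# for nvidia driver` comment understates the grant. Consider gating it behind a tunable, or at least widen the comment, e.g. `# for nvidia driver; note xserver_misc_device_t also labels other X misc nodes`. The mozilla_plugin_t block continues outside this hunk.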
@@ -6920,7 +7250,7 @@ index c605046..97b3df2 100644
+miscfiles_read_localization(rssh_chroot_helper_t)
+
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index 9ec1478..ceec04a 100644
+index 9ec1478..e3734df 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
@@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t)
@@ -6935,25 +7265,48 @@ index 9ec1478..ceec04a 100644
auth_use_nsswitch(sambagui_t)
-@@ -39,6 +40,8 @@ miscfiles_read_localization(sambagui_t)
+@@ -37,21 +38,32 @@ logging_send_syslog_msg(sambagui_t)
- nscd_dontaudit_search_pid(sambagui_t)
+ miscfiles_read_localization(sambagui_t)
+-nscd_dontaudit_search_pid(sambagui_t)
+
+-# handling with samba conf files
+-samba_append_log(sambagui_t)
+-samba_manage_config(sambagui_t)
+-samba_manage_var_files(sambagui_t)
+-samba_read_secrets(sambagui_t)
+-samba_initrc_domtrans(sambagui_t)
+-samba_domtrans_smbd(sambagui_t)
+-samba_domtrans_nmbd(sambagui_t)
+userdom_dontaudit_search_admin_dir(sambagui_t)
-+
- # handling with samba conf files
- samba_append_log(sambagui_t)
- samba_manage_config(sambagui_t)
-@@ -53,5 +56,9 @@ optional_policy(`
+
+ optional_policy(`
+ consoletype_exec(sambagui_t)
')
optional_policy(`
++ nscd_dontaudit_search_pid(sambagui_t)
++')
++
++optional_policy(`
+ gnome_dontaudit_search_config(sambagui_t)
+')
+
+optional_policy(`
policykit_dbus_chat(sambagui_t)
')
++
++optional_policy(`
++ # handling with samba conf files
++ samba_append_log(sambagui_t)
++ samba_manage_config(sambagui_t)
++ samba_manage_var_files(sambagui_t)
++ samba_read_secrets(sambagui_t)
++ samba_initrc_domtrans(sambagui_t)
++ samba_domtrans_smbd(sambagui_t)
++ samba_domtrans_nmbd(sambagui_t)
++')
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
new file mode 100644
index 0000000..6caef63
@@ -7275,10 +7628,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..e6e9f42
+index 0000000..2280381
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,465 @@
+@@ -0,0 +1,474 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -7465,6 +7818,14 @@ index 0000000..e6e9f42
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
+
++can_exec(sandbox_x_domain, sandbox_file_t)
++allow sandbox_x_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
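Review bot: `can_exec(sandbox_x_domain, sandbox_file_t)` together with the `manage_files_pattern` rule two lines below gives the sandboxed domain write and execute access on the same type, so anything it drops into its sandbox directory is immediately executable; if that is intended, state it, e.g. `# sandboxed apps may create and run their own binaries in the sandbox dir`. The trailing `;` on the five `*_pattern(...)` lines is inconsistent with every other macro call in this file and should be dropped. `allow sandbox_x_domain sandbox_file_t:filesystem getattr;` only has an effect if sandbox_file_t is also used as a filesystem label, which this hunk does not show — confirm or remove it.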
@@ -7500,6 +7861,8 @@ index 0000000..e6e9f42
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
++mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
++
+selinux_get_fs_mount(sandbox_x_domain)
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
@@ -7508,7 +7871,6 @@ index 0000000..e6e9f42
+selinux_compute_user_contexts(sandbox_x_domain)
+seutil_read_default_contexts(sandbox_x_domain)
+
-+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+term_search_ptys(sandbox_x_domain)
@@ -7799,7 +8161,7 @@ index 320df26..0e4ead0 100644
files_search_tmp($1_screen_t)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..7455c19 100644
+index 1dc7a85..787df80 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -53,8 +53,14 @@ interface(`seunshare_run',`
@@ -7818,7 +8180,7 @@ index 1dc7a85..7455c19 100644
##
##
## Role allowed access.
-@@ -66,15 +72,28 @@ interface(`seunshare_run',`
+@@ -66,15 +72,31 @@ interface(`seunshare_run',`
##
##
#
@@ -7849,15 +8211,18 @@ index 1dc7a85..7455c19 100644
+ allow $1_seunshare_t $3:process transition;
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
++ corecmd_bin_domtrans($1_seunshare_t, $1_t)
++ corecmd_shell_domtrans($1_seunshare_t, $1_t)
++
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1_seunshare_t $3:socket_class_set { read write };
+ ')
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..63db4fd 100644
+index 7590165..44aa6d1 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,48 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
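Review bot: `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` make every bin/shell exec from the privileged helper auto-transition into the full user domain `$1_t`, while the explicit `process transition` rule above targets the sandbox domain `$3`; why the fallback is `$1_t` rather than `$3` is not stated. Add a comment, e.g. `# children exec'd without an explicit exec context return to the caller's domain rather than staying in the helper domain — TODO confirm`. The enclosing template starts before this hunk.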
@@ -7871,7 +8236,7 @@ index 7590165..63db4fd 100644
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
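Review bot: `setgid` joins an already broad capability set (`setuid dac_override setpcap sys_admin`) for seunshare_domain with nothing saying what needs it; for a setuid helper each capability should be justified in place. Propose `# setgid: presumably for setgroups()/dropping supplementary groups before exec — TODO confirm` above the allow line. The seunshare_domain block continues outside the hunk.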
@@ -7894,6 +8259,7 @@ index 7590165..63db4fd 100644
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
+files_manage_generic_tmp_dirs(seunshare_domain)
++files_relabelfrom_tmp_dirs(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
+fs_manage_cgroup_dirs(seunshare_domain)
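Review bot: `files_relabelfrom_tmp_dirs(seunshare_domain)` allows relabelling generic tmp_t directories away, but the matching relabelto target is not in this hunk, so a reader cannot tell which label the directories end up with. A comment naming the destination, e.g. `# relabel tmp dirs to <sandbox type> — TODO confirm target`, ties the two halves together. The seunshare_domain block continues outside the hunk.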
@@ -7907,9 +8273,9 @@ index 7590165..63db4fd 100644
-userdom_use_user_terminals(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
-+
-+userdom_use_user_terminals(seunshare_domain)
++userdom_use_user_terminals(seunshare_domain)
++userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
@@ -8156,10 +8522,10 @@ index 0000000..6878d68
+
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..d4e5e9e
+index 0000000..db7941f
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,331 @@
+@@ -0,0 +1,333 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -8227,6 +8593,7 @@ index 0000000..d4e5e9e
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_connect_sametime_port(telepathy_msn_t)
++corenet_tcp_connect_ssdp_port(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
@@ -8323,6 +8690,7 @@ index 0000000..d4e5e9e
+allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms;
+
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
++corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
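Review bot: `corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)` gives an IRC connection manager reachability to the gatekeeper port, which on its face is unrelated to IRC; the `corenet_tcp_connect_ircd_port` line below already covers the normal case. A comment explaining which service sits on that port, e.g. `# some IRC networks listen on the gatekeeper port — TODO confirm`, would justify the extra reachability. The telepathy_idle_t block continues outside the hunk.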
@@ -9070,7 +9438,7 @@ index 5a07a43..e97e47f 100644
##
##
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..791a227 100644
+index 0757523..6795999 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -9224,7 +9592,7 @@ index 0757523..791a227 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +213,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +213,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -9249,6 +9617,7 @@ index 0757523..791a227 100644
network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -9257,7 +9626,7 @@ index 0757523..791a227 100644
network_port(syslogd, udp,514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
-@@ -205,16 +245,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +246,17 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -9278,7 +9647,7 @@ index 0757523..791a227 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +318,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -9286,42 +9655,19 @@ index 0757523..791a227 100644
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 8ac94e4..c02f095 100644
+index 6cf8784..286aec1 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -18,6 +18,7 @@
- /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
- /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -159,6 +160,7 @@ ifdef(`distro_suse', `
-
- /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-
-+/dev/mqueue(/.*)? <>
- /dev/pts(/.*)? <>
-
- /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -178,13 +180,12 @@ ifdef(`distro_suse', `
-
- /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
-
--/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
-+/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
-
--ifdef(`distro_gentoo',`
- # used by init scripts to initally populate udev /dev
-+/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -187,8 +187,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
--')
+-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+-
ifdef(`distro_redhat',`
# originally from named.fc
-@@ -193,3 +194,8 @@ ifdef(`distro_redhat',`
+ /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
+@@ -196,3 +194,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -9331,7 +9677,7 @@ index 8ac94e4..c02f095 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index efaf808..d1ceca8 100644
+index e9313fb..8083a5b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -9395,132 +9741,73 @@ index efaf808..d1ceca8 100644
## Add entries to directories in /dev.
##
##
-@@ -336,6 +373,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -715,7 +752,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
########################################
##
-+## read generic files in /dev.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_read_generic_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ read_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
- ## Read and write generic files in /dev.
+-## Read symbolic links in device directories.
++## Create symbolic links in device directories.
##
##
-@@ -516,6 +571,24 @@ interface(`dev_getattr_generic_chr_files',`
+ ##
+@@ -723,17 +760,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_read_generic_symlinks',`
++interface(`dev_create_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
- ########################################
- ##
-+## Allow relablefrom for generic character device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabelfrom_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:chr_file relabelfrom;
-+')
-+
-+########################################
-+##
- ## Dontaudit getattr for generic character device files.
- ##
- ##
-@@ -552,6 +625,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+- allow $1 device_t:lnk_file read_lnk_file_perms;
++ create_lnk_files_pattern($1, device_t, device_t)
+ ')
########################################
##
-+## Read generic character device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write generic character device files.
+-## Create symbolic links in device directories.
++## Delete symbolic links in device directories.
##
##
-@@ -570,6 +661,24 @@ interface(`dev_rw_generic_chr_files',`
+ ##
+@@ -741,17 +778,17 @@ interface(`dev_read_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_create_generic_symlinks',`
++interface(`dev_delete_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
- ########################################
- ##
-+## Read and write generic block device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_generic_blk_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:blk_file rw_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Dontaudit attempts to read/write generic character device files.
- ##
- ##
-@@ -679,6 +788,24 @@ interface(`dev_delete_generic_symlinks',`
+- create_lnk_files_pattern($1, device_t, device_t)
++ delete_lnk_files_pattern($1, device_t, device_t)
+ ')
########################################
##
+-## Delete symbolic links in device directories.
+## Read symbolic links in device directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_generic_symlinks',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
- ## Create, delete, read, and write symbolic links in device directories.
##
##
-@@ -1088,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
+ ##
+@@ -759,12 +796,12 @@ interface(`dev_create_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_delete_generic_symlinks',`
++interface(`dev_read_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- delete_lnk_files_pattern($1, device_t, device_t)
++ allow $1 device_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1178,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
########################################
##
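Review bot: This hunk rewrites `dev_read_generic_symlinks`, `dev_create_generic_symlinks` and `dev_delete_generic_symlinks` by swapping their doc headings, `interface(` names and bodies in place, so the net effect is only that the three interfaces change order, yet the diff reads as three behavioural changes that must be cross-checked line by line. Keep the upstream order and drop this part of the patch, or move each block as a whole unit so the diff shows pure motion.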
@@ -9563,82 +9850,7 @@ index efaf808..d1ceca8 100644
## Delete all block device files.
##
##
-@@ -1350,6 +1513,24 @@ interface(`dev_getattr_autofs_dev',`
-
- ########################################
- ##
-+## Relable the autofs device node.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_autofs_dev',`
-+ gen_require(`
-+ type autofs_device_t;
-+ ')
-+
-+ allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes of
- ## the autofs device node.
- ##
-@@ -1597,6 +1778,24 @@ interface(`dev_rw_cpu_microcode',`
-
- ########################################
- ##
-+## Read the kernel crash device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_crash',`
-+ gen_require(`
-+ type device_t, crash_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, crash_device_t)
-+')
-+
-+########################################
-+##
- ## Read and write the the hardware SSL accelerator.
- ##
- ##
-@@ -1979,6 +2178,24 @@ interface(`dev_read_kmsg',`
-
- ########################################
- ##
-+## Do not audit attempts to read the kernel messages
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_kmsg',`
-+ gen_require(`
-+ type kmsg_device_t;
-+ ')
-+
-+ dontaudit $1 kmsg_device_t:chr_file read;
-+')
-+
-+########################################
-+##
- ## Write to the kernel messages device
- ##
- ##
-@@ -3048,24 +3265,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3265,6 @@ interface(`dev_rw_printer',`
########################################
##
@@ -9663,32 +9875,33 @@ index efaf808..d1ceca8 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
##
-@@ -3613,6 +3812,24 @@ interface(`dev_manage_smartcard',`
+@@ -3884,25 +3939,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
##
-+## Associate a file to a sysfs filesystem.
-+##
-+##
-+##
-+## The type of the file to be associated to sysfs.
-+##
-+##
-+#
-+interface(`dev_associate_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem associate;
-+')
-+
-+########################################
-+##
- ## Get the attributes of sysfs directories.
+-## Create, read, write, and delete sysfs
+-## directories.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`dev_manage_sysfs_dirs',`
+- gen_require(`
+- type sysfs_t;
+- ')
+-
+- manage_dirs_pattern($1, sysfs_t, sysfs_t)
+-')
+-
+-########################################
+-##
+ ## Read hardware state information.
##
- ##
-@@ -3773,6 +3990,24 @@ interface(`dev_rw_sysfs',`
+ ##
+@@ -3954,6 +3990,24 @@ interface(`dev_rw_sysfs',`
########################################
##
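Review bot: The new hunk deletes the upstream `dev_manage_sysfs_dirs` interface outright, which breaks any module that calls it at build time; nothing in this patch shows a replacement or a reason. If it was moved or renamed, say where in a comment at the deletion site, otherwise leaving the public interface in place is safer than removing it.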
@@ -9713,63 +9926,11 @@ index efaf808..d1ceca8 100644
## Read and write the TPM device.
##
##
-@@ -3960,6 +4195,24 @@ interface(`dev_read_usbmon_dev',`
-
- ########################################
- ##
-+## Write USB monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_usbmon_dev',`
-+ gen_require(`
-+ type device_t, usbmon_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, usbmon_device_t)
-+')
-+
-+########################################
-+##
- ## Mount a usbfs filesystem.
- ##
- ##
-@@ -4270,11 +4523,10 @@ interface(`dev_write_video_dev',`
- #
- interface(`dev_rw_vhost',`
- gen_require(`
-- type vhost_device_t;
-+ type device_t, vhost_device_t;
- ')
-
-- list_dirs_pattern($1, vhost_device_t, vhost_device_t)
-- rw_files_pattern($1, vhost_device_t, vhost_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index c03e21b..2942d8d 100644
+index 3ff4f60..89ffda6 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
-@@ -56,6 +56,12 @@ dev_node(clock_device_t)
- type cpu_device_t;
- dev_node(cpu_device_t)
-
-+#
-+# Type for /dev/crash
-+#
-+type crash_device_t;
-+dev_node(crash_device_t)
-+
- # for the IBM zSeries z90crypt hardware ssl accelorator
- type crypt_device_t;
- dev_node(crypt_device_t)
-@@ -102,6 +108,7 @@ dev_node(ksm_device_t)
+@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
@@ -9777,7 +9938,7 @@ index c03e21b..2942d8d 100644
#
# Type for /dev/lirc
-@@ -304,5 +311,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +311,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -9881,7 +10042,7 @@ index aad8c52..6ac24b0 100644
+ dontaudit $1 domain:socket_class_set { read write };
+')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index bc534c1..2a6b5e1 100644
+index bc534c1..b70ea07 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.0)
@@ -9974,7 +10135,7 @@ index bc534c1..2a6b5e1 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,85 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -9983,10 +10144,14 @@ index bc534c1..2a6b5e1 100644
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
-+seutil_dontaudit_read_config(domain)
++optional_policy(`
++ seutil_dontaudit_read_config(domain)
++')
+
-+init_sigchld(domain)
-+init_signull(domain)
++optional_policy(`
++ init_sigchld(domain)
++ init_signull(domain)
++')
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
@@ -10061,7 +10226,7 @@ index bc534c1..2a6b5e1 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..f798a69 100644
+index 16108f6..2abd3eb 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -10072,9 +10237,9 @@ index 3517db2..f798a69 100644
')
ifdef(`distro_suse',`
-@@ -64,6 +65,13 @@ ifdef(`distro_suse',`
- /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -58,6 +59,13 @@ ifdef(`distro_suse',`
+ /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
@@ -10086,7 +10251,7 @@ index 3517db2..f798a69 100644
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
-@@ -74,7 +82,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -10098,7 +10263,7 @@ index 3517db2..f798a69 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -95,7 +106,7 @@ ifdef(`distro_suse',`
+@@ -89,7 +100,7 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
@@ -10107,7 +10272,7 @@ index 3517db2..f798a69 100644
HOME_ROOT/\.journal <>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <>
-@@ -159,6 +170,12 @@ HOME_ROOT/lost\+found/.* <>
+@@ -153,6 +164,12 @@ HOME_ROOT/lost\+found/.* <>
/proc -d <>
/proc/.* <>
@@ -10120,7 +10285,7 @@ index 3517db2..f798a69 100644
#
# /selinux
#
-@@ -172,12 +189,6 @@ HOME_ROOT/lost\+found/.* <>
+@@ -166,12 +183,6 @@ HOME_ROOT/lost\+found/.* <>
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
@@ -10133,7 +10298,7 @@ index 3517db2..f798a69 100644
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -217,7 +228,6 @@ HOME_ROOT/lost\+found/.* <>
+@@ -211,7 +222,6 @@ HOME_ROOT/lost\+found/.* <>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
@@ -10141,7 +10306,7 @@ index 3517db2..f798a69 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -233,6 +243,8 @@ ifndef(`distro_redhat',`
+@@ -227,6 +237,8 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -10150,7 +10315,7 @@ index 3517db2..f798a69 100644
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-@@ -249,7 +261,7 @@ ifndef(`distro_redhat',`
+@@ -243,7 +255,7 @@ ifndef(`distro_redhat',`
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -10159,7 +10324,7 @@ index 3517db2..f798a69 100644
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
-@@ -258,3 +270,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +264,7 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -10168,7 +10333,7 @@ index 3517db2..f798a69 100644
+
+/usr/lib/debug(/.*)? <>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..0a4f89a 100644
+index 958ca84..d451c3f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11359,7 +11524,7 @@ index ed203b2..0a4f89a 100644
+ dontaudit $1 file_type:file_class_set write;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index e8a6b1d..fd53860 100644
+index 6e01635..212a736 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute lockfile;
@@ -11415,7 +11580,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..c19e896 100644
+index dfe361a..fbbd1ce 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -11531,10 +11696,28 @@ index dfe361a..c19e896 100644
## Create, read, write, and delete all noxattrfs directories.
##
##
-@@ -1088,6 +1133,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',`
########################################
##
++## Read/Write all inherited noxattrfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_noxattr_fs_files',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ allow $1 noxattrfs:file rw_inherited_file_perms;
++')
++
++########################################
++##
+## Do not audit read all noxattrfs files.
+##
+##
@@ -11556,7 +11739,7 @@ index dfe361a..c19e896 100644
## Dont audit attempts to write to noxattrfs files.
##
##
-@@ -1227,6 +1290,24 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
##
@@ -11564,7 +11747,7 @@ index dfe361a..c19e896 100644
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
@@ -11578,10 +11761,28 @@ index dfe361a..c19e896 100644
+
+########################################
+##
++## Read/Write inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
##
-@@ -1241,7 +1322,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -11590,7 +11791,7 @@ index dfe361a..c19e896 100644
')
########################################
-@@ -1504,6 +1585,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -11616,7 +11817,7 @@ index dfe361a..c19e896 100644
#######################################
##
## Create, read, write, and delete dirs
-@@ -1659,6 +1759,25 @@ interface(`fs_search_dos',`
+@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',`
########################################
##
@@ -11642,7 +11843,7 @@ index dfe361a..c19e896 100644
## Create, read, write, and delete dirs
## on a DOS filesystem.
##
-@@ -1892,6 +2011,26 @@ interface(`fs_manage_fusefs_files',`
+@@ -1892,6 +2047,26 @@ interface(`fs_manage_fusefs_files',`
########################################
##
@@ -11669,7 +11870,7 @@ index dfe361a..c19e896 100644
## Do not audit attempts to create,
## read, write, and delete files
## on a FUSEFS filesystem.
-@@ -1931,7 +2070,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +2106,26 @@ interface(`fs_read_fusefs_symlinks',`
########################################
##
@@ -11697,7 +11898,7 @@ index dfe361a..c19e896 100644
##
##
##
-@@ -1946,6 +2104,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2140,41 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -11739,7 +11940,7 @@ index dfe361a..c19e896 100644
########################################
##
-@@ -1999,6 +2192,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2228,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -11747,7 +11948,7 @@ index dfe361a..c19e896 100644
')
########################################
-@@ -2331,6 +2525,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2561,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -11755,7 +11956,7 @@ index dfe361a..c19e896 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2369,6 +2564,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2600,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -11763,7 +11964,7 @@ index dfe361a..c19e896 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2395,6 +2591,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2627,25 @@ interface(`fs_exec_nfs_files',`
########################################
##
@@ -11789,7 +11990,7 @@ index dfe361a..c19e896 100644
## Append files
## on a NFS filesystem.
##
-@@ -2435,6 +2650,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2686,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
##
@@ -11797,7 +11998,7 @@ index dfe361a..c19e896 100644
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
@@ -11811,10 +12012,28 @@ index dfe361a..c19e896 100644
+
+########################################
+##
++## Read/write inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
-@@ -2449,7 +2682,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2736,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -11823,7 +12042,7 @@ index dfe361a..c19e896 100644
')
########################################
-@@ -2637,6 +2870,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2924,24 @@ interface(`fs_dontaudit_read_removable_files',`
########################################
##
@@ -11848,7 +12067,7 @@ index dfe361a..c19e896 100644
## Read removable storage symbolic links.
##
##
-@@ -2653,6 +2904,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +2958,25 @@ interface(`fs_read_removable_symlinks',`
read_lnk_files_pattern($1, removable_t, removable_t)
')
@@ -11874,7 +12093,7 @@ index dfe361a..c19e896 100644
########################################
##
## Read and write block nodes on removable filesystems.
-@@ -2779,6 +3049,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +3103,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -11882,7 +12101,7 @@ index dfe361a..c19e896 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -2819,6 +3090,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3144,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -11890,7 +12109,7 @@ index dfe361a..c19e896 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2845,7 +3117,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3171,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
##
## Create, read, write, and delete symbolic links
@@ -11899,7 +12118,7 @@ index dfe361a..c19e896 100644
##
##
##
-@@ -2859,6 +3131,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3185,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -11907,7 +12126,7 @@ index dfe361a..c19e896 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3989,6 +4262,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4316,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -11950,7 +12169,7 @@ index dfe361a..c19e896 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4271,6 +4580,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4634,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -11959,7 +12178,7 @@ index dfe361a..c19e896 100644
')
########################################
-@@ -4681,3 +4992,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5046,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -12228,7 +12447,7 @@ index 069d36c..adaabf4 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5001b89..d513268 100644
+index 5001b89..160976e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -12258,7 +12477,7 @@ index 5001b89..d513268 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -268,19 +272,31 @@ files_list_root(kernel_t)
+@@ -268,19 +272,28 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -12277,20 +12496,29 @@ index 5001b89..d513268 100644
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
-+
-+logging_manage_generic_logs(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
-+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -357,6 +373,10 @@ optional_policy(`
+@@ -296,6 +309,11 @@ optional_policy(`
+
+ optional_policy(`
+ logging_send_syslog_msg(kernel_t)
++ logging_manage_generic_logs(kernel_t)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+ ')
+
+ optional_policy(`
+@@ -357,6 +375,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
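Review bot: `logging_manage_generic_logs(kernel_t)` and `userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })` are kept unchanged and only moved under `optional_policy`, and neither carries a comment saying which kernel-thread workload needs kernel_t to create, write and delete generic log files, or to have files it creates in user home directories labelled as user home content. Both are unusual for kernel_t — most neighbouring file rules in this hunk (`files_list_etc`, `files_list_home`, `files_read_usr_files`) are list/read only — so a one-line why-comment on each, e.g. `# kernel_t writes under /var/log for <workload>; narrow to a dedicated log type if possible`, would let a later reviewer re-check or tighten them. The `optional_policy` wrapping itself is correct: the logging and userdomain interfaces are now referenced only when those modules are present. The enclosing kernel_t policy continues outside the hunk.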
@@ -12794,10 +13022,10 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..62c9b17 100644
+index 2be17d2..6898bd0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,56 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -12835,14 +13063,6 @@ index 2be17d2..62c9b17 100644
+
+miscfiles_read_hwdata(staff_usertype)
+
-+modutils_read_module_config(staff_usertype)
-+modutils_read_module_deps(staff_usertype)
-+
-+netutils_run_ping(staff_t, staff_r)
-+netutils_run_traceroute(staff_t, staff_r)
-+netutils_signal_ping(staff_t)
-+netutils_kill_ping(staff_t)
-+
+ifndef(`enable_mls',`
+ selinux_read_policy(staff_t)
+')
@@ -12854,7 +13074,7 @@ index 2be17d2..62c9b17 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +71,118 @@ optional_policy(`
+@@ -27,25 +63,138 @@ optional_policy(`
')
optional_policy(`
@@ -12863,6 +13083,10 @@ index 2be17d2..62c9b17 100644
+')
+
+optional_policy(`
++ colord_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ gnomeclock_dbus_chat(staff_t)
+')
+
@@ -12897,6 +13121,18 @@ index 2be17d2..62c9b17 100644
+')
+
+optional_policy(`
++ modutils_read_module_config(staff_usertype)
++ modutils_read_module_deps(staff_usertype)
++')
++
++optional_policy(`
++ netutils_run_ping(staff_t, staff_r)
++ netutils_run_traceroute(staff_t, staff_r)
++ netutils_signal_ping(staff_t)
++ netutils_kill_ping(staff_t)
++')
++
++optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
@@ -12910,6 +13146,10 @@ index 2be17d2..62c9b17 100644
')
optional_policy(`
++ qemu_role(staff_r, staff_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(staff_t)
+')
+
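Review bot: `qemu_role(staff_r, staff_t)` is a new privilege for the staff role — presumably a domain transition into the qemu domain plus the matching role authorisation — added without a comment on why staff users, rather than only sysadm or unconfined users, need to launch qemu directly. The grant sits correctly inside `optional_policy`, so it is inert when the qemu module is absent, but a short note such as `# staff users may run qemu directly (desktop virtualization) — confirm` would record the decision. If the real need is only management through libvirt, the narrower virt/libvirt role interfaces may be enough — confirm against what staff users actually run. The surrounding staff_t policy continues outside the hunk.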
@@ -12975,7 +13215,7 @@ index 2be17d2..62c9b17 100644
optional_policy(`
vlock_run(staff_t, staff_r)
-@@ -89,10 +226,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -12986,7 +13226,7 @@ index 2be17d2..62c9b17 100644
gpg_role(staff_r, staff_t)
')
-@@ -137,10 +270,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -12997,7 +13237,7 @@ index 2be17d2..62c9b17 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +301,8 @@ ifndef(`distro_redhat',`
+@@ -172,3 +313,8 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -13007,10 +13247,10 @@ index 2be17d2..62c9b17 100644
+')
+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..8839731 100644
+index 4a8d146..d721e34 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
#
# Local policy
#
@@ -13037,7 +13277,6 @@ index 4a8d146..8839731 100644
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
-+modutils_read_module_deps(sysadm_t)
+
+miscfiles_read_hwdata(sysadm_t)
@@ -13052,7 +13291,7 @@ index 4a8d146..8839731 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -13060,7 +13299,7 @@ index 4a8d146..8839731 100644
')
tunable_policy(`allow_ptrace',`
-@@ -69,7 +91,6 @@ optional_policy(`
+@@ -69,7 +90,6 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -13068,7 +13307,7 @@ index 4a8d146..8839731 100644
')
optional_policy(`
-@@ -98,6 +119,10 @@ optional_policy(`
+@@ -98,6 +118,10 @@ optional_policy(`
')
optional_policy(`
@@ -13079,7 +13318,7 @@ index 4a8d146..8839731 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -114,7 +139,7 @@ optional_policy(`
+@@ -114,7 +138,7 @@ optional_policy(`
')
optional_policy(`
@@ -13088,7 +13327,7 @@ index 4a8d146..8839731 100644
')
optional_policy(`
-@@ -124,6 +149,10 @@ optional_policy(`
+@@ -124,6 +148,10 @@ optional_policy(`
')
optional_policy(`
@@ -13099,7 +13338,7 @@ index 4a8d146..8839731 100644
ddcprobe_run(sysadm_t, sysadm_r)
')
-@@ -163,6 +192,13 @@ optional_policy(`
+@@ -163,6 +191,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -13113,7 +13352,7 @@ index 4a8d146..8839731 100644
')
optional_policy(`
-@@ -170,15 +206,15 @@ optional_policy(`
+@@ -170,15 +205,15 @@ optional_policy(`
')
optional_policy(`
@@ -13132,7 +13371,12 @@ index 4a8d146..8839731 100644
')
optional_policy(`
-@@ -202,14 +238,7 @@ optional_policy(`
+@@ -198,18 +233,12 @@ optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
++ modutils_read_module_deps(sysadm_t)
+ ')
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -14048,10 +14292,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..daf56b2
+index 0000000..77c513d
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,497 @@
+@@ -0,0 +1,499 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -14153,9 +14397,11 @@ index 0000000..daf56b2
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
-+mount_run_unconfined(unconfined_t, unconfined_r)
-+# Unconfined running as system_r
-+mount_domtrans_unconfined(unconfined_t)
++optional_policy(`
++ mount_run_unconfined(unconfined_t, unconfined_r)
++ # Unconfined running as system_r
++ mount_domtrans_unconfined(unconfined_t)
++')
+
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
@@ -14550,10 +14796,10 @@ index 0000000..daf56b2
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..54ea4f5 100644
+index e5bfdd4..10d03a3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,63 @@ role user_r;
+@@ -12,15 +12,67 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -14572,6 +14818,10 @@ index e5bfdd4..54ea4f5 100644
')
optional_policy(`
++ colord_dbus_chat(user_t)
++')
++
++optional_policy(`
+ gnome_role(user_r, user_t)
+')
+
@@ -14617,7 +14867,7 @@ index e5bfdd4..54ea4f5 100644
vlock_run(user_t, user_r)
')
-@@ -62,10 +110,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +114,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -14628,7 +14878,7 @@ index e5bfdd4..54ea4f5 100644
gpg_role(user_r, user_t)
')
-@@ -118,7 +162,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +166,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -14637,7 +14887,7 @@ index e5bfdd4..54ea4f5 100644
')
optional_policy(`
-@@ -157,3 +201,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +205,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -14655,7 +14905,7 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..06b0e48 100644
+index e88b95f..9d37855 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -14689,12 +14939,14 @@ index e88b95f..06b0e48 100644
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
-@@ -48,12 +48,21 @@ ifndef(`enable_mls',`
- storage_raw_read_removable_device(xguest_t)
+@@ -49,11 +49,23 @@ ifndef(`enable_mls',`
')
')
-+# Dontaudit fusermount
-+mount_dontaudit_exec_fusermount(xguest_t)
+
++optional_policy(`
++ # Dontaudit fusermount
++ mount_dontaudit_exec_fusermount(xguest_t)
++')
+
+allow xguest_t self:process execmem;
+kernel_dontaudit_request_load_module(xguest_t)
@@ -14702,7 +14954,7 @@ index e88b95f..06b0e48 100644
+tunable_policy(`allow_execstack',`
+ allow xguest_t self:process execstack;
+')
-
++
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
@@ -14712,7 +14964,7 @@ index e88b95f..06b0e48 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -62,10 +71,9 @@ optional_policy(`
+@@ -62,10 +74,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -14724,14 +14976,13 @@ index e88b95f..06b0e48 100644
')
')
-@@ -76,23 +84,99 @@ optional_policy(`
+@@ -76,23 +87,98 @@ optional_policy(`
')
optional_policy(`
+ chrome_role(xguest_r, xguest_usertype)
+')
+
-+
+optional_policy(`
hal_dbus_chat(xguest_t)
')
@@ -14755,18 +15006,18 @@ index e88b95f..06b0e48 100644
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
++ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
+optional_policy(`
-+ mozilla_run_plugin(xguest_t, xguest_r)
++ nsplugin_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
-+ nsplugin_role(xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
')
@@ -15364,10 +15615,10 @@ index 0000000..6bf0ad6
+')
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644
-index 0000000..4b9dc88
+index 0000000..dda9c93
--- /dev/null
+++ b/policy/modules/services/aiccu.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,75 @@
+policy_module(aiccu, 1.0.0)
+
+########################################
@@ -15435,10 +15686,14 @@ index 0000000..4b9dc88
+
+miscfiles_read_localization(aiccu_t)
+
-+modutils_domtrans_insmod(aiccu_t)
++optional_policy(`
++ modutils_domtrans_insmod(aiccu_t)
++')
+
-+sysnet_domtrans_ifconfig(aiccu_t)
-+sysnet_dns_name_resolve(aiccu_t)
++optional_policy(`
++ sysnet_domtrans_ifconfig(aiccu_t)
++ sysnet_dns_name_resolve(aiccu_t)
++')
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 838d25b..0b0db39 100644
--- a/policy/modules/services/aide.if
@@ -15678,7 +15933,7 @@ index ceb2142..e31d92a 100644
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index c3a1903..0140399 100644
+index c3a1903..19fb14a 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -47,7 +47,7 @@ files_type(amavis_spool_t)
@@ -15716,10 +15971,39 @@ index c3a1903..0140399 100644
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
-@@ -170,6 +171,10 @@ optional_policy(`
+@@ -152,24 +153,32 @@ sysnet_use_ldap(amavis_t)
+
+ userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+-# Cron handling
+-cron_use_fds(amavis_t)
+-cron_use_system_job_fds(amavis_t)
+-cron_rw_pipes(amavis_t)
+-
+-mta_read_config(amavis_t)
+-
+ optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
+ ')
+
+ optional_policy(`
++ #Cron handling
++ cron_use_fds(amavis_t)
++ cron_use_system_job_fds(amavis_t)
++ cron_rw_pipes(amavis_t)
++')
++
++optional_policy(`
+ dcc_domtrans_client(amavis_t)
+ dcc_stream_connect_dccifd(amavis_t)
')
optional_policy(`
++ mta_read_config(amavis_t)
++')
++
++optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
@@ -17320,7 +17604,7 @@ index 1ea99b2..49e6c74 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..5fbd9b3 100644
+index 1c8c27e..ca71f13 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -17348,7 +17632,17 @@ index 1c8c27e..5fbd9b3 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -142,9 +146,8 @@ ifdef(`distro_redhat',`
+@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t)
+ miscfiles_read_localization(apmd_t)
+ miscfiles_read_hwdata(apmd_t)
+
+-modutils_domtrans_insmod(apmd_t)
+-modutils_read_module_config(apmd_t)
+-
+ seutil_dontaudit_read_config(apmd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+@@ -142,9 +143,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -17359,7 +17653,7 @@ index 1c8c27e..5fbd9b3 100644
')
optional_policy(`
-@@ -155,6 +158,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +155,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -17375,6 +17669,18 @@ index 1c8c27e..5fbd9b3 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
+@@ -205,6 +214,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(apmd_t)
++ modutils_read_module_config(apmd_t)
++')
++
++optional_policy(`
+ pcmcia_domtrans_cardmgr(apmd_t)
+ pcmcia_domtrans_cardctl(apmd_t)
+ ')
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index c804110..bdefbe1 100644
--- a/policy/modules/services/arpwatch.if
@@ -17482,17 +17788,33 @@ index d80a16b..a43e006 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
-index 39799db..6189565 100644
+index 39799db..d174b05 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
-@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t)
+@@ -143,9 +143,6 @@ logging_search_logs(automount_t)
+ miscfiles_read_localization(automount_t)
+ miscfiles_read_generic_certs(automount_t)
- # Run mount in the mount_t domain.
- mount_domtrans(automount_t)
-+mount_domtrans_showmount(automount_t)
- mount_signal(automount_t)
+-# Run mount in the mount_t domain.
+-mount_domtrans(automount_t)
+-mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
+ userdom_dontaudit_search_user_home_dirs(automount_t)
+@@ -155,6 +152,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
++ mount_domtrans(automount_t)
++ mount_domtrans_showmount(automount_t)
++ mount_signal(automount_t)
++')
++
++optional_policy(`
+ fstools_domtrans(automount_t)
+ ')
+
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 61c74bc..c6b0498 100644
--- a/policy/modules/services/avahi.if
@@ -17506,10 +17828,18 @@ index 61c74bc..c6b0498 100644
allow avahi_t $1:dbus send_msg;
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index a7a0e71..15686e9 100644
+index a7a0e71..5352ef6 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
-@@ -46,6 +46,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
+
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
++init_sock_file(avahi_var_run_t)
+
+ ########################################
+ #
+@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
kernel_read_network_state(avahi_t)
@@ -17517,7 +17847,7 @@ index a7a0e71..15686e9 100644
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-@@ -104,6 +105,10 @@ optional_policy(`
+@@ -104,6 +106,10 @@ optional_policy(`
')
optional_policy(`
@@ -18329,10 +18659,10 @@ index 0000000..3964548
+')
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
new file mode 100644
-index 0000000..c63c8fa
+index 0000000..b73c9f2
--- /dev/null
+++ b/policy/modules/services/bugzilla.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,57 @@
+policy_module(bugzilla, 1.0)
+
+########################################
@@ -18375,12 +18705,14 @@ index 0000000..c63c8fa
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
-+mta_send_mail(httpd_bugzilla_script_t)
-+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
++ mta_send_mail(httpd_bugzilla_script_t)
++')
++
++optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
@@ -18466,10 +18798,10 @@ index 0000000..3b41945
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
-index 0000000..575c16e
+index 0000000..e7d2a5b
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,145 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -18535,7 +18867,9 @@ index 0000000..575c16e
+#
+# Permit RPM to deal with files in the cache
+#
-+rpm_use_script_fds(cachefilesd_t)
++optional_policy(`
++ rpm_use_script_fds(cachefilesd_t)
++')
+
+###############################################################################
+#
@@ -19231,7 +19565,7 @@ index 1f11572..7f6a7ab 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..f1571f1 100644
+index f758323..f2f0739 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
@@ -19276,7 +19610,29 @@ index f758323..f1571f1 100644
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-@@ -147,8 +151,10 @@ optional_policy(`
+@@ -127,12 +131,16 @@ logging_send_syslog_msg(clamd_t)
+
+ miscfiles_read_localization(clamd_t)
+
+-cron_use_fds(clamd_t)
+-cron_use_system_job_fds(clamd_t)
+-cron_rw_pipes(clamd_t)
++optional_policy(`
++ cron_use_fds(clamd_t)
++ cron_use_system_job_fds(clamd_t)
++ cron_rw_pipes(clamd_t)
++')
+
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
++optional_policy(`
++ mta_read_config(clamd_t)
++ mta_send_mail(clamd_t)
++')
+
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+@@ -147,8 +155,10 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
@@ -19288,7 +19644,7 @@ index f758323..f1571f1 100644
')
########################################
-@@ -178,10 +184,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +188,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -19307,7 +19663,7 @@ index f758323..f1571f1 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +201,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +205,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -19315,7 +19671,7 @@ index f758323..f1571f1 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +220,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +224,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -19338,7 +19694,7 @@ index f758323..f1571f1 100644
########################################
#
# clamscam local policy
-@@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
+@@ -248,9 +267,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
@@ -19350,13 +19706,17 @@ index f758323..f1571f1 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,7 +285,12 @@ miscfiles_read_public_files(clamscan_t)
+
clamav_stream_connect(clamscan_t)
- mta_send_mail(clamscan_t)
-+mta_read_queue(clamscan_t)
-+
+-mta_send_mail(clamscan_t)
+sysnet_read_config(clamscan_t)
++
++optional_policy(`
++ mta_send_mail(clamscan_t)
++ mta_read_queue(clamscan_t)
++')
optional_policy(`
amavis_read_spool_files(clamscan_t)
@@ -20046,8 +20406,140 @@ index 0258b48..8fde016 100644
+list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
+new file mode 100644
+index 0000000..7a01ff6
+--- /dev/null
++++ b/policy/modules/services/colord.fc
+@@ -0,0 +1,4 @@
++
++/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
++
++/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
+new file mode 100644
+index 0000000..38cb883
+--- /dev/null
++++ b/policy/modules/services/colord.if
+@@ -0,0 +1,42 @@
++
++## policy for colord
++
++########################################
++##
++## Execute a domain transition to run colord.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`colord_domtrans',`
++ gen_require(`
++ type colord_t, colord_exec_t;
++ ')
++
++ domtrans_pattern($1, colord_exec_t, colord_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## colord over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`colord_dbus_chat',`
++ gen_require(`
++ type colord_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 colord_t:dbus send_msg;
++ allow colord_t $1:dbus send_msg;
++')
++
+diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
+new file mode 100644
+index 0000000..0ecb72e
+--- /dev/null
++++ b/policy/modules/services/colord.te
+@@ -0,0 +1,68 @@
++policy_module(colord,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type colord_t;
++type colord_exec_t;
++dbus_system_domain(colord_t, colord_exec_t)
++
++type colord_var_lib_t;
++files_type(colord_var_lib_t)
++
++type colord_tmp_t;
++files_tmp_file(colord_tmp_t)
++
++permissive colord_t;
++
++########################################
++#
++# colord local policy
++#
++allow colord_t self:fifo_file rw_fifo_file_perms;
++allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
++
++manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
++
++kernel_read_device_sysctls(colord_t)
++
++corenet_udp_bind_generic_node(colord_t)
++corenet_udp_bind_ipp_port(colord_t)
++
++dev_read_raw_memory(colord_t)
++dev_write_raw_memory(colord_t)
++dev_read_video_dev(colord_t)
++dev_write_video_dev(colord_t)
++dev_read_rand(colord_t)
++dev_read_sysfs(colord_t)
++dev_read_urand(colord_t)
++dev_list_sysfs(colord_t)
++dev_read_generic_usb_dev(colord_t)
++
++domain_use_interactive_fds(colord_t)
++
++files_read_etc_files(colord_t)
++files_read_usr_files(colord_t)
++
++miscfiles_read_localization(colord_t)
++
++sysnet_dns_name_resolve(colord_t)
++
++optional_policy(`
++ cups_read_rw_config(colord_t)
++ cups_stream_connect(colord_t)
++ cups_dbus_chat(colord_t)
++')
++
++optional_policy(`
++ udev_read_db(colord_t)
++')
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index 42c6bd7..8f23087 100644
+index fd15dfe..ad224fa 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
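Review bot: `dev_read_raw_memory(colord_t)` and `dev_write_raw_memory(colord_t)` in the new colord.te give a D-Bus system service (`dbus_system_domain(colord_t, colord_exec_t)`) read and write access to raw memory device nodes, effectively a physical-memory write path (subject to the kernel's devmem restrictions) that goes far beyond what the rest of the module — USB, video, sysfs, tmp and /var/lib access — suggests a colour-management daemon needs. Because the module also declares `permissive colord_t;`, none of its rules are enforced yet, so a denial on the memory device would never have shown up as a functional problem; if these two lines were harvested from an AVC log taken in permissive mode, confirm colord actually opens the device and otherwise drop them (or use a dontaudit if the access is merely probed). A why-comment above the remaining device rules, e.g. `# colorimeters are reached over USB; video and sysfs for display probing`, would make the set reviewable. Style nit: `policy_module(colord,1.0.0)` lacks the space after the comma used by every other module header (`policy_module(colord, 1.0.0)`).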
@@ -20115,8 +20607,8 @@ index 42c6bd7..8f23087 100644
## Read consolekit log files.
##
##
-@@ -95,3 +134,22 @@ interface(`consolekit_read_pid_files',`
- files_search_pids($1)
+@@ -96,3 +135,22 @@ interface(`consolekit_read_pid_files',`
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
@@ -20139,7 +20631,7 @@ index 42c6bd7..8f23087 100644
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index daf151d..16c0746 100644
+index e67a003..894d4e0 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
@@ -20152,7 +20644,7 @@ index daf151d..16c0746 100644
########################################
#
# consolekit local policy
-@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
@@ -20162,8 +20654,12 @@ index daf151d..16c0746 100644
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
- hal_ptrace(consolekit_t)
-@@ -83,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
+-hal_ptrace(consolekit_t)
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(consolekit_t)
+ ')
+@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -20171,10 +20667,14 @@ index daf151d..16c0746 100644
+')
+
+optional_policy(`
++ hal_ptrace(consolekit_t)
++')
++
++optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
-@@ -99,6 +109,10 @@ optional_policy(`
+@@ -99,6 +111,10 @@ optional_policy(`
')
optional_policy(`
@@ -20185,7 +20685,7 @@ index daf151d..16c0746 100644
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
-@@ -106,9 +120,10 @@ optional_policy(`
+@@ -106,9 +122,10 @@ optional_policy(`
')
optional_policy(`
@@ -20198,7 +20698,7 @@ index daf151d..16c0746 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +140,6 @@ optional_policy(`
+@@ -125,5 +142,6 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
@@ -20735,15 +21235,9 @@ index 35241ed..b6402c9 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..9941737 100644
+index f7583ab..9941737 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
-@@ -1,4 +1,4 @@
--policy_module(cron, 2.2.0)
-+policy_module(cron, 2.2.1)
-
- gen_require(`
- class passwd rootok;
@@ -10,18 +10,18 @@ gen_require(`
#
@@ -20883,7 +21377,7 @@ index f35b243..9941737 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,12 +220,18 @@ files_list_usr(crond_t)
+@@ -203,11 +220,16 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
@@ -20898,11 +21392,9 @@ index f35b243..9941737 100644
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
-+logging_set_loginuid(crond_t)
+ logging_set_loginuid(crond_t)
- seutil_read_config(crond_t)
- seutil_read_default_contexts(crond_t)
-@@ -219,8 +242,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -20913,7 +21405,7 @@ index f35b243..9941737 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -232,7 +257,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
')
')
@@ -20922,16 +21414,7 @@ index f35b243..9941737 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -240,16 +265,39 @@ ifdef(`distro_redhat', `
- ')
- ')
-
-+tunable_policy(`allow_polyinstantiation',`
-+ files_polyinstantiate_all(crond_t)
-+')
-+
- tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -20962,7 +21445,7 @@ index f35b243..9941737 100644
amanda_search_var_lib(crond_t)
')
-@@ -259,6 +307,8 @@ optional_policy(`
+@@ -264,6 +307,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -20971,7 +21454,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -284,12 +334,18 @@ optional_policy(`
+@@ -289,12 +334,18 @@ optional_policy(`
udev_read_db(crond_t)
')
@@ -20990,7 +21473,7 @@ index f35b243..9941737 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -21011,7 +21494,7 @@ index f35b243..9941737 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -324,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -21019,7 +21502,7 @@ index f35b243..9941737 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -21034,7 +21517,7 @@ index f35b243..9941737 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -21042,7 +21525,7 @@ index f35b243..9941737 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -21050,7 +21533,7 @@ index f35b243..9941737 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -408,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -21062,7 +21545,7 @@ index f35b243..9941737 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -434,6 +508,8 @@ optional_policy(`
+@@ -439,6 +508,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -21071,7 +21554,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -441,6 +517,14 @@ optional_policy(`
+@@ -446,6 +517,14 @@ optional_policy(`
')
optional_policy(`
@@ -21086,7 +21569,7 @@ index f35b243..9941737 100644
ftp_read_log(system_cronjob_t)
')
-@@ -451,15 +535,24 @@ optional_policy(`
+@@ -456,15 +535,24 @@ optional_policy(`
')
optional_policy(`
@@ -21111,7 +21594,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -475,7 +568,7 @@ optional_policy(`
+@@ -480,7 +568,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -21120,7 +21603,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -490,6 +583,7 @@ optional_policy(`
+@@ -495,6 +583,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -21128,7 +21611,7 @@ index f35b243..9941737 100644
')
optional_policy(`
-@@ -497,7 +591,13 @@ optional_policy(`
+@@ -502,7 +591,13 @@ optional_policy(`
')
optional_policy(`
@@ -21142,7 +21625,7 @@ index f35b243..9941737 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -590,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -21230,7 +21713,7 @@ index 305ddf4..777091a 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..cf33683 100644
+index 0f28095..1c96265 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -21281,7 +21764,20 @@ index 0f28095..cf33683 100644
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
-@@ -297,8 +301,10 @@ optional_policy(`
+@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t)
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+
+-# Write to /var/spool/cups.
+-lpd_manage_spool(cupsd_t)
+-lpd_read_config(cupsd_t)
+-lpd_exec_lpr(cupsd_t)
+-lpd_relabel_spool(cupsd_t)
+-
+ optional_policy(`
+ apm_domtrans_client(cupsd_t)
+ ')
+@@ -297,8 +295,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -21292,7 +21788,22 @@ index 0f28095..cf33683 100644
')
')
-@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -315,6 +315,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Write to /var/spool/cups.
++ lpd_manage_spool(cupsd_t)
++ lpd_read_config(cupsd_t)
++ lpd_exec_lpr(cupsd_t)
++ lpd_relabel_spool(cupsd_t)
++')
++
++optional_policy(`
+ mta_send_mail(cupsd_t)
+ ')
+
+@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -21303,7 +21814,7 @@ index 0f28095..cf33683 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -21311,6 +21822,11 @@ index 0f28095..cf33683 100644
cups_stream_connect(cupsd_config_t)
+-lpd_read_config(cupsd_config_t)
+-
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_read_db(cupsd_config_t)
@@ -453,6 +461,10 @@ optional_policy(`
')
@@ -21322,7 +21838,18 @@ index 0f28095..cf33683 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -587,14 +599,16 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -467,6 +479,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ lpd_read_config(cupsd_config_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+ ')
+@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -21334,13 +21861,15 @@ index 0f28095..cf33683 100644
userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
- lpd_manage_spool(cups_pdf_t)
-
+-lpd_manage_spool(cups_pdf_t)
-
++optional_policy(`
++ lpd_manage_spool(cups_pdf_t)
++')
+
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
- fs_manage_nfs_dirs(cups_pdf_t)
-@@ -606,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -21351,7 +21880,7 @@ index 0f28095..cf33683 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -21360,7 +21889,7 @@ index 0f28095..cf33683 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -21368,6 +21897,19 @@ index 0f28095..cf33683 100644
logging_send_syslog_msg(hplip_t)
+@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+ userdom_dontaudit_search_user_home_dirs(hplip_t)
+ userdom_dontaudit_search_user_home_content(hplip_t)
+
+-lpd_read_config(hplip_t)
+-lpd_manage_spool(hplip_t)
++optional_policy(`
++ lpd_read_config(hplip_t)
++ lpd_manage_spool(hplip_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(hplip_t)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index c43ff4c..a9783e3 100644
--- a/policy/modules/services/cvs.if
@@ -21506,7 +22048,7 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..bbc1a8f 100644
+index 0d5711c..2f38c31 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -21684,7 +22226,7 @@ index 0d5711c..bbc1a8f 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +552,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +552,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -21707,20 +22249,32 @@ index 0d5711c..bbc1a8f 100644
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
++
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 98e5af6..a7472fc 100644
+index 86d09b4..1c0dd9b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
-@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
+@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t)
+
+ type system_dbusd_var_lib_t;
+ files_type(system_dbusd_var_lib_t)
++init_sock_file(system_dbusd_var_lib_t)
+
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
+@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
- allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
-@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
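Review bot: The `sys_resource` capability and the `setrlimit` process permission added to system_dbusd_t in the dbus.te part of this hunk carry no comment saying what dbus-daemon needs them for; CAP_SYS_RESOURCE is a broad capability (it also lifts quota and other resource limits), so the reason belongs next to the rule, e.g. `# sys_resource/setrlimit: dbus-daemon raises its own fd limit at startup — confirm`. If the daemon merely probes the limit and works without it, a `dontaudit` would be the narrower fix than a grant. Separately, the `++` line at the end of the dbus.if part adds an empty line after the file's final `')`, which is trailing whitespace rather than policy and can be dropped.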
@@ -21732,7 +22286,7 @@ index 98e5af6..a7472fc 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -111,6 +112,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -21741,7 +22295,7 @@ index 98e5af6..a7472fc 100644
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +124,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -21751,7 +22305,7 @@ index 98e5af6..a7472fc 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +146,14 @@ optional_policy(`
+@@ -141,10 +147,18 @@ optional_policy(`
')
optional_policy(`
@@ -21759,6 +22313,10 @@ index 98e5af6..a7472fc 100644
+')
+
+optional_policy(`
+ cpufreqselector_dbus_chat(system_dbusd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
@@ -21766,7 +22324,7 @@ index 98e5af6..a7472fc 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -158,5 +171,12 @@ optional_policy(`
+@@ -162,5 +176,12 @@ optional_policy(`
#
# Unconfined access to this module
#
@@ -22145,7 +22703,7 @@ index f706b99..22b862e 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..10c33ed 100644
+index f231f17..0d11034 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -22190,7 +22748,7 @@ index f231f17..10c33ed 100644
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
-@@ -178,25 +186,47 @@ optional_policy(`
+@@ -178,33 +186,53 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -22239,7 +22797,15 @@ index f231f17..10c33ed 100644
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
-@@ -212,12 +242,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
+
+-consoletype_exec(devicekit_power_t)
+-
+ domain_read_all_domains_state(devicekit_power_t)
+
+ dev_read_input(devicekit_power_t)
+@@ -212,12 +240,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -22256,18 +22822,25 @@ index f231f17..10c33ed 100644
term_use_all_terms(devicekit_power_t)
-@@ -225,8 +259,11 @@ auth_use_nsswitch(devicekit_power_t)
-
- miscfiles_read_localization(devicekit_power_t)
+@@ -227,6 +259,7 @@ miscfiles_read_localization(devicekit_power_t)
-+modutils_domtrans_insmod(devicekit_power_t)
-+
sysnet_read_config(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
+@@ -235,6 +268,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(devicekit_power_t)
++')
++
++optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+ ')
+
@@ -261,14 +298,21 @@ optional_policy(`
')
@@ -22291,10 +22864,14 @@ index f231f17..10c33ed 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +320,21 @@ optional_policy(`
+@@ -276,9 +320,25 @@ optional_policy(`
')
optional_policy(`
++ modutils_domtrans_insmod(devicekit_power_t)
++')
++
++optional_policy(`
+ mount_domtrans(devicekit_power_t)
+')
+
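Review bot: The new `modutils_domtrans_insmod(devicekit_power_t)` block lets the power daemon transition into the insmod domain, i.e. load kernel modules, but nothing in the hunk says which module load triggers it; the earlier hunk in this file section only drops the same call from the unconditional rules, so the move is fine but the reason remains undocumented. Suggest `# insmod transition: devicekit-power loads kernel modules on demand — confirm which` above the call, so the next reviewer can judge whether the transition is still needed.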
@@ -22494,10 +23071,10 @@ index 0000000..60c81d6
+')
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644
-index 0000000..b4d0dd0
+index 0000000..b7fc006
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,100 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -22545,8 +23122,10 @@ index 0000000..b4d0dd0
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
-+apache_domtrans(dirsrvadmin_t)
-+apache_signal(dirsrvadmin_t)
++optional_policy(`
++ apache_domtrans(dirsrvadmin_t)
++ apache_signal(dirsrvadmin_t)
++')
+
+########################################
+#
@@ -22555,44 +23134,47 @@ index 0000000..b4d0dd0
+#
+#
+# Create a domain for the CGI scripts
-+apache_content_template(dirsrvadmin)
-+
-+allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
-+allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
-+
-+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
-+
-+corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
-+corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
-+
-+files_search_var_lib(httpd_dirsrvadmin_script_t)
-+
-+sysnet_read_config(httpd_dirsrvadmin_script_t)
-+
-+manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
-+
-+# The CGI scripts must be able to manage dirsrv-admin
-+dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
-+dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
-+dirsrv_domtrans(httpd_dirsrvadmin_script_t)
-+dirsrv_signal(httpd_dirsrvadmin_script_t)
-+dirsrv_signull(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_log(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
-+dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_config(httpd_dirsrvadmin_script_t)
-+dirsrv_read_share(httpd_dirsrvadmin_script_t)
++
++optional_policy(`
++ apache_content_template(dirsrvadmin)
++
++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++ files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++ sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++ # The CGI scripts must be able to manage dirsrv-admin
++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++ dirsrv_signal(httpd_dirsrvadmin_script_t)
++ dirsrv_signull(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++')
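Review bot: The `allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };` line inside the new optional_policy block grants a web CGI domain a wide capability set with no comment on why each capability is needed; the move into optional_policy changes when the rules apply, not their breadth. `dac_override` and `dac_read_search` in particular bypass file permission checks entirely, so a one-line justification per capability, or dropping those the scripts do not demonstrably use according to audit logs, would make the rule reviewable. `dirsrvadmin_tmp_t` is used inside the block but declared outside this hunk.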
diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
new file mode 100644
index 0000000..3aae725
@@ -24182,7 +24764,7 @@ index 69dcd2a..a9a9116 100644
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..eca06f7 100644
+index 8a74a83..826e699 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -24284,7 +24866,7 @@ index 8a74a83..eca06f7 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -316,6 +338,23 @@ optional_policy(`
+@@ -316,6 +338,25 @@ optional_policy(`
')
optional_policy(`
@@ -24299,16 +24881,18 @@ index 8a74a83..eca06f7 100644
+ ')
+')
+
-+tunable_policy(`ftpd_connect_db',`
-+ mysql_tcp_connect(ftpd_t)
-+ postgresql_tcp_connect(ftpd_t)
++optional_policy(`
++ tunable_policy(`ftpd_connect_db',`
++ mysql_tcp_connect(ftpd_t)
++ postgresql_tcp_connect(ftpd_t)
++ ')
+')
+
+optional_policy(`
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,10 +386,11 @@ optional_policy(`
+@@ -347,10 +388,11 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
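Review bot: The new optional_policy block wraps both `mysql_tcp_connect(ftpd_t)` and `postgresql_tcp_connect(ftpd_t)` in one block, so the whole block is disabled unless both the mysql and the postgresql modules are present, and on a system with only one of them the `ftpd_connect_db` tunable silently does nothing. Each module's interface should get its own optional_policy wrapper around its own tunable_policy. The surrounding ftpd_t section begins in the previous hunk and continues outside this one.
```m4
optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_tcp_connect(ftpd_t)
	')
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		postgresql_tcp_connect(ftpd_t)
	')
')
```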
@@ -24321,7 +24905,7 @@ index 8a74a83..eca06f7 100644
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
-@@ -368,15 +408,28 @@ files_read_etc_files(sftpd_t)
+@@ -368,15 +410,28 @@ files_read_etc_files(sftpd_t)
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
@@ -25169,10 +25753,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..74db53c 100644
+index 4fde46b..f757926 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -15,11 +15,14 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,19 +15,20 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
#
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -25188,7 +25772,23 @@ index 4fde46b..74db53c 100644
files_read_etc_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
-@@ -39,6 +42,15 @@ optional_policy(`
+
+ auth_use_nsswitch(gnomeclock_t)
+
+-clock_domtrans(gnomeclock_t)
+-
+ miscfiles_read_localization(gnomeclock_t)
+ miscfiles_manage_localization(gnomeclock_t)
+ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +36,23 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+ userdom_read_all_users_state(gnomeclock_t)
+
+ optional_policy(`
++ clock_domtrans(gnomeclock_t)
++')
++
++optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
')
optional_policy(`
@@ -25289,6 +25889,30 @@ index 03742d8..2a87d1e 100644
dbus_system_bus_client(gpsd_t)
')
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 2d0b4e1..804d347 100644
+--- a/policy/modules/services/hadoop.if
++++ b/policy/modules/services/hadoop.if
+@@ -175,8 +175,6 @@ template(`hadoop_domain_template',`
+ files_read_etc_files(hadoop_$1_initrc_t)
+ files_read_usr_files(hadoop_$1_initrc_t)
+
+- consoletype_exec(hadoop_$1_initrc_t)
+-
+ fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)
+
+@@ -196,6 +194,10 @@ template(`hadoop_domain_template',`
+ userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
+
+ optional_policy(`
++ consoletype_exec(hadoop_$1_initrc_t)
++ ')
++
++ optional_policy(`
+ nscd_socket_use(hadoop_$1_initrc_t)
+ ')
+ ')
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index c98b0df..3b1a051 100644
--- a/policy/modules/services/hal.fc
@@ -25408,7 +26032,7 @@ index 7cf6763..ce32fe5 100644
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..f11fa08 100644
+index 24c6253..9376ea0 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -25438,7 +26062,23 @@ index 24c6253..f11fa08 100644
dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
-@@ -211,13 +215,19 @@ seutil_read_config(hald_t)
+@@ -186,8 +190,6 @@ term_use_unallocated_ttys(hald_t)
+
+ auth_use_nsswitch(hald_t)
+
+-fstools_getattr_swap_files(hald_t)
+-
+ init_domtrans_script(hald_t)
+ init_read_utmp(hald_t)
+ #hal runs shutdown, probably need a shutdown domain
+@@ -204,20 +206,25 @@ logging_search_logs(hald_t)
+ miscfiles_read_localization(hald_t)
+ miscfiles_read_hwdata(hald_t)
+
+-modutils_domtrans_insmod(hald_t)
+-modutils_read_module_deps(hald_t)
+-
+ seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
@@ -25455,11 +26095,13 @@ index 24c6253..f11fa08 100644
userdom_dontaudit_search_user_home_dirs(hald_t)
+userdom_stream_connect(hald_t)
+
-+netutils_domtrans(hald_t)
++optional_policy(`
++ netutils_domtrans(hald_t)
++')
optional_policy(`
alsa_domtrans(hald_t)
-@@ -252,8 +262,7 @@ optional_policy(`
+@@ -252,8 +259,7 @@ optional_policy(`
')
optional_policy(`
@@ -25469,7 +26111,7 @@ index 24c6253..f11fa08 100644
init_dbus_chat_script(hald_t)
-@@ -263,11 +272,20 @@ optional_policy(`
+@@ -263,15 +269,28 @@ optional_policy(`
')
optional_policy(`
@@ -25490,7 +26132,27 @@ index 24c6253..f11fa08 100644
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -302,7 +320,7 @@ optional_policy(`
+ optional_policy(`
++ fstools_getattr_swap_files(hald_t)
++')
++
++optional_policy(`
+ hotplug_read_config(hald_t)
+ ')
+
+@@ -280,6 +299,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(hald_t)
++ modutils_read_module_deps(hald_t)
++')
++
++optional_policy(`
+ mount_domtrans(hald_t)
+ ')
+
+@@ -302,7 +326,7 @@ optional_policy(`
')
optional_policy(`
@@ -25499,7 +26161,7 @@ index 24c6253..f11fa08 100644
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
-@@ -318,6 +336,10 @@ optional_policy(`
+@@ -318,6 +342,10 @@ optional_policy(`
')
optional_policy(`
@@ -25510,7 +26172,7 @@ index 24c6253..f11fa08 100644
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
-@@ -338,6 +360,10 @@ optional_policy(`
+@@ -338,6 +366,10 @@ optional_policy(`
virt_manage_images(hald_t)
')
@@ -25521,7 +26183,7 @@ index 24c6253..f11fa08 100644
########################################
#
# Hal acl local policy
-@@ -358,6 +384,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +390,7 @@ files_search_var_lib(hald_acl_t)
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -25529,7 +26191,7 @@ index 24c6253..f11fa08 100644
corecmd_exec_bin(hald_acl_t)
-@@ -388,7 +415,7 @@ logging_send_syslog_msg(hald_acl_t)
+@@ -388,7 +421,7 @@ logging_send_syslog_msg(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
optional_policy(`
@@ -25538,17 +26200,30 @@ index 24c6253..f11fa08 100644
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
-@@ -470,6 +497,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +503,12 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
-+# This is caused by a bug in hald and PolicyKit.
-+# Should be removed when this is fixed
-+cron_read_system_job_lib_files(hald_t)
++optional_policy(`
++ # This is caused by a bug in hald and PolicyKit.
++ # Should be removed when this is fixed
++ cron_read_system_job_lib_files(hald_t)
++')
+
########################################
#
# Local hald dccm policy
+@@ -524,7 +563,9 @@ files_read_usr_files(hald_dccm_t)
+
+ miscfiles_read_localization(hald_dccm_t)
+
+-hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++optional_policy(`
++ hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
index 87b4531..db2d189 100644
--- a/policy/modules/services/hddtemp.if
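Review bot: The `optional_policy` block carrying `cron_read_system_job_lib_files(hald_t)` sits in the hald_keymap section, right after `miscfiles_read_localization(hald_keymap_t)`, although it targets hald_t; it belongs with the other hald_t optional_policy blocks earlier in the file. hald_t already calls `policykit_read_lib(hald_t)` (context at the top of this hunk), and the policykit.if hunk in this same patch keeps `cron_read_system_job_lib_files($1)` inside that interface, so the direct grant here appears redundant; either one should go, or the workaround comment should state why both are needed. Separately, wrapping `hal_dontaudit_rw_dgram_sockets(hald_dccm_t)` in `optional_policy` inside hal's own .te is unnecessary if that interface is defined in hal.if, since a module cannot be built without itself; the plain call is the conventional form.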
@@ -27563,10 +28238,10 @@ index 0000000..f60483e
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..b7d8f2f
+index 0000000..fa43044
--- /dev/null
+++ b/policy/modules/services/mock.te
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,125 @@
+policy_module(mock,1.0.0)
+
+##
@@ -27673,8 +28348,6 @@ index 0000000..b7d8f2f
+
+miscfiles_read_localization(mock_t)
+
-+mount_domtrans(mock_t)
-+
+userdom_use_user_ptys(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
@@ -27682,6 +28355,10 @@ index 0000000..b7d8f2f
+')
+
+optional_policy(`
++ mount_domtrans(mock_t)
++')
++
++optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_db(mock_t)
+ rpm_entry_type(mock_t)
@@ -27707,7 +28384,7 @@ index 3368699..7a7fc02 100644
#
interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..7f18c33 100644
+index b3ace16..812a9ff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -27720,7 +28397,7 @@ index b3ace16..7f18c33 100644
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,6 +29,7 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +29,24 @@ dev_rw_modem(modemmanager_t)
files_read_etc_files(modemmanager_t)
@@ -27728,20 +28405,24 @@ index b3ace16..7f18c33 100644
term_use_unallocated_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
-@@ -37,5 +39,13 @@ logging_send_syslog_msg(modemmanager_t)
- networkmanager_dbus_chat(modemmanager_t)
- optional_policy(`
-+ devicekit_dbus_chat_power(modemmanager_t)
+ logging_send_syslog_msg(modemmanager_t)
+
+-networkmanager_dbus_chat(modemmanager_t)
++optional_policy(`
++ networkmanager_dbus_chat(modemmanager_t)
+')
+
+optional_policy(`
-+ policykit_dbus_chat(modemmanager_t)
++ devicekit_dbus_chat_power(modemmanager_t)
+')
+
+optional_policy(`
++ policykit_dbus_chat(modemmanager_t)
++')
+
+ optional_policy(`
udev_read_db(modemmanager_t)
- ')
diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if
index 657a9fc..88e7330 100644
--- a/policy/modules/services/mojomojo.if
@@ -29161,7 +29842,7 @@ index e9c0982..f11e4f2 100644
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..579f237 100644
+index 0a0d63c..91de41a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -29228,7 +29909,7 @@ index 0a0d63c..579f237 100644
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,6 +180,7 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
@@ -29236,12 +29917,12 @@ index 0a0d63c..579f237 100644
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,11 +189,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
- hostname_exec(mysqld_safe_t)
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+-hostname_exec(mysqld_safe_t)
+logging_send_syslog_msg(mysqld_safe_t)
-+
+
miscfiles_read_localization(mysqld_safe_t)
mysql_manage_db_files(mysqld_safe_t)
@@ -29250,7 +29931,13 @@ index 0a0d63c..579f237 100644
+mysql_signull(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
++optional_policy(`
++ hostname_exec(mysqld_safe_t)
++')
++
########################################
+ #
+ # MySQL Manager Policy
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 8581040..2367841 100644
--- a/policy/modules/services/nagios.if
@@ -29598,7 +30285,7 @@ index 2324d9e..8069487 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..cd5c974 100644
+index 0619395..3a396a1 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -29652,9 +30339,18 @@ index 0619395..cd5c974 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -141,22 +157,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
+@@ -133,30 +149,37 @@ logging_send_syslog_msg(NetworkManager_t)
+ miscfiles_read_localization(NetworkManager_t)
+ miscfiles_read_generic_certs(NetworkManager_t)
+
+-modutils_domtrans_insmod(NetworkManager_t)
+-
+ seutil_read_config(NetworkManager_t)
+
+ sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_signull_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
@@ -29673,8 +30369,6 @@ index 0619395..cd5c974 100644
+userdom_read_home_certs(NetworkManager_t)
userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
-+
-+cron_read_system_job_lib_files(NetworkManager_t)
optional_policy(`
avahi_domtrans(NetworkManager_t)
@@ -29685,12 +30379,16 @@ index 0619395..cd5c974 100644
')
optional_policy(`
-@@ -172,14 +198,17 @@ optional_policy(`
+@@ -172,14 +195,21 @@ optional_policy(`
')
optional_policy(`
- consoletype_exec(NetworkManager_t)
+ consoletype_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
++ cron_read_system_job_lib_files(NetworkManager_t)
')
optional_policy(`
@@ -29704,7 +30402,7 @@ index 0619395..cd5c974 100644
')
')
-@@ -202,6 +231,17 @@ optional_policy(`
+@@ -202,6 +232,17 @@ optional_policy(`
')
optional_policy(`
@@ -29722,15 +30420,19 @@ index 0619395..cd5c974 100644
iptables_domtrans(NetworkManager_t)
')
-@@ -219,6 +259,7 @@ optional_policy(`
+@@ -219,6 +260,11 @@ optional_policy(`
')
optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
++')
++
++optional_policy(`
+ openvpn_read_config(NetworkManager_t)
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +304,7 @@ optional_policy(`
+@@ -263,6 +309,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -30839,7 +31541,7 @@ index ceafba6..eca6852 100644
# pid files
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
-index 3185114..790742c 100644
+index 3185114..514e127 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -16,7 +16,7 @@ type pegasus_tmp_t;
@@ -30890,7 +31592,7 @@ index 3185114..790742c 100644
corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
-@@ -95,13 +98,12 @@ files_getattr_all_dirs(pegasus_t)
+@@ -95,17 +98,14 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -30905,8 +31607,12 @@ index 3185114..790742c 100644
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
- hostname_exec(pegasus_t)
-@@ -114,7 +116,6 @@ logging_send_syslog_msg(pegasus_t)
+-hostname_exec(pegasus_t)
+-
+ init_rw_utmp(pegasus_t)
+ init_stream_connect_script(pegasus_t)
+
+@@ -114,17 +114,28 @@ logging_send_syslog_msg(pegasus_t)
miscfiles_read_localization(pegasus_t)
@@ -30914,7 +31620,14 @@ index 3185114..790742c 100644
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-@@ -125,6 +126,14 @@ optional_policy(`
+ userdom_dontaudit_search_user_home_dirs(pegasus_t)
+
+ optional_policy(`
++ hostname_exec(pegasus_t)
++')
++
++optional_policy(`
+ rpm_exec(pegasus_t)
')
optional_policy(`
@@ -30929,7 +31642,7 @@ index 3185114..790742c 100644
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
-@@ -136,3 +145,13 @@ optional_policy(`
+@@ -136,3 +147,13 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -31213,10 +31926,10 @@ index 0000000..6403c17
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..5793840
+index 0000000..d8f53f3
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,219 @@
+@@ -0,0 +1,223 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -31271,7 +31984,9 @@ index 0000000..5793840
+
+domain_read_all_domains_state(piranha_fos_t)
+
-+consoletype_exec(piranha_fos_t)
++optional_policy(`
++ consoletype_exec(piranha_fos_t)
++')
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
@@ -31324,7 +32039,9 @@ index 0000000..5793840
+
+files_read_usr_files(piranha_web_t)
+
-+consoletype_exec(piranha_web_t)
++optional_policy(`
++ consoletype_exec(piranha_web_t)
++')
+
+optional_policy(`
+ apache_read_config(piranha_web_t)
@@ -31660,10 +32377,18 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..57fcfe1 100644
+index 06e217d..179e320 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
-@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t)
+@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
+ type plymouth_t;
+ type plymouth_exec_t;
+ application_domain(plymouth_t, plymouth_exec_t)
++role system_r types plymouth_t;
+
+ type plymouthd_t;
+ type plymouthd_exec_t;
+@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
@@ -31673,7 +32398,7 @@ index fb8dc84..57fcfe1 100644
type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)
-@@ -42,6 +45,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+@@ -42,6 +46,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
@@ -31684,7 +32409,7 @@ index fb8dc84..57fcfe1 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +67,22 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,22 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -31707,7 +32432,7 @@ index fb8dc84..57fcfe1 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +93,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +94,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -31715,7 +32440,7 @@ index fb8dc84..57fcfe1 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +107,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +108,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -31744,7 +32469,7 @@ index 27c739c..c65d18f 100644
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
-index 48ff1e8..13cdc77 100644
+index 48ff1e8..be00a65 100644
--- a/policy/modules/services/policykit.if
+++ b/policy/modules/services/policykit.if
@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
@@ -31835,13 +32560,15 @@ index 48ff1e8..13cdc77 100644
##
#
interface(`policykit_domtrans_resolve',`
-@@ -206,4 +235,48 @@ interface(`policykit_read_lib',`
+@@ -206,4 +235,50 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
-+ # Broken placement
-+ cron_read_system_job_lib_files($1)
++ optional_policy(`
++ # Broken placement
++ cron_read_system_job_lib_files($1)
++ ')
+')
+
+#######################################
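Review bot: `cron_read_system_job_lib_files($1)` remains inside `policykit_read_lib`, so every caller of an interface named for reading PolicyKit lib files also silently gains read access to cron's system job lib files; the `optional_policy` wrapper only lets it build without the cron module and does not fix the placement the `# Broken placement` comment itself admits. The least-privilege fix is to move the call to the specific callers that hit the hald/PolicyKit bug noted elsewhere in this patch and drop it here. If it must stay for now, the interface description (outside this hunk) should state the extra grant so callers can see it, and it is worth confirming that the build in use accepts an optional block expanded inside another caller's optional block. `policykit_read_lib` starts outside the hunk.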
@@ -33573,7 +34300,7 @@ index bc329d1..0589f97 100644
admin_pattern($1, psad_tmp_t)
')
diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
-index d4000e0..93cbfa2 100644
+index d4000e0..312e537 100644
--- a/policy/modules/services/psad.te
+++ b/policy/modules/services/psad.te
@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
@@ -33597,7 +34324,7 @@ index d4000e0..93cbfa2 100644
# tmp files
manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
-@@ -85,6 +86,7 @@ corenet_sendrecv_whois_client_packets(psad_t)
+@@ -85,13 +86,12 @@ corenet_sendrecv_whois_client_packets(psad_t)
dev_read_urand(psad_t)
files_read_etc_runtime_files(psad_t)
@@ -33605,6 +34332,24 @@ index d4000e0..93cbfa2 100644
fs_getattr_all_fs(psad_t)
+ auth_use_nsswitch(psad_t)
+
+-iptables_domtrans(psad_t)
+-
+ logging_read_generic_logs(psad_t)
+ logging_read_syslog_config(psad_t)
+ logging_send_syslog_msg(psad_t)
+@@ -101,6 +101,10 @@ miscfiles_read_localization(psad_t)
+ sysnet_exec_ifconfig(psad_t)
+
+ optional_policy(`
++ iptables_domtrans(psad_t)
++')
++
++optional_policy(`
+ mta_send_mail(psad_t)
+ mta_read_queue(psad_t)
+ ')
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
index 2855a44..0456b11 100644
--- a/policy/modules/services/puppet.if
@@ -34832,7 +35577,7 @@ index 852840b..1244ab2 100644
+ ')
')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..88ac667 100644
+index 0a76027..364903e 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t)
@@ -34852,27 +35597,32 @@ index 0a76027..88ac667 100644
miscfiles_read_localization(remote_login_t)
-@@ -87,6 +88,7 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,9 +88,7 @@ userdom_search_user_home_content(remote_login_t)
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+-
+-# Search for mail spool file.
+-mta_getattr_spool(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
- # Search for mail spool file.
- mta_getattr_spool(remote_login_t)
-@@ -106,15 +108,10 @@ optional_policy(`
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(remote_login_t)
+@@ -106,15 +105,15 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(remote_login_t)
-+ telnet_use_ptys(remote_login_t)
++ # Search for mail spool file.
++ mta_getattr_spool(remote_login_t)
')
optional_policy(`
- nscd_socket_use(remote_login_t)
--')
--
--optional_policy(`
++ telnet_use_ptys(remote_login_t)
+ ')
+
+ optional_policy(`
- unconfined_domain(remote_login_t)
unconfined_shell_domtrans(remote_login_t)
')
@@ -34982,7 +35732,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..f107bbb 100644
+index 00fa514..1ef4cc6 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -35034,7 +35784,15 @@ index 00fa514..f107bbb 100644
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
-@@ -78,14 +83,19 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -67,7 +72,6 @@ kernel_search_network_state(rgmanager_t)
+
+ corecmd_exec_bin(rgmanager_t)
+ corecmd_exec_shell(rgmanager_t)
+-consoletype_exec(rgmanager_t)
+
+ # need to write to /dev/misc/dlm-control
+ dev_rw_dlm_control(rgmanager_t)
+@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)
@@ -35055,10 +35813,27 @@ index 00fa514..f107bbb 100644
storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
-@@ -118,6 +128,10 @@ optional_policy(`
+-#term_use_ptmx(rgmanager_t)
+
+ # needed by resources scripts
+ auth_read_all_files_except_shadow(rgmanager_t)
+@@ -100,8 +108,6 @@ logging_send_syslog_msg(rgmanager_t)
+
+ miscfiles_read_localization(rgmanager_t)
+
+-mount_domtrans(rgmanager_t)
+-
+ tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+ ')
+@@ -118,6 +124,14 @@ optional_policy(`
')
optional_policy(`
++ consoletype_exec(rgmanager_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(rgmanager_t)
+')
+
@@ -35066,7 +35841,7 @@ index 00fa514..f107bbb 100644
fstools_domtrans(rgmanager_t)
')
-@@ -140,6 +154,11 @@ optional_policy(`
+@@ -140,6 +154,15 @@ optional_policy(`
')
optional_policy(`
@@ -35075,6 +35850,10 @@ index 00fa514..f107bbb 100644
+')
+
+optional_policy(`
++ mount_domtrans(rgmanager_t)
++')
++
++optional_policy(`
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
@@ -35684,7 +36463,7 @@ index f7826f9..3128dd8 100644
+ admin_pattern($1, ricci_var_run_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..052a1ff 100644
+index 33e72e8..b71d193 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -35750,7 +36529,43 @@ index 33e72e8..052a1ff 100644
domain_read_all_domains_state(ricci_modcluster_t)
-@@ -241,8 +250,7 @@ optional_policy(`
+@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+
+ miscfiles_read_localization(ricci_modcluster_t)
+
+-modutils_domtrans_insmod(ricci_modcluster_t)
+-
+-mount_domtrans(ricci_modcluster_t)
+-
+-consoletype_exec(ricci_modcluster_t)
+-
+-ricci_stream_connect_modclusterd(ricci_modcluster_t)
++optional_policy(`
++ ricci_stream_connect_modclusterd(ricci_modcluster_t)
++')
+
+ optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+@@ -233,6 +238,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(ricci_modcluster_t)
++')
++
++optional_policy(`
++ mount_domtrans(ricci_modcluster_t)
++')
++
++optional_policy(`
++ consoletype_exec(ricci_modcluster_t)
++')
++
++optional_policy(`
+ nscd_socket_use(ricci_modcluster_t)
+ ')
+
+@@ -241,8 +258,7 @@ optional_policy(`
')
optional_policy(`
@@ -35760,7 +36575,7 @@ index 33e72e8..052a1ff 100644
')
########################################
-@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +277,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
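Review bot: `ricci_stream_connect_modclusterd(ricci_modcluster_t)` is wrapped in `optional_policy` inside ricci.te, where that interface is ricci's own; an own-module call never needs the wrapper because the module cannot be loaded without itself, so the plain call that the patch previously had is the conventional form. The relocation of the modutils, mount and consoletype calls into separate optional_policy blocks matches the rest of the patch. Since `modutils_domtrans_insmod(ricci_modcluster_t)` keeps the cluster agent's kernel-module loading capability, a short comment naming the operation that needs it would help a later reviewer decide whether it is still required.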
@@ -35771,7 +36586,7 @@ index 33e72e8..052a1ff 100644
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +292,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
@@ -35779,7 +36594,27 @@ index 33e72e8..052a1ff 100644
corecmd_exec_bin(ricci_modclusterd_t)
-@@ -444,6 +457,12 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t)
+ # Needed for running chkconfig
+ files_manage_etc_symlinks(ricci_modservice_t)
+
+-consoletype_exec(ricci_modservice_t)
+-
+ init_domtrans_script(ricci_modservice_t)
+
+ miscfiles_read_localization(ricci_modservice_t)
+@@ -405,6 +424,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(ricci_modservice_t)
++')
++
++optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modservice_t)
+ ')
+
+@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -35792,6 +36627,50 @@ index 33e72e8..052a1ff 100644
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
+
+-fstools_domtrans(ricci_modstorage_t)
+-
+ logging_send_syslog_msg(ricci_modstorage_t)
+
+ miscfiles_read_localization(ricci_modstorage_t)
+
+-modutils_read_module_deps(ricci_modstorage_t)
+-
+-consoletype_exec(ricci_modstorage_t)
+-
+-mount_domtrans(ricci_modstorage_t)
+-
+ optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
+@@ -471,11 +492,27 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(ricci_modstorage_t)
++')
++
++optional_policy(`
++ fstools_domtrans(ricci_modstorage_t)
++')
++
++optional_policy(`
+ lvm_domtrans(ricci_modstorage_t)
+ lvm_manage_config(ricci_modstorage_t)
+ ')
+
+ optional_policy(`
++ modutils_read_module_deps(ricci_modstorage_t)
++')
++
++optional_policy(`
++ mount_domtrans(ricci_modstorage_t)
++')
++
++optional_policy(`
+ nscd_socket_use(ricci_modstorage_t)
+ ')
+
diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
index 2785337..c3c2775 100644
--- a/policy/modules/services/rlogin.fc
@@ -35805,7 +36684,7 @@ index 2785337..c3c2775 100644
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..0155ca7 100644
+index 779fa44..cdfebe3 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -35842,16 +36721,30 @@ index 779fa44..0155ca7 100644
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t)
+@@ -88,9 +87,9 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
+-
+-remotelogin_domtrans(rlogind_t)
+-remotelogin_signal(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
- remotelogin_domtrans(rlogind_t)
- remotelogin_signal(rlogind_t)
+ rlogin_read_home_content(rlogind_t)
+
+@@ -112,5 +111,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ remotelogin_domtrans(rlogind_t)
++ remotelogin_signal(rlogind_t)
++')
++
++optional_policy(`
+ tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+ ')
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 5c70c0c..6842295 100644
--- a/policy/modules/services/rpc.fc
@@ -35955,7 +36848,7 @@ index cda37bb..484e552 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 8e1ab72..e6821be 100644
+index 8e1ab72..eaa8036 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -36061,7 +36954,15 @@ index 8e1ab72..e6821be 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -218,6 +236,8 @@ tunable_policy(`allow_gssd_read_tmp',`
+@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t)
+
+ miscfiles_read_generic_certs(gssd_t)
+
+-mount_signal(gssd_t)
+-
+ userdom_signal_all_users(gssd_t)
+
+ tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
@@ -36070,6 +36971,17 @@ index 8e1ab72..e6821be 100644
')
optional_policy(`
+@@ -229,6 +247,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mount_signal(gssd_t)
++')
++
++optional_policy(`
+ pcscd_read_pub_files(gssd_t)
+ ')
+
diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
index f5c47d6..5a965e9 100644
--- a/policy/modules/services/rpcbind.fc
@@ -36676,7 +37588,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..00a9125 100644
+index e30bb63..ef1edc6 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -36813,7 +37725,27 @@ index e30bb63..00a9125 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -677,7 +675,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -644,8 +642,6 @@ auth_use_nsswitch(smbmount_t)
+
+ miscfiles_read_localization(smbmount_t)
+
+-mount_use_fds(smbmount_t)
+-
+ locallogin_use_fds(smbmount_t)
+
+ logging_search_logs(smbmount_t)
+@@ -657,6 +653,10 @@ optional_policy(`
+ cups_read_rw_config(smbmount_t)
+ ')
+
++optional_policy(`
++ mount_use_fds(smbmount_t)
++')
++
+ ########################################
+ #
+ # SWAT Local policy
+@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -36822,7 +37754,7 @@ index e30bb63..00a9125 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +690,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -36837,7 +37769,7 @@ index e30bb63..00a9125 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +710,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -36845,7 +37777,7 @@ index e30bb63..00a9125 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +755,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +757,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -36854,7 +37786,7 @@ index e30bb63..00a9125 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +809,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -36876,7 +37808,7 @@ index e30bb63..00a9125 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +837,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -36884,7 +37816,7 @@ index e30bb63..00a9125 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +927,18 @@ optional_policy(`
+@@ -922,6 +929,18 @@ optional_policy(`
#
optional_policy(`
@@ -36903,7 +37835,7 @@ index e30bb63..00a9125 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +949,12 @@ optional_policy(`
+@@ -932,9 +951,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -37170,7 +38102,7 @@ index 22dac1f..b6781d5 100644
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index 22dfeb4..d9f5dbc 100644
+index bcdd16c..7c379a8 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
@@ -37219,7 +38151,7 @@ index 22dfeb4..d9f5dbc 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..b0ee422 100644
+index 086cd5f..43350e6 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -37250,7 +38182,16 @@ index 086cd5f..b0ee422 100644
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -121,6 +126,14 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -112,8 +117,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+ logging_send_syslog_msg(setroubleshootd_t)
+ logging_stream_connect_dispatcher(setroubleshootd_t)
+
+-modutils_read_module_config(setroubleshootd_t)
+-
+ seutil_read_config(setroubleshootd_t)
+ seutil_read_file_contexts(setroubleshootd_t)
+ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,6 +124,18 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
@@ -37262,10 +38203,14 @@ index 086cd5f..b0ee422 100644
+')
+
+optional_policy(`
++ modutils_read_module_config(setroubleshootd_t)
++')
++
++optional_policy(`
dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
')
-@@ -152,6 +165,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -152,6 +167,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
@@ -37273,7 +38218,7 @@ index 086cd5f..b0ee422 100644
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +178,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +180,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
@@ -37309,11 +38254,11 @@ index adea9f9..d5b2d93 100644
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 4804f14..761df2d 100644
+index 606a098..8b74d10 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
-@@ -72,16 +72,21 @@ files_exec_etc_files(fsdaemon_t)
- files_read_etc_runtime_files(fsdaemon_t)
+@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t)
+ files_read_usr_files(fsdaemon_t)
# for config
files_read_etc_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
@@ -38301,7 +39246,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..2cfaf93 100644
+index 22adaca..d9913e0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -38567,7 +39512,40 @@ index 22adaca..2cfaf93 100644
files_search_pids($1)
')
-@@ -695,7 +726,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',`
+ domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
+ ')
+
++#######################################
++##
++## Execute ssh-keygen in the iptables domain, and
++## allow the specified role the ssh-keygen domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ssh_run_keygen',`
++ gen_require(`
++ type ssh_keygen_t;
++ ')
++
++ role $2 types ssh_keygen_t;
++ ssh_domtrans_keygen($1)
++')
++
+ ########################################
+ ##
+ ## Read ssh server keys
+@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
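Review bot: The summary of the new `ssh_run_keygen` interface reads "Execute ssh-keygen in the iptables domain", which looks like a copy-and-paste leftover from another `*_run` interface; the body transitions to `ssh_keygen_t`, not an iptables domain. Replace the summary with `## Execute ssh-keygen in the ssh_keygen domain, and allow the specified role the ssh_keygen domain.` so the generated interface documentation does not mislead. The `role $2 types ssh_keygen_t;` line before the `ssh_domtrans_keygen($1)` call is functionally fine, though most `*_run` interfaces in refpolicy call the domtrans first and declare the role second; aligning the order would aid consistency.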
@@ -38576,7 +39554,7 @@ index 22adaca..2cfaf93 100644
')
######################################
-@@ -735,3 +766,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -38599,7 +39577,7 @@ index 22adaca..2cfaf93 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..9a289e2 100644
+index 2dad3c8..f5c37de 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -38762,65 +39740,23 @@ index 2dad3c8..9a289e2 100644
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +211,57 @@ optional_policy(`
- xserver_domtrans_xauth(ssh_t)
+@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
')
-+########################################
-+#
-+# ssh_keygen local policy
-+#
-+
-+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-+# and by sysadm_t
-+
-+dontaudit ssh_keygen_t self:capability sys_tty_config;
-+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-+
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+
-+kernel_read_kernel_sysctls(ssh_keygen_t)
-+
-+fs_search_auto_mountpoints(ssh_keygen_t)
-+
-+dev_read_sysfs(ssh_keygen_t)
-+dev_read_urand(ssh_keygen_t)
-+
-+term_dontaudit_use_console(ssh_keygen_t)
-+
-+domain_use_interactive_fds(ssh_keygen_t)
-+
-+files_read_etc_files(ssh_keygen_t)
-+
-+init_use_fds(ssh_keygen_t)
-+init_use_script_ptys(ssh_keygen_t)
-+
-+logging_send_syslog_msg(ssh_keygen_t)
-+
-+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+
-+optional_policy(`
-+ nscd_socket_use(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+ seutil_sigchld_newrole(ssh_keygen_t)
+ optional_policy(`
++ gnome_stream_connect_all_gkeyringd(ssh_t)
+')
+
+optional_policy(`
-+ udev_read_db(ssh_keygen_t)
-+')
+ xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+ xserver_domtrans_xauth(ssh_t)
+ ')
+
+
##############################
#
# ssh_keysign_t local policy
-@@ -209,7 +271,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -38829,7 +39765,7 @@ index 2dad3c8..9a289e2 100644
dev_read_urand(ssh_keysign_t)
-@@ -232,33 +294,43 @@ optional_policy(`
+@@ -232,33 +248,43 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -38882,7 +39818,7 @@ index 2dad3c8..9a289e2 100644
')
optional_policy(`
-@@ -266,11 +338,24 @@ optional_policy(`
+@@ -266,11 +292,24 @@ optional_policy(`
')
optional_policy(`
@@ -38908,7 +39844,7 @@ index 2dad3c8..9a289e2 100644
')
optional_policy(`
-@@ -284,6 +369,11 @@ optional_policy(`
+@@ -284,6 +323,11 @@ optional_policy(`
')
optional_policy(`
@@ -38920,7 +39856,7 @@ index 2dad3c8..9a289e2 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +382,26 @@ optional_policy(`
+@@ -292,26 +336,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -38966,7 +39902,7 @@ index 2dad3c8..9a289e2 100644
') dnl endif TODO
########################################
-@@ -324,7 +414,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -38974,17 +39910,24 @@ index 2dad3c8..9a289e2 100644
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +442,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+
+ fs_search_auto_mountpoints(ssh_keygen_t)
+@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
- nscd_socket_use(ssh_keygen_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
++ nscd_socket_use(ssh_keygen_t)
')
+ optional_policy(`
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..6dbfc01 100644
--- a/policy/modules/services/sssd.if
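Review bot: The `manage_dirs_pattern`/`manage_files_pattern` lines give `ssh_keygen_t` create, write, unlink and rename on every `ssh_home_t` object, which per the file-context lines earlier in this patch includes `/root/.ssh` and therefore files such as authorized_keys, while the accompanying `userdom_admin_home_dir_filetrans` only labels directories created in the admin home. If the purpose is to let ssh-keygen create key pairs in the admin's `~/.ssh`, consider whether create/write on files without unlink/rename is sufficient, and add a comment naming the use case, e.g. `# ssh-keygen creating key pairs under ~root/.ssh`, so the broad grant is not widened further later. The nscd/seutil `optional_policy` rearrangement at the end of the hunk is hard to follow in this nested form; confirm that the resulting file keeps `nscd_socket_use` and `seutil_sigchld_newrole` in separate `optional_policy` blocks. The rest of the ssh_keygen_t section lies outside this hunk.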
@@ -39279,7 +40222,7 @@ index 58e7ec0..cf4cc85 100644
+ allow $1 telnetd_devpts_t:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
-index f40e67b..34c4c57 100644
+index f40e67b..8d1e658 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
@@ -39323,8 +40266,12 @@ index f40e67b..34c4c57 100644
init_rw_utmp(telnetd_t)
-@@ -85,11 +80,8 @@ remotelogin_domtrans(telnetd_t)
+@@ -81,15 +76,10 @@ miscfiles_read_localization(telnetd_t)
+ seutil_read_config(telnetd_t)
+
+-remotelogin_domtrans(telnetd_t)
+-
userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
-
@@ -39337,7 +40284,7 @@ index f40e67b..34c4c57 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -98,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +88,12 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
@@ -39347,6 +40294,9 @@ index f40e67b..34c4c57 100644
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
++optional_policy(`
++ remotelogin_domtrans(telnetd_t)
++')
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 38bb312..414e03f 100644
--- a/policy/modules/services/tftp.if
@@ -40404,7 +41354,7 @@ index 7c5d8d8..5e2f264 100644
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..3e3dc01 100644
+index 3eca020..a541a0a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -40715,7 +41665,7 @@ index 3eca020..3e3dc01 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +356,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -40743,11 +41693,21 @@ index 3eca020..3e3dc01 100644
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+
-+consoletype_exec(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -329,6 +415,10 @@ optional_policy(`
+@@ -313,6 +398,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(virtd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+@@ -329,6 +418,10 @@ optional_policy(`
')
optional_policy(`
@@ -40758,7 +41718,7 @@ index 3eca020..3e3dc01 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +455,8 @@ optional_policy(`
+@@ -365,6 +458,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -40767,9 +41727,11 @@ index 3eca020..3e3dc01 100644
')
optional_policy(`
-@@ -396,12 +488,25 @@ optional_policy(`
+@@ -394,14 +489,26 @@ optional_policy(`
+ # virtual domains common policy
+ #
- allow virt_domain self:capability { dac_read_search dac_override kill };
+-allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
-allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:fifo_file rw_fifo_file_perms;
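Review bot: Dropping `allow virt_domain self:capability { dac_read_search dac_override kill };` removes DAC override from every virtual-machine domain at once, and no tunable or narrower replacement is visible in this hunk. That is a welcome privilege reduction, but guests whose disk images or sockets are owned by a uid other than the emulator's will now hit a `capability dac_override` denial; if such setups must keep working, gate the capabilities behind a boolean rather than granting them unconditionally, and leave a comment recording why they were removed. The `# virtual domains common policy` section continues past this hunk.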
@@ -40794,7 +41756,7 @@ index 3eca020..3e3dc01 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +527,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +529,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -40802,7 +41764,7 @@ index 3eca020..3e3dc01 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +535,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +537,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -40815,11 +41777,14 @@ index 3eca020..3e3dc01 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +548,11 @@ files_search_all(virt_domain)
+@@ -440,6 +550,14 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
++fs_rw_inherited_nfs_files(virt_domain)
++fs_rw_inherited_cifs_files(virt_domain)
++fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
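Review bot: The three `fs_rw_inherited_*_files(virt_domain)` rules are unconditional, whereas NFS access for virtd in this same module is gated on the `virt_use_nfs` tunable visible earlier in this patch (and presumably a Samba counterpart). Inherited descriptors are a narrower grant than opening files, but this still lets a guest domain read and write an NFS, CIFS or noxattr-filesystem file handed to it regardless of the boolean; either move the rules under the matching `tunable_policy` blocks or add a comment above them stating why inherited fds are exempt from the booleans. The virt_domain section continues after this hunk.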
@@ -40827,7 +41792,7 @@ index 3eca020..3e3dc01 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +570,117 @@ optional_policy(`
+@@ -457,8 +575,117 @@ optional_policy(`
')
optional_policy(`
@@ -41111,10 +42076,10 @@ index 0000000..b9104b7
+')
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
-index 0000000..ff32e95
+index 0000000..a7de540
--- /dev/null
+++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,73 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
@@ -41135,7 +42100,6 @@ index 0000000..ff32e95
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
-+cron_system_entry(vnstat_t, vnstat_exec_t)
+
+########################################
+#
@@ -41161,6 +42125,10 @@ index 0000000..ff32e95
+
+miscfiles_read_localization(vnstatd_t)
+
++optional_policy(`
++ cron_system_entry(vnstat_t, vnstat_exec_t)
++')
++
+########################################
+#
+# vnstat local policy
@@ -41351,7 +42319,7 @@ index 6f1e3c7..ecfe665 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..88c2626 100644
+index 130ced9..33c8170 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -41366,10 +42334,10 @@ index da2601a..88c2626 100644
')
role $1 types { xserver_t xauth_t iceauth_t };
-@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',`
+@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
+ allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
- domtrans_pattern($2, xserver_exec_t, xserver_t)
- allow xserver_t $2:process signal;
+ allow xserver_t $2:process { getpgid signal };
@@ -41381,7 +42349,7 @@ index da2601a..88c2626 100644
allow $2 user_fonts_config_t:dir list_dir_perms;
allow $2 user_fonts_config_t:file read_file_perms;
-@@ -45,6 +47,8 @@ interface(`xserver_restricted_role',`
+@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -41390,7 +42358,7 @@ index da2601a..88c2626 100644
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -70,17 +74,21 @@ interface(`xserver_restricted_role',`
+@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -41416,7 +42384,7 @@ index da2601a..88c2626 100644
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
-@@ -89,14 +97,15 @@ interface(`xserver_restricted_role',`
+@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
@@ -41430,11 +42398,13 @@ index da2601a..88c2626 100644
+ miscfiles_read_hwdata($2)
xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
- xserver_unconfined($2)
++ #xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +115,25 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
@@ -41460,7 +42430,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -143,13 +165,15 @@ interface(`xserver_role',`
+@@ -143,13 +166,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -41478,7 +42448,7 @@ index da2601a..88c2626 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +186,6 @@ interface(`xserver_role',`
+@@ -162,7 +187,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -41486,7 +42456,7 @@ index da2601a..88c2626 100644
')
#######################################
-@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +221,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -41495,7 +42465,7 @@ index da2601a..88c2626 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +251,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -41504,7 +42474,7 @@ index da2601a..88c2626 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -41513,7 +42483,7 @@ index da2601a..88c2626 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +315,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -41531,7 +42501,7 @@ index da2601a..88c2626 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +366,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -41558,7 +42528,7 @@ index da2601a..88c2626 100644
')
##############################
-@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -41574,7 +42544,7 @@ index da2601a..88c2626 100644
')
#######################################
-@@ -444,8 +480,8 @@ template(`xserver_object_types_template',`
+@@ -444,8 +481,8 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -41585,7 +42555,7 @@ index da2601a..88c2626 100644
')
allow $2 self:shm create_shm_perms;
-@@ -458,9 +494,9 @@ template(`xserver_user_x_domain_template',`
+@@ -458,9 +495,9 @@ template(`xserver_user_x_domain_template',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -41597,7 +42567,7 @@ index da2601a..88c2626 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +508,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -41625,7 +42595,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -517,6 +558,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -41633,7 +42603,7 @@ index da2601a..88c2626 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +587,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -41662,7 +42632,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -598,6 +662,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -41670,7 +42640,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -615,7 +680,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -41679,7 +42649,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -651,7 +716,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -41688,7 +42658,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -670,7 +735,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -41697,7 +42667,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -688,7 +753,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -41706,7 +42676,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -703,12 +768,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -41720,7 +42690,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -724,11 +788,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -41754,7 +42724,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -765,7 +849,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -41763,7 +42733,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -805,7 +889,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -41791,7 +42761,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -897,7 +1000,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -41800,7 +42770,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -916,7 +1019,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -41809,7 +42779,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -963,6 +1066,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -41855,7 +42825,7 @@ index da2601a..88c2626 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1118,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -41864,7 +42834,7 @@ index da2601a..88c2626 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1180,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -41907,7 +42877,7 @@ index da2601a..88c2626 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1230,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -41916,7 +42886,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -1070,8 +1248,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -41928,7 +42898,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -1185,6 +1365,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -41955,7 +42925,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -1210,7 +1410,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -41964,7 +42934,7 @@ index da2601a..88c2626 100644
##
##
##
-@@ -1220,13 +1420,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -41989,7 +42959,7 @@ index da2601a..88c2626 100644
')
########################################
-@@ -1243,10 +1453,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -42014,11 +42984,10 @@ index da2601a..88c2626 100644
+#
+interface(`xserver_dontaudit_append_xdm_home_files',`
+ gen_require(`
-+ type xdm_home_t, xserver_tmp_t;
++ type xdm_home_t;
+ ')
+
+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
-+ dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files($1)
@@ -42386,15 +43355,9 @@ index da2601a..88c2626 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index edc58df..f71b9e8 100644
+index 6c01261..7add988 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
-@@ -1,4 +1,4 @@
--policy_module(xserver, 3.5.1)
-+policy_module(xserver, 3.5.2)
-
- gen_require(`
- class x_drawable all_x_drawable_perms;
@@ -26,27 +26,50 @@ gen_require(`
#
@@ -42454,13 +43417,7 @@ index edc58df..f71b9e8 100644
attribute x_domain;
# X Events
-@@ -104,26 +127,30 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
-
- type remote_t;
- xserver_object_types_template(remote)
--xserver_common_x_domain_template(remote,remote_t)
-+xserver_common_x_domain_template(remote, remote_t)
-
+@@ -109,21 +132,25 @@ xserver_common_x_domain_template(remote, remote_t)
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
@@ -42584,7 +43541,7 @@ index edc58df..f71b9e8 100644
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -234,9 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -42593,7 +43550,7 @@ index edc58df..f71b9e8 100644
fs_search_auto_mountpoints(iceauth_t)
userdom_use_user_terminals(iceauth_t)
-+userdom_read_user_tmp_files(iceauth_t)
+ userdom_read_user_tmp_files(iceauth_t)
+userdom_read_all_users_state(iceauth_t)
+
+tunable_policy(`use_fusefs_home_dirs',`
@@ -42602,7 +43559,7 @@ index edc58df..f71b9e8 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -246,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(iceauth_t)
')
@@ -42717,7 +43674,7 @@ index edc58df..f71b9e8 100644
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -301,20 +413,33 @@ optional_policy(`
+@@ -302,20 +413,33 @@ optional_policy(`
# XDM Local policy
#
@@ -42755,7 +43712,7 @@ index edc58df..f71b9e8 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -322,43 +447,69 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -323,43 +447,62 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -42779,15 +43736,7 @@ index edc58df..f71b9e8 100644
manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
--fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
--manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+fs_getattr_all_fs(xdm_t)
-+fs_list_inotifyfs(xdm_t)
-+fs_dontaudit_list_noxattr_fs(xdm_t)
-+fs_dontaudit_read_noxattr_fs_files(xdm_t)
-+fs_manage_cgroup_dirs(xdm_t)
-+fs_manage_cgroup_files(xdm_t)
+-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
@@ -42795,8 +43744,8 @@ index edc58df..f71b9e8 100644
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-+
-+manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+
+ manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
@@ -42832,7 +43781,7 @@ index edc58df..f71b9e8 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -368,18 +511,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -42860,7 +43809,7 @@ index edc58df..f71b9e8 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -390,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -391,18 +542,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -42884,7 +43833,7 @@ index edc58df..f71b9e8 100644
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -410,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -411,18 +566,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -42912,7 +43861,7 @@ index edc58df..f71b9e8 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -432,9 +601,17 @@ files_list_mnt(xdm_t)
+@@ -433,9 +594,22 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -42925,12 +43874,17 @@ index edc58df..f71b9e8 100644
fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
+
+mls_socket_write_to_clearance(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +618,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -42969,7 +43923,7 @@ index edc58df..f71b9e8 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -473,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +656,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -43000,20 +43954,22 @@ index edc58df..f71b9e8 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -491,6 +697,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +695,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
-+tunable_policy(`xdm_exec_bootloader',`
-+ bootloader_exec(xdm_t)
-+ files_read_boot_files(xdm_t)
-+ files_read_boot_symlinks(xdm_t)
++optional_policy(`
++ tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
++ ')
+')
+
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -504,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -43035,10 +43991,11 @@ index edc58df..f71b9e8 100644
')
optional_policy(`
-@@ -516,12 +738,54 @@ optional_policy(`
+@@ -517,7 +738,37 @@ optional_policy(`
')
optional_policy(`
+- cpufreqselector_dbus_chat(xdm_t)
+ # Use dbus to start other processes as xdm_t
+ dbus_role_template(xdm, system_r, xdm_t)
+
@@ -43055,7 +44012,7 @@ index edc58df..f71b9e8 100644
+ ')
+
+ optional_policy(`
-+ cpufreqselector_dbus_send(xdm_t)
++ cpufreqselector_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
@@ -43070,12 +44027,10 @@ index edc58df..f71b9e8 100644
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
-+')
-+
-+optional_policy(`
- # Talk to the console mouse server.
- gpm_stream_connect(xdm_t)
- gpm_setattr_gpmctl(xdm_t)
+ ')
+
+ optional_policy(`
+@@ -527,6 +778,14 @@ optional_policy(`
')
optional_policy(`
@@ -43090,7 +44045,7 @@ index edc58df..f71b9e8 100644
hostname_exec(xdm_t)
')
-@@ -539,28 +803,64 @@ optional_policy(`
+@@ -544,28 +803,65 @@ optional_policy(`
')
optional_policy(`
@@ -43127,6 +44082,7 @@ index edc58df..f71b9e8 100644
+ rpm_exec(xdm_t)
+ rpm_read_db(xdm_t)
+ rpm_dontaudit_manage_db(xdm_t)
++ rpm_dontaudit_dbus_chat(xdm_t)
+')
+
+optional_policy(`
@@ -43164,10 +44120,14 @@ index edc58df..f71b9e8 100644
')
optional_policy(`
-@@ -572,6 +872,10 @@ optional_policy(`
+@@ -577,6 +873,14 @@ optional_policy(`
')
optional_policy(`
++ vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
+ wm_exec(xdm_t)
+')
+
@@ -43175,7 +44135,7 @@ index edc58df..f71b9e8 100644
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +900,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +905,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -43184,7 +44144,7 @@ index edc58df..f71b9e8 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -43200,7 +44160,7 @@ index edc58df..f71b9e8 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -43222,7 +44182,7 @@ index edc58df..f71b9e8 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -643,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -43230,7 +44190,7 @@ index edc58df..f71b9e8 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -669,7 +988,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +993,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -43238,7 +44198,7 @@ index edc58df..f71b9e8 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -679,11 +997,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1002,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -43256,7 +44216,7 @@ index edc58df..f71b9e8 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -43270,14 +44230,23 @@ index edc58df..f71b9e8 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -717,15 +1046,19 @@ logging_send_audit_msgs(xserver_t)
+@@ -713,8 +1042,6 @@ init_getpgid(xserver_t)
+ term_setattr_unallocated_ttys(xserver_t)
+ term_use_unallocated_ttys(xserver_t)
+
+-getty_use_fds(xserver_t)
+-
+ locallogin_use_fds(xserver_t)
+
+ logging_send_syslog_msg(xserver_t)
+@@ -722,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
+-
+-modutils_domtrans_insmod(xserver_t)
+miscfiles_read_hwdata(xserver_t)
- modutils_domtrans_insmod(xserver_t)
-
# read x_contexts
seutil_read_default_contexts(xserver_t)
+seutil_read_config(xserver_t)
@@ -43285,12 +44254,7 @@ index edc58df..f71b9e8 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
- userdom_setattr_user_ttys(xserver_t)
-+userdom_read_user_tmp_files(xserver_t)
- userdom_rw_user_tmpfs_files(xserver_t)
-
- xserver_use_user_fonts(xserver_t)
-@@ -774,16 +1107,28 @@ optional_policy(`
+@@ -780,16 +1108,36 @@ optional_policy(`
')
optional_policy(`
@@ -43298,6 +44262,14 @@ index edc58df..f71b9e8 100644
+')
+
+optional_policy(`
++ getty_use_fds(xserver_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(xserver_t)
++')
++
++optional_policy(`
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
')
@@ -43320,7 +44292,7 @@ index edc58df..f71b9e8 100644
unconfined_domtrans(xserver_t)
')
-@@ -792,6 +1137,10 @@ optional_policy(`
+@@ -798,6 +1146,10 @@ optional_policy(`
')
optional_policy(`
@@ -43331,7 +44303,7 @@ index edc58df..f71b9e8 100644
xfs_stream_connect(xserver_t)
')
-@@ -807,10 +1156,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1165,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -43345,7 +44317,7 @@ index edc58df..f71b9e8 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -818,7 +1167,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1176,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -43354,7 +44326,7 @@ index edc58df..f71b9e8 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -831,6 +1180,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1189,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -43364,7 +44336,7 @@ index edc58df..f71b9e8 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -838,6 +1190,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1199,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -43376,7 +44348,7 @@ index edc58df..f71b9e8 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -846,11 +1203,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1212,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -43393,7 +44365,7 @@ index edc58df..f71b9e8 100644
')
optional_policy(`
-@@ -858,6 +1218,10 @@ optional_policy(`
+@@ -864,6 +1227,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -43404,7 +44376,7 @@ index edc58df..f71b9e8 100644
########################################
#
# Rules common to all X window domains
-@@ -901,7 +1265,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1274,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -43413,7 +44385,7 @@ index edc58df..f71b9e8 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -955,11 +1319,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1328,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -43445,7 +44417,7 @@ index edc58df..f71b9e8 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -981,18 +1365,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1374,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -44084,7 +45056,7 @@ index 2952cef..4485fd5 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..a0feb45 100644
+index 42b4f0f..e6b751b 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -44473,10 +45445,10 @@ index bea0ade..a0feb45 100644
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..b86897f 100644
+index 66d13c4..66a0a25 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
+@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1)
# Declarations
#
@@ -44510,16 +45482,7 @@ index 54d122b..b86897f 100644
type pam_var_run_t;
files_pid_file(pam_var_run_t)
-@@ -83,7 +98,7 @@ logging_log_file(wtmp_t)
-
- allow chkpwd_t self:capability { dac_override setuid };
- dontaudit chkpwd_t self:capability sys_tty_config;
--allow chkpwd_t self:process getattr;
-+allow chkpwd_t self:process { getattr signal };
-
- allow chkpwd_t shadow_t:file read_file_perms;
- files_list_etc(chkpwd_t)
-@@ -99,6 +114,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
@@ -44528,7 +45491,7 @@ index 54d122b..b86897f 100644
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-@@ -394,3 +411,13 @@ optional_policy(`
+@@ -395,3 +412,13 @@ optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -44738,7 +45701,7 @@ index a97a096..ab1e16a 100644
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..133f7f8 100644
+index a442acc..9f99f16 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -44758,7 +45721,11 @@ index a442acc..133f7f8 100644
# Access to /initrd devices
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
-@@ -117,6 +118,9 @@ fs_remount_xattr_fs(fsadm_t)
+@@ -114,9 +115,13 @@ fs_rw_tmpfs_files(fsadm_t)
+ # remount file system to apply changes
+ fs_remount_xattr_fs(fsadm_t)
+ # for /dev/shm
++fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
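Review bot: The added `fs_list_auto_mountpoints(fsadm_t)` is placed between the `# for /dev/shm` comment and `fs_search_tmpfs(fsadm_t)`, so the comment now reads as if it explained the autofs rule rather than the tmpfs rules that follow. Move the new line above the comment and give it its own, e.g. `# list autofs mount points (moved here from the hide_broken_symptoms block in init.te)`. That origin matters: the rule was previously gated by `ifdef(`hide_broken_symptoms')` in init.te (dropped further down in this diff) and is now an unconditional allow, and the neighbouring `fs_list_auto_mountpoints(lvm_t)` and `fs_list_hugetlbfs(lvm_t)` removed in the same block have no visible counterpart in the lvm.te hunks shown, so it is worth confirming they were intentionally dropped. The enclosing file section continues outside this hunk.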
@@ -44768,7 +45735,7 @@ index a442acc..133f7f8 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -130,6 +134,7 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -130,6 +135,7 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -44776,8 +45743,13 @@ index a442acc..133f7f8 100644
storage_swapon_fixed_disk(fsadm_t)
term_use_console(fsadm_t)
-@@ -147,7 +152,7 @@ modutils_read_module_deps(fsadm_t)
+@@ -142,12 +148,9 @@ logging_send_syslog_msg(fsadm_t)
+
+ miscfiles_read_localization(fsadm_t)
+-modutils_read_module_config(fsadm_t)
+-modutils_read_module_deps(fsadm_t)
+-
seutil_read_config(fsadm_t)
-userdom_use_user_terminals(fsadm_t)
@@ -44785,7 +45757,7 @@ index a442acc..133f7f8 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +171,19 @@ optional_policy(`
+@@ -166,6 +169,24 @@ optional_policy(`
')
optional_policy(`
@@ -44802,10 +45774,15 @@ index a442acc..133f7f8 100644
+')
+
+optional_policy(`
++ modutils_read_module_config(fsadm_t)
++ modutils_read_module_deps(fsadm_t)
++')
++
++optional_policy(`
nis_use_ypbind(fsadm_t)
')
-@@ -175,6 +193,14 @@ optional_policy(`
+@@ -175,6 +196,14 @@ optional_policy(`
')
optional_policy(`
@@ -44855,11 +45832,37 @@ index c310775..d5fc685 100644
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
+diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
+index 882c6a2..d0ff4ec 100644
+--- a/policy/modules/system/hotplug.te
++++ b/policy/modules/system/hotplug.te
+@@ -105,9 +105,6 @@ libs_read_lib_files(hotplug_t)
+ miscfiles_read_hwdata(hotplug_t)
+ miscfiles_read_localization(hotplug_t)
+
+-modutils_domtrans_insmod(hotplug_t)
+-modutils_read_module_deps(hotplug_t)
+-
+ seutil_dontaudit_search_config(hotplug_t)
+
+ sysnet_read_config(hotplug_t)
+@@ -154,6 +151,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(hotplug_t)
++ modutils_read_module_deps(hotplug_t)
++')
++
++optional_policy(`
+ mount_domtrans(hotplug_t)
+ ')
+
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 6fed22c..06e5395 100644
+index 354ce93..f7cda1c 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -33,7 +33,21 @@ ifdef(`distro_gentoo', `
+@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', `
#
# /sbin
#
@@ -44877,11 +45880,9 @@ index 6fed22c..06e5395 100644
+# /sbin
+#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
- ifdef(`distro_gentoo', `
- /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -53,6 +67,9 @@ ifdef(`distro_gentoo', `
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', `
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -44892,7 +45893,7 @@ index 6fed22c..06e5395 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..2657c0b 100644
+index cc83689..6a82950 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -45335,7 +46336,7 @@ index cc83689..2657c0b 100644
')
########################################
-@@ -1749,3 +1961,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1961,120 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -45429,8 +46430,35 @@ index cc83689..2657c0b 100644
+
+ allow $1 init_t:unix_dgram_socket sendto;
+')
++
++########################################
++##
++## Create a file type used for init socket files.
++##
++##
++##
++## This defines a type that init can create sock_file within for
++## impersonation purposes
++##
++##
++##
++##
++## Type to be used for a sock file.
++##
++##
++##
++#
++interface(`init_sock_file',`
++ gen_require(`
++ attribute init_sock_file_type;
++ ')
++
++ typeattribute $1 init_sock_file_type;
++
++')
++
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 77e8ca8..2abb81b 100644
+index ea29513..2370758 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
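Review bot: The description of `init_sock_file` should state what the attribute actually grants: combined with the `create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)` rule added to init.te later in this diff, it gives init_t `dir { write add_name }` and `sock_file create` on every object of the passed type, and only while the `init_systemd` tunable is on, so callers should apply it to a dedicated runtime-directory type rather than a broad one. Suggested description text: `Allow init (systemd) to create sock_file objects in directories of this type. The access is only granted when the init_systemd tunable is enabled.` The phrase "for impersonation purposes" does not say what access is intended; replace it with the concrete purpose. Also drop the blank line between `typeattribute $1 init_sock_file_type;` and the closing `')`, matching the interface directly above it.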
@@ -45468,15 +46496,17 @@ index 77e8ca8..2abb81b 100644
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
-@@ -25,6 +53,7 @@ attribute direct_init_entry;
+@@ -25,6 +53,9 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
++# Attribute used for systemd so domains can allow systemd to create sock_files
++attribute init_sock_file_type;
# Mark process types as daemons
attribute daemon;
-@@ -32,7 +61,7 @@ attribute daemon;
+@@ -32,7 +63,7 @@ attribute daemon;
#
# init_t is the domain of the init process.
#
@@ -45485,7 +46515,7 @@ index 77e8ca8..2abb81b 100644
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +92,8 @@ role system_r types initrc_t;
+@@ -63,6 +94,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -45494,7 +46524,7 @@ index 77e8ca8..2abb81b 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -87,7 +118,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +120,7 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -45503,7 +46533,7 @@ index 77e8ca8..2abb81b 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -100,7 +131,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,7 +133,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -45514,7 +46544,7 @@ index 77e8ca8..2abb81b 100644
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -114,11 +147,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,11 +149,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -45528,7 +46558,7 @@ index 77e8ca8..2abb81b 100644
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
-@@ -127,9 +162,13 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +164,13 @@ domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
@@ -45542,7 +46572,7 @@ index 77e8ca8..2abb81b 100644
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dirs(init_t)
files_manage_etc_runtime_files(init_t)
-@@ -151,6 +190,7 @@ mls_file_read_all_levels(init_t)
+@@ -151,6 +192,7 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -45550,7 +46580,7 @@ index 77e8ca8..2abb81b 100644
selinux_set_all_booleans(init_t)
-@@ -162,12 +202,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +204,15 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
@@ -45566,7 +46596,7 @@ index 77e8ca8..2abb81b 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -178,7 +221,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +223,7 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -45575,12 +46605,15 @@ index 77e8ca8..2abb81b 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +229,100 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +231,105 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
+storage_raw_rw_fixed_disk(init_t)
-+modutils_domtrans_insmod(init_t)
++
++optional_policy(`
++ modutils_domtrans_insmod(init_t)
++')
+
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -45648,6 +46681,8 @@ index 77e8ca8..2abb81b 100644
+ # needs to remain
+ logging_create_devlog_dev(init_t)
+
++ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
++
+# miscfiles_delete_man_pages(init_t)
+# miscfiles_relabel_man_pages(init_t)
+
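Review bot: `create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)` is inserted directly after the comment block ending `# needs to remain`, which explains `logging_create_devlog_dev(init_t)`, so a reader will take that comment as covering the new rule too. Give it its own comment, e.g. `# create sockets in runtime dirs whose types opted in via init_sock_file()`, and mention that it replaces the per-type avahi_var_run_t and system_dbusd_var_run_t allow rules removed from the hide_broken_symptoms block at the end of this file later in the diff. The enclosing `tunable_policy(`init_systemd'` block starts and ends outside this hunk.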
@@ -45676,7 +46711,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -199,10 +330,25 @@ optional_policy(`
+@@ -199,10 +337,25 @@ optional_policy(`
')
optional_policy(`
@@ -45702,7 +46737,7 @@ index 77e8ca8..2abb81b 100644
unconfined_domain(init_t)
')
-@@ -212,7 +358,7 @@ optional_policy(`
+@@ -212,7 +365,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -45711,7 +46746,7 @@ index 77e8ca8..2abb81b 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +387,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +394,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -45726,7 +46761,7 @@ index 77e8ca8..2abb81b 100644
init_write_initctl(initrc_t)
-@@ -258,11 +406,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +413,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -45750,7 +46785,7 @@ index 77e8ca8..2abb81b 100644
corecmd_exec_all_executables(initrc_t)
-@@ -279,6 +439,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +446,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -45758,7 +46793,7 @@ index 77e8ca8..2abb81b 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +452,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -45766,7 +46801,7 @@ index 77e8ca8..2abb81b 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +460,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -45782,7 +46817,7 @@ index 77e8ca8..2abb81b 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +485,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +492,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -45794,7 +46829,7 @@ index 77e8ca8..2abb81b 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +504,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +511,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -45808,7 +46843,7 @@ index 77e8ca8..2abb81b 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +519,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +526,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -45817,7 +46852,7 @@ index 77e8ca8..2abb81b 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +533,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +540,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -45825,7 +46860,7 @@ index 77e8ca8..2abb81b 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +545,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +552,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -45833,15 +46868,15 @@ index 77e8ca8..2abb81b 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +566,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +573,12 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
- modutils_read_module_config(initrc_t)
- modutils_domtrans_insmod(initrc_t)
+-modutils_read_module_config(initrc_t)
+-modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
@@ -45849,7 +46884,7 @@ index 77e8ca8..2abb81b 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +651,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +656,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -45858,7 +46893,7 @@ index 77e8ca8..2abb81b 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -524,6 +697,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +702,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -45882,7 +46917,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -531,10 +721,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +726,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -45900,7 +46935,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -549,6 +746,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +751,39 @@ ifdef(`distro_suse',`
')
')
@@ -45940,7 +46975,7 @@ index 77e8ca8..2abb81b 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +791,8 @@ optional_policy(`
+@@ -561,6 +796,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -45949,7 +46984,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -577,6 +809,7 @@ optional_policy(`
+@@ -577,6 +814,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -45957,7 +46992,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -589,6 +822,11 @@ optional_policy(`
+@@ -589,6 +827,11 @@ optional_policy(`
')
optional_policy(`
@@ -45969,7 +47004,7 @@ index 77e8ca8..2abb81b 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +843,13 @@ optional_policy(`
+@@ -605,9 +848,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -45983,7 +47018,19 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -706,7 +948,13 @@ optional_policy(`
+@@ -649,6 +896,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_read_module_config(initrc_t)
++ modutils_domtrans_insmod(initrc_t)
++')
++
++optional_policy(`
+ inn_exec_config(initrc_t)
+ ')
+
+@@ -706,7 +958,13 @@ optional_policy(`
')
optional_policy(`
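Review bot: The new modutils `optional_policy` block in init.te is inserted ahead of the `inn_exec_config(initrc_t)` block, which breaks alphabetical module order; the other files touched by this diff keep it (fstools: modutils before nis, hotplug: modutils before mount, ipsec: iptables, modutils, nscd), and init.te appears to follow the same convention. Move the block after the inn one so the file stays consistent and merges cleanly against upstream, which presumably orders these blocks the same way. The enclosing file section continues outside this hunk.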
@@ -45997,7 +47044,7 @@ index 77e8ca8..2abb81b 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +977,10 @@ optional_policy(`
+@@ -729,6 +987,10 @@ optional_policy(`
')
optional_policy(`
@@ -46008,7 +47055,7 @@ index 77e8ca8..2abb81b 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +990,20 @@ optional_policy(`
+@@ -738,10 +1000,20 @@ optional_policy(`
')
optional_policy(`
@@ -46029,7 +47076,7 @@ index 77e8ca8..2abb81b 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1012,10 @@ optional_policy(`
+@@ -750,6 +1022,10 @@ optional_policy(`
')
optional_policy(`
@@ -46040,7 +47087,7 @@ index 77e8ca8..2abb81b 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1037,6 @@ optional_policy(`
+@@ -771,8 +1047,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -46049,7 +47096,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -781,14 +1045,21 @@ optional_policy(`
+@@ -781,14 +1055,21 @@ optional_policy(`
')
optional_policy(`
@@ -46071,7 +47118,7 @@ index 77e8ca8..2abb81b 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1081,19 @@ optional_policy(`
+@@ -810,11 +1091,19 @@ optional_policy(`
')
optional_policy(`
@@ -46092,7 +47139,7 @@ index 77e8ca8..2abb81b 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1103,25 @@ optional_policy(`
+@@ -824,6 +1113,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -46118,7 +47165,7 @@ index 77e8ca8..2abb81b 100644
')
optional_policy(`
-@@ -849,3 +1147,59 @@ optional_policy(`
+@@ -849,3 +1157,37 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -46156,28 +47203,6 @@ index 77e8ca8..2abb81b 100644
+')
+
+init_rw_stream_sockets(daemon)
-+
-+ifdef(`hide_broken_symptoms',`
-+optional_policy(`
-+gen_require(`
-+ type system_dbusd_var_run_t;
-+ type fsadm_t;
-+ type avahi_var_run_t;
-+')
-+
-+fs_list_auto_mountpoints(fsadm_t)
-+
-+fs_list_auto_mountpoints(lvm_t)
-+fs_list_hugetlbfs(lvm_t)
-+
-+allow init_t avahi_var_run_t:dir { write add_name };
-+allow init_t avahi_var_run_t:sock_file create;
-+
-+allow init_t system_dbusd_var_run_t:dir { write add_name };
-+allow init_t system_dbusd_var_run_t:sock_file create;
-+
-+')
-+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 07eba2b..942bea1 100644
--- a/policy/modules/system/ipsec.fc
@@ -46319,7 +47344,7 @@ index 8232f91..8897e32 100644
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 98d6081..fbc8601 100644
+index 98d6081..ba4b965 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,7 +73,7 @@ role system_r types setkey_t;
@@ -46421,15 +47446,19 @@ index 98d6081..fbc8601 100644
term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+term_use_all_terms(ipsec_mgmt_t)
-+
-+auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_dontaudit_read_login_records(ipsec_mgmt_t)
++
+init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -291,7 +308,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
+@@ -287,11 +304,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
+
+ miscfiles_read_localization(ipsec_mgmt_t)
+-modutils_domtrans_insmod(ipsec_mgmt_t)
+-
seutil_dontaudit_search_config(ipsec_mgmt_t)
+sysnet_manage_config(ipsec_mgmt_t)
@@ -46438,7 +47467,7 @@ index 98d6081..fbc8601 100644
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -300,6 +319,23 @@ optional_policy(`
+@@ -300,6 +317,27 @@ optional_policy(`
')
optional_policy(`
@@ -46455,14 +47484,18 @@ index 98d6081..fbc8601 100644
+')
+
+optional_policy(`
-+ iptables_domtrans(ipsec_mgmt_t)
++ iptables_domtrans(ipsec_mgmt_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(ipsec_mgmt_t)
+')
+
+optional_policy(`
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -386,6 +422,8 @@ miscfiles_read_localization(racoon_t)
+@@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -46471,7 +47504,7 @@ index 98d6081..fbc8601 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +450,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
+@@ -412,6 +452,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -46479,7 +47512,7 @@ index 98d6081..fbc8601 100644
# allow setkey to set the context for ipsec SAs and policy.
corenet_setcontext_all_spds(setkey_t)
-@@ -423,4 +462,5 @@ miscfiles_read_localization(setkey_t)
+@@ -423,4 +464,5 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
@@ -47534,10 +48567,10 @@ index 9b5a9ed..7ea0ae3 100644
')
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..526d11c 100644
+index 879bb1e..7b22111 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -28,10 +28,13 @@ ifdef(`distro_gentoo',`
+@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -47551,7 +48584,19 @@ index 879bb1e..526d11c 100644
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -97,5 +100,7 @@ ifdef(`distro_gentoo',`
+ /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
+-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -97,5 +101,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -47604,7 +48649,7 @@ index 58bc27f..b95f0c0 100644
+ allow $1 clvmd_tmpfs_t:file unlink;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..1440818 100644
+index a0a0ebf..f596c62 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -47703,7 +48748,7 @@ index a0a0ebf..1440818 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -253,8 +270,9 @@ files_read_etc_files(lvm_t)
+@@ -253,17 +270,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -47714,7 +48759,11 @@ index a0a0ebf..1440818 100644
fs_search_auto_mountpoints(lvm_t)
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
-@@ -264,6 +282,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
+ fs_dontaudit_getattr_tmpfs_files(lvm_t)
+ fs_rw_anon_inodefs_files(lvm_t)
++fs_list_auto_mountpoints(lvm_t)
++fs_list_hugetlbfs(lvm_t)
mls_file_read_all_levels(lvm_t)
mls_file_write_to_clearance(lvm_t)
@@ -47722,7 +48771,7 @@ index a0a0ebf..1440818 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -311,6 +330,11 @@ ifdef(`distro_redhat',`
+@@ -311,6 +332,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -47734,7 +48783,7 @@ index a0a0ebf..1440818 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,6 +355,10 @@ optional_policy(`
+@@ -331,6 +357,10 @@ optional_policy(`
')
optional_policy(`
@@ -47745,7 +48794,7 @@ index a0a0ebf..1440818 100644
modutils_domtrans_insmod(lvm_t)
')
-@@ -339,6 +367,10 @@ optional_policy(`
+@@ -339,6 +369,10 @@ optional_policy(`
')
optional_policy(`
@@ -48007,7 +49056,7 @@ index 72c746e..3d0bc28 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..83107f9 100644
+index 8b5c196..6dc92dd 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
@@ -48027,7 +49076,7 @@ index 8b5c196..83107f9 100644
')
########################################
-@@ -45,8 +55,54 @@ interface(`mount_run',`
+@@ -45,12 +55,77 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -48050,11 +49099,11 @@ index 8b5c196..83107f9 100644
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
@@ -48074,16 +49123,39 @@ index 8b5c196..83107f9 100644
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
- ')
++ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
+
+ fstools_run(mount_t, $2)
- ')
-
- ########################################
-@@ -84,9 +140,11 @@ interface(`mount_exec',`
++')
++
++########################################
++##
++## Read mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_read_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:file read_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
+ ## Execute mount in the caller domain.
+ ##
+ ##
+@@ -84,9 +159,11 @@ interface(`mount_exec',`
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -48095,7 +49167,7 @@ index 8b5c196..83107f9 100644
')
########################################
-@@ -95,7 +153,7 @@ interface(`mount_signal',`
+@@ -95,7 +172,7 @@ interface(`mount_signal',`
##
##
##
@@ -48104,7 +49176,7 @@ index 8b5c196..83107f9 100644
##
##
#
-@@ -135,6 +193,24 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,6 +212,24 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -48129,7 +49201,7 @@ index 8b5c196..83107f9 100644
## Execute mount in the unconfined mount domain.
##
##
-@@ -176,4 +252,109 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +271,110 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
@@ -48159,6 +49231,7 @@ index 8b5c196..83107f9 100644
+ ')
+
+ domtrans_pattern($1, fusermount_exec_t, mount_t)
++ ps_process_pattern(mount_t, $1)
+')
+
+########################################
@@ -48240,7 +49313,7 @@ index 8b5c196..83107f9 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..b842390 100644
+index 15832c7..e7aff81 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -48430,16 +49503,12 @@ index 15832c7..b842390 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,10 +212,17 @@ ifdef(`distro_ubuntu',`
+@@ -141,10 +212,13 @@ ifdef(`distro_ubuntu',`
')
')
+corecmd_exec_shell(mount_t)
+
-+modutils_domtrans_insmod(mount_t)
-+
-+fstools_domtrans(mount_t)
-+
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
@@ -48448,7 +49517,7 @@ index 15832c7..b842390 100644
')
optional_policy(`
-@@ -174,6 +252,8 @@ optional_policy(`
+@@ -174,6 +248,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -48457,7 +49526,7 @@ index 15832c7..b842390 100644
')
optional_policy(`
-@@ -181,6 +261,28 @@ optional_policy(`
+@@ -181,6 +257,28 @@ optional_policy(`
')
optional_policy(`
@@ -48486,7 +49555,7 @@ index 15832c7..b842390 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +290,44 @@ optional_policy(`
+@@ -188,13 +286,52 @@ optional_policy(`
')
')
@@ -48500,6 +49569,14 @@ index 15832c7..b842390 100644
+')
+
+optional_policy(`
++ modutils_domtrans_insmod(mount_t)
++')
++
++optional_policy(`
++ fstools_domtrans(mount_t)
++')
++
++optional_policy(`
+ rhcs_stream_connect_gfs_controld(mount_t)
+')
+
@@ -48531,7 +49608,7 @@ index 15832c7..b842390 100644
')
########################################
-@@ -203,6 +336,43 @@ optional_policy(`
+@@ -203,6 +340,43 @@ optional_policy(`
#
optional_policy(`
@@ -48576,6 +49653,30 @@ index 15832c7..b842390 100644
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
+diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
+index 4d06ae3..a9918e0 100644
+--- a/policy/modules/system/pcmcia.te
++++ b/policy/modules/system/pcmcia.te
+@@ -98,8 +98,6 @@ logging_send_syslog_msg(cardmgr_t)
+
+ miscfiles_read_localization(cardmgr_t)
+
+-modutils_domtrans_insmod(cardmgr_t)
+-
+ sysnet_domtrans_ifconfig(cardmgr_t)
+ # for /etc/resolv.conf
+ sysnet_etc_filetrans_config(cardmgr_t)
+@@ -110,6 +108,10 @@ userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+ userdom_dontaudit_search_user_home_dirs(cardmgr_t)
+
+ optional_policy(`
++ modutils_domtrans_insmod(cardmgr_t)
++')
++
++optional_policy(`
+ seutil_dontaudit_read_config(cardmgr_t)
+ seutil_sigchld_newrole(cardmgr_t)
+ ')
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
index ed9c70d..b961d53 100644
--- a/policy/modules/system/raid.fc
@@ -49107,7 +50208,7 @@ index 170e2c7..540a936 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..d6a6763 100644
+index 7ed9819..c3dc5ba 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -49120,7 +50221,7 @@ index 7ed9819..d6a6763 100644
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -57,8 +60,9 @@ domain_interactive_fd(newrole_t)
+@@ -57,8 +60,13 @@ domain_interactive_fd(newrole_t)
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
@@ -49128,11 +50229,15 @@ index 7ed9819..d6a6763 100644
-files_type(policy_config_t)
+#type policy_config_t;
+#files_type(policy_config_t)
++gen_require(`
++ type semanage_store_t;
++')
++
+typealias semanage_store_t alias policy_config_t;
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -74,7 +78,6 @@ type restorecond_t;
+@@ -74,7 +82,6 @@ type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
@@ -49140,7 +50245,7 @@ index 7ed9819..d6a6763 100644
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -88,26 +91,36 @@ role system_r types run_init_t;
+@@ -88,26 +95,36 @@ role system_r types run_init_t;
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
@@ -49179,7 +50284,7 @@ index 7ed9819..d6a6763 100644
########################################
#
# Checkpolicy local policy
-@@ -176,6 +189,7 @@ term_list_ptys(load_policy_t)
+@@ -176,6 +193,7 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
@@ -49187,7 +50292,7 @@ index 7ed9819..d6a6763 100644
miscfiles_read_localization(load_policy_t)
-@@ -204,7 +218,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -204,7 +222,7 @@ ifdef(`hide_broken_symptoms',`
# Newrole local policy
#
@@ -49196,7 +50301,7 @@ index 7ed9819..d6a6763 100644
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +234,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -49205,7 +50310,7 @@ index 7ed9819..d6a6763 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +247,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +251,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
@@ -49213,7 +50318,7 @@ index 7ed9819..d6a6763 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -260,25 +275,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +279,30 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -49250,7 +50355,7 @@ index 7ed9819..d6a6763 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -312,6 +332,8 @@ kernel_use_fds(restorecond_t)
+@@ -312,6 +336,8 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -49259,7 +50364,7 @@ index 7ed9819..d6a6763 100644
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -335,6 +357,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +361,8 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
@@ -49268,7 +50373,7 @@ index 7ed9819..d6a6763 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -353,7 +377,7 @@ optional_policy(`
+@@ -353,7 +381,7 @@ optional_policy(`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -49277,7 +50382,7 @@ index 7ed9819..d6a6763 100644
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -380,6 +404,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +408,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -49286,7 +50391,7 @@ index 7ed9819..d6a6763 100644
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +431,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +435,15 @@ ifndef(`direct_sysadm_daemon',`
')
')
@@ -49302,7 +50407,7 @@ index 7ed9819..d6a6763 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,61 +455,22 @@ optional_policy(`
+@@ -420,61 +459,22 @@ optional_policy(`
# semodule local policy
#
@@ -49319,17 +50424,17 @@ index 7ed9819..d6a6763 100644
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
--
--corecmd_exec_bin(semanage_t)
--
--dev_read_urand(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--domain_use_interactive_fds(semanage_t)
+-corecmd_exec_bin(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-dev_read_urand(semanage_t)
+-
+-domain_use_interactive_fds(semanage_t)
+-
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -49351,13 +50456,13 @@ index 7ed9819..d6a6763 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
-
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
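Review bot: `auth_read_all_files_except_shadow(semanage_t)` survives the reshuffle under the comment `# Admins are creating pp files in random locations`, which records the trigger but not the scope of what it grants: the policy-management domain can now read every non-shadow file on the system, not only module packages, and the `-+`/`++` markers show this is a patch-side addition rather than upstream behaviour. Since this patch is where the deviation is documented, the comment should say what is being widened, e.g. `# semodule -i on .pp files outside the store: grants read on all non-shadow files, wider than upstream`. The semanage local-policy section continues outside the hunk.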
@@ -49372,13 +50477,13 @@ index 7ed9819..d6a6763 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +483,64 @@ ifdef(`distro_debian',`
+@@ -487,118 +487,64 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
+optional_policy(`
+ setrans_initrc_domtrans(semanage_t)
-+ domain_system_change_exemption(semanage_t)
++ domain_system_change_exemption(semanage_t)
+ consoletype_exec(semanage_t)
+')
+
@@ -49455,17 +50560,17 @@ index 7ed9819..d6a6763 100644
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
--
--logging_send_syslog_msg(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
--miscfiles_read_localization(setfiles_t)
+-logging_send_syslog_msg(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-miscfiles_read_localization(setfiles_t)
+-
-seutil_libselinux_linked(setfiles_t)
+########################################
+#
@@ -49540,7 +50645,7 @@ index 1447687..cdc0223 100644
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 726619b..ece1edf 100644
+index 694fd94..334e80e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -10,10 +10,10 @@
@@ -49564,7 +50669,7 @@ index 726619b..ece1edf 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 8e71fb7..065b98e 100644
+index ff80d0a..7f1a21c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -49592,7 +50697,7 @@ index 8e71fb7..065b98e 100644
')
########################################
-@@ -249,6 +267,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -269,6 +287,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -49636,7 +50741,7 @@ index 8e71fb7..065b98e 100644
#######################################
##
## Set the attributes of network config files.
-@@ -270,6 +325,44 @@ interface(`sysnet_setattr_config',`
+@@ -290,6 +345,44 @@ interface(`sysnet_setattr_config',`
#######################################
##
@@ -49681,7 +50786,7 @@ index 8e71fb7..065b98e 100644
## Read network config files.
##
##
-@@ -406,6 +499,7 @@ interface(`sysnet_manage_config',`
+@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@@ -49689,7 +50794,7 @@ index 8e71fb7..065b98e 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -444,6 +538,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -464,6 +558,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -49697,7 +50802,7 @@ index 8e71fb7..065b98e 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -464,6 +559,9 @@ interface(`sysnet_domtrans_ifconfig',`
+@@ -484,6 +579,9 @@ interface(`sysnet_domtrans_ifconfig',`
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -49707,7 +50812,7 @@ index 8e71fb7..065b98e 100644
')
########################################
-@@ -534,6 +632,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +652,25 @@ interface(`sysnet_signal_ifconfig',`
########################################
##
@@ -49733,7 +50838,7 @@ index 8e71fb7..065b98e 100644
## Read the DHCP configuration files.
##
##
-@@ -641,6 +758,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +778,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -49742,7 +50847,7 @@ index 8e71fb7..065b98e 100644
sysnet_read_config($1)
optional_policy(`
-@@ -678,6 +797,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +817,9 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
sysnet_read_config($1)
@@ -49752,7 +50857,7 @@ index 8e71fb7..065b98e 100644
')
########################################
-@@ -711,3 +833,49 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +853,49 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -49803,10 +50908,10 @@ index 8e71fb7..065b98e 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..b8e873f 100644
+index df32316..6de83ef 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
# Declarations
#
@@ -49875,7 +50980,7 @@ index dfbe736..b8e873f 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -130,9 +148,11 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+@@ -130,13 +148,13 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
@@ -49886,8 +50991,12 @@ index dfbe736..b8e873f 100644
+miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
- modutils_domtrans_insmod(dhcpc_t)
-@@ -155,6 +175,14 @@ optional_policy(`
+-modutils_domtrans_insmod(dhcpc_t)
+-
+ userdom_use_user_terminals(dhcpc_t)
+ userdom_dontaudit_search_user_home_dirs(dhcpc_t)
+
+@@ -155,6 +173,14 @@ optional_policy(`
')
optional_policy(`
@@ -49902,7 +51011,7 @@ index dfbe736..b8e873f 100644
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +199,8 @@ optional_policy(`
+@@ -171,6 +197,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -49911,10 +51020,14 @@ index dfbe736..b8e873f 100644
')
optional_policy(`
-@@ -192,6 +222,13 @@ optional_policy(`
+@@ -192,6 +220,17 @@ optional_policy(`
')
optional_policy(`
++ modutils_domtrans_insmod(dhcpc_t)
++')
++
++optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_read_lib_files(dhcpc_t)
@@ -49925,7 +51038,7 @@ index dfbe736..b8e873f 100644
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -213,6 +250,10 @@ optional_policy(`
+@@ -213,6 +252,10 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -49936,7 +51049,7 @@ index dfbe736..b8e873f 100644
')
optional_policy(`
-@@ -276,8 +317,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +319,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -49948,7 +51061,11 @@ index dfbe736..b8e873f 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +349,8 @@ modutils_domtrans_insmod(ifconfig_t)
+@@ -301,10 +347,11 @@ logging_send_syslog_msg(ifconfig_t)
+
+ miscfiles_read_localization(ifconfig_t)
+
+-modutils_domtrans_insmod(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
@@ -49957,7 +51074,7 @@ index dfbe736..b8e873f 100644
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -314,6 +360,10 @@ ifdef(`distro_ubuntu',`
+@@ -314,6 +361,10 @@ ifdef(`distro_ubuntu',`
')
')
@@ -49968,7 +51085,7 @@ index dfbe736..b8e873f 100644
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -325,12 +375,27 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,12 +376,31 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -49992,11 +51109,15 @@ index dfbe736..b8e873f 100644
+')
+
+optional_policy(`
++ modutils_domtrans_insmod(ifconfig_t)
++')
++
++optional_policy(`
+ netutils_domtrans(dhcpc_t)
')
optional_policy(`
-@@ -355,3 +420,9 @@ optional_policy(`
+@@ -355,3 +425,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -50008,10 +51129,12 @@ index dfbe736..b8e873f 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..64fc1a5
+index 0000000..50aed3b
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,11 @@
++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
@@ -50023,10 +51146,10 @@ index 0000000..64fc1a5
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..eed77d0
+index 0000000..1d17a7b
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,139 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -50065,6 +51188,23 @@ index 0000000..eed77d0
+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+')
+
++########################################
++##
++## Execute a domain transition to run systemd_notify.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_notify_domtrans',`
++ gen_require(`
++ type systemd_notify_t, systemd_notify_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
++')
+
+########################################
+##
@@ -50151,10 +51291,10 @@ index 0000000..eed77d0
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..d09b523
+index 0000000..23d4b0c
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,138 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -50177,7 +51317,12 @@ index 0000000..d09b523
+type systemd_tmpfiles_exec_t;
+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
++type systemd_notify_t;
++type systemd_notify_exec_t;
++init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
++
+permissive systemd_tmpfiles_t;
++permissive systemd_notify_t;
+
+#
+# Type for systemd pipes in /dev/.systemd/ directory
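Review bot: `permissive systemd_notify_t;` is added without a comment, so the rules for this domain in the systemd_notify local-policy hunk below are never enforced — every denial is logged and allowed, which is useful while the domain is being characterised but leaves `allow systemd_notify_t self:capability { chown };` and `self:process { fork setfscreate setsockcreate }` untested in enforcing mode. A comment stating the intent and exit criterion, e.g. `# TODO: drop permissive once systemd_notify_t has been exercised in enforcing mode`, would keep it from shipping indefinitely next to `permissive systemd_tmpfiles_t;`, which already has no such marker. The declarations section continues outside the hunk.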
@@ -50263,23 +51408,42 @@ index 0000000..d09b523
+ auth_rw_login_records(systemd_tmpfiles_t)
+')
+
++optional_policy(`
++ rpm_delete_db(systemd_tmpfiles_t)
++')
++
++########################################
++#
++# systemd_notify local policy
++#
++allow systemd_notify_t self:capability { chown };
++allow systemd_notify_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
++allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(systemd_notify_t)
++
++files_read_etc_files(systemd_notify_t)
++
++auth_use_nsswitch(systemd_notify_t)
++
++miscfiles_read_localization(systemd_notify_t)
++
++optional_policy(`
++ readahead_manage_pid_files(systemd_notify_t)
++')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index d1c22f3..44fe366 100644
+index 0291685..44fe366 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
-@@ -1,4 +1,4 @@
--/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
-+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-
@@ -22,3 +22,4 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..ad5bfd8 100644
+index 025348a..8b50d5f 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -50364,7 +51528,7 @@ index 025348a..ad5bfd8 100644
+#
+interface(`udev_run',`
+ gen_require(`
-+ type iptables_t;
++ type udev_t;
+ ')
+
+ udev_domtrans($1)
@@ -50404,15 +51568,9 @@ index 025348a..ad5bfd8 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 8f852e5..d3c3938 100644
+index d88f7c3..d3c3938 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
-@@ -1,4 +1,4 @@
--policy_module(udev, 1.12.1)
-+policy_module(udev, 1.12.2)
-
- ########################################
- #
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -51310,7 +52468,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..296513f 100644
+index 28b88de..774a8cc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -52354,7 +53512,7 @@ index 28b88de..296513f 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1164,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1164,78 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -52446,6 +53604,7 @@ index 28b88de..296513f 100644
optional_policy(`
- setroubleshoot_stream_connect($1_t)
+ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
@@ -52462,7 +53621,7 @@ index 28b88de..296513f 100644
')
')
-@@ -1039,7 +1270,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1271,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52471,7 +53630,7 @@ index 28b88de..296513f 100644
')
##############################
-@@ -1066,6 +1297,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1298,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -52479,7 +53638,7 @@ index 28b88de..296513f 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1306,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1307,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -52489,7 +53648,7 @@ index 28b88de..296513f 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1323,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1324,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -52497,7 +53656,7 @@ index 28b88de..296513f 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,6 +1341,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,6 +1342,8 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52506,7 +53665,7 @@ index 28b88de..296513f 100644
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
-@@ -1119,15 +1357,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1358,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52526,15 +53685,19 @@ index 28b88de..296513f 100644
term_use_all_terms($1_t)
-@@ -1142,6 +1384,7 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1384,10 @@ template(`userdom_admin_user_template',`
+
logging_send_syslog_msg($1_t)
- modutils_domtrans_insmod($1_t)
-+ modutils_domtrans_depmod($1_t)
+- modutils_domtrans_insmod($1_t)
++ optional_policy(`
++ modutils_domtrans_insmod($1_t)
++ modutils_domtrans_depmod($1_t)
++ ')
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1453,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1456,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52543,7 +53706,7 @@ index 28b88de..296513f 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1467,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1470,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52551,7 +53714,7 @@ index 28b88de..296513f 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1483,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1486,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -52559,7 +53722,7 @@ index 28b88de..296513f 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1526,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1529,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -52597,7 +53760,7 @@ index 28b88de..296513f 100644
ubac_constrained($1)
')
-@@ -1395,6 +1668,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1671,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52605,7 +53768,7 @@ index 28b88de..296513f 100644
files_search_home($1)
')
-@@ -1441,6 +1715,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1718,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52620,7 +53783,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -1456,9 +1738,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1741,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52632,7 +53795,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -1515,10 +1799,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1802,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -52645,7 +53808,7 @@ index 28b88de..296513f 100644
##
##
##
-@@ -1526,35 +1810,71 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,33 +1813,69 @@ interface(`userdom_relabelto_user_home_dirs',`
##
##
#
@@ -52681,8 +53844,7 @@ index 28b88de..296513f 100644
-##
-##
+##
- ##
--## Domain allowed to transition.
++##
+## Domain allowed access.
+##
+##
@@ -52733,12 +53895,10 @@ index 28b88de..296513f 100644
+##
+##
+##
-+##
-+## Domain allowed to transition.
+ ##
+ ## Domain allowed to transition.
##
- ##
- ##
-@@ -1589,6 +1909,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1912,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -52747,7 +53907,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -1603,10 +1925,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1928,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52762,7 +53922,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -1649,6 +1973,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1976,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -52788,7 +53948,7 @@ index 28b88de..296513f 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2043,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2046,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -52821,7 +53981,7 @@ index 28b88de..296513f 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2079,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2082,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -52839,7 +53999,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -1810,8 +2176,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2179,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -52849,7 +54009,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -1827,21 +2192,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2195,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52875,7 +54035,7 @@ index 28b88de..296513f 100644
########################################
##
## Do not audit attempts to execute user home files.
-@@ -2182,7 +2541,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2544,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -52884,7 +54044,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -2435,13 +2794,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2797,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -52900,7 +54060,7 @@ index 28b88de..296513f 100644
##
##
##
-@@ -2462,26 +2822,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2825,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -52927,7 +54087,7 @@ index 28b88de..296513f 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2815,7 +3155,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3158,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -52936,7 +54096,7 @@ index 28b88de..296513f 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3171,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3174,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -52952,7 +54112,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -2917,7 +3259,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3262,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -52961,7 +54121,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -2972,7 +3314,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3317,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -53008,7 +54168,7 @@ index 28b88de..296513f 100644
')
########################################
-@@ -3009,6 +3389,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3392,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -53016,7 +54176,7 @@ index 28b88de..296513f 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3520,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3523,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -54243,7 +55403,7 @@ index 77d41b6..4aa96c6 100644
files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..630c03d 100644
+index 4350ba0..c8b1d3b 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -54274,16 +55434,52 @@ index 4350ba0..630c03d 100644
########################################
#
# blktap local policy
-@@ -341,6 +338,8 @@ xen_stream_connect_xenstore(xend_t)
+@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t)
- netutils_domtrans(xend_t)
+ logging_send_syslog_msg(xend_t)
-+virt_read_config(xend_t)
-+
+-lvm_domtrans(xend_t)
+-
+ miscfiles_read_localization(xend_t)
+ miscfiles_read_hwdata(xend_t)
+
+-mount_domtrans(xend_t)
+
+ sysnet_domtrans_dhcpc(xend_t)
+ sysnet_signal_dhcpc(xend_t)
+@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+
+ xen_stream_connect_xenstore(xend_t)
+
+-netutils_domtrans(xend_t)
+-
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -413,9 +412,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -349,6 +341,22 @@ optional_policy(`
+ consoletype_exec(xend_t)
+ ')
+
++optional_policy(`
++ lvm_domtrans(xend_t)
++')
++
++optional_policy(`
++ mount_domtrans(xend_t)
++')
++
++optional_policy(`
++ netutils_domtrans(xend_t)
++')
++
++optional_policy(`
++ virt_read_config(xend_t)
++')
++
+ ########################################
+ #
+ # Xen console local policy
+@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -54295,7 +55491,7 @@ index 4350ba0..630c03d 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -54307,7 +55503,7 @@ index 4350ba0..630c03d 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -457,96 +459,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +468,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -54404,7 +55600,7 @@ index 4350ba0..630c03d 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +474,4 @@ optional_policy(`
+@@ -559,8 +483,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 76bb25a..f963050 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.9.15
-Release: 5%{?dist}
+Version: 3.9.16
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,19 @@ exit 0
%endif
%changelog
+* Tue Mar 8 2011 Miroslav Grepl 3.9.16-1
+- Update to upstream
+- Fixes for telepathy
+- Add port defition for ssdp port
+- add policy for /bin/systemd-notify from Dan
+- Mount command requires users read mount_var_run_t
+- colord needs to read konject_uevent_socket
+- User domains connect to the gkeyring socket
+- Add colord policy and allow user_t and staff_t to dbus chat with it
+- Add lvm_exec_t label for kpartx
+- Dontaudit reading the mail_spool_t link from sandbox -X
+- systemd is creating sockets in avahi_var_run and system_dbusd_var_run
+
* Tue Mar 1 2011 Miroslav Grepl 3.9.15-5
- gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
diff --git a/sources b/sources
index 0fe45a1..e45ca02 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
409b40c8102b1617681ba17c31032e66 config.tgz
-2eeeb55c62c5ead3dab8a0ae7b29bfd5 serefpolicy-3.9.15.tgz
+f5e2a024693e5f5fb65bb2c1cd8256cd serefpolicy-3.9.16.tgz