diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index eb63083..3c46a11 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -18601,7 +18601,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..ee4b689 100644 +index 0fef1fc..46aa66e 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.4.0) @@ -18676,7 +18676,7 @@ index 0fef1fc..ee4b689 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +82,110 @@ optional_policy(` +@@ -23,11 +82,115 @@ optional_policy(` ') optional_policy(` @@ -18705,6 +18705,11 @@ index 0fef1fc..ee4b689 100644 optional_policy(` - git_role(staff_r, staff_t) ++ docker_stream_connect(staff_t) ++ docker_exec(staff_t) ++') ++ ++optional_policy(` + dnsmasq_read_pid_files(staff_t) +') + @@ -18788,7 +18793,7 @@ index 0fef1fc..ee4b689 100644 ') optional_policy(` -@@ -35,15 +193,31 @@ optional_policy(` +@@ -35,15 +198,31 @@ optional_policy(` ') optional_policy(` @@ -18822,7 +18827,7 @@ index 0fef1fc..ee4b689 100644 ') optional_policy(` -@@ -52,11 +226,61 @@ optional_policy(` +@@ -52,11 +231,61 @@ optional_policy(` ') optional_policy(` @@ -18884,7 +18889,7 @@ index 0fef1fc..ee4b689 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +289,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +294,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18895,7 +18900,7 @@ index 0fef1fc..ee4b689 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +298,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +303,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -18906,7 +18911,7 @@ index 0fef1fc..ee4b689 100644 ') optional_policy(` -@@ -101,10 +317,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +322,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
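Review bot: `docker_stream_connect(staff_t)` and `docker_exec(staff_t)` hand the staff role what is in practice root on the host — anything that can talk to the docker daemon socket can start a container with the host filesystem bind-mounted — and the new optional_policy block adds them unconditionally. The body of docker_stream_connect is not in this chunk, but if it does what its name says, this collapses the staff/sysadm distinction on any machine with docker installed. Consider gating the pair behind a boolean defaulting to off, e.g. `tunable_policy(`staff_use_docker',` docker_stream_connect(staff_t) docker_exec(staff_t) ')`, or granting it to sysadm_t only, and add a comment stating that socket access is root-equivalent so the next maintainer does not loosen it further.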
@@ -18917,7 +18922,7 @@ index 0fef1fc..ee4b689 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +337,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +342,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18928,7 +18933,7 @@ index 0fef1fc..ee4b689 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +349,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +354,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18939,7 +18944,7 @@ index 0fef1fc..ee4b689 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +380,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +385,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -22141,7 +22146,7 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..1d92018 100644 +index cc877c7..b153547 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2) @@ -22630,20 +22635,17 @@ index cc877c7..1d92018 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -333,6 +507,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -332,7 +506,9 @@ auth_use_nsswitch(ssh_keygen_t) + logging_send_syslog_msg(ssh_keygen_t) ++userdom_home_manager(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files(ssh_keygen_t) -+ fs_manage_nfs_dirs(ssh_keygen_t) -+') optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +521,140 @@ optional_policy(` +@@ -341,3 +517,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -32471,7 +32473,7 @@ index 808ba93..57a68da 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5..b4c7957 100644 +index 54f8fa5..caf32d6 100644 --- a/policy/modules/system/libraries.te 
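Review bot: `userdom_home_manager(ssh_keygen_t)` replaces a tunable-gated NFS grant with an unconditional attribute that, judging by the userdomain.te hunks later in this patch, carries manage rights over user home content plus ecryptfs/NFS/CIFS under their tunables — far more than ssh-keygen needs, which is creating files under ~/.ssh. If ssh_keygen_t is also the domain the boot-time key generation service runs in, a system daemon now has write access to every user's home. Prefer a scoped grant (manage of the ssh home type plus `userdom_search_user_home_dirs(ssh_keygen_t)`) and keep the NFS/CIFS cases behind their tunables as the removed `tunable_policy(`use_nfs_home_dirs',...)` block did; if the wide grant is intentional, a one-line comment naming the tool that needs it would help.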
+++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -32535,7 +32537,7 @@ index 54f8fa5..b4c7957 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',` ') ') @@ -32544,11 +32546,12 @@ index 54f8fa5..b4c7957 100644 +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) ++userdom_rw_inherited_user_tmp_pipes(ldconfig_t) + ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -32560,7 +32563,7 @@ index 54f8fa5..b4c7957 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +148,14 @@ optional_policy(` +@@ -131,6 +149,14 @@ optional_policy(` ') optional_policy(` @@ -32575,7 +32578,7 @@ index 54f8fa5..b4c7957 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +166,3 @@ optional_policy(` +@@ -141,6 +167,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -33885,7 +33888,7 @@ index 59b04c1..13c21e8 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 6b91740..633e449 100644 +index 6b91740..562d1fd 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` @@ -33922,7 +33925,7 @@ index 6b91740..633e449 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',` +@@ -89,8 +95,74 @@ ifdef(`distro_gentoo',` # # /usr # 
@@ -33993,11 +33996,13 @@ index 6b91740..633e449 100644 +/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/storaged/storaged-lvm-helper -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) # # /var -@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',` +@@ -98,5 +170,9 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -34177,7 +34182,7 @@ index 58bc27f..f887230 100644 +') + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..55d6ce4 100644 +index 79048c4..f505f63 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -34405,7 +34410,7 @@ index 79048c4..55d6ce4 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +374,30 @@ optional_policy(` +@@ -333,14 +374,34 @@ optional_policy(` ') optional_policy(` @@ -34429,6 +34434,10 @@ index 79048c4..55d6ce4 100644 ') optional_policy(` ++ policykit_dbus_chat(lvm_t) ++') ++ ++optional_policy(` + systemd_manage_passwd_run(lvm_t) +') + @@ -42130,7 +42139,7 @@ index db75976..4ca3a28 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..87b5cc3 100644 +index 9dc60c6..139edc7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
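Review bot: Labeling `/usr/lib/storaged/storaged` as `lvm_exec_t` runs a D-Bus system service in lvm_t, a domain built for raw block-device and device-mapper work (the `policykit_dbus_chat(lvm_t)` added a few hunks down is presumably for it). If storaged answers bus requests from unprivileged clients, as the polkit chat suggests, a bug in it now executes with lvm_t's full privileges instead of in its own confined domain; a dedicated storaged_t that uses `lvm_domtrans` for the helper would keep that boundary. `storaged-lvm-helper` is a reasonable lvm_exec_t candidate; the main daemon is not. If this is a stopgap, say so in a comment next to the fc entry.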
@@ -44434,7 +44443,35 @@ index 9dc60c6..87b5cc3 100644 ## temporary symbolic links. ## ## -@@ -2661,6 +3362,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2566,6 +3267,27 @@ interface(`userdom_manage_user_tmp_symlinks',` + ## + ## + # ++interface(`userdom_rw_inherited_user_tmp_pipes',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ files_search_tmp($1) ++') ++ ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary named pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# + interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; +@@ -2661,6 +3383,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -44460,7 +44497,7 @@ index 9dc60c6..87b5cc3 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3397,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3418,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -44476,7 +44513,7 @@ index 9dc60c6..87b5cc3 100644 ## ## ## -@@ -2704,7 +3425,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3446,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -44485,7 +44522,7 @@ index 9dc60c6..87b5cc3 100644 ## ## ## -@@ -2712,14 +3433,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3454,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -44520,7 +44557,7 @@ index 9dc60c6..87b5cc3 100644 ') ######################################## -@@ -2814,6 +3551,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3572,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
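Review bot: The new `userdom_rw_inherited_user_tmp_pipes` interface is spliced in directly under the `## ## #` header tail that belongs to userdom_manage_user_tmp_pipes, so the generated interface documentation will describe it as the manage interface, while the re-added header for manage_user_tmp_pipes now sits below it. Give the new interface its own header block between that `#` line and `interface(`userdom_rw_inherited_user_tmp_pipes',`: a summary reading 'Read and write inherited user temporary named pipes.' and a domain parameter described as 'Domain allowed access.'. The `files_search_tmp($1)` call is arguably unnecessary for descriptors that are already inherited, though harmless.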
@@ -44545,7 +44582,7 @@ index 9dc60c6..87b5cc3 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3587,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3608,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -44588,7 +44625,7 @@ index 9dc60c6..87b5cc3 100644 ## ## ## -@@ -2856,14 +3623,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3644,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -44626,7 +44663,7 @@ index 9dc60c6..87b5cc3 100644 ') ######################################## -@@ -2882,8 +3668,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3689,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -44656,96 +44693,95 @@ index 9dc60c6..87b5cc3 100644 ') ######################################## -@@ -2955,69 +3760,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3781,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') --######################################## +##################################### - ## --## Execute an Xserver session in all unprivileged user domains. This --## is an explicit transition, requiring the --## caller to use setexeccon(). ++## +## Allow domain dyntrans to unpriv userdomain. - ## - ## --## --## Domain allowed to transition. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`userdom_xsession_spec_domtrans_unpriv_users',` -- gen_require(` -- attribute unpriv_userdomain; -- ') ++## ++# +interface(`userdom_dyntransition_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') - -- xserver_xsession_spec_domtrans($1, unpriv_userdomain) -- allow unpriv_userdomain $1:fd use; -- allow unpriv_userdomain $1:fifo_file rw_file_perms; -- allow unpriv_userdomain $1:process sigchld; ++ + allow $1 unpriv_userdomain:process dyntransition; ++') ++ ++#################################### ++## ++## Allow domain dyntrans to admin userdomain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dyntransition_admin_users',` ++ gen_require(` ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:process dyntransition; ++') ++ + ######################################## + ## + ## Execute an Xserver session in all unprivileged user domains. This +@@ -2978,9 +3840,9 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; ') -####################################### -+#################################### ++######################################## ## -## Read and write unpriviledged user SysV sempaphores. -+## Allow domain dyntrans to admin userdomain. 
++## Manage unpriviledged user SysV sempaphores. ## ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## + ## +@@ -2988,17 +3850,18 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` + ## ## # -interface(`userdom_rw_unpriv_user_semaphores',` -- gen_require(` -- attribute unpriv_userdomain; -- ') -+interface(`userdom_dyntransition_admin_users',` -+ gen_require(` -+ attribute admindomain; -+ ') ++interface(`userdom_manage_unpriv_user_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') - allow $1 unpriv_userdomain:sem rw_sem_perms; -+ allow $1 admindomain:process dyntransition; ++ allow $1 unpriv_userdomain:sem create_sem_perms; ') ######################################## ## -## Manage unpriviledged user SysV sempaphores. -+## Execute an Xserver session in all unprivileged user domains. This -+## is an explicit transition, requiring the -+## caller to use setexeccon(). ++## Manage unpriviledged user SysV shared ++## memory segments. ## ## ## --## Domain allowed access. -+## Domain allowed to transition. +@@ -3006,57 +3869,19 @@ interface(`userdom_rw_unpriv_user_semaphores',` ## ## # -interface(`userdom_manage_unpriv_user_semaphores',` -+interface(`userdom_xsession_spec_domtrans_unpriv_users',` ++interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') - allow $1 unpriv_userdomain:sem create_sem_perms; -+ xserver_xsession_spec_domtrans($1, unpriv_userdomain) -+ allow unpriv_userdomain $1:fd use; -+ allow unpriv_userdomain $1:fifo_file rw_file_perms; -+ allow unpriv_userdomain $1:process sigchld; ++ allow $1 unpriv_userdomain:shm create_shm_perms; ') -####################################### 
@@ -44753,26 +44789,52 @@ index 9dc60c6..87b5cc3 100644 ## -## Read and write unpriviledged user SysV shared -## memory segments. -+## Manage unpriviledged user SysV sempaphores. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`userdom_rw_unpriv_user_shared_mem',` +- gen_require(` +- attribute unpriv_userdomain; +- ') +- +- allow $1 unpriv_userdomain:shm rw_shm_perms; +-') +- +-######################################## +-## +-## Manage unpriviledged user SysV shared +-## memory segments. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`userdom_manage_unpriv_user_shared_mem',` +- gen_require(` +- attribute unpriv_userdomain; +- ') +- +- allow $1 unpriv_userdomain:shm create_shm_perms; +-') +- +-######################################## +-## +-## Execute bin_t in the unprivileged user domains. This +-## is an explicit transition, requiring the +-## caller to use setexeccon(). ++## Execute bin_t in the unprivileged user domains. This ++## is an explicit transition, requiring the ++## caller to use setexeccon(). ## ## ## -@@ -3025,12 +3829,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` - ## - ## - # --interface(`userdom_rw_unpriv_user_shared_mem',` -+interface(`userdom_manage_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') - -- allow $1 unpriv_userdomain:shm rw_shm_perms; -+ allow $1 unpriv_userdomain:sem create_sem_perms; - ') - - ######################################## -@@ -3094,7 +3898,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3919,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
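Review bot: `userdom_dyntransition_unpriv_users` and `userdom_dyntransition_admin_users` grant `process dyntransition` into every unprivileged or admin user domain, which lets the caller setcon() into those domains with no executable entrypoint — a much weaker boundary than the domtrans interfaces beside them — and their summaries ('Allow domain dyntrans to ...') do not say so. They appear to be relocated from elsewhere in the old patch rather than newly introduced, but the rewritten headers are the place to warn callers: suggest a summary such as 'Allow the caller to dynamically transition (setcon) into all unprivileged user domains; no entrypoint check applies, so grant only to trusted daemons.' The SysV sem/shm interfaces reordered in the same hunk keep their bodies unchanged as far as this chunk shows.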
@@ -44781,7 +44843,7 @@ index 9dc60c6..87b5cc3 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,16 +3914,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +3935,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -44792,33 +44854,11 @@ index 9dc60c6..87b5cc3 100644 files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; -+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; -+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Send signull to unprivileged user domains. -+## Send general signals to unprivileged user domains. - ## - ## - ## -@@ -3127,30 +3933,12 @@ interface(`userdom_search_user_home_content',` - ## - ## - # --interface(`userdom_signull_unpriv_users',` -+interface(`userdom_signal_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - -- allow $1 unpriv_userdomain:process signull; -') - -######################################## -## --## Send general signals to unprivileged user domains. +-## Send signull to unprivileged user domains. -## -## -## @@ -44826,17 +44866,18 @@ index 9dc60c6..87b5cc3 100644 -## -## -# --interface(`userdom_signal_unpriv_users',` +-interface(`userdom_signull_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - -- allow $1 unpriv_userdomain:process signal; -+ allow $1 unpriv_userdomain:process signal; +- allow $1 unpriv_userdomain:process signull; ++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') ######################################## -@@ -3214,7 +4002,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4023,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
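Review bot: `userdom_search_user_home_content` now allows `search_dir_perms` on every directory type carrying the `user_home_type` attribute and `read_lnk_file_perms` on symlinks of all those types, not only user_home_t, so a caller that only needed to traverse a home directory can also follow symlinks inside any per-application home content into arbitrary targets. This looks relocated within the patch rather than new, but the interface summary (outside this hunk) still describes the narrower behavior; update it to state that it covers all user home content types and their symlinks, and check that callers which merely need `files_list_home` are not picking up the wider grant. Dropping `userdom_signull_unpriv_users` in the same hunk will break any contrib module that still calls it, if one does.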
@@ -44863,7 +44904,7 @@ index 9dc60c6..87b5cc3 100644 ') ######################################## -@@ -3269,7 +4075,83 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,7 +4096,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -44948,7 +44989,7 @@ index 9dc60c6..87b5cc3 100644 ') ######################################## -@@ -3287,7 +4169,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3287,7 +4190,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -44957,7 +44998,7 @@ index 9dc60c6..87b5cc3 100644 ') ######################################## -@@ -3306,6 +4188,7 @@ interface(`userdom_read_all_users_state',` +@@ -3306,6 +4209,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -44965,7 +45006,7 @@ index 9dc60c6..87b5cc3 100644 kernel_search_proc($1) ') -@@ -3382,6 +4265,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4286,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -45008,7 +45049,7 @@ index 9dc60c6..87b5cc3 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4321,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4342,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -45033,7 +45074,7 @@ index 9dc60c6..87b5cc3 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4372,1680 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4393,1680 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -45145,7 +45186,7 @@ index 9dc60c6..87b5cc3 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 userdomain:process ptrace; + ') -+') + ') + +######################################## +## 
@@ -45202,7 +45243,7 @@ index 9dc60c6..87b5cc3 100644 + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir list_dir_perms; - ') ++') + +######################################## +## @@ -46715,7 +46756,7 @@ index 9dc60c6..87b5cc3 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..7283238 100644 +index f4ac38d..9284c24 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -46804,7 +46845,7 @@ index f4ac38d..7283238 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,390 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -46913,6 +46954,7 @@ index f4ac38d..7283238 100644 + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_certs_type) ++ fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type) +') + +tunable_policy(`use_nfs_home_dirs',` @@ -46930,6 +46972,7 @@ index f4ac38d..7283238 100644 + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_type) ++ fs_read_ecryptfs_symlinks(userdom_home_reader_type) +') + +tunable_policy(`use_nfs_home_dirs',` 
@@ -46954,7 +46997,9 @@ index f4ac38d..7283238 100644 +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_dirs(userdom_home_manager_type) + fs_manage_ecryptfs_files(userdom_home_manager_type) ++ fs_manage_ecryptfs_symlinks(userdom_home_manager_type) +') ++ +# vi /etc/mtab can cause an avc trying to relabel to self. +dontaudit userdomain self:file relabelto; + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 0034c9a..2a7c187 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9231,7 +9231,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48..7d8669f 100644 +index f5c1a48..f255b29 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) @@ -9269,7 +9269,17 @@ index f5c1a48..7d8669f 100644 corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) -@@ -109,16 +114,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) +@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t) + + corenet_sendrecv_ircd_server_packets(bitlbee_t) + corenet_tcp_bind_ircd_port(bitlbee_t) ++corenet_tcp_bind_interwise_port(bitlbee_t) + corenet_sendrecv_ircd_client_packets(bitlbee_t) ++corenet_tcp_connect_interwise_port(bitlbee_t) + corenet_tcp_connect_ircd_port(bitlbee_t) + corenet_tcp_sendrecv_ircd_port(bitlbee_t) + +@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -13147,7 +13157,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..e01156f 100644 +index 5f306dd..1543aec 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) 
@@ -13208,7 +13218,7 @@ index 5f306dd..e01156f 100644 ') optional_policy(` -@@ -179,12 +183,22 @@ optional_policy(` +@@ -179,12 +183,26 @@ optional_policy(` optional_policy(` dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) @@ -13223,6 +13233,10 @@ index 5f306dd..e01156f 100644 +') + +optional_policy(` ++ gnome_dontaudit_search_config(cobblerd_t) ++') ++ ++optional_policy(` + libs_exec_ldconfig(cobblerd_t) +') + @@ -13231,7 +13245,7 @@ index 5f306dd..e01156f 100644 ') optional_policy(` -@@ -192,13 +206,13 @@ optional_policy(` +@@ -192,13 +210,13 @@ optional_policy(` ') optional_policy(` @@ -18752,14 +18766,21 @@ index 3023be7..303af85 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..2230476 100644 +index c91813c..dbd69b1 100644 --- a/cups.te +++ b/cups.te -@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2) +@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) # Declarations # -type cupsd_config_t; ++## ++##

++## Allow cups execmem/execstack ++##

++##
++gen_tunable(cups_execmem, false) ++ +attribute cups_domain; + +type cupsd_config_t, cups_domain; @@ -18782,7 +18803,7 @@ index c91813c..2230476 100644 files_config_file(cupsd_etc_t) type cupsd_initrc_exec_t; -@@ -33,13 +38,15 @@ type cupsd_lock_t; +@@ -33,13 +45,15 @@ type cupsd_lock_t; files_lock_file(cupsd_lock_t) type cupsd_log_t; @@ -18802,7 +18823,7 @@ index c91813c..2230476 100644 type cupsd_lpd_tmp_t; files_tmp_file(cupsd_lpd_tmp_t) -@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t) +@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t) type cupsd_lpd_var_run_t; files_pid_file(cupsd_lpd_var_run_t) @@ -18811,7 +18832,7 @@ index c91813c..2230476 100644 type cups_pdf_exec_t; cups_backend(cups_pdf_t, cups_pdf_exec_t) -@@ -55,29 +62,17 @@ type cups_pdf_tmp_t; +@@ -55,29 +69,17 @@ type cups_pdf_tmp_t; files_tmp_file(cups_pdf_tmp_t) type cupsd_tmp_t; @@ -18845,7 +18866,7 @@ index c91813c..2230476 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +92,49 @@ ifdef(`enable_mls',` +@@ -97,21 +99,49 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') @@ -18899,7 +18920,7 @@ index c91813c..2230476 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) 
@@ -18910,10 +18931,11 @@ index c91813c..2230476 100644 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) +cups_filetrans_named_content(cupsd_t) ++can_exec(cupsd_t, cupsd_rw_etc_t) allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -136,22 +161,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -18941,7 +18963,7 @@ index c91813c..2230476 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -159,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -18953,7 +18975,7 @@ index c91813c..2230476 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -186,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -18978,7 +19000,7 @@ index c91813c..2230476 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -203,7 +235,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) 
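Review bot: `can_exec(cupsd_t, cupsd_rw_etc_t)` lets cupsd execute files of a type it also creates — the `filetrans_pattern`/`files_var_filetrans` rules just above place cupsd-written files in cupsd_rw_etc_t — so a compromised or misbehaving cupsd can drop a file into its own writable config area and run it, and the write/execute separation that confining cupsd is meant to provide no longer holds for that type. If one specific file under /etc/cups has to be executable, label it separately (cupsd_interface_t or a new exec type) rather than making the whole rw config type executable, and record the reason in a comment. The other addition, `cups_filetrans_named_content(cupsd_t)`, looks fine.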
@@ -18986,7 +19008,7 @@ index c91813c..2230476 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -212,17 +243,19 @@ files_read_world_readable_files(cupsd_t) +@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -19008,7 +19030,7 @@ index c91813c..2230476 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) -@@ -232,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -19017,7 +19039,7 @@ index c91813c..2230476 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -19043,8 +19065,15 @@ index c91813c..2230476 100644 +userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) ++tunable_policy(`cups_execmem',` ++ allow cupsd_t self:process { execmem execstack }; ++') ++ ++ optional_policy(` -@@ -272,6 +307,8 @@ optional_policy(` + apm_domtrans_client(cupsd_t) + ') +@@ -272,6 +320,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -19053,7 +19082,7 @@ index c91813c..2230476 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -282,8 +319,10 @@ optional_policy(` +@@ -282,8 +332,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -19064,7 +19093,7 @@ index c91813c..2230476 100644 ') ') -@@ -296,8 +335,8 @@ optional_policy(` +@@ -296,8 +348,8 @@ optional_policy(` ') optional_policy(` 
@@ -19074,7 +19103,7 @@ index c91813c..2230476 100644 ') optional_policy(` -@@ -306,7 +345,6 @@ optional_policy(` +@@ -306,7 +358,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -19082,7 +19111,7 @@ index c91813c..2230476 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -334,7 +372,11 @@ optional_policy(` +@@ -334,7 +385,11 @@ optional_policy(` ') optional_policy(` @@ -19095,7 +19124,7 @@ index c91813c..2230476 100644 ') ######################################## -@@ -342,12 +384,11 @@ optional_policy(` +@@ -342,12 +397,11 @@ optional_policy(` # Configuration daemon local policy # @@ -19111,7 +19140,7 @@ index c91813c..2230476 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -19132,7 +19161,7 @@ index c91813c..2230476 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -19153,7 +19182,7 @@ index c91813c..2230476 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) 
@@ -19165,7 +19194,7 @@ index c91813c..2230476 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +475,12 @@ optional_policy(` +@@ -449,9 +488,12 @@ optional_policy(` ') optional_policy(` @@ -19179,7 +19208,7 @@ index c91813c..2230476 100644 ') optional_policy(` -@@ -487,10 +516,6 @@ optional_policy(` +@@ -487,10 +529,6 @@ optional_policy(` # Lpd local policy # @@ -19190,7 +19219,7 @@ index c91813c..2230476 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +533,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +546,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -19208,7 +19237,7 @@ index c91813c..2230476 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +562,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +575,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -19218,7 +19247,7 @@ index c91813c..2230476 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +572,6 @@ optional_policy(` +@@ -550,7 +585,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -19226,7 +19255,7 @@ index c91813c..2230476 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +587,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +600,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) 
@@ -19255,13 +19284,11 @@ index c91813c..2230476 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - lpd_manage_spool(cups_pdf_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -######################################## -# -# HPLIP local policy @@ -19350,15 +19377,17 @@ index c91813c..2230476 100644 -userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - dbus_system_bus_client(hplip_t) - - optional_policy(` - userdom_dbus_send_all_users(hplip_t) - ') --') -- ++ gnome_read_config(cups_pdf_t) + ') + -optional_policy(` - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) @@ -19378,7 +19407,7 @@ index c91813c..2230476 100644 ######################################## # -@@ -735,7 +631,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +644,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -19386,7 +19415,7 @@ index c91813c..2230476 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +640,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +653,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -19400,7 +19429,7 @@ index c91813c..2230476 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +652,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +665,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) 
@@ -19409,7 +19438,7 @@ index c91813c..2230476 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +664,4 @@ optional_policy(` +@@ -773,3 +677,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -23805,10 +23834,10 @@ index 0000000..fd679a1 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..1048292 +index 0000000..76eb32e --- /dev/null +++ b/docker.if -@@ -0,0 +1,345 @@ +@@ -0,0 +1,364 @@ + +## The open-source application container engine. + @@ -23833,6 +23862,25 @@ index 0000000..1048292 + +######################################## +## ++## Execute docker in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_exec',` ++ gen_require(` ++ type docker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, docker_exec_t) ++') ++ ++######################################## ++## +## Search docker lib directories. +## +## @@ -28316,10 +28364,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..cb68ca9 +index 0000000..91ed5f4 --- /dev/null +++ b/gear.te -@@ -0,0 +1,125 @@ +@@ -0,0 +1,134 @@ +policy_module(gear, 1.0.0) + +######################################## 
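Review bot: The parameter description of the new `docker_exec` interface reads `## Domain allowed to transition.`, but the body is `can_exec($1, docker_exec_t)`, which runs the docker client inside the caller's own domain with no transition at all, so the doc says the opposite of what the rule does. Suggested wording: `## Domain allowed to execute the docker client in its own domain (no transition).` It would also help to say in the interface summary that a caller given this interface together with access to the daemon's socket can drive the daemon, so policy authors weigh it as granting daemon-level control rather than "just running a binary". The rest of docker.if is outside this hunk.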
@@ -28348,13 +28396,17 @@ index 0000000..cb68ca9 +# gear local policy +# +allow gear_t self:capability { chown net_admin fowner dac_override }; ++dontaudit gear_t self:capability sys_ptrace; +allow gear_t self:capability2 block_suspend; +allow gear_t self:process { getattr signal_perms }; +allow gear_t self:fifo_file rw_fifo_file_perms; +allow gear_t self:unix_stream_socket create_stream_socket_perms; +allow gear_t self:tcp_socket create_stream_socket_perms; + ++allow gear_t gear_unit_file_t:file read_file_perms; ++allow gear_t gear_unit_file_t:service manage_service_perms; +allow gear_t gear_unit_file_t:dir { relabelfrom relabelto }; ++manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t) + +manage_dirs_pattern(gear_t, gear_log_t, gear_log_t) +manage_files_pattern(gear_t, gear_log_t, gear_log_t) @@ -28376,6 +28428,7 @@ index 0000000..cb68ca9 +manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) +manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) +files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file }) ++init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file }) + +kernel_read_system_state(gear_t) +kernel_read_network_state(gear_t) @@ -28401,8 +28454,10 @@ index 0000000..cb68ca9 +files_mounton_rootfs(gear_t) +files_read_etc_files(gear_t) + ++fs_list_cgroup_dirs(gear_t) +fs_read_cgroup_files(gear_t) +fs_read_tmpfs_symlinks(gear_t) ++fs_getattr_all_fs(gear_t) + +auth_use_nsswitch(gear_t) + @@ -28414,6 +28469,7 @@ index 0000000..cb68ca9 + +logging_send_audit_msgs(gear_t) +logging_send_syslog_msg(gear_t) ++logging_read_generic_logs(gear_t) + +miscfiles_read_localization(gear_t) + @@ -28427,6 +28483,7 @@ index 0000000..cb68ca9 +sysnet_manage_ifconfig_run(gear_t) + +systemd_manage_all_unit_files(gear_t) ++systemd_exec_systemctl(gear_t) + +optional_policy(` + hostname_exec(gear_t) @@ -28621,10 +28678,10 @@ index 0000000..9e17d3e +') 
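Review bot: `systemd_exec_systemctl(gear_t)` is added directly under the existing `systemd_manage_all_unit_files(gear_t)` context line, so gear_t can now both rewrite any unit file on the system and have systemd act on it, which amounts to control over every service on the host; the narrower `gear_unit_file_t` rules added in the hunk at 28348 suggest its own units are what it actually needs. If gear really must touch foreign units, a comment stating which ones (e.g. `# gear rewrites the container units it generates; confirm whether all-unit scope is required`) would let a later reviewer tighten this to gear_unit_file_t. The hunk at 28348 also grants `manage_dirs_pattern` on gear_unit_file_t while files get only `read_file_perms`, which looks asymmetric if gear writes those units itself; worth confirming.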
diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..351f145 +index 0000000..204995f --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,54 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -28647,6 +28704,7 @@ index 0000000..351f145 +# +# geoclue local policy +# ++allow geoclue_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t) +manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t) @@ -37100,10 +37158,10 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..535f79b +index 0000000..2c08717 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,55 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -37139,6 +37197,11 @@ index 0000000..535f79b +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) + ++corecmd_exec_bin(keepalived_t) ++corecmd_exec_shell(keepalived_t) ++ ++corenet_tcp_connect_snmp_port(keepalived_t) ++ +auth_use_nsswitch(keepalived_t) + +corenet_tcp_connect_connlcli_port(keepalived_t) @@ -37151,6 +37214,9 @@ index 0000000..535f79b + +logging_send_syslog_msg(keepalived_t) + ++optional_policy(` ++ snmp_read_snmp_var_lib_files(keepalived_t) ++') diff --git a/kerberos.fc b/kerberos.fc index 4fe75fd..b029c28 100644 --- a/kerberos.fc @@ -40291,7 +40357,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..f4550f1 100644 +index be0ab84..44689e1 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -40488,7 +40554,7 @@ index be0ab84..f4550f1 100644 ') optional_policy(` -@@ -170,6 +216,10 @@ optional_policy(` +@@ -170,6 +216,11 @@ optional_policy(` ') optional_policy(` 
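Review bot: `corecmd_exec_bin(keepalived_t)` and `corecmd_exec_shell(keepalived_t)` in the hunk at 37139 let the daemon run any system binary or shell in its own domain with no why-comment; presumably this serves the operator-configured notify/track scripts, which should be stated, e.g. `# keepalived runs user-configured notify/track scripts in its own domain`, since it is also what makes the configuration file a code-execution boundary for keepalived_t. As a point of style, `corenet_tcp_connect_snmp_port(keepalived_t)` is inserted above `auth_use_nsswitch` while `corenet_tcp_connect_connlcli_port(keepalived_t)` stays below it; the two corenet calls belong together. The SNMP port grant is unconditional while the matching `snmp_read_snmp_var_lib_files` in the hunk at 37151 is wrapped in optional_policy, which is fine only if that split is intentional.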
@@ -40496,10 +40562,11 @@ index be0ab84..f4550f1 100644 +') + +optional_policy(` ++ fail2ban_domtrans_client(logrotate_t) fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +228,7 @@ optional_policy(` +@@ -178,7 +229,7 @@ optional_policy(` ') optional_policy(` @@ -40508,7 +40575,7 @@ index be0ab84..f4550f1 100644 ') optional_policy(` -@@ -198,21 +248,26 @@ optional_policy(` +@@ -198,21 +249,26 @@ optional_policy(` ') optional_policy(` @@ -40539,7 +40606,7 @@ index be0ab84..f4550f1 100644 ') optional_policy(` -@@ -228,10 +283,21 @@ optional_policy(` +@@ -228,10 +284,21 @@ optional_policy(` ') optional_policy(` @@ -40561,7 +40628,7 @@ index be0ab84..f4550f1 100644 su_exec(logrotate_t) ') -@@ -241,13 +307,11 @@ optional_policy(` +@@ -241,13 +308,11 @@ optional_policy(` ####################################### # @@ -44972,7 +45039,7 @@ index 6ffaba2..549fb8c 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..cafb2b0 100644 +index 6194b80..7490fe3 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -45258,7 +45325,7 @@ index 6194b80..cafb2b0 100644 ## ## ## -@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,156 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` @@ -45362,7 +45429,8 @@ index 6194b80..cafb2b0 100644 + allow $1 mozilla_plugin_t:shm rw_shm_perms; + + ps_process_pattern($1, mozilla_plugin_t) -+ allow $1 mozilla_plugin_t:process signal_perms; ++ ps_process_pattern(mozilla_plugin_t, $1) ++ allow $1 mozilla_plugin_t:process { signal_perms noatsecure }; + + list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) 
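Review bot: `noatsecure` in the new `allow $1 mozilla_plugin_t:process { signal_perms noatsecure };` lets the caller start mozilla_plugin_t without AT_SECURE, so the caller's environment (LD_PRELOAD and similar) is honoured across the transition instead of being scrubbed; that is a deliberate weakening of the domain boundary, is not mentioned in the changelog, and deserves a why-comment such as `# noatsecure: presumably the browser relies on its environment reaching the plugin process — confirm`. The new `ps_process_pattern(mozilla_plugin_t, $1)` likewise gives the plugin domain read access to the caller's /proc state in the reverse direction, which a reader of the interface would not expect from its name and which a one-line comment should call out. The enclosing interface starts and ends outside this hunk.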
@@ -45474,7 +45542,7 @@ index 6194b80..cafb2b0 100644 ') ######################################## -@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +348,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -45484,7 +45552,7 @@ index 6194b80..cafb2b0 100644 ## ## ## -@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -45658,7 +45726,7 @@ index 6194b80..cafb2b0 100644 ## ## ## -@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -45683,7 +45751,7 @@ index 6194b80..cafb2b0 100644 ##
## ## -@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -49123,7 +49191,7 @@ index b744fe3..50c386e 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b708708..7bdfb65 100644 +index b708708..78fa61c 100644 --- a/munin.te +++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) @@ -49342,7 +49410,7 @@ index b708708..7bdfb65 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +431,32 @@ optional_policy(` +@@ -421,3 +431,33 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -49361,12 +49429,13 @@ index b708708..7bdfb65 100644 + +manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t) +manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t) ++files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file }) + +read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t) ++list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t) +read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t) + -+read_files_pattern(munin_script_t, munin_log_t, munin_log_t) -+append_files_pattern(munin_script_t, munin_log_t, munin_log_t) ++manage_files_pattern(munin_script_t, munin_log_t, munin_log_t) + +files_search_var_lib(munin_script_t) + @@ -73727,10 +73796,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..f7958c0 100644 +index 8644d8b..e815665 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,138 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0) # Declarations # 
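Review bot: In the hunk at 49361, replacing `read_files_pattern`/`append_files_pattern` on munin_log_t with `manage_files_pattern(munin_script_t, munin_script_t, munin_log_t)`-style full management lets the CGI script domain unlink, rename and truncate munin logs rather than only append to them, which weakens log integrity for a web-exposed domain. If the script only needs to create and append to its own log, `create_files_pattern(munin_script_t, munin_log_t, munin_log_t)` next to the previous append rule would cover that; if full manage is really required, a comment naming the operation that needs it would let the grant be reconsidered later. The new `files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file })` is the right companion to the tmp manage rules above it.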
@@ -73792,40 +73861,42 @@ index 8644d8b..f7958c0 100644 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) -+ -+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) + +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) -+can_exec(neutron_t, neutron_tmp_t) - -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) ++can_exec(neutron_t, neutron_tmp_t) + +-can_exec(quantum_t, quantum_tmp_t) +kernel_rw_kernel_sysctl(neutron_t) +kernel_rw_net_sysctls(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) --can_exec(quantum_t, quantum_tmp_t) 
+-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
@@ -73833,49 +73904,47 @@ index 8644d8b..f7958c0 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) -+corenet_tcp_bind_neutron_port(neutron_t) -+corenet_tcp_connect_keystone_port(neutron_t) -+corenet_tcp_connect_amqp_port(neutron_t) -+corenet_tcp_connect_mysqld_port(neutron_t) -+corenet_tcp_connect_osapi_compute_port(neutron_t) - -corenet_all_recvfrom_unlabeled(quantum_t) -corenet_all_recvfrom_netlabel(quantum_t) -corenet_tcp_sendrecv_generic_if(quantum_t) -corenet_tcp_sendrecv_generic_node(quantum_t) -corenet_tcp_sendrecv_all_ports(quantum_t) -corenet_tcp_bind_generic_node(quantum_t) -+domain_read_all_domains_state(neutron_t) -+domain_named_filetrans(neutron_t) ++corenet_tcp_bind_neutron_port(neutron_t) ++corenet_tcp_connect_keystone_port(neutron_t) ++corenet_tcp_connect_amqp_port(neutron_t) ++corenet_tcp_connect_mysqld_port(neutron_t) ++corenet_tcp_connect_osapi_compute_port(neutron_t) -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) ++domain_read_all_domains_state(neutron_t) ++domain_named_filetrans(neutron_t) + +-files_read_usr_files(quantum_t) +dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) +dev_unmount_sysfs_fs(neutron_t) --files_read_usr_files(quantum_t) -+files_mounton_non_security(neutron_t) - -auth_use_nsswitch(quantum_t) -+auth_use_nsswitch(neutron_t) ++files_mounton_non_security(neutron_t) -libs_exec_ldconfig(quantum_t) -+libs_exec_ldconfig(neutron_t) ++auth_use_nsswitch(neutron_t) -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) -+logging_send_audit_msgs(neutron_t) -+logging_send_syslog_msg(neutron_t) ++libs_exec_ldconfig(neutron_t) -miscfiles_read_localization(quantum_t) -+netutils_exec(neutron_t) ++logging_send_audit_msgs(neutron_t) ++logging_send_syslog_msg(neutron_t) -sysnet_domtrans_ifconfig(quantum_t) ++netutils_exec(neutron_t) ++ +# need to stay in 
neutron +sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) @@ -73902,13 +73971,17 @@ index 8644d8b..f7958c0 100644 optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) ++ modutils_domtrans_insmod(neutron_t) ++') + +- postgresql_tcp_connect(quantum_t) ++optional_policy(` + mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) -+') - -- postgresql_tcp_connect(quantum_t) + ') ++ +optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) @@ -73918,10 +73991,14 @@ index 8644d8b..f7958c0 100644 +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) - ') ++') + +optional_policy(` + sudo_exec(neutron_t) ++') ++ ++optional_policy(` ++ udev_domtrans(neutron_t) +') diff --git a/quota.fc b/quota.fc index cadabe3..54ba01d 100644 @@ -79586,10 +79663,20 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..54838ad 100644 +index d32e1a2..33ca060 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te -@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) +@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) + type rhsmcertd_lock_t; + files_lock_file(rhsmcertd_lock_t) + ++type rhsmcertd_tmp_t; ++files_tmp_file(rhsmcertd_tmp_t) ++ + type rhsmcertd_var_lib_t; + files_type(rhsmcertd_var_lib_t) + +@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t) # allow rhsmcertd_t self:capability sys_nice; 
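Review bot: `modutils_domtrans_insmod(neutron_t)` and `udev_domtrans(neutron_t)` in the hunk at 73902 hand a network service transitions into two highly privileged domains (module loading and udev) with no comment on which agent path needs them; together with the `kernel_request_load_module(neutron_t)` already granted in the hunk at 73792 this gives neutron a route to load kernel modules, so the rationale should be recorded above the two optional_policy blocks, e.g. `# neutron agents presumably invoke kmod/udevadm when setting up bridges and tunnels — confirm which agents`. If only one agent needs it, a future split of neutron_t would be easier with that note in place. The enclosing neutron_t local policy block starts outside this hunk.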
@@ -79607,7 +79694,15 @@ index d32e1a2..54838ad 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) + ++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) ++files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file }) ++ + manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) + manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) + +@@ -50,25 +56,53 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -79632,8 +79727,11 @@ index d32e1a2..54838ad 100644 -files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) +files_manage_system_conf_files(rhsmcertd_t) ++files_create_boot_flag(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) ++ ++libs_exec_ldconfig(rhsmcertd_t) init_read_state(rhsmcertd_t) @@ -89876,10 +89974,18 @@ index e2544e1..d3fbd78 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index 7292dc0..ce903d6 100644 +index 7292dc0..103278d 100644 --- a/slocate.te +++ b/slocate.te -@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t) +@@ -44,6 +44,7 @@ dev_getattr_all_blk_files(locate_t) + dev_getattr_all_chr_files(locate_t) + + files_list_all(locate_t) ++files_list_isid_type_dirs(locate_t) + files_dontaudit_read_all_symlinks(locate_t) + files_getattr_all_files(locate_t) + files_getattr_all_pipes(locate_t) +@@ -62,7 +63,6 @@ fs_read_noxattr_fs_symlinks(locate_t) auth_use_nsswitch(locate_t) 
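Review bot: `files_create_boot_flag(rhsmcertd_t)` in the hunk at 79632 is a surprising permission for a subscription-refresh daemon: it allows creating boot-flag files in the root directory (the /.autorelabel-style markers), and neither the hunk nor the changelog says which file rhsmcertd writes. A comment such as `# rhsmcertd creates <FILE-NAME-PLACEHOLDER> in /; confirm and prefer a named filetrans to a specific type` would make it reviewable later, and if the real target is one specific file a dedicated type would be tighter than the generic grant. `libs_exec_ldconfig(rhsmcertd_t)` added just below is similarly unexplained. The enclosing rhsmcertd_t local policy block starts outside this hunk.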
@@ -89887,7 +89993,7 @@ index 7292dc0..ce903d6 100644 ifdef(`enable_mls',` files_dontaudit_getattr_all_dirs(locate_t) -@@ -71,3 +70,8 @@ ifdef(`enable_mls',` +@@ -71,3 +71,8 @@ ifdef(`enable_mls',` optional_policy(` cron_system_entry(locate_t, locate_exec_t) ') @@ -94448,10 +94554,10 @@ index 0000000..6a1f575 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..9ee77b2 +index 0000000..7fce837 --- /dev/null +++ b/swift.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,102 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94527,7 +94633,12 @@ index 0000000..9ee77b2 +kernel_read_system_state(swift_t) +kernel_read_network_state(swift_t) + ++# bug in swift ++corenet_tcp_bind_xserver_port(swift_t) ++corenet_tcp_bind_http_cache_port(swift_t) ++ +corecmd_exec_shell(swift_t) ++corecmd_exec_bin(swift_t) + +dev_read_urand(swift_t) + @@ -99388,7 +99499,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..a58e2dd 100644 +index 9d4d8cb..8cade37 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
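Review bot: The `# bug in swift` comment above `corenet_tcp_bind_xserver_port(swift_t)` and `corenet_tcp_bind_http_cache_port(swift_t)` in the hunk at 94527 does not say what the bug is, so nobody can tell when the two port grants may be dropped; presumably swift's default listen ports fall into ranges labelled xserver_port_t and http_cache_port_t, and that should be stated rather than implied. Suggested: `# swift's default listen ports overlap xserver_port_t / http_cache_port_t; remove once <BUG-ID-PLACEHOLDER> is fixed`. Binding the X server port range is worth calling out explicitly, since it lets a network daemon occupy ports that X clients treat as belonging to a display server. The enclosing swift_t local policy block starts outside this hunk.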
@@ -99413,22 +99524,22 @@ index 9d4d8cb..a58e2dd 100644 # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket { accept listen }; -@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) +@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) dev_read_urand(varnishd_t) -files_read_usr_files(varnishd_t) - +- fs_getattr_all_fs(varnishd_t) -@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t) + auth_use_nsswitch(varnishd_t) logging_send_syslog_msg(varnishd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 51c2e6d..97f061b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 56%{?dist} +Release: 57%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -588,6 +588,33 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jun 9 2014 Miroslav Grepl 3.13.1-57 +- Allow staff_t to communicate and run docker +- Fix *_ecryptfs_home_dirs booleans +- Allow ldconfig_t to read/write inherited user tmp pipes +- Allow storaged to dbus chat with lvm_t +- Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t. +- Use proper calling in ssh.te for userdom_home_manager attribute +- Use userdom_home_manager_type() also for ssh_keygen_t +- Allow locate to list directories without labels +- Allow bitlbee to use tcp/7778 port +- /etc/cron.daily/logrotate to execute fail2ban-client. +- Allow keepalives to connect to SNMP port. Support to do SNMP stuff +- Allow staff_t to communicate and run docker +- Dontaudit search mgrepl/.local for cobblerd_t +- Allow neutron to execute kmod in insmod_t +- Allow neutron to execute udevadm in udev_t +- Allow also fowner cap for varnishd +- Allow keepalived to execute bin_t/shell_exec_t +- rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy +- Add cups_execmem boolean +- Allow gear to manage gear service +- New requires for gear to use systemctl and init var_run_t +- Allow cups to execute its rw_etc_t files, for brothers printers +- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs. +- Allow swift to execute bin_t +- Allow swift to bind http_cache + * Sun Jun 08 2014 Fedora Release Engineering - 3.13.1-56 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild