diff --git a/policy-F16.patch b/policy-F16.patch index acd9272..24fcf61 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -141,18 +141,33 @@ index 111d004..c90e80d 100644 -## -gen_bool(secure_mode_policyload,false) diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..262b5ba 100644 +index 4705ab6..0f0bb47 100644 --- a/policy/global_tunables +++ b/policy/global_tunables -@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false) +@@ -6,6 +6,13 @@ + + ## + ##

++## Allow sysadm to debug or ptrace all processes. ++##

++##
++gen_tunable(deny_ptrace, false) ++ ++## ++##

+ ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla + ##

+ ##
+@@ -13,21 +20,21 @@ gen_tunable(allow_execheap,false) ## ##

-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") -+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla ++## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla ##

##
- gen_tunable(allow_execmem,false) +-gen_tunable(allow_execmem,false) ++gen_tunable(deny_execmem,false) ## ##
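Review bot: The description added for the new `deny_ptrace` tunable states the opposite of what its name implies — `## Allow sysadm to debug or ptrace all processes.` describes the boolean being off, so an administrator reading the boolean list will assume enabling it grants ptrace; suggest `## Deny all domains the ability to ptrace or debug other processes (when off, sysadm may debug any process).` Renaming `gen_tunable(allow_execmem,false)` to `gen_tunable(deny_execmem,false)` keeps a `false` default while the consumers later in this patch (the `deny_execmem` tunable_policy blocks in rpm.te and games.te) grant execmem in the else branch, so the effective default appears to flip from execmem denied to execmem allowed unless a distribution booleans file overrides it; if that is intended, the `deny_execmem` description should say so. Its wording `Deny user domains applications to map` also wants to read `Deny user domain applications the ability to map`. Any out-of-tree module still referencing `allow_execmem` should fail to build once the tunable is gone, which is worth a line in the changelog.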

@@ -169,7 +184,7 @@ index 4705ab6..262b5ba 100644 ##

##
gen_tunable(allow_execstack,false) -@@ -68,15 +68,6 @@ gen_tunable(global_ssp,false) +@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false) ## ##

@@ -185,7 +200,7 @@ index 4705ab6..262b5ba 100644 ## Allow any files/directories to be exported read/write via NFS. ##

##
-@@ -105,9 +96,24 @@ gen_tunable(use_samba_home_dirs,false) +@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false) ## ##

@@ -832,9 +847,20 @@ index 0f57d3b..655d07f 100644 ######################################## diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index cd5e005..50e9ee4 100644 +index cd5e005..72417f5 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te +@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0) + + type consoletype_t; + type consoletype_exec_t; +-init_domain(consoletype_t, consoletype_exec_t) +-init_system_domain(consoletype_t, consoletype_exec_t) ++application_domain(consoletype_t, consoletype_exec_t) ++role system_r types consoletype_t; + + ######################################## + # @@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t) mls_file_read_all_levels(consoletype_t) mls_file_write_all_levels(consoletype_t) @@ -1058,7 +1084,7 @@ index 8fa451c..f3a67c9 100644 ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te -index c4d8998..f808287 100644 +index c4d8998..bd59f2e 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -19,6 +19,9 @@ role system_r types firstboot_t; @@ -1106,7 +1132,18 @@ index c4d8998..f808287 100644 # Add/remove user home directories userdom_manage_user_home_content_dirs(firstboot_t) userdom_manage_user_home_content_files(firstboot_t) -@@ -103,8 +109,18 @@ optional_policy(` +@@ -91,10 +97,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t) + userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) + + optional_policy(` +- consoletype_domtrans(firstboot_t) +-') +- +-optional_policy(` + dbus_system_bus_client(firstboot_t) + + optional_policy(` +@@ -103,8 +105,18 @@ optional_policy(` ') optional_policy(` 
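Review bot: Dropping `consoletype_domtrans(firstboot_t)` from firstboot.te while consoletype.te switches consoletype_t from `init_system_domain` to `application_domain` means firstboot will now run consoletype without a domain transition, yet neither hunk adds a rule allowing firstboot_t to execute consoletype_exec_t; confirm that permission is granted elsewhere in the patch, otherwise the exec will be denied. The `optional_policy` block in firstboot.te that the deletion touches continues past the end of the hunk. If consoletype is meant to be an ordinary application now, a one-line comment at the consoletype.te change such as `# consoletype runs in the caller's domain; no transition` would spare the next reader the same question.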
@@ -1125,7 +1162,7 @@ index c4d8998..f808287 100644 optional_policy(` samba_rw_config(firstboot_t) -@@ -113,7 +129,7 @@ optional_policy(` +@@ -113,7 +125,7 @@ optional_policy(` optional_policy(` unconfined_domtrans(firstboot_t) # The big hammer @@ -1134,7 +1171,7 @@ index c4d8998..f808287 100644 ') optional_policy(` -@@ -125,6 +141,7 @@ optional_policy(` +@@ -125,6 +137,7 @@ optional_policy(` ') optional_policy(` @@ -1142,7 +1179,7 @@ index c4d8998..f808287 100644 gnome_manage_config(firstboot_t) ') -@@ -132,4 +149,5 @@ optional_policy(` +@@ -132,4 +145,5 @@ optional_policy(` xserver_domtrans(firstboot_t) xserver_rw_shm(firstboot_t) xserver_unconfined(firstboot_t) @@ -1161,7 +1198,7 @@ index c66934f..1aa1205 100644 /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if -index 4198ff5..a296bfa 100644 +index 4198ff5..419c7a9 100644 --- a/policy/modules/admin/kdump.if +++ b/policy/modules/admin/kdump.if @@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',` @@ -1220,6 +1257,19 @@ index 4198ff5..a296bfa 100644 #################################### ##

## Manage kdump configuration file. +@@ -98,8 +140,11 @@ interface(`kdump_admin',` + type kdump_initrc_exec_t; + ') + +- allow $1 kdump_t:process { ptrace signal_perms }; ++ allow $1 kdump_t:process signal_perms; + ps_process_pattern($1, kdump_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kdump_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te index b29d8e2..bcd9273 100644 --- a/policy/modules/admin/kdump.te @@ -1234,6 +1284,22 @@ index b29d8e2..bcd9273 100644 ##################################### # # kdump local policy +diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if +index c18c920..582f7f3 100644 +--- a/policy/modules/admin/kismet.if ++++ b/policy/modules/admin/kismet.if +@@ -239,7 +239,10 @@ interface(`kismet_admin',` + ') + + ps_process_pattern($1, kismet_t) +- allow $1 kismet_t:process { ptrace signal_perms }; ++ allow $1 kismet_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kismet_t:process ptrace; ++ ') + + kismet_manage_pid_files($1) + kismet_manage_lib($1) diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te index 9dd6880..4b7fa27 100644 --- a/policy/modules/admin/kismet.te @@ -1248,9 +1314,18 @@ index 9dd6880..4b7fa27 100644 optional_policy(` diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te -index 4f7bd3c..a29af21 100644 +index 4f7bd3c..9143343 100644 --- a/policy/modules/admin/kudzu.te 
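Review bot: The ptrace grant in the `kdump_admin` interface now lives in the else branch of a `tunable_policy` whose true branch is empty, which reads as a no-op at first glance; a comment such as `# ptrace of kdump_t is withheld while deny_ptrace is on` above the block would make the intent clear, and the same applies to the identical blocks added to `kismet_admin` on this line and to `shorewall_admin` later in the patch. Here `ps_process_pattern($1, kdump_t)` sits between the signal grant and the ptrace block, while in kismet.if it precedes the signal grant; ordering the three statements the same way in every admin interface keeps the pattern greppable when `deny_ptrace` is audited later. The `kdump_admin` interface body begins and ends outside the hunk.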
+++ b/policy/modules/admin/kudzu.te +@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t) + # Local policy + # + +-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; ++allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; + dontaudit kudzu_t self:capability sys_tty_config; + allow kudzu_t self:process { signal_perms execmem }; + allow kudzu_t self:fifo_file rw_fifo_file_perms; @@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t) miscfiles_read_hwdata(kudzu_t) miscfiles_read_localization(kudzu_t) @@ -1288,22 +1363,21 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..98f0a2e 100644 +index 7090dae..a2512aa 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) +@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) # # Change ownership on log files. -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; - # for mailx +-# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; -+dontaudit logrotate_t self:capability { sys_ptrace }; ++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi +@@ -39,6 +37,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi allow logrotate_t self:process setfscreate; allow logrotate_t self:fd use; 
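Review bot: In logrotate.te the `dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };` line is replaced by adding `setuid setgid` to the `allow logrotate_t self:capability` list, which turns a silenced denial into a real grant of identity-switching capabilities for a domain that already holds chown, dac_override, kill and fowner, and the `# for mailx` comment that justified the original entry is dropped with it. If logrotate genuinely needs to change uid/gid (presumably when it mails rotated logs), keep a comment above the allow such as `# setuid/setgid: needed when logrotate hands logs to mailx` so the grant stays reviewable; if the old dontaudit was only hiding harmless probes, a `dontaudit logrotate_t self:capability { setuid setgid };` preserves the previous behaviour without widening the domain. The kudzu.te hunk sharing this line only removes sys_ptrace from the capability set and needs nothing further.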
@@ -1311,7 +1385,7 @@ index 7090dae..98f0a2e 100644 allow logrotate_t self:fifo_file rw_fifo_file_perms; allow logrotate_t self:unix_dgram_socket create_socket_perms; allow logrotate_t self:unix_stream_socket create_stream_socket_perms; -@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) +@@ -61,6 +60,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) @@ -1319,7 +1393,15 @@ index 7090dae..98f0a2e 100644 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) -@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) +@@ -75,6 +75,7 @@ fs_list_inotifyfs(logrotate_t) + mls_file_read_all_levels(logrotate_t) + mls_file_write_all_levels(logrotate_t) + mls_file_upgrade(logrotate_t) ++mls_process_write_to_clearance(logrotate_t) + + selinux_get_fs_mount(logrotate_t) + selinux_get_enforce_mode(logrotate_t) +@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -1327,7 +1409,7 @@ index 7090dae..98f0a2e 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -1350,7 +1432,7 @@ index 7090dae..98f0a2e 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +139,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +138,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -1359,7 +1441,7 @@ index 7090dae..98f0a2e 100644 ') optional_policy(` -@@ -154,6 +155,10 @@ optional_policy(` +@@ -154,6 +154,10 @@ optional_policy(` ') optional_policy(` 
@@ -1370,7 +1452,7 @@ index 7090dae..98f0a2e 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +167,20 @@ optional_policy(` +@@ -162,10 +166,20 @@ optional_policy(` ') optional_policy(` @@ -1391,7 +1473,7 @@ index 7090dae..98f0a2e 100644 cups_domtrans(logrotate_t) ') -@@ -200,9 +215,12 @@ optional_policy(` +@@ -200,9 +214,12 @@ optional_policy(` ') optional_policy(` @@ -1405,7 +1487,7 @@ index 7090dae..98f0a2e 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +246,14 @@ optional_policy(` +@@ -228,3 +245,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -1532,7 +1614,7 @@ index 56c43c0..0641226 100644 + +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..ef8bc09 100644 +index 5671977..ea06507 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) @@ -1551,7 +1633,7 @@ index 5671977..ef8bc09 100644 ######################################## # -@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t) +@@ -17,16 +23,34 @@ cron_system_entry(mcelog_t, mcelog_exec_t) allow mcelog_t self:capability sys_admin; @@ -1574,7 +1656,11 @@ index 5671977..ef8bc09 100644 files_read_etc_files(mcelog_t) -@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t) + # for /dev/mem access + mls_file_read_all_levels(mcelog_t) + ++auth_read_passwd(mcelog_t) ++ logging_send_syslog_msg(mcelog_t) miscfiles_read_localization(mcelog_t) @@ -1648,14 +1734,15 @@ index 75ee31d..a28ab46 100644 + allow $2 ncftool_t:process signal; +') diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te -index ec29391..b25d59a 100644 +index ec29391..28c9672 100644 --- a/policy/modules/admin/ncftool.te 
+++ b/policy/modules/admin/ncftool.te -@@ -18,9 +18,13 @@ role system_r types ncftool_t; +@@ -17,10 +17,13 @@ role system_r types ncftool_t; + # ncftool local policy # - allow ncftool_t self:capability { net_admin sys_ptrace }; -+ +-allow ncftool_t self:capability { net_admin sys_ptrace }; ++allow ncftool_t self:capability net_admin; allow ncftool_t self:process signal; + allow ncftool_t self:fifo_file manage_fifo_file_perms; @@ -1665,7 +1752,7 @@ index ec29391..b25d59a 100644 allow ncftool_t self:tcp_socket create_stream_socket_perms; allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; -@@ -38,10 +42,14 @@ domain_read_all_domains_state(ncftool_t) +@@ -38,10 +41,14 @@ domain_read_all_domains_state(ncftool_t) dev_read_sysfs(ncftool_t) @@ -1680,7 +1767,7 @@ index ec29391..b25d59a 100644 miscfiles_read_localization(ncftool_t) sysnet_delete_dhcpc_pid(ncftool_t) -@@ -50,6 +58,8 @@ sysnet_domtrans_ifconfig(ncftool_t) +@@ -50,6 +57,8 @@ sysnet_domtrans_ifconfig(ncftool_t) sysnet_etc_filetrans_config(ncftool_t) sysnet_manage_config(ncftool_t) sysnet_read_dhcpc_state(ncftool_t) @@ -1689,7 +1776,7 @@ index ec29391..b25d59a 100644 sysnet_read_dhcpc_pid(ncftool_t) sysnet_signal_dhcpc(ncftool_t) -@@ -66,6 +76,7 @@ optional_policy(` +@@ -66,6 +75,7 @@ optional_policy(` optional_policy(` iptables_initrc_domtrans(ncftool_t) @@ -1949,358 +2036,19 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..0bd2028 +index 0000000..9c8b64f --- /dev/null 
+++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,349 @@ -+policy_module(permissivedomains,16) -+ -+optional_policy(` -+ gen_require(` -+ type polipo_t; -+ ') -+ -+ permissive polipo_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type pptp_t; -+ ') -+ -+ permissive pptp_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type quota_nld_t; -+ ') -+ -+ permissive quota_nld_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type bootloader_t; -+ ') -+ -+ permissive bootloader_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type systemd_logger_t; -+ ') -+ -+ permissive systemd_logger_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ permissive systemd_logind_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type fcoemon_t; -+ ') -+ -+ permissive fcoemon_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type httpd_passwd_t; -+ ') -+ -+ permissive httpd_passwd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type puppetca_t; -+ ') -+ -+ permissive puppetca_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type spamd_update_t; -+ ') -+ -+ permissive spamd_update_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type rhev_agentd_t; -+ ') -+ -+ permissive rhev_agentd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type abrt_handle_event_t; -+ ') -+ -+ permissive abrt_handle_event_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type cfengine_serverd_t; -+ ') -+ -+ permissive cfengine_serverd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type cfengine_execd_t; -+ ') -+ -+ permissive cfengine_execd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type cfengine_monitord_t; -+ ') -+ -+ permissive cfengine_monitord_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type rhsmcertd_t; -+ ') -+ -+ permissive rhsmcertd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type sshd_sandbox_t; -+ ') -+ -+ permissive sshd_sandbox_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type fail2ban_client_t; -+ ') -+ -+ 
permissive fail2ban_client_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type ctdbd_t; -+ ') -+ -+ permissive ctdbd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type mscan_t; -+ ') -+ -+ permissive mscan_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type lldpad_t; -+ ') -+ -+ permissive lldpad_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type nova_ajax_t; -+ type nova_api_t; -+ type nova_compute_t; -+ type nova_direct_t; -+ type nova_network_t; -+ type nova_objectstore_t; -+ type nova_scheduler_t; -+ type nova_vncproxy_t; -+ type nova_volume_t; -+ ') -+ -+ permissive nova_ajax_t; -+ permissive nova_api_t; -+ permissive nova_compute_t; -+ permissive nova_direct_t; -+ permissive nova_network_t; -+ permissive nova_objectstore_t; -+ permissive nova_scheduler_t; -+ permissive nova_vncproxy_t; -+ permissive nova_volume_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type rabbitmq_epmd_t; -+ type rabbitmq_beam_t; -+ ') -+ -+ permissive rabbitmq_epmd_t; -+ permissive rabbitmq_beam_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type sblim_gatherd_t; -+ ') -+ -+ permissive sblim_gatherd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type sblim_gatherd_t; -+ ') -+ -+ permissive sblim_gatherd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type callweaver_t; -+ ') -+ -+ permissive callweaver_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type sanlock_t; -+ ') -+ -+ permissive sanlock_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type uuidd_t; -+ ') -+ -+ permissive uuidd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type wdmd_t; -+ ') -+ -+ permissive wdmd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type dspam_t; -+ ') -+ -+ permissive dspam_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type virt_lxc_t; -+ ') -+ -+ permissive virt_lxc_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type virtd_t; -+ ') -+ -+ permissive virtd_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type pyicqt_t; -+ ') -+ -+ permissive 
pyicqt_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type telepathy_logger_t; -+ ') -+ -+ permissive telepathy_logger_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type glance_registry_t; -+ type glance_api_t; -+ ') -+ -+ permissive glance_registry_t; -+ permissive glance_api_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type thumb_t; -+ ') -+ -+ permissive thumb_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type virt_qmf_t; -+ ') -+ -+ permissive virt_qmf_t; -+') -+ -+# for cloudform daemons -+ -+optional_policy(` -+ gen_require(` -+ type deltacloudd_t; -+ type iwhd_t; -+ type mongod_t; -+ type thin_t; -+ ') -+ -+ permissive deltacloudd_t; -+ permissive iwhd_t; -+ permissive mongod_t; -+ permissive thin_t; -+') -+ -+optional_policy(` -+ gen_require(` -+ type chrome_sandbox_nacl_t; -+ ') +@@ -0,0 +1,10 @@ ++policy_module(permissivedomains,17) + -+ permissive chrome_sandbox_nacl_t; -+') + +optional_policy(` + gen_require(` -+ type matahari_sysconfigd_t; ++ type blueman_t; + ') + -+ permissive matahari_sysconfigd_t; ++ permissive blueman_t; +') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 @@ -3042,7 +2790,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..4b78d5b 100644 +index 47a8f7d..17b5426 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ 
@@ -3163,7 +2911,17 @@ index 47a8f7d..4b78d5b 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -225,7 +250,8 @@ optional_policy(` + # rpm-script Local policy + # + +-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; ++allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; ++ + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; + allow rpm_script_t self:fd use; + allow rpm_script_t self:fifo_file rw_fifo_file_perms; +@@ -257,12 +283,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -3182,7 +2940,7 @@ index 47a8f7d..4b78d5b 100644 dev_list_sysfs(rpm_script_t) # ideally we would not need this -@@ -299,15 +330,17 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -299,15 +331,17 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -3203,7 +2961,7 @@ index 47a8f7d..4b78d5b 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -331,19 +364,20 @@ libs_domtrans_ldconfig(rpm_script_t) +@@ -331,23 +365,24 @@ libs_domtrans_ldconfig(rpm_script_t) logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) 
@@ -3227,7 +2985,12 @@ index 47a8f7d..4b78d5b 100644 ') ') -@@ -368,6 +402,11 @@ optional_policy(` +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow rpm_script_t self:process execmem; + ') + +@@ -368,6 +403,11 @@ optional_policy(` ') optional_policy(` @@ -3239,7 +3002,7 @@ index 47a8f7d..4b78d5b 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,8 +416,9 @@ optional_policy(` +@@ -377,8 +417,9 @@ optional_policy(` ') optional_policy(` @@ -3251,9 +3014,18 @@ index 47a8f7d..4b78d5b 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te -index c8ef84b..40ceffb 100644 +index c8ef84b..eb4bd05 100644 --- a/policy/modules/admin/sectoolm.te +++ b/policy/modules/admin/sectoolm.te +@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t) + # sectool local policy + # + +-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; ++allow sectoolm_t self:capability { dac_override net_admin sys_nice }; + allow sectoolm_t self:process { getcap getsched signull setsched }; + dontaudit sectoolm_t self:process { execstack execmem }; + allow sectoolm_t self:fifo_file rw_fifo_file_perms; @@ -70,12 +70,6 @@ application_exec_all(sectoolm_t) auth_use_nsswitch(sectoolm_t) @@ -3286,7 +3058,7 @@ index c8ef84b..40ceffb 100644 optional_policy(` mount_exec(sectoolm_t) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if -index 781ad7e..082f0c5 100644 +index 781ad7e..f7b8881 100644 --- a/policy/modules/admin/shorewall.if +++ b/policy/modules/admin/shorewall.if @@ -55,28 +55,9 @@ interface(`shorewall_read_config',` 
@@ -3367,10 +3139,32 @@ index 781ad7e..082f0c5 100644 ## # interface(`shorewall_rw_lib_files',` +@@ -177,8 +139,11 @@ interface(`shorewall_admin',` + type shorewall_tmp_t, shorewall_etc_t; + ') + +- allow $1 shorewall_t:process { ptrace signal_perms }; ++ allow $1 shorewall_t:process signal_perms; + ps_process_pattern($1, shorewall_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 shorewall_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te -index 95bce88..1a53b7b 100644 +index 95bce88..95065c3 100644 --- a/policy/modules/admin/shorewall.te +++ b/policy/modules/admin/shorewall.te +@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) + # shorewall local policy + # + +-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; ++allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; + dontaudit shorewall_t self:capability sys_tty_config; + allow shorewall_t self:fifo_file rw_fifo_file_perms; + @@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) @@ -3640,9 +3434,18 @@ index 94c01b5..f64bd93 100644 ######################################## diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te -index fe1c377..bedbb9b 100644 +index fe1c377..724df48 100644 --- a/policy/modules/admin/sosreport.te 
+++ b/policy/modules/admin/sosreport.te +@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) + # sosreport local policy + # + +-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; + allow sosreport_t self:process { setsched signull }; + allow sosreport_t self:fifo_file rw_fifo_file_perms; + allow sosreport_t self:tcp_socket create_stream_socket_perms; @@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t) # for blkid.tab files_manage_etc_runtime_files(sosreport_t) @@ -4056,7 +3859,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..90cf622 100644 +index 6a5004b..70d684a 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -4067,7 +3870,16 @@ index 6a5004b..90cf622 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t) +@@ -18,6 +19,8 @@ role system_r types tmpreaper_t; + allow tmpreaper_t self:process { fork sigchld }; + allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; + ++kernel_read_system_state(tmpreaper_t) ++ + dev_read_urand(tmpreaper_t) + + fs_getattr_xattr_fs(tmpreaper_t) +@@ -25,11 +28,16 @@ fs_getattr_xattr_fs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -4084,7 +3896,7 @@ index 6a5004b..90cf622 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) 
@@ -4106,7 +3918,7 @@ index 6a5004b..90cf622 100644 ') optional_policy(` -@@ -52,7 +62,9 @@ optional_policy(` +@@ -52,7 +64,9 @@ optional_policy(` ') optional_policy(` @@ -4116,7 +3928,7 @@ index 6a5004b..90cf622 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +78,13 @@ optional_policy(` +@@ -66,9 +80,13 @@ optional_policy(` ') optional_policy(` @@ -4382,7 +4194,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..cd9d876 100644 +index 441cf22..cc0406f 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto; @@ -4393,7 +4205,7 @@ index 441cf22..cd9d876 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t) +@@ -79,25 +80,25 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -4413,10 +4225,18 @@ index 441cf22..cd9d876 100644 -auth_domtrans_chk_passwd(chfn_t) -auth_dontaudit_read_shadow(chfn_t) -auth_use_nsswitch(chfn_t) ++auth_manage_passwd(chfn_t) +auth_use_pam(chfn_t) # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) + + domain_use_interactive_fds(chfn_t) + +-files_manage_etc_files(chfn_t) + files_read_etc_runtime_files(chfn_t) + files_dontaudit_search_var(chfn_t) + files_dontaudit_search_home(chfn_t) @@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. 
@@ -4447,7 +4267,29 @@ index 441cf22..cd9d876 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -203,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t) + + domain_use_interactive_fds(groupadd_t) + +-files_manage_etc_files(groupadd_t) + files_relabel_etc_files(groupadd_t) ++files_read_etc_files(groupadd_t) + files_read_etc_runtime_files(groupadd_t) + files_read_usr_symlinks(groupadd_t) + +@@ -219,9 +225,10 @@ miscfiles_read_localization(groupadd_t) + auth_domtrans_chk_passwd(groupadd_t) + auth_rw_lastlog(groupadd_t) + auth_use_nsswitch(groupadd_t) ++auth_manage_passwd(groupadd_t) ++auth_manage_shadow(groupadd_t) + # these may be unnecessary due to the above + # domtrans_chk_passwd() call. +-auth_manage_shadow(groupadd_t) + auth_relabel_shadow(groupadd_t) + auth_etc_filetrans_shadow(groupadd_t) + +@@ -277,6 +284,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -4455,7 +4297,7 @@ index 441cf22..cd9d876 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t) +@@ -291,26 +299,30 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -4465,6 +4307,7 @@ index 441cf22..cd9d876 100644 +term_getattr_all_ptys(passwd_t) -auth_domtrans_chk_passwd(passwd_t) ++auth_manage_passwd(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) @@ -4479,7 +4322,9 @@ index 441cf22..cd9d876 100644 domain_use_interactive_fds(passwd_t) -@@ -311,6 +320,8 @@ files_search_var(passwd_t) + files_read_etc_runtime_files(passwd_t) +-files_manage_etc_files(passwd_t) + files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) files_relabel_etc_files(passwd_t) 
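Review bot: In the groupadd_t block, `auth_manage_shadow(groupadd_t)` is moved above the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call.` together with the new `auth_manage_passwd(groupadd_t)`, so the comment now covers only `auth_relabel_shadow` and `auth_etc_filetrans_shadow` while the broadest of the three grants sits above it unannotated. Either keep the original order so the comment still qualifies manage_shadow, or reword it to `# relabel/filetrans may be unnecessary due to the domtrans_chk_passwd() call above` so it describes exactly the lines beneath it. Replacing `files_manage_etc_files(groupadd_t)` with `files_read_etc_files(groupadd_t)` plus the passwd/shadow-specific interfaces narrows what a compromised groupadd could write and is worth a sentence in the commit message.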
@@ -4488,7 +4333,7 @@ index 441cf22..cd9d876 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t) +@@ -323,7 +335,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -4497,7 +4342,7 @@ index 441cf22..cd9d876 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +344,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -4505,7 +4350,7 @@ index 441cf22..cd9d876 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,9 +394,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) 
@@ -4514,18 +4359,27 @@ index 441cf22..cd9d876 100644 +term_use_all_inherited_terms(sysadm_passwd_t) +term_getattr_all_ptys(sysadm_passwd_t) ++auth_manage_passwd(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +438,7 @@ optional_policy(` - # Useradd local policy + auth_etc_filetrans_shadow(sysadm_passwd_t) +@@ -396,7 +410,6 @@ files_read_usr_files(sysadm_passwd_t) + + domain_use_interactive_fds(sysadm_passwd_t) + +-files_manage_etc_files(sysadm_passwd_t) + files_relabel_etc_files(sysadm_passwd_t) + files_read_etc_runtime_files(sysadm_passwd_t) + # for nscd lookups +@@ -427,6 +440,7 @@ optional_policy(` # --allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; + allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; ++ dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t) +@@ -448,10 +462,13 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -4536,9 +4390,11 @@ index 441cf22..cd9d876 100644 domain_read_all_domains_state(useradd_t) +domain_dontaudit_read_all_domains_state(useradd_t) - files_manage_etc_files(useradd_t) +-files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t) + files_relabel_etc_files(useradd_t) + files_read_etc_runtime_files(useradd_t) +@@ -460,6 +477,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) 
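Review bot: The new `dontaudit useradd_t self:capability sys_tty_config;` line in the useradd_t block appears with a leading space, unlike every other top-level rule around it; if that indent is in the patch rather than an artifact of this rendering, drop it so the rule lines up with the `allow useradd_t self:capability { ... }` line directly above. This hunk also withdraws the earlier version's addition of `sys_ptrace` to useradd_t (the capability line is now plain context) and swaps `files_manage_etc_files(sysadm_passwd_t)` for `auth_manage_passwd(sysadm_passwd_t)`, consistent with the rest of the series; a changelog line noting that `deny_ptrace` and the passwd-specific interfaces replace broad etc-write and ptrace grants across usermanage would help whoever rebases this next.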
@@ -4546,7 +4402,7 @@ index 441cf22..cd9d876 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +487,8 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -4557,7 +4413,15 @@ index 441cf22..cd9d876 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -478,6 +496,7 @@ auth_rw_faillog(useradd_t) + auth_use_nsswitch(useradd_t) + # these may be unnecessary due to the above + # domtrans_chk_passwd() call. ++auth_manage_passwd(useradd_t) + auth_manage_shadow(useradd_t) + auth_relabel_shadow(useradd_t) + auth_etc_filetrans_shadow(useradd_t) +@@ -498,21 +517,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -4851,10 +4715,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..28cfa1d +index 0000000..6c642a2 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,178 @@ +@@ -0,0 +1,180 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4883,7 +4747,7 @@ index 0000000..28cfa1d +# +# chrome_sandbox local policy +# -+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; ++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; +allow chrome_sandbox_t self:fifo_file manage_file_perms; 
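Review bot: The new `auth_manage_passwd(useradd_t)` in `@@ -478,6 +496,7 @@` lands directly under the comment saying these rules may be unnecessary because of the domtrans_chk_passwd() call, which does not describe it: useradd writes the passwd database itself, so that access is not made redundant by a transition into the password-checking domain. Either move the line above the comment or reword it, e.g. `# shadow rules may be unnecessary due to the domtrans_chk_passwd() call above; passwd management is required.` The enclosing useradd_t block starts and ends outside this hunk.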
@@ -4940,6 +4804,8 @@ index 0000000..28cfa1d +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) +userdom_search_user_home_content(chrome_sandbox_t) ++# This one we should figure a way to make it more secure ++userdom_manage_home_certs(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) @@ -5034,11 +4900,15 @@ index 0000000..28cfa1d +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t) diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te -index 37475dd..7db4a01 100644 +index 37475dd..6026789 100644 --- a/policy/modules/apps/cpufreqselector.te +++ b/policy/modules/apps/cpufreqselector.te -@@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t) - allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; +@@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t) + # cpufreq-selector local policy + # + +-allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; ++allow cpufreqselector_t self:capability sys_nice; allow cpufreqselector_t self:process getsched; allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; +allow cpufreqselector_t self:process getsched; @@ -5525,6 +5395,19 @@ index 0000000..86b640d +optional_policy(` + policykit_dbus_chat(firewallgui_t) +') +diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te +index ac4f509..4b7b763 100644 +--- a/policy/modules/apps/games.te ++++ b/policy/modules/apps/games.te +@@ -166,7 +166,7 @@ userdom_manage_user_tmp_sockets(games_t) + # Suppress .icons denial until properly implemented + userdom_dontaudit_read_user_home_content_files(games_t) + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`', ` + allow games_t self:process execmem; + ') + 
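Review bot: The new `userdom_manage_home_certs(chrome_sandbox_t)` grants the sandboxed renderer create, write and delete access to the user's certificate store, and the comment above it (`# This one we should figure a way to make it more secure`) records that this is known to be too broad without saying what the sandbox actually needs. The mozilla_plugin_t hunk later in this patch uses the narrower `userdom_read_home_certs` plus `userdom_dontaudit_write_home_certs` pair; if the sandbox only reads certificates and the writes are noise, the same pair fits here, and if it genuinely writes, the comment should name the operation that needs it and carry a tracking reference instead of an open-ended remark. Write access to the trust store from a domain built to run untrusted web content is the permission an auditor will question first.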
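Review bot: Rewriting the games_t rule as a deny_execmem tunable with an empty true-branch inverts the default: `allow games_t self:process execmem;` was previously granted only when allow_execmem was switched on, whereas now it is granted unless deny_execmem is switched on, so if deny_execmem defaults to off the domain gains execmem out of the box where it previously had to be opted in. The same inversion appears in mozilla.te (mozilla_t and mozilla_plugin_t), mplayer.te (mencoder_t and mplayer_t), sandbox.te (sandbox_xserver_t, sandbox_domain and sandbox_x_domain) and thumb.te (thumb_t). If loosening the default is intended, the commit message and the tunable description should say so explicitly, since administrators who relied on allow_execmem staying off for these domains now have to turn deny_execmem on to keep the old posture. The spelling of the empty branch also varies between these hunks (a space after the comma in games.te and the mozilla_plugin_t hunk, none elsewhere); pick one form.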
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te index 6e4add5..10a2ce4 100644 --- a/policy/modules/apps/gift.te @@ -5591,10 +5474,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..3f977fc 100644 +index f5afe78..deab06c 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,787 @@ +@@ -1,44 +1,786 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5690,8 +5573,7 @@ index f5afe78..3f977fc 100644 + auth_use_nsswitch($1_gkeyringd_t) + + ps_process_pattern($3, $1_gkeyringd_t) -+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; -+ ++ allow $3 $1_gkeyringd_t:process signal_perms; + dontaudit $3 gkeyringd_exec_t:file entrypoint; + + stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) @@ -6401,7 +6283,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -46,37 +789,117 @@ interface(`gnome_role',` +@@ -46,37 +788,117 @@ interface(`gnome_role',` ## ## # @@ -6529,7 +6411,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -84,37 +907,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +906,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -6594,7 +6476,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -122,17 +961,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +960,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6616,7 +6498,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -140,51 +979,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +978,299 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -6933,7 +6815,7 @@ index f5afe78..3f977fc 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') 
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..c365443 100644 +index 2505654..45b4ca9 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0) @@ -7021,7 +6903,7 @@ index 2505654..c365443 100644 +# gconf-defaults-mechanisms local policy +# + -+allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; ++allow gconfdefaultsm_t self:capability { dac_override sys_nice }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; + @@ -7070,7 +6952,7 @@ index 2505654..c365443 100644 +# gnome-system-monitor-mechanisms local policy +# + -+allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; ++allow gnomesystemmm_t self:capability sys_nice; +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; + +kernel_read_system_state(gnomesystemmm_t) @@ -7506,7 +7388,7 @@ index 65ece18..6bfdfd3 100644 +/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if -index 4f9dc90..8dc8a5f 100644 +index 4f9dc90..81a0fc6 100644 --- a/policy/modules/apps/irc.if +++ b/policy/modules/apps/irc.if @@ -18,9 +18,11 @@ @@ -7528,7 +7410,7 @@ index 4f9dc90..8dc8a5f 100644 + + domtrans_pattern($2, irssi_exec_t, irssi_t) + -+ allow $2 irssi_t:process { ptrace signal_perms }; ++ allow $2 irssi_t:process signal_perms; + ps_process_pattern($2, irssi_t) + + manage_dirs_pattern($2, irssi_home_t, irssi_home_t) @@ -7839,10 +7721,10 @@ index 0000000..cf65577 +') diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te new file mode 100644 -index 0000000..6d0c9e3 +index 0000000..169421f --- /dev/null +++ b/policy/modules/apps/kde.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,40 @@ +policy_module(kde,1.0.0) + +######################################## 
@@ -7858,9 +7740,6 @@ index 0000000..6d0c9e3 +# +# backlighthelper local policy +# -+ -+dontaudit kdebacklighthelper_t self:capability sys_ptrace; -+ +allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms; + +kernel_read_system_state(kdebacklighthelper_t) @@ -7965,13 +7844,18 @@ index b2e27ec..c324f94 100644 ## ## diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te -index a0be4ef..9fcc9df 100644 +index a0be4ef..a3d8afd 100644 --- a/policy/modules/apps/livecd.te +++ b/policy/modules/apps/livecd.te -@@ -21,15 +21,32 @@ files_tmp_file(livecd_tmp_t) +@@ -20,16 +20,36 @@ files_tmp_file(livecd_tmp_t) + dontaudit livecd_t self:capability2 mac_admin; - domain_ptrace_all_domains(livecd_t) +-domain_ptrace_all_domains(livecd_t) ++tunable_policy(`deny_ptrace',`',` ++ domain_ptrace_all_domains(livecd_t) ++') ++ +domain_interactive_fd(livecd_t) manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) @@ -8018,10 +7902,19 @@ index b55edd0..7b8d952 100644 ######################################## diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te -index 2523758..50629a8 100644 +index 2523758..09669b6 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te -@@ -38,7 +38,7 @@ locallogin_use_fds(loadkeys_t) +@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t) + term_dontaudit_use_console(loadkeys_t) + term_use_unallocated_ttys(loadkeys_t) + ++auth_read_passwd(loadkeys_t) ++ + init_dontaudit_use_fds(loadkeys_t) + init_dontaudit_use_script_ptys(loadkeys_t) + +@@ -38,7 +40,7 @@ locallogin_use_fds(loadkeys_t) miscfiles_read_localization(loadkeys_t) @@ -8030,7 +7923,7 @@ index 2523758..50629a8 100644 userdom_list_user_home_content(loadkeys_t) ifdef(`hide_broken_symptoms',` -@@ -46,5 +46,9 @@ ifdef(`hide_broken_symptoms',` +@@ -46,5 +48,9 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -8052,18 +7945,21 @@ index 0bac996..ca2388d 100644 +userdom_use_inherited_user_terminals(lockdev_t) 
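Review bot: The livecd_t change in `@@ -20,16 +20,36 @@` wraps `domain_ptrace_all_domains(livecd_t)` in a deny_ptrace tunable with an empty true-branch, so the ability to ptrace every domain remains granted unless an administrator turns deny_ptrace on; if that boolean defaults to off, nothing changes for livecd_t by default. That deserves a one-line comment at the site, e.g. `# ptrace of all domains stays enabled unless deny_ptrace is set`, because a reader scanning for the sys_ptrace removals made elsewhere in this patch will otherwise assume livecd_t lost it as well. The rest of the livecd_t block continues outside this hunk.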
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if -index 7b08e13..1fa8573 100644 +index 7b08e13..b2b83ad 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if -@@ -41,7 +41,6 @@ template(`mono_role_template',` +@@ -40,16 +40,16 @@ template(`mono_role_template',` + domain_interactive_fd($1_mono_t) application_type($1_mono_t) - allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; +- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; +- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; ++ allow $1_mono_t self:process { signal getsched execheap execmem execstack }; ++ allow $3 $1_mono_t:process { getattr noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) -@@ -49,7 +48,8 @@ template(`mono_role_template',` + fs_dontaudit_rw_tmpfs_files($1_mono_t) corecmd_bin_domtrans($1_mono_t, $1_t) @@ -8073,6 +7969,19 @@ index 7b08e13..1fa8573 100644 optional_policy(` xserver_role($1_r, $1_mono_t) +diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te +index dff0f12..ecab36d 100644 +--- a/policy/modules/apps/mono.te ++++ b/policy/modules/apps/mono.te +@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) + # Local policy + # + +-allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; ++allow mono_t self:process { signal getsched execheap execmem execstack }; + + init_dbus_chat_script(mono_t) + diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 93ac529..35b51ab 100644 --- a/policy/modules/apps/mozilla.fc @@ -8108,7 +8017,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) 
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..8fe4551 100644 +index fbb5c5a..b9b8ac2 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -8165,7 +8074,7 @@ index fbb5c5a..8fe4551 100644 + allow mozilla_plugin_t $1:sem create_sem_perms; + + ps_process_pattern($1, mozilla_plugin_t) -+ allow $1 mozilla_plugin_t:process { ptrace signal_perms }; ++ allow $1 mozilla_plugin_t:process signal_perms; ') ######################################## @@ -8261,7 +8170,7 @@ index fbb5c5a..8fe4551 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..8768af4 100644 +index 2e9318b..69e2534 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -8304,7 +8213,7 @@ index 2e9318b..8768af4 100644 logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -@@ -165,7 +172,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -165,14 +172,18 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -8313,7 +8222,20 @@ index 2e9318b..8768af4 100644 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -262,6 +269,7 @@ optional_policy(` + xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) + +-tunable_policy(`allow_execmem',` +- allow mozilla_t self:process { execmem execstack }; ++tunable_policy(`allow_execstack',` ++ allow mozilla_t self:process execstack; ++') ++ ++tunable_policy(`deny_execmem',`',` ++ allow mozilla_t self:process execmem; + ') + + tunable_policy(`use_nfs_home_dirs',` +@@ -262,6 +273,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) 
@@ -8321,7 +8243,7 @@ index 2e9318b..8768af4 100644 ') optional_policy(` -@@ -278,7 +286,8 @@ optional_policy(` +@@ -278,7 +290,8 @@ optional_policy(` ') optional_policy(` @@ -8331,12 +8253,12 @@ index 2e9318b..8768af4 100644 ') optional_policy(` -@@ -296,16 +305,19 @@ optional_policy(` +@@ -296,16 +309,19 @@ optional_policy(` # mozilla_plugin local policy # -dontaudit mozilla_plugin_t self:capability { sys_ptrace }; -+dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice }; ++dontaudit mozilla_plugin_t self:capability sys_nice; + allow mozilla_plugin_t self:process { setsched signal_perms execmem }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; @@ -8355,7 +8277,7 @@ index 2e9318b..8768af4 100644 can_exec(mozilla_plugin_t, mozilla_home_t) read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -@@ -313,8 +325,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +@@ -313,8 +329,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -8368,7 +8290,7 @@ index 2e9318b..8768af4 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -332,11 +350,9 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) 
@@ -8382,7 +8304,7 @@ index 2e9318b..8768af4 100644 corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -@@ -344,6 +356,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) +@@ -344,6 +360,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) @@ -8392,7 +8314,7 @@ index 2e9318b..8768af4 100644 dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,13 +400,19 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -385,20 +404,26 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -8410,9 +8332,19 @@ index 2e9318b..8768af4 100644 +userdom_read_home_certs(mozilla_plugin_t) +userdom_dontaudit_write_home_certs(mozilla_plugin_t) - tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process { execmem execstack }; -@@ -425,7 +446,13 @@ optional_policy(` +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_t self:process { execmem execstack }; ++tunable_policy(`deny_execmem',`', ` ++ allow mozilla_plugin_t self:process execmem; + ') + + tunable_policy(`allow_execstack',` +- allow mozilla_plugin_t self:process { execstack }; ++ allow mozilla_plugin_t self:process execstack; + ') + + tunable_policy(`use_nfs_home_dirs',` +@@ -425,7 +450,13 @@ optional_policy(` ') optional_policy(` @@ -8426,7 +8358,7 @@ index 2e9318b..8768af4 100644 ') optional_policy(` -@@ -438,7 +465,14 @@ optional_policy(` +@@ -438,7 +469,14 @@ optional_policy(` ') optional_policy(` 
@@ -8442,7 +8374,7 @@ index 2e9318b..8768af4 100644 ') optional_policy(` -@@ -446,10 +480,27 @@ optional_policy(` +@@ -446,10 +484,27 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -8515,7 +8447,7 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te -index 072a210..16ce654 100644 +index 072a210..8b1fa1b 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t) @@ -8535,6 +8467,15 @@ index 072a210..16ce654 100644 # Handle removable media, /tmp, and /home userdom_list_user_tmp(mencoder_t) userdom_read_user_tmp_files(mencoder_t) +@@ -91,7 +92,7 @@ ifndef(`enable_mls',` + fs_read_removable_symlinks(mencoder_t) + ') + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow mencoder_t self:process execmem; + ') + @@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) @@ -8559,6 +8500,15 @@ index 072a210..16ce654 100644 # Read media files userdom_list_user_tmp(mplayer_t) userdom_read_user_tmp_files(mplayer_t) +@@ -246,7 +252,7 @@ ifdef(`enable_mls',`',` + fs_read_removable_symlinks(mplayer_t) + ') + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow mplayer_t self:process execmem; + ') + @@ -305,7 +311,7 @@ optional_policy(` ') @@ -8694,7 +8644,7 @@ index 0000000..22e6c96 +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..1925bd9 +index 0000000..fce899a --- /dev/null +++ b/policy/modules/apps/nsplugin.if @@ -0,0 +1,472 @@ 
@@ -8793,7 +8743,7 @@ index 0000000..1925bd9 + dontaudit nsplugin_t $2:shm destroy; + allow $2 nsplugin_t:sem rw_sem_perms; + -+ allow $2 nsplugin_t:process { getattr ptrace signal_perms }; ++ allow $2 nsplugin_t:process { getattr signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + + # Connect to pulseaudit server @@ -9172,7 +9122,7 @@ index 0000000..1925bd9 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..f0773b4 +index 0000000..3b6b4cb --- /dev/null +++ b/policy/modules/apps/nsplugin.te @@ -0,0 +1,335 @@ @@ -9232,7 +9182,7 @@ index 0000000..f0773b4 +# +dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; +allow nsplugin_t self:fifo_file rw_file_perms; -+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; ++allow nsplugin_t self:process { setpgid getsched setsched signal_perms }; + +allow nsplugin_t self:sem create_sem_perms; +allow nsplugin_t self:shm create_shm_perms; @@ -9522,7 +9472,7 @@ index 0000000..4428be4 + diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if new file mode 100644 -index 0000000..0578e7c +index 0000000..792bf9c --- /dev/null +++ b/policy/modules/apps/openoffice.if @@ -0,0 +1,124 @@ @@ -9597,7 +9547,7 @@ index 0000000..0578e7c + + allow $1_openoffice_t self:process { getsched sigkill execmem execstack }; + -+ allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; ++ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh }; + allow $1_openoffice_t $3:tcp_socket { read write }; + + domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) 
@@ -9672,6 +9622,20 @@ index 0000000..a842371 +# Unconfined java local policy +# + +diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te +index ccc15ab..9f88c3a 100644 +--- a/policy/modules/apps/podsleuth.te ++++ b/policy/modules/apps/podsleuth.te +@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t) + # podsleuth local policy + # + allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; ++allow podsleuth_t self:process { signal signull getsched execheap execmem execstack }; ++ + allow podsleuth_t self:fifo_file rw_file_perms; + allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; + allow podsleuth_t self:sem create_sem_perms; diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc index 84f23dc..af5b87d 100644 --- a/policy/modules/apps/pulseaudio.fc @@ -9688,21 +9652,20 @@ index 84f23dc..af5b87d 100644 /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index f40c64d..a08cb82 100644 +index f40c64d..aa9e8e2 100644 --- a/policy/modules/apps/pulseaudio.if 
+++ b/policy/modules/apps/pulseaudio.if -@@ -35,6 +35,10 @@ interface(`pulseaudio_role',` +@@ -35,6 +35,9 @@ interface(`pulseaudio_role',` allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; -+ userdom_manage_home_role($1, pulseaudio_t) + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) + allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') -@@ -257,4 +261,66 @@ interface(`pulseaudio_manage_home_files',` +@@ -257,4 +260,66 @@ interface(`pulseaudio_manage_home_files',` userdom_search_user_home_dirs($1) manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) @@ -9770,7 +9733,7 @@ index f40c64d..a08cb82 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index d1eace5..8522ab4 100644 +index d1eace5..5314e57 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -9801,7 +9764,7 @@ index d1eace5..8522ab4 100644 auth_use_nsswitch(pulseaudio_t) -@@ -94,10 +95,9 @@ logging_send_syslog_msg(pulseaudio_t) +@@ -94,10 +95,29 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) 
@@ -9809,13 +9772,33 @@ index d1eace5..8522ab4 100644 -userdom_manage_user_home_content_files(pulseaudio_t) -userdom_manage_user_tmp_files(pulseaudio_t) -userdom_manage_user_tmpfs_files(pulseaudio_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_mount_nfs(pulseaudio_t) ++ fs_mounton_nfs(pulseaudio_t) ++ fs_manage_nfs_dirs(pulseaudio_t) ++ fs_manage_nfs_files(pulseaudio_t) ++ fs_manage_nfs_symlinks(pulseaudio_t) ++ fs_manage_nfs_named_sockets(pulseaudio_t) ++ fs_manage_nfs_named_pipes(pulseaudio_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_mount_cifs(pulseaudio_t) ++ fs_mounton_cifs(pulseaudio_t) ++ fs_manage_cifs_dirs(pulseaudio_t) ++ fs_manage_cifs_files(pulseaudio_t) ++ fs_manage_cifs_symlinks(pulseaudio_t) ++ fs_manage_cifs_named_sockets(pulseaudio_t) ++ fs_manage_cifs_named_pipes(pulseaudio_t) ++') ++ +optional_policy(` + alsa_read_rw_config(pulseaudio_t) +') optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -127,10 +127,24 @@ optional_policy(` +@@ -127,10 +147,24 @@ optional_policy(` ') optional_policy(` @@ -9840,7 +9823,7 @@ index d1eace5..8522ab4 100644 policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +162,7 @@ optional_policy(` +@@ -148,3 +182,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -10030,10 +10013,20 @@ index 268d691..da3a26d 100644 + domain_entry_file($1, qemu_exec_t) +') diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 1813e16..50a3a34 100644 +index 1813e16..606d712 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te -@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t) +@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true) + ##
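Review bot: The new use_nfs_home_dirs and use_samba_home_dirs blocks for pulseaudio_t grant `fs_mount_nfs(pulseaudio_t)`, `fs_mounton_nfs(pulseaudio_t)` and the cifs equivalents alongside the manage rules, but a per-user audio daemon has no evident need to mount, or serve as a mount point for, a network filesystem; the fs_manage_*_dirs/files/symlinks/named_* rules already cover reading and writing home content on those filesystems. Unless a concrete denial motivated them, drop the four mount/mounton lines, or add a comment naming the operation that requires them so the next reviewer does not have to guess.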
+ gen_tunable(qemu_use_usb, true) + +-type qemu_exec_t; + virt_domain_template(qemu) +-application_domain(qemu_t, qemu_exec_t) + role system_r types qemu_t; + + ######################################## +@@ -55,6 +53,7 @@ storage_raw_read_removable_device(qemu_t) userdom_search_user_home_content(qemu_t) userdom_read_user_tmpfs_files(qemu_t) @@ -10041,7 +10034,7 @@ index 1813e16..50a3a34 100644 tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; -@@ -99,6 +100,13 @@ optional_policy(` +@@ -99,6 +98,13 @@ optional_policy(` ') optional_policy(` @@ -10055,7 +10048,7 @@ index 1813e16..50a3a34 100644 virt_manage_images(qemu_t) virt_append_log(qemu_t) ') -@@ -111,18 +119,3 @@ optional_policy(` +@@ -111,18 +117,3 @@ optional_policy(` xserver_read_xdm_pid(qemu_t) xserver_stream_connect(qemu_t) ') @@ -10488,10 +10481,10 @@ index 0000000..809784d +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..5e75113 +index 0000000..76dbb45 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,488 @@ +@@ -0,0 +1,501 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -10534,7 +10527,12 @@ index 0000000..5e75113 +# +# sandbox xserver policy +# -+allow sandbox_xserver_t self:process { execmem execstack }; ++allow sandbox_xserver_t self:process execstack; ++ ++tunable_policy(`deny_execmem',`',` ++ allow sandbox_xserver_t self:process execmem; ++') ++ +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; 
@@ -10613,7 +10611,11 @@ index 0000000..5e75113 +# sandbox local policy +# + -+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; ++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++tunable_policy(`deny_execmem',`',` ++ allow sandbox_domain self:process execmem; ++') ++ +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; @@ -10662,7 +10664,11 @@ index 0000000..5e75113 +# +# sandbox_x_domain local policy +# -+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++tunable_policy(`deny_execmem',`',` ++ allow sandbox_x_domain self:process execmem; ++') ++ +allow sandbox_x_domain self:fifo_file manage_file_perms; +allow sandbox_x_domain self:sem create_sem_perms; +allow sandbox_x_domain self:shm create_shm_perms; @@ -11923,10 +11929,10 @@ index 0000000..5554dc9 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..b4001f1 +index 0000000..01584ce --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,76 @@ +@@ -0,0 +1,81 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -11948,7 +11954,12 @@ index 0000000..b4001f1 +# thumb local policy +# + -+allow thumb_t self:process { setsched signal setrlimit execmem }; ++allow thumb_t self:process { setsched signal setrlimit }; ++ ++tunable_policy(`deny_execmem',`',` ++ allow thumb_t self:process execmem; ++') ++ +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -12016,10 +12027,35 @@ index 11fe4f2..98bfbf3 100644 userdom_read_user_home_content_files(tvtime_t) # X access, Home files +diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if +index d2ab7cb..ddb34f1 100644 +--- a/policy/modules/apps/uml.if ++++ b/policy/modules/apps/uml.if +@@ -31,9 +31,9 @@ interface(`uml_role',` + allow $2 uml_t:unix_dgram_socket sendto; + allow uml_t $2:unix_dgram_socket sendto; + +- # allow ps, ptrace, signal ++ # allow ps, signal + ps_process_pattern($2, uml_t) +- allow $2 uml_t:process { ptrace signal_perms }; ++ allow $2 uml_t:process signal_perms; + + allow $2 uml_ro_t:dir list_dir_perms; + read_files_pattern($2, uml_ro_t, uml_ro_t) diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te -index 2df1343..7a11f39 100644 +index 2df1343..c716960 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te +@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t) + # + + allow uml_t self:fifo_file rw_fifo_file_perms; +-allow uml_t self:process { signal_perms ptrace }; ++allow uml_t self:process signal_perms; + allow uml_t self:unix_stream_socket create_stream_socket_perms; + allow uml_t self:unix_dgram_socket create_socket_perms; + # Use the network. @@ -134,7 +134,7 @@ seutil_use_newrole_fds(uml_t) # Use the network. sysnet_read_config(uml_t) @@ -12253,16 +12289,35 @@ index 13b2cea..8ce8577 100644 + files_search_mnt(consolehelper_domain) + fs_search_cifs(consolehelper_domain) +') +diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if +index ba9b9d6..09ae47c 100644 +--- a/policy/modules/apps/usernetctl.if ++++ b/policy/modules/apps/usernetctl.if +@@ -47,10 +47,6 @@ interface(`usernetctl_run',` + sysnet_run_dhcpc(usernetctl_t, $2) + + optional_policy(` +- consoletype_run(usernetctl_t, $2) +- ') +- +- optional_policy(` + iptables_run(usernetctl_t, $2) + ') + 
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te -index 9586818..f938024 100644 +index 9586818..93edd6b 100644 --- a/policy/modules/apps/usernetctl.te +++ b/policy/modules/apps/usernetctl.te -@@ -58,7 +58,7 @@ seutil_read_config(usernetctl_t) +@@ -58,7 +58,11 @@ seutil_read_config(usernetctl_t) sysnet_read_config(usernetctl_t) -userdom_use_user_terminals(usernetctl_t) +userdom_use_inherited_user_terminals(usernetctl_t) ++ ++optional_policy(` ++ consoletype_exec(usernetctl_t) ++') optional_policy(` hostname_exec(usernetctl_t) @@ -12294,9 +12349,18 @@ index f647c7e..252468a 100644 /usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te -index 23066a1..6aff330 100644 +index 23066a1..dc73652 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te +@@ -72,7 +72,7 @@ ifdef(`enable_mcs',` + # VMWare host local policy + # + +-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; ++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; + dontaudit vmware_host_t self:capability sys_tty_config; + allow vmware_host_t self:process { execstack execmem signal_perms }; + allow vmware_host_t self:fifo_file rw_fifo_file_perms; @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) @@ -12412,7 +12476,7 @@ index 9d24449..2666317 100644 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if -index f9a73d0..e10101a 100644 +index f9a73d0..00a98f1 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -29,12 +29,16 @@ 
@@ -12450,7 +12514,13 @@ index f9a73d0..e10101a 100644 type wine_exec_t; ') -@@ -101,7 +105,7 @@ template(`wine_role_template',` +@@ -96,12 +100,12 @@ template(`wine_role_template',` + role $2 types $1_wine_t; + + allow $1_wine_t self:process { execmem execstack }; +- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; ++ allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; + domtrans_pattern($3, wine_exec_t, $1_wine_t) corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) @@ -12902,6 +12972,19 @@ index 9e9263a..650e796 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') +diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te +index 23a1c3c..9527971 100644 +--- a/policy/modules/kernel/corecommands.te ++++ b/policy/modules/kernel/corecommands.te +@@ -13,7 +13,7 @@ attribute exec_type; + # + # bin_t is the type of files in the system bin/sbin directories. + # +-type bin_t alias { ls_exec_t sbin_t }; ++type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t }; + corecmd_executable_file(bin_t) + dev_associate(bin_t) #For /dev/MAKEDEV + diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 4f3b542..cf422f4 100644 --- a/policy/modules/kernel/corenetwork.if.in @@ -14064,7 +14147,7 @@ index 4f3b542..cf422f4 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..ff28a20 100644 +index 99b71cb..1541989 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; 
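Review bot: Folding `java_exec_t`, `execmem_exec_t` and `mono_exec_t` into the alias list of `bin_t` in corecommands.te silently widens every rule still written against those names to all of `bin_t`: a `domtrans_pattern` or `execmem` grant keyed on `java_exec_t` would now fire for every binary under /bin and /sbin, and any module that still declares one of those types would collide with the alias at build time. The rest of this patch appears to retire the unconfined execmem domain, which is consistent with the alias, but the java and mono modules are not in view, so their remaining declarations and references should be checked and removed before this lands. A comment on the alias line would make the contract explicit: `# java_exec_t, execmem_exec_t and mono_exec_t are compatibility aliases only; no rule may key a transition or execmem grant on them`.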
@@ -14212,7 +14295,7 @@ index 99b71cb..ff28a20 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -16078,7 +16161,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..a60d2f8 100644 +index fae1ab1..f9a1bcc 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) 
@@ -16162,16 +16245,22 @@ index fae1ab1..a60d2f8 100644 ') ######################################## -@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +@@ -143,8 +178,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + # Act upon any other process. - allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; ++allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; ++tunable_policy(`deny_ptrace',`',` ++ allow unconfined_domain_type domain:process ptrace; ++') -@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + # Create/access any System V IPC objects. + allow unconfined_domain_type domain:{ sem msgq shm } *; +@@ -158,5 +198,217 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -16259,6 +16348,7 @@ index fae1ab1..a60d2f8 100644 + +optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) ++ userdom_filetrans_home_content(unconfined_domain_type) +') + +optional_policy(` @@ -16387,6 +16477,7 @@ index fae1ab1..a60d2f8 100644 +') + +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; ++dontaudit domain self:capability sys_ptrace; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c19518a..12e8e9c 100644 --- a/policy/modules/kernel/files.fc @@ -19215,7 +19306,7 @@ index 6346378..8c500cd 100644 +') + 
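Review bot: The new trailing `dontaudit domain self:capability sys_ptrace;` in domain.te suppresses CAP_SYS_PTRACE denials for every domain unconditionally, which removes exactly the audit signal an operator relies on to notice a process trying to trace or read the memory of another process once `deny_ptrace` is in force. If the intent is only to quiet expected noise while ptrace is being denied, scope the rule to that case, `tunable_policy(`deny_ptrace',` dontaudit domain self:capability sys_ptrace; ')`, so that with ptrace permitted a denial still surfaces as a genuine policy gap. Even then the trade-off deserves a comment beside the rule, since a per-domain dontaudit would preserve more forensic visibility than a blanket one on the `domain` attribute.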
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..c857dc0 100644 +index d91c62f..8852535 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,12 @@ @@ -19248,7 +19339,20 @@ index d91c62f..c857dc0 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t) +@@ -181,7 +191,11 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) + # kernel local policy + # + +-allow kernel_t self:capability *; ++allow kernel_t self:capability ~{ sys_ptrace }; ++tunable_policy(`deny_ptrace',`',` ++ allow kernel_t self:capability sys_ptrace; ++') ++ + allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow kernel_t self:shm create_shm_perms; + allow kernel_t self:sem create_sem_perms; +@@ -242,11 +256,14 @@ dev_search_usbfs(kernel_t) # devtmpfs handling: dev_create_generic_dirs(kernel_t) dev_delete_generic_dirs(kernel_t) @@ -19267,7 +19371,7 @@ index d91c62f..c857dc0 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t) +@@ -255,7 +272,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -19277,7 +19381,7 @@ index d91c62f..c857dc0 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -269,25 +283,47 @@ files_list_root(kernel_t) +@@ -269,25 +287,47 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -19325,7 +19429,7 @@ index d91c62f..c857dc0 100644 ') optional_policy(` -@@ -297,6 +333,19 @@ optional_policy(` +@@ -297,6 +337,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) 
@@ -19345,7 +19449,7 @@ index d91c62f..c857dc0 100644 ') optional_policy(` -@@ -334,9 +383,7 @@ optional_policy(` +@@ -334,9 +387,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -19356,7 +19460,7 @@ index d91c62f..c857dc0 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -345,7 +392,7 @@ optional_policy(` +@@ -345,7 +396,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -19365,7 +19469,7 @@ index d91c62f..c857dc0 100644 ') ') -@@ -358,6 +405,15 @@ optional_policy(` +@@ -358,6 +409,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -19381,10 +19485,12 @@ index d91c62f..c857dc0 100644 ######################################## # # Unlabeled process local policy -@@ -387,3 +443,16 @@ allow kern_unconfined unlabeled_t:filesystem *; +@@ -386,4 +446,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; + allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; - allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; +-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; ++allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; + +gen_require(` + bool secure_mode_insmod; @@ -21018,9 +21124,18 @@ index 0faef68..4264c9c 100644 consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te -index 1875064..e9c9277 100644 +index 1875064..2adc35f 100644 --- a/policy/modules/roles/dbadm.te 
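Review bot: `kern_unconfined` loses `ptrace` on `unlabeled_t` processes outright in the last hunk of kernel.te, while the equivalent edits to `unconfined_domain_type` in domain.te and to `kernel_t` earlier in this file restore the permission under `tunable_policy(`deny_ptrace',`',` … ')`. If the omission is deliberate, a comment saying so would stop the next reader from adding the fallback; otherwise the rule should follow the other two sites, `tunable_policy(`deny_ptrace',`',` allow kern_unconfined unlabeled_t:process ptrace; ')`. The three sites should state the same contract for what `deny_ptrace` controls.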
+++ b/policy/modules/roles/dbadm.te +@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm) + # database admin local policy + # + +-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; ++allow dbadm_t self:capability { dac_override dac_read_search }; + + files_dontaudit_search_all_dirs(dbadm_t) + files_delete_generic_locks(dbadm_t) @@ -37,6 +37,7 @@ files_list_var(dbadm_t) selinux_get_enforce_mode(dbadm_t) @@ -21058,6 +21173,18 @@ index 1cb7311..1de82b2 100644 +') + +gen_user(guest_u, user, guest_r, s0, s0) +diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te +index 3a45a3e..6b08160 100644 +--- a/policy/modules/roles/logadm.te ++++ b/policy/modules/roles/logadm.te +@@ -14,6 +14,5 @@ userdom_base_user_template(logadm) + # logadmin local policy + # + +-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; +- ++allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; + logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index be4de58..7e8b6ec 100644 --- a/policy/modules/roles/secadm.te @@ -21082,7 +21209,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..e47e0f0 100644 +index 2be17d2..cfea862 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) @@ -21304,7 +21431,18 @@ index 2be17d2..e47e0f0 100644 xserver_role(staff_r, staff_t) ') -@@ -89,18 +262,10 @@ ifndef(`distro_redhat',` +@@ -61,6 +234,10 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` ++ blueman_dbus_chat(staff_t) ++ ') ++ ++ optional_policy(` + bluetooth_role(staff_r, staff_t) + ') + +@@ -89,18 +266,10 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -21323,7 +21461,7 @@ index 2be17d2..e47e0f0 100644 java_role(staff_r, staff_t) ') -@@ -121,10 +286,6 @@ ifndef(`distro_redhat',` +@@ -121,10 +290,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21334,7 +21472,7 @@ index 2be17d2..e47e0f0 100644 pyzor_role(staff_r, staff_t) ') -@@ -137,10 +298,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +302,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21345,7 +21483,7 @@ index 2be17d2..e47e0f0 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +329,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +333,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -21354,10 +21492,24 @@ index 2be17d2..e47e0f0 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..c6aa0bc 100644 +index e14b961..0d1af63 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -24,20 +24,52 @@ ifndef(`enable_mls',` +@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) + # Declarations + # + +-## +-##

+-## Allow sysadm to debug or ptrace all processes. +-##

+-##
+-gen_tunable(allow_ptrace, false) +- + role sysadm_r; + + userdom_admin_user_template(sysadm) +@@ -24,20 +17,52 @@ ifndef(`enable_mls',` # # Local policy # @@ -21410,15 +21562,19 @@ index e14b961..c6aa0bc 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +87,7 @@ ifndef(`enable_mls',` +@@ -55,9 +80,10 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) + logging_stream_connect_syslog(sysadm_t) ') - tunable_policy(`allow_ptrace',` -@@ -67,9 +100,9 @@ optional_policy(` +-tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + domain_ptrace_all_domains(sysadm_t) + ') + +@@ -67,9 +93,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -21429,7 +21585,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -98,6 +131,10 @@ optional_policy(` +@@ -98,6 +124,10 @@ optional_policy(` ') optional_policy(` @@ -21440,19 +21596,20 @@ index e14b961..c6aa0bc 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +147,19 @@ optional_policy(` +@@ -110,11 +140,19 @@ optional_policy(` ') optional_policy(` +- consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) -+') -+ -+optional_policy(` - consoletype_run(sysadm_t, sysadm_r) ') optional_policy(` - cvs_exec(sysadm_t) ++ consoletype_exec(sysadm_t) ++') ++ ++optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -21461,7 +21618,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -128,6 +173,10 @@ optional_policy(` +@@ -128,6 +166,10 @@ optional_policy(` ') optional_policy(` @@ -21472,7 +21629,7 @@ index e14b961..c6aa0bc 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +212,13 @@ optional_policy(` +@@ -163,6 +205,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) 
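Review bot: Switching the guard around `domain_ptrace_all_domains(sysadm_t)` from `tunable_policy(`allow_ptrace',`` to `tunable_policy(`deny_ptrace',`',`` inverts the default: the removed `gen_tunable(allow_ptrace, false)` denied ptrace unless an administrator opted in, whereas a `deny_ptrace` boolean that defaults to false hands sysadm_t ptrace over every domain out of the box. That is a privilege increase for the admin role on every system that never touched the old boolean, and it should be called out in the patch description and in the tunable's documentation rather than left implicit. If the wider default was not intended, the fix belongs in the tunable's declaration (default true), not in this hunk; if it was intended, a one-line comment here, `# ptrace is granted unless deny_ptrace is set; the old allow_ptrace default was deny`, records the decision.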
@@ -21486,7 +21643,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -170,15 +226,20 @@ optional_policy(` +@@ -170,15 +219,20 @@ optional_policy(` ') optional_policy(` @@ -21510,7 +21667,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -198,22 +259,20 @@ optional_policy(` +@@ -198,22 +252,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21539,7 +21696,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -225,25 +284,47 @@ optional_policy(` +@@ -225,25 +277,47 @@ optional_policy(` ') optional_policy(` @@ -21587,7 +21744,7 @@ index e14b961..c6aa0bc 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,31 +334,32 @@ optional_policy(` +@@ -253,31 +327,32 @@ optional_policy(` ') optional_policy(` @@ -21627,7 +21784,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -302,12 +384,18 @@ optional_policy(` +@@ -302,12 +377,18 @@ optional_policy(` ') optional_policy(` @@ -21647,7 +21804,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -332,7 +420,10 @@ optional_policy(` +@@ -332,7 +413,10 @@ optional_policy(` ') optional_policy(` @@ -21659,7 +21816,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -343,19 +434,15 @@ optional_policy(` +@@ -343,19 +427,15 @@ optional_policy(` ') optional_policy(` @@ -21681,7 +21838,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -367,45 +454,45 @@ optional_policy(` +@@ -367,45 +447,45 @@ optional_policy(` ') optional_policy(` @@ -21738,7 +21895,7 @@ index e14b961..c6aa0bc 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +505,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +498,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -21749,7 +21906,7 @@ index e14b961..c6aa0bc 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +522,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +515,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -21757,7 +21914,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -446,11 +530,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +523,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22536,10 +22693,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..4163dc5 +index 0000000..4ce2685 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,442 @@ +@@ -0,0 +1,401 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -22646,11 +22803,11 @@ index 0000000..4163dc5 +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + -+tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow unconfined_t self:process execmem; +') + -+tunable_policy(`allow_execmem && allow_execstack',` ++tunable_policy(`allow_execstack',` + allow unconfined_t self:process execstack; +') + @@ -22688,6 +22845,10 @@ index 0000000..4163dc5 + ') + + optional_policy(` ++ blueman_dbus_chat(unconfined_usertype) ++ ') ++ ++ optional_policy(` + certmonger_dbus_chat(unconfined_usertype) + ') + @@ -22767,7 +22928,6 @@ index 0000000..4163dc5 + + optional_policy(` + unconfined_domain(unconfined_dbusd_t) -+ unconfined_execmem_domtrans(unconfined_dbusd_t) + + optional_policy(` + xserver_rw_shm(unconfined_dbusd_t) @@ -22902,7 +23062,6 @@ index 0000000..4163dc5 + ') + + samba_role_notrans(unconfined_r) -+# samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') + 
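Review bot: The execstack grant in the new unconfineduser.te is no longer tied to execmem: the old condition `allow_execmem && allow_execstack` became a bare `tunable_policy(`allow_execstack',`` while execmem moved to `tunable_policy(`deny_execmem',`',``, so an administrator who sets `deny_execmem` to harden unconfined_t still gets an executable stack the moment `allow_execstack` is on. The original coupling encoded that denying execmem also denies execstack, and that is the combination most hardening guides expect. Restore it with the inverted boolean, `tunable_policy(`!deny_execmem && allow_execstack',` allow unconfined_t self:process execstack; ')`, or document why the two controls are now independent.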
@@ -22937,53 +23096,10 @@ index 0000000..4163dc5 + xserver_manage_home_fonts(unconfined_t) +') + -+######################################## -+# -+# Unconfined Execmem Local policy -+# -+ -+optional_policy(` -+ execmem_role_template(unconfined, unconfined_r, unconfined_t) -+ typealias unconfined_execmem_t alias execmem_t; -+ typealias unconfined_execmem_t alias unconfined_openoffice_t; -+ unconfined_domain_noaudit(unconfined_execmem_t) -+ allow unconfined_execmem_t unconfined_t:process transition; -+ rpm_transition_script(unconfined_execmem_t) -+ role system_r types unconfined_execmem_t; -+ -+ optional_policy(` -+ init_dbus_chat_script(unconfined_execmem_t) -+ dbus_system_bus_client(unconfined_execmem_t) -+ unconfined_dbus_chat(unconfined_execmem_t) -+ unconfined_dbus_connect(unconfined_execmem_t) -+ ') -+ -+ optional_policy(` -+ tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) -+ ') -+ ') -+ -+ optional_policy(` -+ tunable_policy(`unconfined_login',` -+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t) -+ ') -+ ') -+ -+ optional_policy(` -+ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t) -+ ') -+') -+ -+######################################## -+# -+# Unconfined mount local policy -+# -+ +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..cd87e46 100644 +index e5bfdd4..9db5ebd 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -12,15 +12,97 @@ role user_r; 
@@ -23084,7 +23200,18 @@ index e5bfdd4..cd87e46 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +144,11 @@ ifndef(`distro_redhat',` +@@ -34,6 +116,10 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` ++ blueman_dbus_chat(staff_t) ++ ') ++ ++ optional_policy(` + bluetooth_role(user_r, user_t) + ') + +@@ -62,19 +148,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23105,7 +23232,7 @@ index e5bfdd4..cd87e46 100644 ') optional_policy(` -@@ -98,10 +172,6 @@ ifndef(`distro_redhat',` +@@ -98,10 +176,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23116,7 +23243,7 @@ index e5bfdd4..cd87e46 100644 postgresql_role(user_r, user_t) ') -@@ -118,11 +188,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +192,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23129,15 +23256,24 @@ index e5bfdd4..cd87e46 100644 ') optional_policy(` -@@ -157,3 +223,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +227,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') + diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te -index 0ecc786..dbf2710 100644 +index 0ecc786..3e7e984 100644 --- a/policy/modules/roles/webadm.te +++ b/policy/modules/roles/webadm.te +@@ -28,7 +28,7 @@ userdom_base_user_template(webadm) + # webadmin local policy + # + +-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; ++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; + + files_dontaudit_search_all_dirs(webadm_t) + files_manage_generic_locks(webadm_t) @@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t) seutil_domtrans_setfiles(webadm_t) @@ -23147,7 +23283,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..1cd57fd 100644 +index e88b95f..b1ea76e 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) 
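Review bot: In the new unprivuser.te hunk, `blueman_dbus_chat(staff_t)` names the wrong domain: every neighbouring rule in this `ifndef(`distro_redhat',` block targets `user_t`, and `staff_t` is neither declared nor required in this module, so a modular build should fail on the undeclared type while a monolithic build would likely grant the staff role a D-Bus channel the user role was meant to receive. The identical call in staff.te is correct, so this reads as a copy-paste slip. Change it to `blueman_dbus_chat(user_t)`. The enclosing `ifndef` block starts and ends outside this hunk.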
@@ -23181,7 +23317,7 @@ index e88b95f..1cd57fd 100644 ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) -@@ -49,11 +49,23 @@ ifndef(`enable_mls',` +@@ -49,11 +49,22 @@ ifndef(`enable_mls',` ') ') @@ -23190,7 +23326,6 @@ index e88b95f..1cd57fd 100644 + mount_dontaudit_exec_fusermount(xguest_t) +') + -+allow xguest_t self:process execmem; +kernel_dontaudit_request_load_module(xguest_t) + +tunable_policy(`allow_execstack',` @@ -23206,7 +23341,7 @@ index e88b95f..1cd57fd 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -62,10 +74,9 @@ optional_policy(` +@@ -62,10 +73,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -23218,7 +23353,7 @@ index e88b95f..1cd57fd 100644 ') ') -@@ -76,23 +87,102 @@ optional_policy(` +@@ -76,23 +86,98 @@ optional_policy(` ') optional_policy(` @@ -23236,17 +23371,14 @@ index e88b95f..1cd57fd 100644 + +optional_policy(` + gnome_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) + gnomeclock_dontaudit_dbus_chat(xguest_t) +') + +optional_policy(` -+ java_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) +') + @@ -23256,10 +23388,9 @@ index e88b95f..1cd57fd 100644 + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + pcscd_read_pub_files(xguest_usertype) + pcscd_stream_connect(xguest_usertype) +') @@ -23308,7 +23439,7 @@ index e88b95f..1cd57fd 100644 + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) -+ ') + ') + + #optional_policy(` + # telepathy_dbus_session_role(xguest_r, xguest_t) 
@@ -23318,7 +23449,7 @@ index e88b95f..1cd57fd 100644 +optional_policy(` + gen_require(` + type mozilla_t; - ') ++ ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; @@ -23368,7 +23499,7 @@ index 1bd5812..0d7d8d1 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..b2d6129 100644 +index 0b827c5..d83d4dc 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -23379,21 +23510,20 @@ index 0b827c5..b2d6129 100644 ps_process_pattern($1, abrt_t) ') -@@ -160,8 +161,7 @@ interface(`abrt_run_helper',` +@@ -160,8 +161,45 @@ interface(`abrt_run_helper',` ######################################## ## -## Send and receive messages from -## abrt over dbus. +## Read abrt cache - ## - ## - ## -@@ -169,12 +169,52 @@ interface(`abrt_run_helper',` - ## - ## - # --interface(`abrt_cache_manage',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`abrt_read_cache',` + gen_require(` + type abrt_var_cache_t; @@ -23425,13 +23555,14 @@ index 0b827c5..b2d6129 100644 +######################################## +## +## Manage abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -169,12 +207,14 @@ interface(`abrt_run_helper',` + ## + ## + # +-interface(`abrt_cache_manage',` +interface(`abrt_manage_cache',` gen_require(` type abrt_var_cache_t; 
@@ -23468,7 +23599,20 @@ index 0b827c5..b2d6129 100644 ##################################### ## ## All of the rules required to administrate -@@ -286,18 +344,116 @@ interface(`abrt_admin',` +@@ -278,26 +336,128 @@ interface(`abrt_admin',` + type abrt_initrc_exec_t; + ') + +- allow $1 abrt_t:process { ptrace signal_perms }; ++ allow $1 abrt_t:process { signal_perms }; + ps_process_pattern($1, abrt_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 abrt_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, abrt_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; @@ -23591,7 +23735,7 @@ index 0b827c5..b2d6129 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..4b0f7cc 100644 +index 30861ec..d5a9038 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -23643,7 +23787,7 @@ index 30861ec..4b0f7cc 100644 type abrt_helper_exec_t; application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +72,34 @@ ifdef(`enable_mcs',` +@@ -43,22 +72,42 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') 
@@ -23680,15 +23824,16 @@ index 30861ec..4b0f7cc 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; - allow abrt_t self:netlink_route_socket r_netlink_socket_perms; + allow abrt_t self:udp_socket create_socket_perms; + allow abrt_t self:unix_dgram_socket create_socket_perms; +-allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files +list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +117,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -23698,7 +23843,7 @@ index 30861ec..4b0f7cc 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -23710,7 +23855,7 @@ index 30861ec..4b0f7cc 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -23718,7 +23863,7 @@ index 30861ec..4b0f7cc 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -23728,7 +23873,7 @@ index 30861ec..4b0f7cc 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -23737,15 +23882,16 @@ index 30861ec..4b0f7cc 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +185,31 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) -sysnet_read_config(abrt_t) -+sysnet_dns_name_resolve(abrt_t) - +- logging_read_generic_logs(abrt_t) -logging_send_syslog_msg(abrt_t) ++ ++auth_use_nsswitch(abrt_t) miscfiles_read_generic_certs(abrt_t) -miscfiles_read_localization(abrt_t) @@ -23764,19 +23910,16 @@ index 30861ec..4b0f7cc 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +213,11 @@ optional_policy(` ') optional_policy(` +- nis_use_ypbind(abrt_t) + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(abrt_t) - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) -@@ -167,6 +235,7 @@ optional_policy(` + ') + + optional_policy(` +@@ -167,6 +230,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -23784,7 +23927,7 @@ index 30861ec..4b0f7cc 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +247,35 @@ optional_policy(` +@@ -178,12 +242,35 @@ optional_policy(` ') optional_policy(` 
@@ -23821,7 +23964,7 @@ index 30861ec..4b0f7cc 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +287,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -23850,7 +23993,7 @@ index 30861ec..4b0f7cc 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +315,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +310,128 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -23858,7 +24001,7 @@ index 30861ec..4b0f7cc 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') - ') ++') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -23936,7 +24079,7 @@ index 30861ec..4b0f7cc 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) -+') + ') + +######################################## +# @@ -23980,7 +24123,7 @@ index 30861ec..4b0f7cc 100644 + +miscfiles_read_localization(abrt_domain) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if -index c0f858d..d639ae0 100644 +index c0f858d..5770f1a 100644 --- a/policy/modules/services/accountsd.if +++ b/policy/modules/services/accountsd.if @@ -5,9 +5,9 @@ 
@@ -24004,17 +24147,22 @@ index c0f858d..d639ae0 100644 ## ## # -@@ -138,7 +138,7 @@ interface(`accountsd_admin',` +@@ -138,8 +138,12 @@ interface(`accountsd_admin',` type accountsd_t; ') - allow $1 accountsd_t:process { ptrace signal_perms getattr }; -+ allow $1 accountsd_t:process { ptrace signal_perms }; ++ allow $1 accountsd_t:process signal_perms; ps_process_pattern($1, accountsd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 acountsd_t:process ptrace; ++ ') ++ accountsd_manage_lib_files($1) + ') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..493bde2 100644 +index 1632f10..a538582 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) @@ -24026,10 +24174,12 @@ index 1632f10..493bde2 100644 type accountsd_var_lib_t; files_type(accountsd_var_lib_t) -@@ -18,6 +20,7 @@ files_type(accountsd_var_lib_t) +@@ -17,7 +19,8 @@ files_type(accountsd_var_lib_t) + # accountsd local policy # - allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; +-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; ++allow accountsd_t self:capability { dac_override setuid setgid }; +allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; @@ -24057,17 +24207,21 @@ index 1632f10..493bde2 100644 + xserver_manage_xdm_etc_files(accountsd_t) +') diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if -index 8559cdc..49c0cc8 100644 +index 8559cdc..641044e 100644 --- a/policy/modules/services/afs.if 
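Review bot: `allow $1 acountsd_t:process ptrace;` inside the new `deny_ptrace` block of `accountsd_admin` misspells the domain — the gen_require just above declares `type accountsd_t;`, and `acountsd_t` is declared nowhere, so any module calling this interface should fail to build; the line should read `allow $1 accountsd_t:process ptrace;`. The same three-line `tunable_policy(`deny_ptrace',`',` … ')` block is pasted by hand into afs_admin, aiccu_admin, aide_admin, aisexecd_admin, ajaxterm_admin, amavis_admin and apache_admin in the later hunks, which is exactly how a one-character slip like this escapes review; a shared interface or macro taking the domain type would keep the ptrace gate in one place and make each call site a single line.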
+++ b/policy/modules/services/afs.if -@@ -97,8 +97,8 @@ interface(`afs_admin',` +@@ -97,8 +97,12 @@ interface(`afs_admin',` type afs_t, afs_initrc_exec_t; ') - allow $1 afs_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, afs_t, afs_t) -+ allow $1 afs_t:process { ptrace signal_perms }; ++ allow $1 afs_t:process signal_perms; + ps_process_pattern($1, afs_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 afs_t:process ptrace; ++ ') # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) @@ -24086,6 +24240,25 @@ index a496fde..847609a 100644 ######################################## # # AFS bossserver local policy +diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if +index 184c9a8..8f77bf5 100644 +--- a/policy/modules/services/aiccu.if ++++ b/policy/modules/services/aiccu.if +@@ -79,9 +79,13 @@ interface(`aiccu_admin',` + type aiccu_var_run_t; + ') + +- allow $1 aiccu_t:process { ptrace signal_perms }; ++ allow $1 aiccu_t:process signal_perms; + ps_process_pattern($1, aiccu_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 aiccu_t:process ptrace; ++ ') ++ + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te index 6d685ba..4114d9b 100644 --- a/policy/modules/services/aiccu.te @@ -24116,7 +24289,7 @@ index 7798464..ff76db7 100644 /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) /var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if -index 838d25b..0b0db39 100644 +index 838d25b..b84d045 100644 --- a/policy/modules/services/aide.if +++ b/policy/modules/services/aide.if @@ -33,6 +33,7 @@ interface(`aide_domtrans',` 
@@ -24127,6 +24300,21 @@ index 838d25b..0b0db39 100644 # interface(`aide_run',` gen_require(` +@@ -60,9 +61,13 @@ interface(`aide_admin',` + type aide_t, aide_db_t, aide_log_t; + ') + +- allow $1 aide_t:process { ptrace signal_perms }; ++ allow $1 aide_t:process signal_perms; + ps_process_pattern($1, aide_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 aide_t:process ptrace; ++ ') ++ + files_list_etc($1) + admin_pattern($1, aide_db_t) + diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te index 2509dd2..7ada82f 100644 --- a/policy/modules/services/aide.te @@ -24152,7 +24340,7 @@ index 2509dd2..7ada82f 100644 -userdom_use_user_terminals(aide_t) +userdom_use_inherited_user_terminals(aide_t) diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if -index 0370dba..af5d229 100644 +index 0370dba..feea7e5 100644 --- a/policy/modules/services/aisexec.if +++ b/policy/modules/services/aisexec.if @@ -5,9 +5,9 @@ @@ -24167,6 +24355,21 @@ index 0370dba..af5d229 100644 ## # interface(`aisexec_domtrans',` +@@ -82,9 +82,13 @@ interface(`aisexecd_admin',` + type aisexec_initrc_exec_t; + ') + +- allow $1 aisexec_t:process { ptrace signal_perms }; ++ allow $1 aisexec_t:process signal_perms; + ps_process_pattern($1, aisexec_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 aisexec_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 aisexec_initrc_exec_t system_r; diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te index 64953f7..99a750b 100644 --- a/policy/modules/services/aisexec.te @@ -24196,10 +24399,10 @@ index 0000000..aeb1888 +/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if new file mode 100644 -index 0000000..0f3fc36 +index 0000000..7abe946 --- /dev/null 
+++ b/policy/modules/services/ajaxterm.if -@@ -0,0 +1,86 @@ +@@ -0,0 +1,90 @@ +## policy for ajaxterm + +######################################## @@ -24278,9 +24481,13 @@ index 0000000..0f3fc36 + type ajaxterm_t, ajaxterm_initrc_exec_t; + ') + -+ allow $1 ajaxterm_t:process { ptrace signal_perms }; ++ allow $1 ajaxterm_t:process signal_perms; + ps_process_pattern($1, ajaxterm_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ajaxterm_t:process ptrace; ++ ') ++ + ajaxterm_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ajaxterm_initrc_exec_t system_r; @@ -24369,6 +24576,25 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) +diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if +index e31d92a..e515cb8 100644 +--- a/policy/modules/services/amavis.if ++++ b/policy/modules/services/amavis.if +@@ -231,9 +231,13 @@ interface(`amavis_admin',` + type amavis_initrc_exec_t; + ') + +- allow $1 amavis_t:process { ptrace signal_perms }; ++ allow $1 amavis_t:process signal_perms; + ps_process_pattern($1, amavis_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 amavis_t:process ptrace; ++ ') ++ + amavis_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 amavis_initrc_exec_t system_r; diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index deca9d3..ae8c579 100644 --- a/policy/modules/services/amavis.te @@ -24566,10 +24792,10 @@ index 9e39aa5..a9959fa 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..e12bbc0 100644 +index 6480167..2ad693a 100644 --- a/policy/modules/services/apache.if 
+++ b/policy/modules/services/apache.if -@@ -13,17 +13,13 @@ +@@ -13,62 +13,46 @@ # template(`apache_content_template',` gen_require(` @@ -24579,6 +24805,7 @@ index 6480167..e12bbc0 100644 + attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; ++ attribute httpd_script_type, httpd_content_type; ') - # allow write access to public file transfer - # services files. 
@@ -24587,68 +24814,89 @@ index 6480167..e12bbc0 100644 #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable + type httpd_$1_content_t; # customizable; ++ typeattribute httpd_$1_content_t httpd_content_type; typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) -@@ -36,32 +32,32 @@ template(`apache_content_template',` + # This type is used for .htaccess files +- type httpd_$1_htaccess_t; # customizable; ++ type httpd_$1_htaccess_t, httpd_content_type; # customizable; ++ typeattribute httpd_$1_htaccess_t httpd_content_type; + files_type(httpd_$1_htaccess_t) + + # Type that CGI scripts run as +- type httpd_$1_script_t; ++ type httpd_$1_script_t, httpd_script_type; domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; -+ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type) -+ # This type is used for executable scripts files type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) +- corecmd_shell_entry_type(httpd_$1_script_t) ++ typeattribute httpd_$1_script_exec_t httpd_content_type; domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - type httpd_$1_rw_content_t, httpdcontent; # customizable + type httpd_$1_rw_content_t; # customizable ++ typeattribute httpd_$1_rw_content_t httpd_content_type; typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; files_type(httpd_$1_rw_content_t) - type httpd_$1_ra_content_t, httpdcontent; # customizable -+ type httpd_$1_ra_content_t; # customizable ++ type httpd_$1_ra_content_t, httpd_content_type; # customizable ++ typeattribute httpd_$1_ra_content_t httpd_content_type; typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - +- read_files_pattern(httpd_t, httpd_$1_content_t, 
httpd_$1_htaccess_t) +- - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - - allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; +- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - - allow httpd_$1_script_t self:fifo_file rw_file_perms; - allow httpd_$1_script_t self:unix_stream_socket connectto; - - allow httpd_$1_script_t httpd_t:fifo_file write; - # apache should set close-on-exec +- +- allow httpd_$1_script_t self:fifo_file rw_file_perms; +- allow httpd_$1_script_t self:unix_stream_socket connectto; +- +- allow httpd_$1_script_t httpd_t:fifo_file write; +- # apache should set close-on-exec - dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; -+ apache_dontaudit_leaks(httpd_$1_script_t) - +- # Allow the script process to search the cgi directory, and users directory allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; -@@ -86,7 +82,6 @@ template(`apache_content_template',` + +- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) +- logging_search_logs(httpd_$1_script_t) +- + can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; + +@@ -86,40 +70,6 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - 
kernel_dontaudit_search_sysctl(httpd_$1_script_t) - kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -95,6 +90,7 @@ template(`apache_content_template',` - dev_read_urand(httpd_$1_script_t) - - corecmd_exec_all_executables(httpd_$1_script_t) -+ application_exec_all(httpd_$1_script_t) - - files_exec_etc_files(httpd_$1_script_t) - files_read_etc_files(httpd_$1_script_t) -@@ -108,19 +104,6 @@ template(`apache_content_template',` - - seutil_dontaudit_search_config(httpd_$1_script_t) - +- +- kernel_dontaudit_search_sysctl(httpd_$1_script_t) +- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) +- +- dev_read_rand(httpd_$1_script_t) +- dev_read_urand(httpd_$1_script_t) +- +- corecmd_exec_all_executables(httpd_$1_script_t) +- +- files_exec_etc_files(httpd_$1_script_t) +- files_read_etc_files(httpd_$1_script_t) +- files_search_home(httpd_$1_script_t) +- +- libs_exec_ld_so(httpd_$1_script_t) +- libs_exec_lib_files(httpd_$1_script_t) +- +- miscfiles_read_fonts(httpd_$1_script_t) +- miscfiles_read_public_files(httpd_$1_script_t) +- +- seutil_dontaudit_search_config(httpd_$1_script_t) +- - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; - 
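Review bot: `type httpd_$1_htaccess_t, httpd_content_type;` and `type httpd_$1_ra_content_t, httpd_content_type;` attach the attribute in the declaration and then again through a `typeattribute` on the following line, while `httpd_$1_content_t`, `httpd_$1_rw_content_t` and `httpd_$1_script_exec_t` get it only via `typeattribute`; use one form for all five so a reader can see at a glance which types are members of `httpd_content_type`. The duplicate is presumably accepted by the compiler, but the inconsistency invites a later cleanup that drops one copy and overlooks that the other still exists. `typeattribute httpd_$1_script_exec_t httpd_content_type;` also means every future attribute-wide grant on "web content" reaches CGI executables, which deserves a comment on that line such as `# script executables are content too: attribute-wide rules on httpd_content_type reach them`. The template continues past the end of this hunk.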
@@ -24661,15 +24909,26 @@ index 6480167..e12bbc0 100644 - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') -- + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -@@ -140,26 +123,37 @@ template(`apache_content_template',` - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -+ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto; +@@ -128,68 +78,25 @@ template(`apache_content_template',` + manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + +- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms }; + read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + +- allow httpd_t httpd_$1_content_t:dir list_dir_perms; +- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) +- +- allow httpd_t httpd_$1_content_t:dir list_dir_perms; +- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) ') tunable_policy(`httpd_enable_cgi',` 
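Review bot: `allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };` drops `list_dir_perms` from the `httpd_builtin_scripting` block, and both `allow httpd_t httpd_$1_content_t:dir list_dir_perms;` / `read_files_pattern` / `read_lnk_files_pattern` groups for plain content are removed outright, so within this hunk httpd_t keeps search-but-not-list on ra directories and has no read rule left on `httpd_$1_content_t`. If those grants are meant to come from an attribute-wide rule on `httpd_content_type`, that rule is not in this chunk; if they are not, the server loses read access to ordinary content whenever built-in scripting is enabled. A comment at the point of removal naming the replacing rule, e.g. `# reads of all httpd_content_type now granted to httpd_t in apache.te`, would make the intent checkable. The enclosing `tunable_policy` and the template both start before this hunk.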
@@ -24684,45 +24943,50 @@ index 6480167..e12bbc0 100644 + # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms; -+ allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms; -+ - allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; - - allow httpd_$1_script_t self:process { setsched signal_perms }; - allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; -+ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; - - allow httpd_$1_script_t httpd_t:fd use; - allow httpd_$1_script_t httpd_t:process sigchld; - -+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; -+ - kernel_read_system_state(httpd_$1_script_t) - - dev_read_urand(httpd_$1_script_t) -@@ -172,6 +166,7 @@ template(`apache_content_template',` - libs_read_lib_files(httpd_$1_script_t) - - miscfiles_read_localization(httpd_$1_script_t) -+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; - ') - - optional_policy(` -@@ -182,10 +177,6 @@ template(`apache_content_template',` - - optional_policy(` - postgresql_unpriv_client(httpd_$1_script_t) +- +- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; +- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; +- +- allow httpd_$1_script_t self:process { setsched signal_perms }; +- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; +- +- allow httpd_$1_script_t httpd_t:fd use; +- allow httpd_$1_script_t httpd_t:process sigchld; +- +- kernel_read_system_state(httpd_$1_script_t) +- +- dev_read_urand(httpd_$1_script_t) +- +- fs_getattr_xattr_fs(httpd_$1_script_t) +- +- files_read_etc_runtime_files(httpd_$1_script_t) +- files_read_usr_files(httpd_$1_script_t) +- +- libs_read_lib_files(httpd_$1_script_t) +- +- miscfiles_read_localization(httpd_$1_script_t) +- ') +- +- optional_policy(` 
+- tunable_policy(`httpd_enable_cgi && allow_ypbind',` +- nis_use_ypbind_uncond(httpd_$1_script_t) +- ') +- ') +- +- optional_policy(` +- postgresql_unpriv_client(httpd_$1_script_t) - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_$1_script_t) - ') +- ') +- +- optional_policy(` +- nscd_socket_use(httpd_$1_script_t) ') + ') - optional_policy(` -@@ -211,9 +202,8 @@ template(`apache_content_template',` +@@ -211,9 +118,8 @@ template(`apache_content_template',` interface(`apache_role',` gen_require(` attribute httpdcontent; @@ -24734,7 +24998,7 @@ index 6480167..e12bbc0 100644 ') role $1 types httpd_user_script_t; -@@ -234,6 +224,13 @@ interface(`apache_role',` +@@ -234,6 +140,13 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -24748,7 +25012,7 @@ index 6480167..e12bbc0 100644 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -248,6 +245,9 @@ interface(`apache_role',` +@@ -248,6 +161,9 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) @@ -24758,7 +25022,7 @@ index 6480167..e12bbc0 100644 tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -317,6 +317,25 @@ interface(`apache_domtrans',` +@@ -317,6 +233,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') 
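Review bot: Nothing on the new side re-grants the script-domain rules this hunk deletes from the `httpd_enable_cgi` body — `allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };`, the script domain's self, `fd use` and `sigchld` rules, `kernel_read_system_state`, `libs_read_lib_files`, `miscfiles_read_localization`, the postgresql client block and `nscd_socket_use` — leaving only `domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)`. Presumably they move to rules on the new `httpd_script_type` attribute in apache.te, but the only visible successor in this chunk is `postgresql_unpriv_client(httpd_sys_script_t)` for the sys domain, so `httpd_user_script_t` loses its postgresql access and `nscd_socket_use` has no visible replacement unless it is covered elsewhere. A comment beside the surviving `domtrans_pattern`, such as `# per-script-domain access rules live on httpd_script_type in apache.te`, would tell the next reader where the removed rules went. The enclosing template starts before this hunk.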
@@ -24784,7 +25048,7 @@ index 6480167..e12bbc0 100644 ####################################### ## ## Send a generic signal to apache. -@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -405,7 +340,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -24793,7 +25057,7 @@ index 6480167..e12bbc0 100644 ') ######################################## -@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',` +@@ -487,7 +422,7 @@ interface(`apache_setattr_cache_dirs',` type httpd_cache_t; ') @@ -24802,7 +25066,7 @@ index 6480167..e12bbc0 100644 ') ######################################## -@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',` +@@ -531,6 +466,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -24828,7 +25092,7 @@ index 6480167..e12bbc0 100644 ## Apache cache. ## ## -@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',` +@@ -549,6 +503,26 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -24855,7 +25119,7 @@ index 6480167..e12bbc0 100644 ## Allow the specified domain to read ## apache configuration files. ## -@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',` +@@ -699,7 +673,7 @@ interface(`apache_dontaudit_append_log',` type httpd_log_t; ') @@ -24864,7 +25128,7 @@ index 6480167..e12bbc0 100644 ') ######################################## -@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -745,6 +719,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -24890,7 +25154,7 @@ index 6480167..e12bbc0 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -761,6 +838,7 @@ interface(`apache_list_modules',` +@@ -761,6 +754,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; 
@@ -24898,7 +25162,7 @@ index 6480167..e12bbc0 100644 ') ######################################## -@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',` +@@ -802,6 +796,43 @@ interface(`apache_domtrans_rotatelogs',` domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') @@ -24942,7 +25206,7 @@ index 6480167..e12bbc0 100644 ######################################## ## ## Allow the specified domain to list -@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +850,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -24950,7 +25214,7 @@ index 6480167..e12bbc0 100644 files_search_var($1) ') -@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +878,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -25025,7 +25289,7 @@ index 6480167..e12bbc0 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +962,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; @@ -25039,7 +25303,7 @@ index 6480167..e12bbc0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1026,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -25051,7 +25315,7 @@ index 6480167..e12bbc0 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1056,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') 
@@ -25060,7 +25324,7 @@ index 6480167..e12bbc0 100644 ') ######################################## -@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1197,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -25086,7 +25350,7 @@ index 6480167..e12bbc0 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1232,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -25095,7 +25359,7 @@ index 6480167..e12bbc0 100644 ') ######################################## -@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',` +@@ -1150,12 +1275,6 @@ interface(`apache_cgi_domain',` ## ## All of the rules required to administrate an apache environment ## @@ -25108,7 +25372,7 @@ index 6480167..e12bbc0 100644 ## ## ## Domain allowed access. -@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',` +@@ -1170,19 +1289,21 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -25127,11 +25391,17 @@ index 6480167..e12bbc0 100644 ') - allow $1 httpd_t:process { getattr ptrace signal_perms }; -+ allow $1 httpd_t:process { ptrace signal_perms }; ++ allow $1 httpd_t:process signal_perms; ps_process_pattern($1, httpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 httpd_t:process ptrace; ++ ') ++ init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1392,10 @@ interface(`apache_admin',` + domain_system_change_exemption($1) + role_transition $2 httpd_initrc_exec_t system_r; +@@ -1191,10 +1312,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) 
@@ -25144,7 +25414,7 @@ index 6480167..e12bbc0 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1406,69 @@ interface(`apache_admin',` +@@ -1205,14 +1326,69 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -25220,10 +25490,10 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..248682c 100644 +index 3136c6a..7cb2fe5 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,211 @@ policy_module(apache, 2.2.1) # Declarations # @@ -25482,8 +25752,16 @@ index 3136c6a..248682c 100644 + attribute httpdcontent; attribute httpd_user_content_type; ++attribute httpd_content_type; + + # domains that can exec all users scripts + attribute httpd_exec_scripts; -@@ -166,7 +239,7 @@ files_type(httpd_cache_t) ++attribute httpd_script_type; + attribute httpd_script_exec_type; + attribute httpd_user_script_exec_type; + +@@ -166,7 +241,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -25492,7 +25770,7 @@ index 3136c6a..248682c 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +250,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +252,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) 
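Review bot: `attribute httpd_content_type;` and `attribute httpd_script_type;` are declared without the explanatory comment the neighbouring attribute declarations carry (`# domains that can exec all users scripts` for `httpd_exec_scripts`). Since apache_content_template now places every content, htaccess, rw, ra and script-exec type into `httpd_content_type` and every CGI domain into `httpd_script_type`, a reader of apache.te cannot tell from these two lines how far a rule written against either attribute reaches. Suggested: `# every content type created by apache_content_template, script executables included` above the first and `# every CGI script domain created by apache_content_template` above the second.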
@@ -25502,12 +25780,16 @@ index 3136c6a..248682c 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +292,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +294,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) -typealias httpd_sys_content_t alias ntop_http_content_t; + ++optional_policy(` ++ postgresql_unpriv_client(httpd_sys_script_t) ++') ++ +typeattribute httpd_sys_content_t httpdcontent; # customizable +typeattribute httpd_sys_rw_content_t httpdcontent; # customizable +typeattribute httpd_sys_ra_content_t httpdcontent; # customizable @@ -25521,7 +25803,7 @@ index 3136c6a..248682c 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +312,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +318,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -25532,7 +25814,7 @@ index 3136c6a..248682c 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +323,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +329,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -25540,7 +25822,7 @@ index 3136c6a..248682c 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +345,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +351,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) 
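Review bot: `optional_policy(` postgresql_unpriv_client(httpd_sys_script_t) ')` is placed in the declarations section directly after `apache_content_template(sys)` and before the `typeattribute … httpdcontent` lines, whereas the file's other optional_policy blocks sit in the per-domain local-policy sections further down; moving it into the "Apache system script local policy" section keeps the declarations section free of access rules. It also grants the postgresql client to the sys script domain only, so if the user script domain previously obtained the same access through the template, that access is now gone unless it is restored elsewhere.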
@@ -25564,7 +25846,7 @@ index 3136c6a..248682c 100644 ######################################## # # Apache server local policy -@@ -281,11 +381,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +387,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -25578,7 +25860,7 @@ index 3136c6a..248682c 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +431,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +437,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -25589,7 +25871,7 @@ index 3136c6a..248682c 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +458,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +464,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -25599,7 +25881,7 @@ index 3136c6a..248682c 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +471,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +477,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) 
@@ -25616,7 +25898,7 @@ index 3136c6a..248682c 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +488,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +494,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -25632,7 +25914,7 @@ index 3136c6a..248682c 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +501,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +507,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -25640,7 +25922,7 @@ index 3136c6a..248682c 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +513,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +519,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -25744,7 +26026,7 @@ index 3136c6a..248682c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +620,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +626,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -25794,7 +26076,7 @@ index 3136c6a..248682c 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +670,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +676,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
@@ -25811,7 +26093,7 @@ index 3136c6a..248682c 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +694,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +700,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -25832,7 +26114,7 @@ index 3136c6a..248682c 100644 ') optional_policy(` -@@ -513,7 +718,13 @@ optional_policy(` +@@ -513,7 +724,13 @@ optional_policy(` ') optional_policy(` @@ -25847,7 +26129,7 @@ index 3136c6a..248682c 100644 ') optional_policy(` -@@ -528,7 +739,19 @@ optional_policy(` +@@ -528,7 +745,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -25868,7 +26150,7 @@ index 3136c6a..248682c 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +760,13 @@ optional_policy(` +@@ -537,8 +766,13 @@ optional_policy(` ') optional_policy(` @@ -25883,7 +26165,7 @@ index 3136c6a..248682c 100644 ') ') -@@ -556,7 +784,13 @@ optional_policy(` +@@ -556,7 +790,13 @@ optional_policy(` ') optional_policy(` @@ -25897,7 +26179,7 @@ index 3136c6a..248682c 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +801,7 @@ optional_policy(` +@@ -567,6 +807,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -25905,7 +26187,7 @@ index 3136c6a..248682c 100644 ') optional_policy(` -@@ -577,6 +812,20 @@ optional_policy(` +@@ -577,6 +818,20 @@ optional_policy(` ') optional_policy(` @@ -25926,7 +26208,7 @@ index 3136c6a..248682c 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +840,11 @@ optional_policy(` +@@ -591,6 +846,11 @@ optional_policy(` ') optional_policy(` 
@@ -25938,7 +26220,7 @@ index 3136c6a..248682c 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +857,12 @@ optional_policy(` +@@ -603,6 +863,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -25951,7 +26233,7 @@ index 3136c6a..248682c 100644 ######################################## # # Apache helper local policy -@@ -616,7 +876,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +882,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -25964,7 +26246,7 @@ index 3136c6a..248682c 100644 ######################################## # -@@ -654,28 +918,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +924,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26008,7 +26290,7 @@ index 3136c6a..248682c 100644 ') ######################################## -@@ -685,6 +951,8 @@ optional_policy(` +@@ -685,6 +957,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -26017,7 +26299,7 @@ index 3136c6a..248682c 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +967,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +973,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -26043,7 +26325,7 @@ index 3136c6a..248682c 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1013,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1019,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -26076,7 +26358,7 @@ index 3136c6a..248682c 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1060,25 @@ optional_policy(` +@@ -769,6 +1066,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -26102,7 +26384,7 @@ index 3136c6a..248682c 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1099,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1105,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -26120,7 +26402,7 @@ index 3136c6a..248682c 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1118,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1124,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -26177,7 +26459,7 @@ index 3136c6a..248682c 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1169,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1175,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -26208,7 +26490,7 @@ index 3136c6a..248682c 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1204,20 @@ optional_policy(` +@@ -842,10 +1210,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -26229,7 +26511,7 @@ index 3136c6a..248682c 100644 ') ######################################## -@@ -891,11 +1263,49 @@ optional_policy(` +@@ -891,11 +1269,137 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -26247,13 +26529,13 @@ index 3136c6a..248682c 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) -+') + ') + +######################################## +# 
@@ -26282,6 +26564,94 @@ index 3136c6a..248682c 100644 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; + ++ ++search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type) ++corecmd_shell_entry_type(httpd_script_type) ++ ++allow httpd_script_type self:fifo_file rw_file_perms; ++allow httpd_script_type self:unix_stream_socket connectto; ++ ++allow httpd_script_type httpd_t:fifo_file write; ++# apache should set close-on-exec ++apache_dontaudit_leaks(httpd_script_type) ++ ++append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t) ++logging_search_logs(httpd_script_type) ++ ++kernel_dontaudit_search_sysctl(httpd_script_type) ++kernel_dontaudit_search_kernel_sysctl(httpd_script_type) ++ ++dev_read_rand(httpd_script_type) ++dev_read_urand(httpd_script_type) ++ ++corecmd_exec_all_executables(httpd_script_type) ++application_exec_all(httpd_script_type) ++ ++files_exec_etc_files(httpd_script_type) ++files_read_etc_files(httpd_script_type) ++files_search_home(httpd_script_type) ++ ++libs_exec_ld_so(httpd_script_type) ++libs_exec_lib_files(httpd_script_type) ++ ++miscfiles_read_fonts(httpd_script_type) ++miscfiles_read_public_files(httpd_script_type) ++ ++seutil_dontaudit_search_config(httpd_script_type) ++allow httpd_t httpd_script_type:unix_stream_socket connectto; ++ ++allow httpd_t httpd_script_exec_type:file read_file_perms; ++allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; ++allow httpd_t httpd_script_type:process { signal sigkill sigstop }; ++allow httpd_t httpd_script_exec_type:dir list_dir_perms; ++ ++allow httpd_script_type self:process { setsched signal_perms }; ++allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; ++allow httpd_script_type self:unix_dgram_socket create_socket_perms; ++ ++allow httpd_script_type httpd_t:fd use; ++allow httpd_script_type httpd_t:process sigchld; ++ ++dontaudit httpd_script_type 
httpd_t:tcp_socket { read write }; ++ ++kernel_read_system_state(httpd_script_type) ++ ++dev_read_urand(httpd_script_type) ++ ++fs_getattr_xattr_fs(httpd_script_type) ++ ++files_read_etc_runtime_files(httpd_script_type) ++files_read_usr_files(httpd_script_type) ++ ++libs_read_lib_files(httpd_script_type) ++ ++miscfiles_read_localization(httpd_script_type) ++allow httpd_script_type httpd_sys_content_t:dir search_dir_perms; ++ ++tunable_policy(`httpd_enable_cgi && allow_ypbind',` ++ nis_use_ypbind_uncond(httpd_script_type) ++') ++ ++optional_policy(` ++ nscd_socket_use(httpd_script_type) ++') ++ ++read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++ ++tunable_policy(`httpd_builtin_scripting',` ++ allow httpd_t httpd_content_type:dir search_dir_perms; ++ allow httpd_suexec_t httpd_content_type:dir search_dir_perms; ++ ++ allow httpd_t httpd_content_type:dir list_dir_perms; ++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++ ++ allow httpd_t httpd_content_type:dir list_dir_perms; ++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++') ++ ++ diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc index cd07b96..9b7742f 100644 --- a/policy/modules/services/apcupsd.fc 
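Review bot: Several of the new `httpd_script_type` rules in this hunk are duplicated: `dev_read_urand(httpd_script_type)` is called twice, `allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;` repeats what `search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)` already grants, and the three `httpd_content_type` list/read lines inside `tunable_policy(`httpd_builtin_scripting', ...)` are written twice verbatim (the unconditional `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` just above the tunable makes the in-tunable copy redundant as well). checkpolicy merges duplicate rules, so this is not a build failure, but the repeated grants make auditing what a script domain can reach harder than it needs to be; keep one copy of each. Separately, `corecmd_exec_all_executables(httpd_script_type)` and `application_exec_all(httpd_script_type)` are unconditional, so every CGI and script domain may execute any executable the policy labels; if that breadth is intended, add a comment stating why (e.g. `# script domains may run any system executable; narrow per script type where possible`), otherwise consider gating it on a tunable. The apache.te section this hunk belongs to continues outside the hunk.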
@@ -26300,6 +26670,25 @@ index cd07b96..9b7742f 100644 /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if +index e342775..4ffdb80 100644 +--- a/policy/modules/services/apcupsd.if ++++ b/policy/modules/services/apcupsd.if +@@ -146,9 +146,13 @@ interface(`apcupsd_admin',` + type apcupsd_initrc_exec_t; + ') + +- allow $1 apcupsd_t:process { ptrace signal_perms }; ++ allow $1 apcupsd_t:process signal_perms; + ps_process_pattern($1, apcupsd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 apcupsd_t:process ptrace; ++ ') ++ + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apcupsd_initrc_exec_t system_r; diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index d052bf0..ec55314 100644 --- a/policy/modules/services/apcupsd.te @@ -26355,7 +26744,7 @@ index 1ea99b2..9427dd5 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..21b91de 100644 +index 1c8c27e..f8de34e 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) 
@@ -26375,8 +26764,12 @@ index 1c8c27e..21b91de 100644 domain_use_interactive_fds(apm_t) -@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; - dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +@@ -59,9 +60,10 @@ logging_send_syslog_msg(apm_t) + # mknod: controlling an orderly resume of PCMCIA requires creating device + # nodes 254,{0,1,2} for some reason. + allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; ++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; +allow apmd_t self:netlink_socket create_socket_perms; @@ -26473,18 +26866,24 @@ index 1c8c27e..21b91de 100644 ') diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if -index c804110..bdefbe1 100644 +index c804110..980cd57 100644 --- a/policy/modules/services/arpwatch.if +++ b/policy/modules/services/arpwatch.if -@@ -137,7 +137,7 @@ interface(`arpwatch_admin',` +@@ -137,9 +137,13 @@ interface(`arpwatch_admin',` type arpwatch_initrc_exec_t; ') - allow $1 arpwatch_t:process { ptrace signal_perms getattr }; -+ allow $1 arpwatch_t:process { ptrace signal_perms }; ++ allow $1 arpwatch_t:process signal_perms; ps_process_pattern($1, arpwatch_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 arpwatch_t:process ptrace; ++ ') ++ arpwatch_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 arpwatch_initrc_exec_t system_r; diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te index 804135f..af04567 100644 --- a/policy/modules/services/arpwatch.te @@ -26501,18 +26900,24 @@ index 804135f..af04567 100644 kernel_request_load_module(arpwatch_t) 
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if -index 8b8143e..c1a2b96 100644 +index 8b8143e..a04a8af 100644 --- a/policy/modules/services/asterisk.if +++ b/policy/modules/services/asterisk.if -@@ -64,7 +64,7 @@ interface(`asterisk_admin',` +@@ -64,9 +64,13 @@ interface(`asterisk_admin',` type asterisk_initrc_exec_t; ') - allow $1 asterisk_t:process { ptrace signal_perms getattr }; -+ allow $1 asterisk_t:process { ptrace signal_perms }; ++ allow $1 asterisk_t:process signal_perms; ps_process_pattern($1, asterisk_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 asterisk_t:process ptrace; ++ ') ++ init_labeled_script_domtrans($1, asterisk_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index b3b0176..8e66610 100644 --- a/policy/modules/services/asterisk.te @@ -26593,8 +26998,21 @@ index b3b0176..8e66610 100644 mysql_stream_connect(asterisk_t) ') +diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te +index 2b348c7..b89658c 100644 +--- a/policy/modules/services/audioentropy.te ++++ b/policy/modules/services/audioentropy.te +@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t) + + domain_use_interactive_fds(entropyd_t) + ++auth_read_passwd(entropyd_t) ++ + logging_send_syslog_msg(entropyd_t) + + miscfiles_read_localization(entropyd_t) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if -index d80a16b..68b85e2 100644 +index d80a16b..4f2a53f 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if @@ -29,7 +29,6 @@ interface(`automount_domtrans',` 
@@ -26632,15 +27050,21 @@ index d80a16b..68b85e2 100644 ') ######################################## -@@ -149,7 +150,7 @@ interface(`automount_admin',` +@@ -149,9 +150,13 @@ interface(`automount_admin',` type automount_var_run_t, automount_initrc_exec_t; ') - allow $1 automount_t:process { ptrace signal_perms getattr }; -+ allow $1 automount_t:process { ptrace signal_perms }; ++ allow $1 automount_t:process signal_perms; ps_process_pattern($1, automount_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 automount_t:process ptrace; ++ ') ++ init_labeled_script_domtrans($1, automount_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 automount_initrc_exec_t system_r; diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 39799db..9390ef1 100644 --- a/policy/modules/services/automount.te @@ -26678,7 +27102,7 @@ index 39799db..9390ef1 100644 ') diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if -index 61c74bc..c6b0498 100644 +index 61c74bc..c7a0db2 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',` @@ -26689,6 +27113,21 @@ index 61c74bc..c6b0498 100644 allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') +@@ -153,9 +154,13 @@ interface(`avahi_admin',` + type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; + ') + +- allow $1 avahi_t:process { ptrace signal_perms }; ++ allow $1 avahi_t:process signal_perms; + ps_process_pattern($1, avahi_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 avahi_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, avahi_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 avahi_initrc_exec_t system_r; diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index a7a0e71..5352ef6 100644 --- a/policy/modules/services/avahi.te 
@@ -26734,7 +27173,7 @@ index 59aa54f..f944a65 100644 /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if -index 44a1e3d..7802b7b 100644 +index 44a1e3d..7cc67ec 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` @@ -26822,7 +27261,7 @@ index 44a1e3d..7802b7b 100644 ## Manage BIND zone files. ## ## -@@ -359,10 +403,9 @@ interface(`bind_udp_chat_named',` +@@ -359,18 +403,25 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -26835,8 +27274,26 @@ index 44a1e3d..7802b7b 100644 + type dnssec_t, ndc_t, named_keytab_t; ') - allow $1 named_t:process { ptrace signal_perms }; -@@ -391,9 +434,10 @@ interface(`bind_admin',` +- allow $1 named_t:process { ptrace signal_perms }; ++ allow $1 named_t:process signal_perms; + ps_process_pattern($1, named_t) + +- allow $1 ndc_t:process { ptrace signal_perms }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 named_t:process ptrace; ++ ') ++ ++ allow $1 ndc_t:process signal_perms; + ps_process_pattern($1, ndc_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ndc_t:process ptrace; ++ ') ++ + bind_run_ndc($1, $2) + + init_labeled_script_domtrans($1, named_initrc_exec_t) +@@ -391,9 +442,10 @@ interface(`bind_admin',` admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) 
@@ -27004,6 +27461,25 @@ index 0197980..f8bce2c 100644 + +/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) +/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) +diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if +index de0bd67..1df2048 100644 +--- a/policy/modules/services/bitlbee.if ++++ b/policy/modules/services/bitlbee.if +@@ -43,9 +43,13 @@ interface(`bitlbee_admin',` + type bitlbee_initrc_exec_t; + ') + +- allow $1 bitlbee_t:process { ptrace signal_perms }; ++ allow $1 bitlbee_t:process signal_perms; + ps_process_pattern($1, bitlbee_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bitlbee_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te index f4e7ad3..2faf42a 100644 --- a/policy/modules/services/bitlbee.te 
@@ -27071,8 +27547,106 @@ index f4e7ad3..2faf42a 100644 dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) +diff --git a/policy/modules/services/blueman.fc b/policy/modules/services/blueman.fc +new file mode 100644 +index 0000000..69f2b36 +--- /dev/null ++++ b/policy/modules/services/blueman.fc +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) +diff --git a/policy/modules/services/blueman.if b/policy/modules/services/blueman.if +new file mode 100644 +index 0000000..d694c0a +--- /dev/null ++++ b/policy/modules/services/blueman.if +@@ -0,0 +1,41 @@ ++## policy for blueman ++ ++######################################## ++## ++## Transition to blueman. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`blueman_domtrans',` ++ gen_require(` ++ type blueman_t, blueman_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, blueman_exec_t, blueman_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## blueman over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`blueman_dbus_chat',` ++ gen_require(` ++ type blueman_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 blueman_t:dbus send_msg; ++ allow blueman_t $1:dbus send_msg; ++') +diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te +new file mode 100644 +index 0000000..fde1531 +--- /dev/null ++++ b/policy/modules/services/blueman.te +@@ -0,0 +1,37 @@ ++policy_module(blueman, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type blueman_t; ++type blueman_exec_t; ++dbus_system_domain(blueman_t, blueman_exec_t) ++ ++######################################## ++# ++# blueman local policy ++# ++allow blueman_t self:fifo_file rw_fifo_file_perms; ++ ++kernel_read_system_state(blueman_t) ++ ++corecmd_exec_bin(blueman_t) ++ ++dev_rw_wireless(blueman_t) ++ ++domain_use_interactive_fds(blueman_t) ++ ++files_read_etc_files(blueman_t) ++files_read_usr_files(blueman_t) ++ ++auth_read_passwd(blueman_t) ++ ++logging_send_syslog_msg(blueman_t) ++ ++miscfiles_read_localization(blueman_t) ++ ++optional_policy(` ++ avahi_domtrans(blueman_t) ++') diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if -index 3e45431..4aa8fb1 100644 +index 3e45431..a726c09 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -14,6 +14,7 @@ 
@@ -27083,16 +27657,29 @@ index 3e45431..4aa8fb1 100644 # interface(`bluetooth_role',` gen_require(` -@@ -27,7 +28,7 @@ interface(`bluetooth_role',` +@@ -27,7 +28,11 @@ interface(`bluetooth_role',` # allow ps to show cdrecord and allow the user to kill it ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process signal; -+ allow $2 bluetooth_helper_t:process { ptrace signal_perms }; ++ allow $2 bluetooth_helper_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 bluetooth_helper_t:process ptrace; ++ ') manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',` +@@ -35,6 +40,8 @@ interface(`bluetooth_role',` + + manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) + manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) ++ ++ bluetooth_stream_connect($2) + ') + + ##################################### +@@ -91,7 +98,7 @@ interface(`bluetooth_read_config',` type bluetooth_conf_t; ') @@ -27101,7 +27688,7 @@ index 3e45431..4aa8fb1 100644 ') ######################################## -@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',` +@@ -117,6 +124,27 @@ interface(`bluetooth_dbus_chat',` ######################################## ## @@ -27129,7 +27716,7 @@ index 3e45431..4aa8fb1 100644 ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## -@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',` +@@ -157,7 +185,7 @@ interface(`bluetooth_run_helper',` ######################################## ## @@ -27138,7 +27725,7 @@ index 3e45431..4aa8fb1 100644 ## ## ## -@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',` +@@ -170,8 +198,8 @@ interface(`bluetooth_dontaudit_read_helper_state',` type bluetooth_helper_t; ') 
@@ -27149,7 +27736,7 @@ index 3e45431..4aa8fb1 100644 ') ######################################## -@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',` +@@ -194,14 +222,17 @@ interface(`bluetooth_dontaudit_read_helper_state',` interface(`bluetooth_admin',` gen_require(` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; @@ -27159,8 +27746,18 @@ index 3e45431..4aa8fb1 100644 - type bluetooth_initrc_exec_t; ') - allow $1 bluetooth_t:process { ptrace signal_perms }; -@@ -217,9 +238,6 @@ interface(`bluetooth_admin',` +- allow $1 bluetooth_t:process { ptrace signal_perms }; ++ allow $1 bluetooth_t:process signal_perms; + ps_process_pattern($1, bluetooth_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bluetooth_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bluetooth_initrc_exec_t system_r; +@@ -217,9 +248,6 @@ interface(`bluetooth_admin',` admin_pattern($1, bluetooth_conf_t) admin_pattern($1, bluetooth_conf_rw_t) @@ -27255,10 +27852,10 @@ index 0000000..c095160 +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if new file mode 100644 -index 0000000..fa9b95a +index 0000000..9fe3f9e --- /dev/null +++ b/policy/modules/services/boinc.if -@@ -0,0 +1,150 @@ +@@ -0,0 +1,154 @@ +## policy for boinc + +######################################## @@ -27398,9 +27995,13 @@ index 0000000..fa9b95a + type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; + ') + -+ allow $1 boinc_t:process { ptrace signal_perms }; ++ allow $1 boinc_t:process signal_perms; + ps_process_pattern($1, boinc_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 boic_t:process ptrace; ++ ') ++ + boinc_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 boinc_initrc_exec_t system_r; @@ -27411,10 +28012,10 @@ index 0000000..fa9b95a +') 
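Review bot: `boic_t` in the new `tunable_policy(`deny_ptrace',`',` ... ')` block of `boinc_admin` is a typo for `boinc_t`; it is not a declared type (the `gen_require` above names `boinc_t`), so a policy that calls `boinc_admin` should fail to build, and even if it were accepted the ptrace grant would never apply to the boinc daemon. Change the line to `allow $1 boinc_t:process ptrace;`. The same kind of misspelling appears in the cgroup.if hunk further down, where `allow $1 cglear_t:process ptrace;` should read `allow $1 cgclear_t:process ptrace;` to match the `cgclear_t` declared in that interface's `gen_require`. The rest of `boinc_admin` lies outside this hunk.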
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..e841806 +index 0000000..61db909 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,174 @@ +@@ -0,0 +1,178 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -27538,9 +28139,13 @@ index 0000000..e841806 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; + -+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop }; ++allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + ++tunable_policy(`deny_ptrace',`',` ++ allow boinc_project_t self:process ptrace; ++') ++ +allow boinc_project_t self:fifo_file rw_fifo_file_perms; +allow boinc_project_t self:sem create_sem_perms; + @@ -27599,10 +28204,10 @@ index 8c84063..c8bfb68 100644 /usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if -index de89d0f..140f520 100644 +index de89d0f..954e726 100644 --- a/policy/modules/services/bugzilla.if +++ b/policy/modules/services/bugzilla.if -@@ -58,13 +58,16 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` +@@ -58,13 +58,20 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` interface(`bugzilla_admin',` gen_require(` type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; 
@@ -27613,9 +28218,14 @@ index de89d0f..140f520 100644 + type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; + ') - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; +- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; ++ allow $1 httpd_bugzilla_script_t:process signal_perms; ps_process_pattern($1, httpd_bugzilla_script_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 httpd_bugzilla_script_t:process ptrace; ++ ') ++ + files_list_tmp($1) + admin_pattern($1, httpd_bugzilla_tmp_t) + @@ -27893,10 +28503,10 @@ index 0000000..3e15c63 +/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0) diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if new file mode 100644 -index 0000000..564acbd +index 0000000..512fcb9 --- /dev/null +++ b/policy/modules/services/callweaver.if -@@ -0,0 +1,358 @@ +@@ -0,0 +1,362 @@ +## Open source PBX project. + +######################################## @@ -28235,9 +28845,13 @@ index 0000000..564acbd + type callweaver_spool_t; + ') + -+ allow $1 callweaver_t:process { ptrace signal_perms }; ++ allow $1 callweaver_t:process signal_perms; + ps_process_pattern($1, callweaver_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 callweaver_t:process ptrace; ++ ') ++ + callweaver_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 callweaver_initrc_exec_t system_r; 
@@ -28348,6 +28962,25 @@ index 5432d0e..f77df02 100644 /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) +/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0) +diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if +index 4a26b0c..00b64dc 100644 +--- a/policy/modules/services/canna.if ++++ b/policy/modules/services/canna.if +@@ -42,9 +42,13 @@ interface(`canna_admin',` + type canna_var_run_t, canna_initrc_exec_t; + ') + +- allow $1 canna_t:process { ptrace signal_perms }; ++ allow $1 canna_t:process signal_perms; + ps_process_pattern($1, canna_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 canna_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, canna_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 canna_initrc_exec_t system_r; diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 1d25efe..1b16191 100644 --- a/policy/modules/services/canna.te @@ -28428,7 +29061,7 @@ index 4c90b57..418eb6b 100644 unconfined_use_fds(ccs_t) ') diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if -index fa62787..ffd0da5 100644 +index fa62787..d61f61f 100644 --- a/policy/modules/services/certmaster.if +++ b/policy/modules/services/certmaster.if @@ -5,9 +5,9 @@ @@ -28452,7 +29085,7 @@ index fa62787..ffd0da5 100644 ## ## ## -@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',` +@@ -116,21 +116,24 @@ interface(`certmaster_manage_log',` interface(`certmaster_admin',` gen_require(` type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; 
@@ -28461,8 +29094,17 @@ index fa62787..ffd0da5 100644 + type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; ') - allow $1 certmaster_t:process { ptrace signal_perms }; -@@ -129,8 +128,8 @@ interface(`certmaster_admin',` +- allow $1 certmaster_t:process { ptrace signal_perms }; ++ allow $1 certmaster_t:process signal_perms; + ps_process_pattern($1, certmaster_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 certmaster_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, certmaster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 certmaster_initrc_exec_t system_r; allow $2 system_r; files_list_etc($1) @@ -28508,7 +29150,7 @@ index 3384132..97d3269 100644 files_search_var_lib(certmaster_t) diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if -index 7a6e5ba..d664be8 100644 +index 7a6e5ba..e238dfd 100644 --- a/policy/modules/services/certmonger.if +++ b/policy/modules/services/certmonger.if @@ -5,9 +5,9 @@ @@ -28523,7 +29165,20 @@ index 7a6e5ba..d664be8 100644 ## # interface(`certmonger_domtrans',` -@@ -166,9 +166,9 @@ interface(`certmonger_admin',` +@@ -158,7 +158,11 @@ interface(`certmonger_admin',` + ') + + ps_process_pattern($1, certmonger_t) +- allow $1 certmonger_t:process { ptrace signal_perms }; ++ allow $1 certmonger_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 certmonger_t:process ptrace; ++ ') + + # Allow certmonger_t to restart the apache service + certmonger_initrc_domtrans($1) +@@ -166,9 +170,9 @@ interface(`certmonger_admin',` role_transition $2 certmonger_initrc_exec_t system_r; allow $2 system_r; @@ -28630,10 +29285,10 @@ index 0000000..4ec83df +/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0) diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if new file mode 100644 -index 0000000..12fe9ce +index 0000000..883b697 --- /dev/null 
+++ b/policy/modules/services/cfengine.if -@@ -0,0 +1,23 @@ +@@ -0,0 +1,42 @@ + +## policy for cfengine + @@ -28657,6 +29312,25 @@ index 0000000..12fe9ce + domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t) +') + ++######################################## ++## ++## Read cfengine lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_read_lib_files',` ++ gen_require(` ++ type cfengine_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) ++') ++ diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 index 0000000..1ba0484 @@ -28791,7 +29465,7 @@ index 0000000..1ba0484 +sysnet_dns_name_resolve(cfengine_monitord_t) +sysnet_domtrans_ifconfig(cfengine_monitord_t) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if -index 33facaf..e5cbcef 100644 +index 33facaf..225e70c 100644 --- a/policy/modules/services/cgroup.if +++ b/policy/modules/services/cgroup.if @@ -6,9 +6,9 @@ 
@@ -28830,8 +29504,39 @@ index 33facaf..e5cbcef 100644 ## # interface(`cgroup_domtrans_cgred',` +@@ -171,15 +171,27 @@ interface(`cgroup_admin',` + type cgrules_etc_t, cgclear_t; + ') + +- allow $1 cgclear_t:process { ptrace signal_perms }; ++ allow $1 cgclear_t:process signal_perms; + ps_process_pattern($1, cgclear_t) + +- allow $1 cgconfig_t:process { ptrace signal_perms }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cglear_t:process ptrace; ++ ') ++ ++ allow $1 cgconfig_t:process signal_perms; + ps_process_pattern($1, cgconfig_t) + +- allow $1 cgred_t:process { ptrace signal_perms }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgconfig_t:process ptrace; ++ ') ++ ++ allow $1 cgred_t:process signal_perms; + ps_process_pattern($1, cgred_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgred_t:process ptrace; ++ ') ++ + admin_pattern($1, cgconfig_etc_t) + admin_pattern($1, cgrules_etc_t) + files_list_etc($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index dad226c..7617c53 100644 +index dad226c..084063b 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -28853,7 +29558,17 @@ index dad226c..7617c53 100644 allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; kernel_read_system_state(cgclear_t) -@@ -86,6 +85,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) +@@ -77,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t) + # cgred personal policy. + # + +-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override }; ++ + allow cgred_t self:netlink_socket { write bind create read }; + allow cgred_t self:unix_dgram_socket { write create connect }; + +@@ -86,6 +86,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) allow cgred_t cgrules_etc_t:file read_file_perms; 
@@ -28863,7 +29578,7 @@ index dad226c..7617c53 100644 # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -@@ -104,6 +106,8 @@ files_read_etc_files(cgred_t) +@@ -104,6 +107,8 @@ files_read_etc_files(cgred_t) fs_write_cgroup_files(cgred_t) @@ -28890,7 +29605,7 @@ index fd8cd0b..45096d8 100644 +/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..714f905 100644 +index 9a0da94..4d21fbd 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -29044,7 +29759,7 @@ index 9a0da94..714f905 100644 #################################### ## ## All of the rules required to administrate -@@ -75,9 +212,9 @@ interface(`chronyd_read_log',` +@@ -75,31 +212,36 @@ interface(`chronyd_read_log',` # interface(`chronyd_admin',` gen_require(` @@ -29056,8 +29771,16 @@ index 9a0da94..714f905 100644 + type chronyd_keys_t; ') - allow $1 chronyd_t:process { ptrace signal_perms }; -@@ -88,18 +225,19 @@ interface(`chronyd_admin',` +- allow $1 chronyd_t:process { ptrace signal_perms }; ++ allow $1 chronyd_t:process signal_perms; + ps_process_pattern($1, chronyd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 chronyd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 chronyd_initrc_exec_t system_r; allow $2 system_r; @@ -29155,7 +29878,7 @@ index e8e9a21..89fc935 100644 /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) 
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if -index 1f11572..9eb2461 100644 +index 1f11572..717fb8d 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` @@ -29208,7 +29931,7 @@ index 1f11572..9eb2461 100644 ## All of the rules required to administrate ## an clamav environment ## -@@ -151,9 +171,8 @@ interface(`clamav_exec_clamscan',` +@@ -151,19 +171,24 @@ interface(`clamav_exec_clamscan',` interface(`clamav_admin',` gen_require(` type clamd_t, clamd_etc_t, clamd_tmp_t; @@ -29220,6 +29943,25 @@ index 1f11572..9eb2461 100644 type freshclam_t, freshclam_var_log_t; ') +- allow $1 clamd_t:process { ptrace signal_perms }; ++ allow $1 clamd_t:process signal_perms; + ps_process_pattern($1, clamd_t) + +- allow $1 clamscan_t:process { ptrace signal_perms }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 clamd_t:process ptrace; ++ allow $1 clamscan_t:process ptrace; ++ allow $1 freshclam_t:process ptrace; ++ ') ++ ++ allow $1 clamscan_t:process signal_perms; + ps_process_pattern($1, clamscan_t) + +- allow $1 freshclam_t:process { ptrace signal_perms }; ++ allow $1 freshclam_t:process signal_perms; + ps_process_pattern($1, freshclam_t) + + init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index f758323..8cd02e2 100644 --- a/policy/modules/services/clamav.te @@ -29763,7 +30505,7 @@ index 049e2b6..dcc7de8 100644 /var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if -index f8463c0..bed51fb 100644 +index f8463c0..126b293 100644 --- a/policy/modules/services/cmirrord.if +++ b/policy/modules/services/cmirrord.if @@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',` 
@@ -29779,6 +30521,21 @@ index f8463c0..bed51fb 100644 read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) fs_search_tmpfs($1) ') +@@ -100,9 +101,13 @@ interface(`cmirrord_admin',` + type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + ') + +- allow $1 cmirrord_t:process { ptrace signal_perms }; ++ allow $1 cmirrord_t:process signal_perms; + ps_process_pattern($1, cmirrord_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cmorrord_t:process ptrace; ++ ') ++ + cmirrord_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc index 1cf6c4e..e4bac67 100644 --- a/policy/modules/services/cobbler.fc @@ -29823,7 +30580,7 @@ index 1cf6c4e..e4bac67 100644 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if -index 116d60f..82306eb 100644 +index 116d60f..11f6a31 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if @@ -1,12 +1,12 @@ @@ -29964,7 +30721,7 @@ index 116d60f..82306eb 100644 ## All of the rules required to administrate ## an cobblerd environment ## -@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',` +@@ -161,25 +185,38 @@ interface(`cobbler_manage_lib_files',` interface(`cobblerd_admin',` gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; 
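Review bot: The new fallback in cmirrord_admin refers to an undeclared type: `allow $1 cmorrord_t:process ptrace;` should be `allow $1 cmirrord_t:process ptrace;`, the type listed in the require block (`type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;`) and used by the `signal_perms` rule directly above. With the typo the module will not compile for any caller of cmirrord_admin unless deny_ptrace is on, so the error is hidden exactly in the default configuration. The rest of cmirrord_admin lies outside the hunk.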
@@ -29975,10 +30732,14 @@ index 116d60f..82306eb 100644 - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, cobblerd_t, cobblerd_t) -+ allow $1 cobblerd_t:process { ptrace signal_perms }; ++ allow $1 cobblerd_t:process signal_perms; + ps_process_pattern($1, cobblerd_t) - files_search_etc($1) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cobblerd_t:process ptrace; ++ ') ++ + files_list_etc($1) admin_pattern($1, cobbler_etc_t) @@ -30005,7 +30766,7 @@ index 116d60f..82306eb 100644 + ') ') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te -index 0258b48..c6dcdfe 100644 +index 0258b48..1328a63 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0) @@ -30066,7 +30827,7 @@ index 0258b48..c6dcdfe 100644 -allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; +allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; -+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; ++dontaudit cobblerd_t self:capability sys_tty_config; + allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; @@ -30269,10 +31030,10 @@ index 0000000..9d06a27 + diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if new file mode 100644 -index 0000000..ed13d1e +index 0000000..40a0157 --- /dev/null +++ b/policy/modules/services/collectd.if -@@ -0,0 +1,157 @@ +@@ -0,0 +1,161 @@ + +## policy for collectd + 
@@ -30417,9 +31178,13 @@ index 0000000..ed13d1e + type collectd_var_lib_t; + ') + -+ allow $1 collectd_t:process { ptrace signal_perms }; ++ allow $1 collectd_t:process signal_perms; + ps_process_pattern($1, collectd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 collectd_t:process ptrace; ++ ') ++ + collectd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 collectd_initrc_exec_t system_r; @@ -30714,10 +31479,10 @@ index fd15dfe..d33cc41 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te -index e67a003..192332a 100644 +index e67a003..5b322ca 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te -@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t) +@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t) type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -30727,13 +31492,22 @@ index e67a003..192332a 100644 ######################################## # # consolekit local policy -@@ -69,11 +72,14 @@ logging_send_audit_msgs(consolekit_t) + # + +-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; ++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; ++ + allow consolekit_t self:process { getsched signal }; + allow consolekit_t self:fifo_file rw_fifo_file_perms; + allow consolekit_t self:unix_stream_socket create_stream_socket_perms; +@@ -69,11 +73,15 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) +systemd_exec_systemctl(consolekit_t) + +# consolekit needs to be able to ptrace all logged in users ++userdom_read_all_users_state(consolekit_t) +userdom_ptrace_all_users(consolekit_t) userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_dontaudit_getattr_admin_home_files(consolekit_t) 
@@ -30744,7 +31518,7 @@ index e67a003..192332a 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(consolekit_t) ') -@@ -83,6 +89,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -83,6 +91,14 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -30759,7 +31533,7 @@ index e67a003..192332a 100644 dbus_system_domain(consolekit_t, consolekit_exec_t) optional_policy(` -@@ -99,6 +113,10 @@ optional_policy(` +@@ -99,6 +115,10 @@ optional_policy(` ') optional_policy(` @@ -30770,7 +31544,7 @@ index e67a003..192332a 100644 policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) -@@ -106,9 +124,10 @@ optional_policy(` +@@ -106,9 +126,10 @@ optional_policy(` ') optional_policy(` @@ -30783,11 +31557,13 @@ index e67a003..192332a 100644 xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -125,5 +144,6 @@ optional_policy(` +@@ -125,5 +146,8 @@ optional_policy(` optional_policy(` #reading .Xauthity -+ unconfined_ptrace(consolekit_t) ++ tunable_policy(`deny_ptrace',`',` ++ unconfined_ptrace(consolekit_t) ++ ') unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc @@ -30806,7 +31582,7 @@ index 3a6d7eb..3f0e601 100644 /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if -index 5220c9d..a2e6830 100644 +index 5220c9d..db158cc 100644 --- a/policy/modules/services/corosync.if +++ b/policy/modules/services/corosync.if @@ -18,6 +18,25 @@ interface(`corosync_domtrans',` 
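Review bot: `userdom_ptrace_all_users(consolekit_t)` in the consolekit.te hunk at @@ -69,11 +73,15 @@ is granted unconditionally, whereas the `unconfined_ptrace(consolekit_t)` call added later in the same file is wrapped in `tunable_policy(`deny_ptrace',`',` … ')`. With deny_ptrace enabled consolekit therefore still gets ptrace over every confined user domain but not over unconfined_t, which is the reverse of what an administrator setting that boolean would expect; the userdom call should be wrapped the same way: `tunable_policy(`deny_ptrace',`',` userdom_ptrace_all_users(consolekit_t) ')`. The comment above says consolekit "needs to be able to ptrace all logged in users", but the same hunk also adds `userdom_read_all_users_state(consolekit_t)` and the patch drops sys_ptrace from consolekit_t's capability set, so it is worth confirming whether reading /proc state is the actual requirement and the ptrace grant can go entirely. The file section continues beyond this hunk.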
@@ -30835,8 +31611,23 @@ index 5220c9d..a2e6830 100644 ####################################### ## ## Allow the specified domain to read corosync's log files. +@@ -82,9 +101,13 @@ interface(`corosyncd_admin',` + type corosync_initrc_exec_t; + ') + +- allow $1 corosync_t:process { ptrace signal_perms }; ++ allow $1 corosync_t:process signal_perms; + ps_process_pattern($1, corosync_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 corosync_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, corosync_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 corosync_initrc_exec_t system_r; diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 04969e5..b55d7bf 100644 +index 04969e5..0f56485 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) @@ -30853,7 +31644,7 @@ index 04969e5..b55d7bf 100644 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; -+allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock }; ++allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock }; +allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; @@ -31181,7 +31972,7 @@ index 2eefc08..6ea5693 100644 + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..445ced4 100644 +index 35241ed..7a0913c 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -12,6 +12,11 @@ 
@@ -31285,7 +32076,7 @@ index 35241ed..445ced4 100644 ') role $1 types { cronjob_t crontab_t }; -@@ -116,9 +131,16 @@ interface(`cron_role',` +@@ -116,9 +131,20 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -31299,11 +32090,15 @@ index 35241ed..445ced4 100644 # crontab shows up in user ps ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; -+ allow $2 crontab_t:process { ptrace signal_perms }; ++ allow $2 crontab_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 crontab_t:process ptrace; ++ ') # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) -@@ -132,9 +154,8 @@ interface(`cron_role',` +@@ -132,9 +158,8 @@ interface(`cron_role',` ') dbus_stub(cronjob_t) @@ -31314,7 +32109,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -151,29 +172,18 @@ interface(`cron_role',` +@@ -151,29 +176,21 @@ interface(`cron_role',` ## User domain for the role ## ## @@ -31344,11 +32139,14 @@ index 35241ed..445ced4 100644 - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) -+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; ++ allow $2 unconfined_cronjob_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 unconfined_cronjob_t:process ptrace; ++ ') optional_policy(` gen_require(` -@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',` +@@ -181,9 +198,8 @@ interface(`cron_unconfined_role',` ') dbus_stub(unconfined_cronjob_t) @@ -31359,7 +32157,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',` +@@ -200,6 +216,7 @@ interface(`cron_unconfined_role',` ## User domain for the role ## ## 
@@ -31367,16 +32165,19 @@ index 35241ed..445ced4 100644 # interface(`cron_admin_role',` gen_require(` -@@ -220,7 +230,7 @@ interface(`cron_admin_role',` +@@ -220,7 +237,10 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process signal; -+ allow $2 admin_crontab_t:process { ptrace signal_perms }; ++ allow $2 admin_crontab_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 admin_crontab_t:process ptrace; ++ ') # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) -@@ -234,9 +244,8 @@ interface(`cron_admin_role',` +@@ -234,9 +254,8 @@ interface(`cron_admin_role',` ') dbus_stub(admin_cronjob_t) @@ -31387,7 +32188,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -304,7 +313,7 @@ interface(`cron_exec',` +@@ -304,7 +323,7 @@ interface(`cron_exec',` ######################################## ## @@ -31396,7 +32197,7 @@ index 35241ed..445ced4 100644 ## ## ## -@@ -322,6 +331,29 @@ interface(`cron_initrc_domtrans',` +@@ -322,6 +341,29 @@ interface(`cron_initrc_domtrans',` ######################################## ## @@ -31426,7 +32227,7 @@ index 35241ed..445ced4 100644 ## Inherit and use a file descriptor ## from the cron daemon. ## -@@ -377,6 +409,47 @@ interface(`cron_read_pipes',` +@@ -377,6 +419,47 @@ interface(`cron_read_pipes',` ######################################## ## @@ -31474,7 +32275,7 @@ index 35241ed..445ced4 100644 ## Do not audit attempts to write cron daemon unnamed pipes. ## ## -@@ -390,6 +463,7 @@ interface(`cron_dontaudit_write_pipes',` +@@ -390,6 +473,7 @@ interface(`cron_dontaudit_write_pipes',` type crond_t; ') @@ -31482,7 +32283,7 @@ index 35241ed..445ced4 100644 dontaudit $1 crond_t:fifo_file write; ') -@@ -408,7 +482,43 @@ interface(`cron_rw_pipes',` +@@ -408,7 +492,43 @@ interface(`cron_rw_pipes',` type crond_t; ') 
@@ -31527,7 +32328,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -468,6 +578,25 @@ interface(`cron_search_spool',` +@@ -468,6 +588,25 @@ interface(`cron_search_spool',` ######################################## ## @@ -31553,7 +32354,7 @@ index 35241ed..445ced4 100644 ## Manage pid files used by cron ## ## -@@ -481,6 +610,7 @@ interface(`cron_manage_pid_files',` +@@ -481,6 +620,7 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') @@ -31561,7 +32362,7 @@ index 35241ed..445ced4 100644 manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') -@@ -536,7 +666,7 @@ interface(`cron_write_system_job_pipes',` +@@ -536,7 +676,7 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') @@ -31570,7 +32371,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -554,7 +684,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -554,7 +694,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -31579,7 +32380,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -587,11 +717,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -587,11 +727,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -31595,7 +32396,7 @@ index 35241ed..445ced4 100644 ') ######################################## -@@ -627,7 +760,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +770,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -31644,7 +32445,7 @@ index 35241ed..445ced4 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..4100ff7 100644 +index f7583ab..258a3d7 100644 --- a/policy/modules/services/cron.te 
+++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -31846,7 +32647,7 @@ index f7583ab..4100ff7 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +279,31 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` @@ -31867,6 +32668,7 @@ index f7583ab..4100ff7 100644 + # these should probably be unconfined_crond_t + dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) ++ init_dbus_chat(crond_t) +') + +optional_policy(` @@ -31877,7 +32679,7 @@ index f7583ab..4100ff7 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +312,8 @@ optional_policy(` +@@ -264,6 +313,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -31886,7 +32688,7 @@ index f7583ab..4100ff7 100644 ') optional_policy(` -@@ -286,15 +336,26 @@ optional_policy(` +@@ -286,15 +337,25 @@ optional_policy(` ') optional_policy(` @@ -31908,7 +32710,6 @@ index f7583ab..4100ff7 100644 # allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -+dontaudit system_cronjob_t self:capability sys_ptrace; + allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; @@ -32106,10 +32907,10 @@ index 0000000..2db6b61 + diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if new file mode 100644 -index 0000000..1171f34 +index 0000000..5c1e8b0 --- /dev/null +++ b/policy/modules/services/ctdbd.if -@@ -0,0 +1,256 @@ +@@ -0,0 +1,259 @@ + +## policy for ctdbd + 
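Review bot: In the cron.te hunk at @@ -250,11 +279,31 @@, `init_dbus_chat(crond_t)` is added directly under the comment `# these should probably be unconfined_crond_t`, so the change widens crond_t while its own comment says this is the wrong domain. Two-way D-Bus messaging with init is broader than the one-way `init_dbus_send_script(crond_t)` already present and, on a systemd host (the patch adds systemd_exec_systemctl elsewhere), it likely lets confined cron jobs' parent talk to the service manager; if the only need is sending, keep `init_dbus_send_script(crond_t)` and drop the chat call, otherwise move the block to the unconfined_crond_t policy the comment points at and note why. A short why-comment such as `# crond needs bidirectional dbus with init for <reason>` would stop the next reader from removing it. The surrounding optional_policy block is complete within the hunk.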
@@ -32348,8 +33149,11 @@ index 0000000..1171f34 + type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; + ') + -+ allow $1 ctdbd_t:process { ptrace signal_perms }; ++ allow $1 ctdbd_t:process signal_perms; + ps_process_pattern($1, ctdbd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ctdbd_t:process ptrace; ++ ') + + ctdbd_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -32368,7 +33172,7 @@ index 0000000..1171f34 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..5a15b82 +index 0000000..284fbae --- /dev/null +++ b/policy/modules/services/ctdbd.te @@ -0,0 +1,114 @@ @@ -32407,7 +33211,7 @@ index 0000000..5a15b82 +# ctdbd local policy +# + -+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace }; ++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; +allow ctdbd_t self:process { setpgid signal_perms setsched }; + +allow ctdbd_t self:fifo_file rw_fifo_file_perms; @@ -32529,7 +33333,7 @@ index 1b492ed..c79454d 100644 + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if -index 305ddf4..173cd16 100644 +index 305ddf4..2746e6f 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if @@ -9,6 +9,11 @@ @@ -32557,7 +33361,7 @@ index 305ddf4..173cd16 100644 read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) ') -@@ -314,11 +321,10 @@ interface(`cups_stream_connect_ptal',` +@@ -314,16 +321,19 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; 
@@ -32572,8 +33376,18 @@ index 305ddf4..173cd16 100644 + type ptal_var_run_t; ') - allow $1 cupsd_t:process { ptrace signal_perms }; -@@ -341,15 +347,14 @@ interface(`cups_admin',` +- allow $1 cupsd_t:process { ptrace signal_perms }; ++ allow $1 cupsd_t:process signal_perms; + ps_process_pattern($1, cupsd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cupsd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cupsd_initrc_exec_t system_r; +@@ -341,15 +351,14 @@ interface(`cups_admin',` admin_pattern($1, cupsd_lpd_var_run_t) @@ -32818,7 +33632,7 @@ index 0f28095..825cafb 100644 optional_policy(` dbus_system_bus_client(hplip_t) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if -index c43ff4c..6ca9a6b 100644 +index c43ff4c..5da88b5 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -1,5 +1,23 @@ @@ -32845,7 +33659,7 @@ index c43ff4c..6ca9a6b 100644 ######################################## ## ## Read the CVS data and metadata. -@@ -58,9 +76,8 @@ interface(`cvs_exec',` +@@ -58,14 +76,17 @@ interface(`cvs_exec',` # interface(`cvs_admin',` gen_require(` @@ -32855,7 +33669,17 @@ index c43ff4c..6ca9a6b 100644 - type cvs_initrc_exec_t; ') - allow $1 cvs_t:process { ptrace signal_perms }; +- allow $1 cvs_t:process { ptrace signal_perms }; ++ allow $1 cvs_t:process signal_perms; + ps_process_pattern($1, cvs_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cvs_t:process ptrace; ++ ') ++ + # Allow cvs_t to restart the apache service + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index 88e7e97..e18dc0b 100644 --- a/policy/modules/services/cvs.te 
@@ -32923,6 +33747,25 @@ index 25546bc..4def4f7 100644 /var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) +diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if +index e4e86d0..7c30655 100644 +--- a/policy/modules/services/cyrus.if ++++ b/policy/modules/services/cyrus.if +@@ -62,9 +62,13 @@ interface(`cyrus_admin',` + type cyrus_var_run_t, cyrus_initrc_exec_t; + ') + +- allow $1 cyrus_t:process { ptrace signal_perms }; ++ allow $1 cyrus_t:process signal_perms; + ps_process_pattern($1, cyrus_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cyrus_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index a01be9d..01f2f23 100644 --- a/policy/modules/services/cyrus.te @@ -32989,7 +33832,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 1a1becd..843d5fd 100644 +index 1a1becd..3558f18 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -33014,7 +33857,7 @@ index 1a1becd..843d5fd 100644 ubac_constrained($1_dbusd_t) role $2 types $1_dbusd_t; -@@ -62,107 +61,26 @@ template(`dbus_role_template',` +@@ -62,107 +61,30 @@ template(`dbus_role_template',` # Local policy # 
@@ -33039,16 +33882,19 @@ index 1a1becd..843d5fd 100644 - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) -- ++ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) + - manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) -- - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) -- allow $3 $1_dbusd_t:process { signull sigkill signal }; -+ + ps_process_pattern($3, $1_dbusd_t) -+ allow $3 $1_dbusd_t:process { ptrace signal_perms }; ++ allow $3 $1_dbusd_t:process signal_perms; + +- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) +- allow $3 $1_dbusd_t:process { signull sigkill signal }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $3 $1_dbusd_t:process ptrace; ++ ') # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) @@ -33129,7 +33975,7 @@ index 1a1becd..843d5fd 100644 ') ####################################### -@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',` +@@ -181,11 +103,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -33143,7 +33989,7 @@ index 1a1becd..843d5fd 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',` +@@ -198,6 +121,34 @@ interface(`dbus_system_bus_client',` ####################################### ## @@ -33178,7 +34024,7 @@ index 1a1becd..843d5fd 100644 ## Template for creating connections to ## a user DBUS. ## -@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',` +@@ -218,6 +169,8 @@ interface(`dbus_session_bus_client',` # For connecting to the bus allow $1 session_bus_type:unix_stream_socket connectto; 
@@ -33187,7 +34033,7 @@ index 1a1becd..843d5fd 100644 ') ######################################## -@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',` +@@ -322,6 +275,11 @@ interface(`dbus_connect_session_bus',` ## Allow a application domain to be started ## by the session dbus. ## @@ -33199,7 +34045,7 @@ index 1a1becd..843d5fd 100644 ## ## ## Type to be used as a domain. -@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',` +@@ -336,13 +294,13 @@ interface(`dbus_connect_session_bus',` # interface(`dbus_session_domain',` gen_require(` @@ -33217,7 +34063,7 @@ index 1a1becd..843d5fd 100644 ') ######################################## -@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',` +@@ -421,27 +379,16 @@ interface(`dbus_system_bus_unconfined',` # interface(`dbus_system_domain',` gen_require(` @@ -33247,7 +34093,7 @@ index 1a1becd..843d5fd 100644 ') ######################################## -@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -464,26 +411,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -33280,7 +34126,7 @@ index 1a1becd..843d5fd 100644 ## ## ## -@@ -491,10 +433,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -491,10 +437,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -33653,10 +34499,10 @@ index ec19ff4..2f84017 100644 ######################################## # diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if -index 0a1a61b..da508f4 100644 +index 0a1a61b..64742c6 100644 --- a/policy/modules/services/ddclient.if +++ b/policy/modules/services/ddclient.if -@@ -64,8 +64,8 @@ interface(`ddclient_run',` +@@ -64,13 +64,17 @@ interface(`ddclient_run',` interface(`ddclient_admin',` gen_require(` type ddclient_t, ddclient_etc_t, ddclient_log_t; 
@@ -33666,7 +34512,17 @@ index 0a1a61b..da508f4 100644 + type ddclient_var_run_t; ') - allow $1 ddclient_t:process { ptrace signal_perms }; +- allow $1 ddclient_t:process { ptrace signal_perms }; ++ allow $1 ddclient_t:process signal_perms; + ps_process_pattern($1, ddclient_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ddclient_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te index 24ba98a..b8d064a 100644 --- a/policy/modules/services/ddclient.te @@ -33727,7 +34583,7 @@ index 24ba98a..b8d064a 100644 miscfiles_read_localization(ddclient_t) diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if -index 567865f..9c9e65c 100644 +index 567865f..3a57eb9 100644 --- a/policy/modules/services/denyhosts.if +++ b/policy/modules/services/denyhosts.if @@ -13,12 +13,12 @@ @@ -33755,7 +34611,7 @@ index 567865f..9c9e65c 100644 gen_require(` type denyhosts_initrc_exec_t; ') -@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', ` +@@ -59,27 +59,32 @@ interface(`denyhosts_initrc_domtrans', ` ## Role allowed access. ## ## @@ -33766,7 +34622,18 @@ index 567865f..9c9e65c 100644 gen_require(` type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; type denyhosts_var_log_t, denyhosts_initrc_exec_t; -@@ -74,12 +75,12 @@ interface(`denyhosts_admin', ` + ') + +- allow $1 denyhosts_t:process { ptrace signal_perms }; ++ allow $1 denyhosts_t:process signal_perms; + ps_process_pattern($1, denyhosts_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 denyhosts_t:process ptrace; ++ ') ++ + denyhosts_initrc_domtrans($1) + domain_system_change_exemption($1) role_transition $2 denyhosts_initrc_exec_t system_r; allow $2 system_r; 
@@ -33850,7 +34717,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..5001351 100644 +index f706b99..b62f5a9 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -34059,20 +34926,25 @@ index f706b99..5001351 100644 ## ## ## -@@ -165,21 +308,39 @@ interface(`devicekit_admin',` +@@ -165,21 +308,44 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') - allow $1 devicekit_t:process { ptrace signal_perms getattr }; -+ allow $1 devicekit_t:process { ptrace signal_perms }; ++ allow $1 devicekit_t:process signal_perms; ps_process_pattern($1, devicekit_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 devicekit_t:process ptrace; ++ allow $1 devicekit_disk_t:process ptrace; ++ allow $1 devicekit_power_t:process ptrace; ++ ') - allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; -+ allow $1 devicekit_disk_t:process { ptrace signal_perms }; ++ allow $1 devicekit_disk_t:process signal_perms; ps_process_pattern($1, devicekit_disk_t) - allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; -+ allow $1 devicekit_power_t:process { ptrace signal_perms }; ++ allow $1 devicekit_power_t:process signal_perms; ps_process_pattern($1, devicekit_power_t) admin_pattern($1, devicekit_tmp_t) @@ -34106,7 +34978,7 @@ index f706b99..5001351 100644 + files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..8cc1f09 100644 +index f231f17..f277ea6 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) 
@@ -34119,7 +34991,17 @@ index f231f17..8cc1f09 100644 ######################################## # # DeviceKit local policy -@@ -75,10 +78,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -62,7 +65,8 @@ optional_policy(` + # DeviceKit disk local policy + # + +-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; ++ + allow devicekit_disk_t self:process { getsched signal_perms }; + allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -75,10 +79,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -34133,7 +35015,7 @@ index f231f17..8cc1f09 100644 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -97,6 +103,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) +@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) @@ -34141,7 +35023,7 @@ index f231f17..8cc1f09 100644 domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) -@@ -105,14 +112,17 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -105,14 +113,17 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) 
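Review bot: Dropping sys_ptrace from the devicekit_disk_t capability set while the domain keeps `domain_read_all_domains_state(devicekit_disk_t)` (visible in a later hunk of this file) may surface as sys_ptrace denials when the daemon reads /proc/pid entries that the kernel guards with ptrace-access checks; whether udisks actually touches those is not shown here. If such attempts turn out to be benign, `dontaudit devicekit_disk_t self:capability sys_ptrace;` would keep the audit log quiet without restoring the capability. The added empty line right after the capability rule is a stray blank, and fprintd.te receives the same stray line. The same capability removal is applied to devicekit_power_t, fprintd_t and gnomeclock_t further on in the patch.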
@@ -34160,7 +35042,7 @@ index f231f17..8cc1f09 100644 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) -@@ -127,7 +137,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -127,7 +138,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -34169,7 +35051,7 @@ index f231f17..8cc1f09 100644 auth_use_nsswitch(devicekit_disk_t) -@@ -178,55 +188,84 @@ optional_policy(` +@@ -178,55 +189,84 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -34184,8 +35066,9 @@ index f231f17..8cc1f09 100644 # DeviceKit-Power local policy # - allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process getsched; ++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; +allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; @@ -34258,7 +35141,7 @@ index f231f17..8cc1f09 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,7 +274,12 @@ optional_policy(` +@@ -235,7 +275,12 @@ optional_policy(` ') optional_policy(` @@ -34271,7 +35154,7 @@ index f231f17..8cc1f09 100644 ') optional_policy(` -@@ -261,14 +305,21 @@ optional_policy(` +@@ -261,14 +306,21 @@ optional_policy(` ') optional_policy(` @@ -34294,7 +35177,7 @@ index f231f17..8cc1f09 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +327,30 @@ optional_policy(` +@@ -276,9 +328,30 @@ optional_policy(` ') optional_policy(` 
@@ -34343,7 +35226,7 @@ index 767e0c7..4fbde9d 100644 -/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if -index 5e2cea8..7a18800 100644 +index 5e2cea8..8eec089 100644 --- a/policy/modules/services/dhcp.if +++ b/policy/modules/services/dhcp.if @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` @@ -34386,7 +35269,7 @@ index 5e2cea8..7a18800 100644 ## All of the rules required to administrate ## an dhcp environment ## -@@ -77,7 +101,7 @@ interface(`dhcpd_initrc_domtrans',` +@@ -77,12 +101,15 @@ interface(`dhcpd_initrc_domtrans',` # interface(`dhcpd_admin',` gen_require(` @@ -34395,7 +35278,16 @@ index 5e2cea8..7a18800 100644 type dhcpd_var_run_t, dhcpd_initrc_exec_t; ') -@@ -96,4 +120,6 @@ interface(`dhcpd_admin',` +- allow $1 dhcpd_t:process { ptrace signal_perms }; ++ allow $1 dhcpd_t:process signal_perms; + ps_process_pattern($1, dhcpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dhcpd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -96,4 +123,6 @@ interface(`dhcpd_admin',` files_list_pids($1) admin_pattern($1, dhcpd_var_run_t) 
@@ -34448,6 +35340,23 @@ index d4424ad..f90959a 100644 dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') +diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if +index a0d23ce..83a7ca5 100644 +--- a/policy/modules/services/dictd.if ++++ b/policy/modules/services/dictd.if +@@ -38,8 +38,11 @@ interface(`dictd_admin',` + type dictd_var_run_t, dictd_initrc_exec_t; + ') + +- allow $1 dictd_t:process { ptrace signal_perms }; ++ allow $1 dictd_t:process signal_perms; + ps_process_pattern($1, dictd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dictd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, dictd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te index d2d9359..ee10625 100644 --- a/policy/modules/services/dictd.te @@ -35278,7 +36187,7 @@ index b886676..ab3af9c 100644 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if -index 9bd812b..982c0ea 100644 +index 9bd812b..144cbb7 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if @@ -10,7 +10,6 @@ 
@@ -35464,7 +36373,20 @@ index 9bd812b..982c0ea 100644 ## All of the rules required to administrate ## an dnsmasq environment ## -@@ -208,4 +311,6 @@ interface(`dnsmasq_admin',` +@@ -195,8 +298,11 @@ interface(`dnsmasq_admin',` + type dnsmasq_initrc_exec_t; + ') + +- allow $1 dnsmasq_t:process { ptrace signal_perms }; ++ allow $1 dnsmasq_t:process signal_perms; + ps_process_pattern($1, dnsmasq_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dnsmasq_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) + domain_system_change_exemption($1) +@@ -208,4 +314,6 @@ interface(`dnsmasq_admin',` files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) @@ -35550,7 +36472,7 @@ index bfc880b..9a1dcba 100644 ') diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if -index e1d7dc5..673f185 100644 +index e1d7dc5..0557be0 100644 --- a/policy/modules/services/dovecot.if +++ b/policy/modules/services/dovecot.if @@ -1,5 +1,24 @@ @@ -35601,7 +36523,7 @@ index e1d7dc5..673f185 100644 manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ') -@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',` +@@ -93,16 +113,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',` # interface(`dovecot_admin',` gen_require(` @@ -35617,8 +36539,16 @@ index e1d7dc5..673f185 100644 + type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; ') - allow $1 dovecot_t:process { ptrace signal_perms }; -@@ -112,8 +130,11 @@ interface(`dovecot_admin',` +- allow $1 dovecot_t:process { ptrace signal_perms }; ++ allow $1 dovecot_t:process signal_perms; + ps_process_pattern($1, dovecot_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dovecot_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, dovecot_initrc_exec_t) + domain_system_change_exemption($1) +@@ -112,8 +133,11 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) 
@@ -35632,7 +36562,7 @@ index e1d7dc5..673f185 100644 files_list_spool($1) admin_pattern($1, dovecot_spool_t) -@@ -121,6 +142,9 @@ interface(`dovecot_admin',` +@@ -121,6 +145,9 @@ interface(`dovecot_admin',` files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) @@ -35877,10 +36807,10 @@ index 0000000..f96c4f2 + diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if new file mode 100644 -index 0000000..63f11d9 +index 0000000..f92ef50 --- /dev/null +++ b/policy/modules/services/drbd.if -@@ -0,0 +1,130 @@ +@@ -0,0 +1,133 @@ + +## policy for drbd + @@ -36003,8 +36933,11 @@ index 0000000..63f11d9 + type drbd_var_lib_t; + ') + -+ allow $1 drbd_t:process { ptrace signal_perms }; ++ allow $1 drbd_t:process signal_perms; + ps_process_pattern($1, drbd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 drbd_t:process ptrace; ++ ') + + files_search_var_lib($1) + admin_pattern($1, drbd_var_lib_t) @@ -36091,10 +37024,10 @@ index 0000000..cc0815b +/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0) diff --git a/policy/modules/services/dspam.if b/policy/modules/services/dspam.if new file mode 100644 -index 0000000..d7a7118 +index 0000000..a446210 --- /dev/null +++ b/policy/modules/services/dspam.if -@@ -0,0 +1,264 @@ +@@ -0,0 +1,267 @@ + +## policy for dspam + @@ -36341,8 +37274,11 @@ index 0000000..d7a7118 + type dspam_var_run_t; + ') + -+ allow $1 dspam_t:process { ptrace signal_perms }; ++ allow $1 dspam_t:process signal_perms; + ps_process_pattern($1, dspam_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dspam_t:process ptrace; ++ ') + + dspam_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -36474,7 +37410,7 @@ index 298f066..b54de69 100644 /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) 
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if -index 6bef7f8..885cd43 100644 +index 6bef7f8..fb2fd2f 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if @@ -5,9 +5,9 @@ @@ -36551,7 +37487,7 @@ index 6bef7f8..885cd43 100644 ## # interface(`exim_append_log',` -@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',` +@@ -194,3 +237,49 @@ interface(`exim_manage_spool_files',` manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') @@ -36578,8 +37514,11 @@ index 6bef7f8..885cd43 100644 + type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + -+ allow $1 exim_t:process { ptrace signal_perms }; ++ allow $1 exim_t:process signal_perms; + ps_process_pattern($1, exim_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 exim_t:process ptrace; ++ ') + + exim_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -36713,7 +37652,7 @@ index 0de2b83..b93171c 100644 /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..338e5bf 100644 +index f590a1f..18bdd33 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -5,9 +5,9 @@ @@ -36802,7 +37741,7 @@ index f590a1f..338e5bf 100644 ## All of the rules required to administrate ## an fail2ban environment ## -@@ -155,12 +194,13 @@ interface(`fail2ban_read_pid_files',` +@@ -155,12 +194,16 @@ interface(`fail2ban_read_pid_files',` # interface(`fail2ban_admin',` gen_require(` 
@@ -36815,12 +37754,15 @@ index f590a1f..338e5bf 100644 - allow $1 fail2ban_t:process { ptrace signal_perms }; - ps_process_pattern($1, fail2ban_t) -+ allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; ++ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; ++ ') init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) domain_system_change_exemption($1) -@@ -172,4 +212,10 @@ interface(`fail2ban_admin',` +@@ -172,4 +215,10 @@ interface(`fail2ban_admin',` files_list_pids($1) admin_pattern($1, fail2ban_var_run_t) @@ -36938,10 +37880,10 @@ index 0000000..83279fb +/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0) diff --git a/policy/modules/services/fcoemon.if b/policy/modules/services/fcoemon.if new file mode 100644 -index 0000000..d827274 +index 0000000..f25a1cb --- /dev/null +++ b/policy/modules/services/fcoemon.if -@@ -0,0 +1,91 @@ +@@ -0,0 +1,94 @@ + +## policy for fcoemon + @@ -37025,8 +37967,11 @@ index 0000000..d827274 + type fcoemon_var_run_t; + ') + -+ allow $1 fcoemon_t:process { ptrace signal_perms }; ++ allow $1 fcoemon_t:process signal_perms; + ps_process_pattern($1, fcoemon_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 fcoemon_t:process ptrace; ++ ') + + files_search_pids($1) + admin_pattern($1, fcoemon_var_run_t) @@ -37100,17 +38045,21 @@ index 455c620..c263c70 100644 # # /etc diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if -index 6537214..7d64c0a 100644 +index 6537214..8629354 100644 --- a/policy/modules/services/fetchmail.if 
+++ b/policy/modules/services/fetchmail.if -@@ -18,6 +18,7 @@ interface(`fetchmail_admin',` +@@ -18,7 +18,11 @@ interface(`fetchmail_admin',` type fetchmail_var_run_t; ') -+ allow $1 fetchmail_t:process { ptrace signal_perms }; ++ allow $1 fetchmail_t:process signal_perms; ps_process_pattern($1, fetchmail_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 fetchmail_t:process ptrace; ++ ') files_list_etc($1) + admin_pattern($1, fetchmail_etc_t) diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te index 3459d93..3d4e162 100644 --- a/policy/modules/services/fetchmail.te @@ -37203,10 +38152,10 @@ index 0000000..ba9a7a9 +/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0) diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if new file mode 100644 -index 0000000..84d1768 +index 0000000..06462d4 --- /dev/null +++ b/policy/modules/services/firewalld.if -@@ -0,0 +1,73 @@ +@@ -0,0 +1,76 @@ + +## policy for firewalld + @@ -37271,8 +38220,11 @@ index 0000000..84d1768 + type firewalld_initrc_exec_t; + ') + -+ allow $1 firewalld_t:process { ptrace signal_perms }; ++ allow $1 firewalld_t:process signal_perms; + ps_process_pattern($1, firewalld_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 firewalld_t:process ptrace; ++ ') + + firewalld_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -37376,22 +38328,23 @@ index ebad8c4..c02062c 100644 ') - diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te -index 7df52c7..899feaf 100644 +index 7df52c7..8512254 100644 --- a/policy/modules/services/fprintd.te 
+++ b/policy/modules/services/fprintd.te -@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t) +@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t) # Local policy # -allow fprintd_t self:capability sys_ptrace; -+allow fprintd_t self:capability { sys_nice sys_ptrace }; ++allow fprintd_t self:capability sys_nice; ++ allow fprintd_t self:fifo_file rw_fifo_file_perms; -allow fprintd_t self:process { getsched signal }; +allow fprintd_t self:process { getsched setsched signal }; manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -54,4 +54,5 @@ optional_policy(` +@@ -54,4 +55,5 @@ optional_policy(` policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) @@ -37417,7 +38370,7 @@ index 69dcd2a..80eefd3 100644 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if -index 9d3201b..7da7267 100644 +index 9d3201b..41c2c99 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -1,5 +1,66 @@ @@ -37487,7 +38440,20 @@ index 9d3201b..7da7267 100644 ####################################### ## ## Allow domain dyntransition to sftpd_anon domain. -@@ -203,4 +264,6 @@ interface(`ftp_admin',` +@@ -176,8 +237,11 @@ interface(`ftp_admin',` + type ftpd_initrc_exec_t; + ') + +- allow $1 ftpd_t:process { ptrace signal_perms }; ++ allow $1 ftpd_t:process signal_perms; + ps_process_pattern($1, ftpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ftpd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, ftpd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -203,4 +267,6 @@ interface(`ftp_admin',` logging_list_logs($1) admin_pattern($1, xferlog_t) 
@@ -37784,10 +38750,10 @@ index 54f0737..44a9663 100644 +/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if -index 458aac6..8e83609 100644 +index 458aac6..27945d1 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if -@@ -1 +1,539 @@ +@@ -1 +1,542 @@ -## GIT revision control system +## Fast Version Control System. +## @@ -37833,8 +38799,11 @@ index 458aac6..8e83609 100644 + + domtrans_pattern($2, gitd_exec_t, git_session_t) + -+ allow $2 git_session_t:process { ptrace signal_perms }; ++ allow $2 git_session_t:process signal_perms; + ps_process_pattern($2, git_session_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 git_session_t:process ptrace; ++ ') +') + +######################################## @@ -38555,10 +39524,10 @@ index 0000000..7d27335 +/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if new file mode 100644 -index 0000000..3b1870a +index 0000000..8cc6d17 --- /dev/null +++ b/policy/modules/services/glance.if -@@ -0,0 +1,272 @@ +@@ -0,0 +1,276 @@ + +## policy for glance + @@ -38806,10 +39775,14 @@ index 0000000..3b1870a + type glance_api_initrc_exec_t; + ') + -+ allow $1 glance_registry_t:process { ptrace signal_perms }; ++ allow $1 glance_registry_t:process signal_perms; + ps_process_pattern($1, glance_registry_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 glance_registry_t:process ptrace; ++ allow $1 glance_api_t:process ptrace; ++ ') + -+ allow $1 glance_api_t:process { ptrace signal_perms }; ++ allow $1 glance_api_t:process signal_perms; + ps_process_pattern($1, glance_api_t) + + init_labeled_script_domtrans($1, glance_registry_initrc_exec_t) 
@@ -38983,14 +39956,16 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..4978f18 100644 +index 4fde46b..a1d38a3 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -14,19 +14,26 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + # gnomeclock local policy # - allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; +-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -allow gnomeclock_t self:process { getattr getsched }; ++allow gnomeclock_t self:capability { sys_nice sys_time }; +allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; @@ -39112,7 +40087,7 @@ index a627b34..c4cfc6d 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te -index 03742d8..d5795a5 100644 +index 03742d8..f38c5db 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t) @@ -39122,7 +40097,7 @@ index 03742d8..d5795a5 100644 -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; -allow gpsd_t self:process setsched; +allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -+dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace }; ++dontaudit gpsd_t self:capability { dac_read_search dac_override }; +allow gpsd_t self:process { setsched signal_perms }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -39167,7 +40142,7 @@ index 03742d8..d5795a5 100644 ') 
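Review bot: gpsd.te only removes sys_ptrace from a `dontaudit` rule, which changes what is logged rather than what is allowed: a sys_ptrace attempt by gpsd_t was already denied and will now also be audited. hal.te and ifplugd.te get the same dontaudit trim later in the patch. That is reasonable if the intent is to surface those attempts, but the dontaudit presumably existed because the daemons do trigger the check, so expect new AVC entries until the callers are confirmed clean.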
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if -index 2d0b4e1..1e40c00 100644 +index 2d0b4e1..6437f07 100644 --- a/policy/modules/services/hadoop.if +++ b/policy/modules/services/hadoop.if @@ -91,7 +91,7 @@ template(`hadoop_domain_template',` @@ -39187,7 +40162,16 @@ index 2d0b4e1..1e40c00 100644 hadoop_match_lan_spd(hadoop_$1_t) -@@ -132,10 +133,6 @@ template(`hadoop_domain_template',` +@@ -126,16 +127,14 @@ template(`hadoop_domain_template',` + + hadoop_exec_config(hadoop_$1_t) + +- java_exec(hadoop_$1_t) ++ optional_policy(` ++ java_exec(hadoop_$1_t) ++ ') + + kerberos_use(hadoop_$1_t) su_exec(hadoop_$1_t) @@ -39198,7 +40182,7 @@ index 2d0b4e1..1e40c00 100644 #################################### # # Shared hadoop_$1 initrc policy. -@@ -175,8 +172,6 @@ template(`hadoop_domain_template',` +@@ -175,8 +174,6 @@ template(`hadoop_domain_template',` files_read_etc_files(hadoop_$1_initrc_t) files_read_usr_files(hadoop_$1_initrc_t) @@ -39207,7 +40191,7 @@ index 2d0b4e1..1e40c00 100644 fs_getattr_xattr_fs(hadoop_$1_initrc_t) fs_search_cgroup_dirs(hadoop_$1_initrc_t) -@@ -184,6 +179,8 @@ template(`hadoop_domain_template',` +@@ -184,6 +181,8 @@ template(`hadoop_domain_template',` hadoop_exec_config(hadoop_$1_initrc_t) @@ -39216,7 +40200,7 @@ index 2d0b4e1..1e40c00 100644 init_rw_utmp(hadoop_$1_initrc_t) init_use_fds(hadoop_$1_initrc_t) init_use_script_ptys(hadoop_$1_initrc_t) -@@ -196,8 +193,9 @@ template(`hadoop_domain_template',` +@@ -196,8 +195,9 @@ template(`hadoop_domain_template',` userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t) optional_policy(` 
@@ -39227,39 +40211,64 @@ index 2d0b4e1..1e40c00 100644 ') ######################################## +@@ -224,14 +224,21 @@ interface(`hadoop_role',` + hadoop_domtrans($2) + role $1 types hadoop_t; + +- allow $2 hadoop_t:process { ptrace signal_perms }; ++ allow $2 hadoop_t:process signal_perms; + ps_process_pattern($2, hadoop_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 hadoop_t:process ptrace; ++ ') + + hadoop_domtrans_zookeeper_client($2) + role $1 types zookeeper_t; + +- allow $2 zookeeper_t:process { ptrace signal_perms }; ++ allow $2 zookeeper_t:process signal_perms; + ps_process_pattern($2, zookeeper_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 zookeeper_t:process ptrace; ++ ') ++ + ') + + ######################################## diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te -index 7d3a469..3889dc9 100644 +index 7d3a469..c6824f1 100644 --- a/policy/modules/services/hadoop.te +++ b/policy/modules/services/hadoop.te -@@ -161,24 +161,16 @@ files_read_usr_files(hadoop_t) +@@ -161,23 +161,17 @@ files_read_usr_files(hadoop_t) fs_getattr_xattr_fs(hadoop_t) -miscfiles_read_localization(hadoop_t) +- +-sysnet_read_config(hadoop_t) +- +-userdom_use_user_terminals(hadoop_t) +auth_use_nsswitch(hadoop_t) --sysnet_read_config(hadoop_t) +-java_exec(hadoop_t) +miscfiles_read_localization(hadoop_t) --userdom_use_user_terminals(hadoop_t) +-kerberos_use(hadoop_t) +userdom_use_inherited_user_terminals(hadoop_t) - java_exec(hadoop_t) - - kerberos_use(hadoop_t) - --optional_policy(` + optional_policy(` - nis_use_ypbind(hadoop_t) --') -- ++ java_exec(hadoop_t) + ') + -optional_policy(` - nscd_socket_use(hadoop_t) -') -- ++kerberos_use(hadoop_t) + ######################################## # - # Hadoop datanode policy. -@@ -341,19 +333,17 @@ domain_use_interactive_fds(zookeeper_t) +@@ -341,17 +335,17 @@ domain_use_interactive_fds(zookeeper_t) files_read_etc_files(zookeeper_t) files_read_usr_files(zookeeper_t) 
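Review bot: In hadoop_role the second deny_ptrace block is followed by an added empty line before the closing `')`, leaving a trailing blank inside the interface body that none of the other role or admin interfaces in this patch have. Dropping that added line keeps the file consistent with hadoop_domain_template above it.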
@@ -39273,15 +40282,22 @@ index 7d3a469..3889dc9 100644 +userdom_use_inherited_user_terminals(zookeeper_t) userdom_dontaudit_search_user_home_dirs(zookeeper_t) - java_exec(zookeeper_t) - --optional_policy(` -- nscd_socket_use(zookeeper_t) --') +-java_exec(zookeeper_t) - + optional_policy(` +- nscd_socket_use(zookeeper_t) ++ java_exec(zookeeper_t) + ') + ######################################## - # - # Hadoop zookeeper server policy. +@@ -437,4 +431,6 @@ miscfiles_read_localization(zookeeper_server_t) + + sysnet_read_config(zookeeper_server_t) + +-java_exec(zookeeper_server_t) ++optional_policy(` ++ java_exec(zookeeper_server_t) ++') diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index c98b0df..3b1a051 100644 --- a/policy/modules/services/hal.fc @@ -39301,7 +40317,7 @@ index c98b0df..3b1a051 100644 /var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if -index 7cf6763..ce32fe5 100644 +index 7cf6763..4a7bc56 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -51,6 +51,7 @@ interface(`hal_read_state',` @@ -39312,7 +40328,18 @@ index 7cf6763..ce32fe5 100644 ps_process_pattern($1, hald_t) ') -@@ -87,7 +88,7 @@ interface(`hal_use_fds',` +@@ -69,7 +70,9 @@ interface(`hal_ptrace',` + type hald_t; + ') + +- allow $1 hald_t:process ptrace; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hald_t:process ptrace; ++ ') + ') + + ######################################## +@@ -87,7 +90,7 @@ interface(`hal_use_fds',` type hald_t; ') @@ -39321,7 +40348,7 @@ index 7cf6763..ce32fe5 100644 ') ######################################## -@@ -105,7 +106,7 @@ interface(`hal_dontaudit_use_fds',` +@@ -105,7 +108,7 @@ interface(`hal_dontaudit_use_fds',` type hald_t; ') 
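Review bot: hal_ptrace now grants ptrace only while deny_ptrace is off, but the interface keeps its unconditional name and its documentation header, which sits above the hunk, says nothing about the tunable. Adding a line to that header such as `## Ptrace hald; granted only when the deny_ptrace boolean is off.` would tell callers that the access is conditional.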
@@ -39330,7 +40357,7 @@ index 7cf6763..ce32fe5 100644 ') ######################################## -@@ -124,7 +125,7 @@ interface(`hal_rw_pipes',` +@@ -124,7 +127,7 @@ interface(`hal_rw_pipes',` type hald_t; ') @@ -39339,7 +40366,7 @@ index 7cf6763..ce32fe5 100644 ') ######################################## -@@ -143,7 +144,7 @@ interface(`hal_dontaudit_rw_pipes',` +@@ -143,7 +146,7 @@ interface(`hal_dontaudit_rw_pipes',` type hald_t; ') @@ -39348,7 +40375,7 @@ index 7cf6763..ce32fe5 100644 ') ######################################## -@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',` +@@ -377,6 +380,25 @@ interface(`hal_read_pid_files',` ######################################## ## @@ -39374,7 +40401,7 @@ index 7cf6763..ce32fe5 100644 ## Read/Write hald PID files. ## ## -@@ -431,3 +451,25 @@ interface(`hal_manage_pid_files',` +@@ -431,3 +453,25 @@ interface(`hal_manage_pid_files',` files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') @@ -39401,7 +40428,7 @@ index 7cf6763..ce32fe5 100644 + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te -index 24c6253..bc08625 100644 +index 24c6253..6fdb0cd 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) 
@@ -39414,6 +40441,15 @@ index 24c6253..bc08625 100644 ######################################## # # Local policy +@@ -61,7 +64,7 @@ files_type(hald_var_lib_t) + + # execute openvt which needs setuid + allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +-dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; ++dontaudit hald_t self:capability sys_tty_config; + allow hald_t self:process { getsched getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; + allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -99,7 +102,7 @@ kernel_read_fs_sysctls(hald_t) kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) @@ -39610,10 +40646,23 @@ index 24c6253..bc08625 100644 optional_policy(` dbus_system_bus_client(hald_dccm_t) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if -index 87b4531..db2d189 100644 +index 87b4531..901d905 100644 --- a/policy/modules/services/hddtemp.if +++ b/policy/modules/services/hddtemp.if -@@ -69,9 +69,5 @@ interface(`hddtemp_admin',` +@@ -60,8 +60,11 @@ interface(`hddtemp_admin',` + type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; + ') + +- allow $1 hddtemp_t:process { ptrace signal_perms }; ++ allow $1 hddtemp_t:process signal_perms; + ps_process_pattern($1, hddtemp_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hddtemp_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) + domain_system_change_exemption($1) +@@ -69,9 +72,5 @@ interface(`hddtemp_admin',` allow $2 system_r; admin_pattern($1, hddtemp_etc_t) @@ -39647,7 +40696,7 @@ index c234b32..6c0a73d 100644 + sysnet_dns_name_resolve(hddtemp_t) +') diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if -index ecab47a..40affd8 100644 +index ecab47a..6ba84cf 100644 --- a/policy/modules/services/icecast.if 
+++ b/policy/modules/services/icecast.if @@ -5,9 +5,9 @@ @@ -39674,15 +40723,19 @@ index ecab47a..40affd8 100644 ## # interface(`icecast_append_log',` -@@ -173,6 +173,7 @@ interface(`icecast_admin',` +@@ -173,7 +173,11 @@ interface(`icecast_admin',` type icecast_t, icecast_initrc_exec_t; ') -+ allow $1 icecast_t:process { ptrace signal_perms }; ++ allow $1 icecast_t:process signal_perms; ps_process_pattern($1, icecast_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 icecast_t:process ptrace; ++ ') # Allow icecast_t to restart the apache service -@@ -182,7 +183,5 @@ interface(`icecast_admin',` + icecast_initrc_domtrans($1) +@@ -182,7 +186,5 @@ interface(`icecast_admin',` allow $2 system_r; icecast_manage_pid_files($1) @@ -39691,7 +40744,7 @@ index ecab47a..40affd8 100644 - ') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te -index fdb7e9a..1c02a45 100644 +index fdb7e9a..17ed705 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te @@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0) @@ -39718,9 +40771,14 @@ index fdb7e9a..1c02a45 100644 manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +@@ -39,7 +47,18 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) + kernel_read_system_state(icecast_t) ++dev_read_sysfs(icecast_t) ++dev_read_urand(icecast_t) ++dev_read_rand(icecast_t) ++ corenet_tcp_bind_soundd_port(icecast_t) +corenet_tcp_connect_soundd_port(icecast_t) + @@ -39733,7 +40791,7 @@ index fdb7e9a..1c02a45 100644 # Init script handling domain_use_interactive_fds(icecast_t) diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if -index dfb4232..7665429 100644 +index dfb4232..fa1b91d 100644 --- a/policy/modules/services/ifplugd.if +++ b/policy/modules/services/ifplugd.if @@ -5,9 +5,9 @@ 
@@ -39748,7 +40806,7 @@ index dfb4232..7665429 100644 ## # interface(`ifplugd_domtrans',` -@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',` +@@ -113,11 +113,11 @@ interface(`ifplugd_read_pid_files',` # interface(`ifplugd_admin',` gen_require(` @@ -39758,9 +40816,13 @@ index dfb4232..7665429 100644 + type ifplugd_initrc_exec_t; ') - allow $1 ifplugd_t:process { ptrace signal_perms }; +- allow $1 ifplugd_t:process { ptrace signal_perms }; ++ allow $1 ifplugd_t:process signal_perms; + ps_process_pattern($1, ifplugd_t) + + init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te -index 978c32f..81c5ca2 100644 +index 978c32f..9bf1f1e 100644 --- a/policy/modules/services/ifplugd.te +++ b/policy/modules/services/ifplugd.te @@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t) @@ -39772,6 +40834,15 @@ index 978c32f..81c5ca2 100644 type ifplugd_initrc_exec_t; init_script_file(ifplugd_initrc_exec_t) +@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t) + # + + allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; +-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; ++dontaudit ifplugd_t self:capability sys_tty_config; + allow ifplugd_t self:process { signal signull }; + allow ifplugd_t self:fifo_file rw_fifo_file_perms; + allow ifplugd_t self:tcp_socket create_stream_socket_perms; @@ -54,7 +54,7 @@ corecmd_exec_bin(ifplugd_t) # reading of hardware information dev_read_sysfs(ifplugd_t) @@ -39902,7 +40973,7 @@ index 8ca038d..8507ee2 100644 /var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0) diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if -index ebc9e0d..a0c625d 100644 +index ebc9e0d..617f52f 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -13,7 +13,7 @@ 
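Review bot: ifplugd_admin drops ptrace without the deny_ptrace tunable block that every other admin interface in this patch receives (ddclient, denyhosts, dhcpd, dictd and so on), so here the permission is removed unconditionally rather than made tunable. Unless that is intended, a `tunable_policy` block guarding `allow $1 ifplugd_t:process ptrace;` belongs after `ps_process_pattern($1, ifplugd_t)`, matching the three-line form used in the neighbouring interfaces. The interface's closing `')` lies outside the hunk.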
@@ -39938,7 +41009,7 @@ index ebc9e0d..a0c625d 100644 allow $1 news_spool_t:dir list_dir_perms; allow $1 news_spool_t:file read_file_perms; allow $1 news_spool_t:lnk_file read_lnk_file_perms; -@@ -195,8 +198,8 @@ interface(`inn_domtrans',` +@@ -195,12 +198,15 @@ interface(`inn_domtrans',` interface(`inn_admin',` gen_require(` type innd_t, innd_etc_t, innd_log_t; @@ -39948,7 +41019,15 @@ index ebc9e0d..a0c625d 100644 + type innd_initrc_exec_t; ') - allow $1 innd_t:process { ptrace signal_perms }; +- allow $1 innd_t:process { ptrace signal_perms }; ++ allow $1 innd_t:process signal_perms; + ps_process_pattern($1, innd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 innd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, innd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index 9fab1dc..2462aa7 100644 --- a/policy/modules/services/inn.te @@ -40045,16 +41124,15 @@ index 4c9acec..9a9ca2a 100644 + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if -index 9878499..81fcd0f 100644 +index 9878499..8643cd3 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if -@@ -1,8 +1,109 @@ +@@ -1,8 +1,71 @@ ## Jabber instant messaging server -######################################## +##################################### - ## --## Connect to jabber over a TCP socket (Deprecated) ++## +## Creates types and rules for a basic +## jabber init daemon domain. +## 
@@ -40117,15 +41195,18 @@ index 9878499..81fcd0f 100644 +') + +####################################### -+## + ## +-## Connect to jabber over a TCP socket (Deprecated) +## Read jabberd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -10,8 +73,51 @@ + ## + ## + # +-interface(`jabber_tcp_connect',` +- refpolicywarn(`$0($*) has been deprecated.') +interface(`jabberd_read_lib_files',` + gen_require(` + type jabberd_var_lib_t; @@ -40157,15 +41238,13 @@ index 9878499..81fcd0f 100644 +## +## Create, read, write, and delete +## jabberd lib files. - ## - ## - ## -@@ -10,8 +111,13 @@ - ## - ## - # --interface(`jabber_tcp_connect',` -- refpolicywarn(`$0($*) has been deprecated.') ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`jabberd_manage_lib_files',` + gen_require(` + type jabberd_var_lib_t; @@ -40176,7 +41255,7 @@ index 9878499..81fcd0f 100644 ') ######################################## -@@ -33,24 +139,21 @@ interface(`jabber_tcp_connect',` +@@ -33,24 +139,25 @@ interface(`jabber_tcp_connect',` # interface(`jabber_admin',` gen_require(` @@ -40186,12 +41265,17 @@ index 9878499..81fcd0f 100644 + type jabberd_initrc_exec_t, jabberd_router_t; ') - allow $1 jabberd_t:process { ptrace signal_perms }; +- allow $1 jabberd_t:process { ptrace signal_perms }; ++ allow $1 jabberd_t:process signal_perms; ps_process_pattern($1, jabberd_t) - -+ allow $1 jabberd_router_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, jabberd_router_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 jabberd_t:process ptrace; ++ allow $1 jabberd_router_t:process ptrace; ++ ') + ++ allow $1 jabberd_router_t:process signal_perms; ++ ps_process_pattern($1, jabberd_router_t) + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; 
@@ -40440,7 +41524,7 @@ index 3525d24..033de90 100644 +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..1b608a7 100644 +index 604f67b..91ef376 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -40560,7 +41644,7 @@ index 604f67b..1b608a7 100644 ## All of the rules required to administrate ## an kerberos environment ## -@@ -338,9 +336,8 @@ interface(`kerberos_admin',` +@@ -338,18 +336,22 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -40570,8 +41654,25 @@ index 604f67b..1b608a7 100644 - type kpropd_t; ') - allow $1 kadmind_t:process { ptrace signal_perms }; -@@ -378,3 +375,109 @@ interface(`kerberos_admin',` +- allow $1 kadmind_t:process { ptrace signal_perms }; ++ allow $1 kadmind_t:process signal_perms; + ps_process_pattern($1, kadmind_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kadmind_t:process ptrace; ++ allow $1 krb5kdc_t:process ptrace; ++ allow $1 kpropd_t:process ptrace; ++ ') + +- allow $1 krb5kdc_t:process { ptrace signal_perms }; ++ allow $1 krb5kdc_t:process signal_perms; + ps_process_pattern($1, krb5kdc_t) + +- allow $1 kpropd_t:process { ptrace signal_perms }; ++ allow $1 kpropd_t:process signal_perms; + ps_process_pattern($1, kpropd_t) + + init_labeled_script_domtrans($1, kerberos_initrc_exec_t) +@@ -378,3 +380,109 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -40832,7 +41933,7 @@ index 8edc29b..92dde2c 100644 ') diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if -index 835b16b..dd32883 100644 +index 835b16b..a0f9bc6 100644 --- a/policy/modules/services/kerneloops.if 
+++ b/policy/modules/services/kerneloops.if @@ -5,15 +5,14 @@ @@ -40854,7 +41955,7 @@ index 835b16b..dd32883 100644 ') domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) -@@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',` +@@ -99,17 +98,20 @@ interface(`kerneloops_manage_tmp_files',` # interface(`kerneloops_admin',` gen_require(` @@ -40863,8 +41964,15 @@ index 835b16b..dd32883 100644 + type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; ') - allow $1 kerneloops_t:process { ptrace signal_perms }; -@@ -111,5 +109,6 @@ interface(`kerneloops_admin',` +- allow $1 kerneloops_t:process { ptrace signal_perms }; ++ allow $1 kerneloops_t:process signal_perms; + ps_process_pattern($1, kerneloops_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kerneloops_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 kerneloops_initrc_exec_t system_r; allow $2 system_r; @@ -40967,7 +42075,7 @@ index 9c0c835..8360166 100644 + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if -index 6fd0b4c..b733e45 100644 +index 6fd0b4c..5024e1e 100644 --- a/policy/modules/services/ksmtuned.if +++ b/policy/modules/services/ksmtuned.if @@ -5,9 +5,9 @@ @@ -40982,7 +42090,7 @@ index 6fd0b4c..b733e45 100644 ## # interface(`ksmtuned_domtrans',` -@@ -55,12 +55,11 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` 
@@ -40991,20 +42099,24 @@ index 6fd0b4c..b733e45 100644 + type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ') - allow $1 ksmtuned_t:process { ptrace signal_perms }; +- allow $1 ksmtuned_t:process { ptrace signal_perms }; - ps_process_pattern(ksmtumed_t) ++ allow $1 ksmtuned_t:process signal_perms; + ps_process_pattern($1, ksmtuned_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ksmtuned_t:process ptrace; ++ ') files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) -@@ -70,5 +69,4 @@ interface(`ksmtuned_admin',` +@@ -70,5 +72,4 @@ interface(`ksmtuned_admin',` domain_system_change_exemption($1) role_transition $2 ksmtuned_initrc_exec_t system_r; allow $2 system_r; - ') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te -index a73b7a1..2fcd590 100644 +index a73b7a1..d845f46 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -9,6 +9,9 @@ type ksmtuned_t; @@ -41017,8 +42129,12 @@ index a73b7a1..2fcd590 100644 type ksmtuned_initrc_exec_t; init_script_file(ksmtuned_initrc_exec_t) -@@ -23,6 +26,10 @@ files_pid_file(ksmtuned_var_run_t) - allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; +@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t) + # ksmtuned local policy + # + +-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; ++allow ksmtuned_t self:capability sys_tty_config; allow ksmtuned_t self:fifo_file rw_file_perms; +manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) @@ -41080,10 +42196,10 @@ index 0000000..76d879e + diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if new file mode 100644 -index 0000000..5783d58 +index 0000000..c8b246f --- /dev/null +++ b/policy/modules/services/l2tpd.if -@@ -0,0 +1,115 @@ +@@ -0,0 +1,118 @@ + +## policy for l2tpd + 
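Review bot: The daemon-side change `allow ksmtuned_t self:capability sys_tty_config;` drops `sys_ptrace` unconditionally, while the `ksmtuned_admin` change in the same hunk keeps ptrace behind `deny_ptrace`; the removed allow suggests the daemon exercised that capability at some point, so with the boolean off (the default) this reads as a functional regression rather than a hardening. If the capability is known to be unused, a one-line comment saying so would justify the drop; otherwise gate it like the admin side: `tunable_policy(`deny_ptrace',`',` allow ksmtuned_t self:capability sys_ptrace; ')`. The fix of `ps_process_pattern(ksmtumed_t)` to `ps_process_pattern($1, ksmtuned_t)` in the same hunk is correct and overdue.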
@@ -41187,8 +42303,11 @@ index 0000000..5783d58 + type l2tpd_var_run_t; + ') + -+ allow $1 l2tpd_t:process { ptrace signal_perms }; ++ allow $1 l2tpd_t:process signal_perms; + ps_process_pattern($1, l2tpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 l2tpd_t:process ptrace; ++ ') + + l2tpd_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -41283,7 +42402,7 @@ index c62f23e..f8a4301 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..40b10fa 100644 +index 3aa8fa7..21b3ecd 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -1,5 +1,64 @@ @@ -41387,7 +42506,20 @@ index 3aa8fa7..40b10fa 100644 ') ######################################## -@@ -110,6 +187,7 @@ interface(`ldap_admin',` +@@ -97,8 +174,11 @@ interface(`ldap_admin',` + type slapd_initrc_exec_t; + ') + +- allow $1 slapd_t:process { ptrace signal_perms }; ++ allow $1 slapd_t:process signal_perms; + ps_process_pattern($1, slapd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 slapd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -110,6 +190,7 @@ interface(`ldap_admin',` admin_pattern($1, slapd_lock_t) @@ -41395,7 +42527,7 @@ index 3aa8fa7..40b10fa 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -117,4 +195,6 @@ interface(`ldap_admin',` +@@ -117,4 +198,6 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) 
@@ -41518,6 +42650,23 @@ index 49e04e5..69db026 100644 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) +diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if +index 418cc81..cdb2561 100644 +--- a/policy/modules/services/lircd.if ++++ b/policy/modules/services/lircd.if +@@ -80,8 +80,11 @@ interface(`lircd_admin',` + type lircd_initrc_exec_t, lircd_etc_t; + ') + +- allow $1 lircd_t:process { ptrace signal_perms }; ++ allow $1 lircd_t:process signal_perms; + ps_process_pattern($1, lircd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 lircd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, lircd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te index 6a78de1..8db7d14 100644 --- a/policy/modules/services/lircd.te @@ -41578,10 +42727,10 @@ index 0000000..83a4348 +/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0) diff --git a/policy/modules/services/lldpad.if b/policy/modules/services/lldpad.if new file mode 100644 -index 0000000..9d1bac3 +index 0000000..6550968 --- /dev/null +++ b/policy/modules/services/lldpad.if -@@ -0,0 +1,198 @@ +@@ -0,0 +1,201 @@ + +## policy for lldpad + @@ -41764,8 +42913,11 @@ index 0000000..9d1bac3 + type lldpad_var_run_t; + ') + -+ allow $1 lldpad_t:process { ptrace signal_perms }; ++ allow $1 lldpad_t:process signal_perms; + ps_process_pattern($1, lldpad_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 lldpad_t:process ptrace; ++ ') + + lldpad_initrc_domtrans($1) + domain_system_change_exemption($1) 
@@ -41858,8 +43010,17 @@ index 0000000..b7f4268 +optional_policy(` + fcoemon_dgram_send(lldpad_t) +') +diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc +index 5c9eb68..ca4fd2b 100644 +--- a/policy/modules/services/lpd.fc ++++ b/policy/modules/services/lpd.fc +@@ -35,3 +35,4 @@ + /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) + /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) + /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) ++/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if -index a4f32f5..ea7dca0 100644 +index a4f32f5..32824fb 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if @@ -14,6 +14,7 @@ @@ -41870,16 +43031,19 @@ index a4f32f5..ea7dca0 100644 # interface(`lpd_role',` gen_require(` -@@ -27,7 +28,7 @@ interface(`lpd_role',` +@@ -27,7 +28,10 @@ interface(`lpd_role',` dontaudit lpr_t $2:unix_stream_socket { read write }; ps_process_pattern($2, lpr_t) - allow $2 lpr_t:process signull; -+ allow $2 lpr_t:process { ptrace signal_perms }; ++ allow $2 lpr_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 lpr_t:process ptrace; ++ ') optional_policy(` cups_read_config($2) -@@ -153,7 +154,7 @@ interface(`lpd_relabel_spool',` +@@ -153,7 +157,7 @@ interface(`lpd_relabel_spool',` ') files_search_spool($1) @@ -41888,7 +43052,7 @@ index a4f32f5..ea7dca0 100644 ') ######################################## -@@ -186,7 +187,7 @@ interface(`lpd_read_config',` +@@ -186,7 +190,7 @@ interface(`lpd_read_config',` ## ## # @@ -42179,10 +43343,10 @@ index 0000000..827e22e +/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0) diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if new file mode 100644 -index 0000000..39c12cb +index 0000000..bd1d48e 
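Review bot: The new file-context entry `/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)` labels a spool tree with the pid-file type, whereas the neighbouring spool entries (`/var/spool/lpd`, `/var/spool/cups-pdf`) use `print_spool_t` and `lpd_var_run_t` is otherwise only used under `/var/run/lprng`. Unless turboprint really keeps nothing but runtime sockets and pid files there, job data would carry `lpd_var_run_t` and be governed by the pid-file rules instead of the spool rules; `print_spool_t` with the same `mls_systemhigh` level looks like the intended type, i.e. `/var/spool/turboprint(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)`. If `lpd_var_run_t` is deliberate, a one-line comment above the entry naming what turboprint stores there would stop the next reader from "fixing" it.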
--- /dev/null +++ b/policy/modules/services/mailscanner.if -@@ -0,0 +1,58 @@ +@@ -0,0 +1,61 @@ +## E-mail security and anti-spam package for e-mail gateway systems. + +######################################## @@ -42232,8 +43396,11 @@ index 0000000..39c12cb + role_transition $2 mscan_initrc_exec_t system_r; + allow $2 system_r; + -+ allow $1 mscan_t:process { ptrace signal_perms }; ++ allow $1 mscan_t:process signal_perms; + ps_process_pattern($1, mscan_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mscan_t:process ptrace; ++ ') + + admin_pattern($1, mscan_etc_t) + files_list_etc($1) @@ -42628,10 +43795,10 @@ index 0000000..0d771fd +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..215407c +index 0000000..372ed05 --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,97 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -42659,9 +43826,6 @@ index 0000000..215407c +# +# matahari_hostd local policy +# -+ -+allow matahari_hostd_t self:capability sys_ptrace; -+ +kernel_read_network_state(matahari_hostd_t) + +dev_read_sysfs(matahari_hostd_t) @@ -42778,7 +43942,7 @@ index 98d28b4..1c1d012 100644 + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if -index db4fd6f..5008a6c 100644 +index db4fd6f..ce07b3f 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if @@ -5,15 +5,14 @@ @@ -42800,7 +43964,7 @@ index db4fd6f..5008a6c 100644 ') domtrans_pattern($1, memcached_exec_t, memcached_t) -@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',` +@@ -57,17 +56,20 @@ interface(`memcached_read_pid_files',` # interface(`memcached_admin',` gen_require(` 
@@ -42809,8 +43973,15 @@ index db4fd6f..5008a6c 100644 + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') - allow $1 memcached_t:process { ptrace signal_perms }; -@@ -69,5 +67,6 @@ interface(`memcached_admin',` +- allow $1 memcached_t:process { ptrace signal_perms }; ++ allow $1 memcached_t:process signal_perms; + ps_process_pattern($1, memcached_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 memcached_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, memcached_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 memcached_initrc_exec_t system_r; allow $2 system_r; @@ -43039,10 +44210,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..0615cc5 +index 0000000..1d76fb8 --- /dev/null +++ b/policy/modules/services/mock.if -@@ -0,0 +1,306 @@ +@@ -0,0 +1,313 @@ +## policy for mock + +######################################## @@ -43290,7 +44461,10 @@ index 0000000..0615cc5 + mock_run($2, $1) + + ps_process_pattern($2, mock_t) -+ allow $2 mock_t:process { ptrace signal_perms }; ++ allow $2 mock_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 mock_t:process ptrace; ++ ') +') + +####################################### @@ -43334,10 +44508,14 @@ index 0000000..0615cc5 + type mock_build_t, mock_etc_t, mock_tmp_t; + ') + -+ allow $1 mock_t:process { ptrace signal_perms }; ++ allow $1 mock_t:process signal_perms; + ps_process_pattern($1, mock_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mock_t:process ptrace; ++ allow $1 mock_build_t:process ptrace; ++ ') + -+ allow $1 mock_build_t:process { ptrace signal_perms }; ++ allow $1 mock_build_t:process signal_perms; + ps_process_pattern($1, mock_build_t) + + files_list_var_lib($1) @@ -43351,7 +44529,7 @@ index 0000000..0615cc5 +') 
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 -index 0000000..b7e5bcc +index 0000000..b1107b5 --- /dev/null +++ b/policy/modules/services/mock.te @@ -0,0 +1,250 @@ @@ -43398,7 +44576,7 @@ index 0000000..b7e5bcc +# mock local policy +# + -+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment +allow mock_t self:process { execmem execstack }; @@ -43521,7 +44699,7 @@ index 0000000..b7e5bcc +# +# mock_build local policy +# -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; +dontaudit mock_build_t self:capability audit_write; +allow mock_build_t self:process { fork setsched setpgid signal_perms }; +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; @@ -43664,10 +44842,10 @@ index b3ace16..6c9f30c 100644 optional_policy(` udev_read_db(modemmanager_t) diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if -index 657a9fc..88e7330 100644 +index 657a9fc..0b9bf04 100644 --- a/policy/modules/services/mojomojo.if +++ b/policy/modules/services/mojomojo.if -@@ -19,18 +19,20 @@ +@@ -19,18 +19,23 @@ # interface(`mojomojo_admin',` gen_require(` 
@@ -43680,16 +44858,20 @@ index 657a9fc..88e7330 100644 + type httpd_mojomojo_script_exec_t; ') - allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; +- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; ++ allow $1 httpd_mojomojo_script_t:process signal_perms; ps_process_pattern($1, httpd_mojomojo_script_t) - -- files_search_var_lib(httpd_mojomojo_script_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 httpd_mojomo_script_t:process ptrace; ++ ') ++ + files_list_tmp($1) + admin_pattern($1, httpd_mojomojo_tmp_t) -- apache_search_sys_content($1) +- files_search_var_lib(httpd_mojomojo_script_t) + files_list_var_lib(httpd_mojomojo_script_t) -+ + +- apache_search_sys_content($1) + apache_list_sys_content($1) admin_pattern($1, httpd_mojomojo_script_exec_t) admin_pattern($1, httpd_mojomojo_script_t) @@ -43719,6 +44901,23 @@ index 83f002c..ed69996 100644 corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) +diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if +index d72276f..cb8c563 100644 +--- a/policy/modules/services/mpd.if ++++ b/policy/modules/services/mpd.if +@@ -244,8 +244,11 @@ interface(`mpd_admin',` + type mpd_tmpfs_t; + ') + +- allow $1 mpd_t:process { ptrace signal_perms }; ++ allow $1 mpd_t:process signal_perms; + ps_process_pattern($1, mpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mpd_t:process ptrace; ++ ') + + mpd_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te index 7f68872..e4ac35e 100644 --- a/policy/modules/services/mpd.te @@ -44258,7 +45457,7 @@ index 343cee3..e5519fd 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..c84e80f 100644 +index 64268e4..65fd01f 100644 
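Review bot: The type inside the new `tunable_policy` block in `mojomojo_admin` is misspelled: `allow $1 httpd_mojomo_script_t:process ptrace;` names `httpd_mojomo_script_t`, which is declared nowhere (the `gen_require` above only lists `httpd_mojomojo_script_t`), so any module calling `mojomojo_admin` will fail to compile on an undeclared type. Change it to `allow $1 httpd_mojomojo_script_t:process ptrace;`. While here, the context line `files_list_var_lib(httpd_mojomojo_script_t)` grants the listing to the script domain rather than to the admin `$1`, which is presumably what an admin interface means to do, so `files_list_var_lib($1)` looks like the intended call. The interface body continues past the end of the hunk.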
--- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -44505,7 +45704,7 @@ index 64268e4..c84e80f 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +316,46 @@ optional_policy(` +@@ -292,3 +316,47 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -44519,6 +45718,7 @@ index 64268e4..c84e80f 100644 +allow user_mail_domain mta_exec_type:file entrypoint; + +append_files_pattern(user_mail_domain, mail_home_t, mail_home_t) ++read_files_pattern(user_mail_domain, mail_home_t, mail_home_t) + +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) + @@ -44573,7 +45773,7 @@ index fd71d69..bf90863 100644 /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if -index c358d8f..fec6a97 100644 +index c358d8f..7c097ec 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -13,10 +13,11 @@ @@ -44650,7 +45850,7 @@ index c358d8f..fec6a97 100644 ####################################### ## ## Append to the munin log. -@@ -172,8 +180,7 @@ interface(`munin_admin',` +@@ -172,12 +180,14 @@ interface(`munin_admin',` gen_require(` type munin_t, munin_etc_t, munin_tmp_t; type munin_log_t, munin_var_lib_t, munin_var_run_t; @@ -44659,9 +45859,17 @@ index c358d8f..fec6a97 100644 + type httpd_munin_content_t, munin_initrc_exec_t; ') - allow $1 munin_t:process { ptrace signal_perms }; +- allow $1 munin_t:process { ptrace signal_perms }; ++ allow $1 munin_t:process signal_perms; + ps_process_pattern($1, munin_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 munin_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, munin_initrc_exec_t) + domain_system_change_exemption($1) 
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..6b17513 100644 +index f17583b..9850f4d 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -44778,15 +45986,16 @@ index f17583b..6b17513 100644 ') optional_policy(` -@@ -245,6 +253,7 @@ optional_policy(` +@@ -245,6 +253,8 @@ optional_policy(` # local policy for service plugins # ++allow services_munin_plugin_t self:shm create_sem_perms; +allow services_munin_plugin_t self:sem create_sem_perms; allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +264,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -44801,7 +46010,7 @@ index f17583b..6b17513 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +292,10 @@ optional_policy(` +@@ -286,6 +293,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -44812,7 +46021,7 @@ index f17583b..6b17513 100644 ################################## # # local policy for system plugins -@@ -295,13 +305,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -44829,7 +46038,7 @@ index f17583b..6b17513 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +322,31 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) 
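Review bot: `allow services_munin_plugin_t self:shm create_sem_perms;` applies the semaphore permission set to the `shm` class; the shm class has its own set, `create_shm_perms`, and the line reads like a copy of the `self:sem create_sem_perms` line directly below it. It compiles only because the two classes share the common ipc permissions, so any shm-specific permission the plugin needs (`lock`, for instance) is silently missing and will surface as an AVC later; write `allow services_munin_plugin_t self:shm create_shm_perms;`.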
@@ -44862,7 +46071,7 @@ index f17583b..6b17513 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..14af30a 100644 +index e9c0982..ac7e846 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -18,6 +18,24 @@ interface(`mysql_domtrans',` @@ -44963,7 +46172,7 @@ index e9c0982..14af30a 100644 ##################################### ## ## Read MySQL PID files. -@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',` +@@ -329,27 +384,35 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` @@ -44976,8 +46185,15 @@ index e9c0982..14af30a 100644 + type mysqld_etc_t; ') - allow $1 mysqld_t:process { ptrace signal_perms }; -@@ -343,13 +397,19 @@ interface(`mysql_admin',` +- allow $1 mysqld_t:process { ptrace signal_perms }; ++ allow $1 mysqld_t:process signal_perms; + ps_process_pattern($1, mysqld_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mysqld_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, mysqld_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; @@ -44998,7 +46214,7 @@ index e9c0982..14af30a 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..91de41a 100644 +index 0a0d63c..d19d2d2 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) 
@@ -45057,15 +46273,16 @@ index 0a0d63c..91de41a 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,6 +159,7 @@ optional_policy(` +@@ -154,7 +158,7 @@ optional_policy(` + # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; - dontaudit mysqld_safe_t self:capability sys_ptrace; +-dontaudit mysqld_safe_t self:capability sys_ptrace; +allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,21 +179,27 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -45238,7 +46455,7 @@ index 1fc9905..1d05c60 100644 -/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) +/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if -index 8581040..2367841 100644 +index 8581040..039bfa0 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if @@ -12,10 +12,8 @@ @@ -45313,7 +46530,7 @@ index 8581040..2367841 100644 ## Execute the nagios NRPE with ## a domain transition. ## -@@ -195,11 +220,9 @@ interface(`nagios_domtrans_nrpe',` +@@ -195,15 +220,16 @@ interface(`nagios_domtrans_nrpe',` # interface(`nagios_admin',` gen_require(` @@ -45327,7 +46544,15 @@ index 8581040..2367841 100644 + type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') - allow $1 nagios_t:process { ptrace signal_perms }; +- allow $1 nagios_t:process { ptrace signal_perms }; ++ allow $1 nagios_t:process signal_perms; + ps_process_pattern($1, nagios_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 nagios_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) 
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index bf64a4c..1147e19 100644 --- a/policy/modules/services/nagios.te @@ -45683,7 +46908,7 @@ index 2324d9e..8666a3c 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..c985b07 100644 +index 0619395..e5fb258 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) 
@@ -45702,18 +46927,24 @@ index 0619395..c985b07 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -35,16 +44,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -35,16 +44,25 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; - dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++dontaudit NetworkManager_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit NetworkManager_t self:capability sys_module; +') - allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; ++allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; ++tunable_policy(`deny_ptrace',`',` ++ allow NetworkManager_t self:process ptrace; ++') ++ allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; 
@@ -45726,7 +46957,7 @@ index 0619395..c985b07 100644 allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -52,9 +66,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; +@@ -52,9 +70,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; can_exec(NetworkManager_t, NetworkManager_exec_t) @@ -45747,7 +46978,7 @@ index 0619395..c985b07 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t) +@@ -100,6 +129,7 @@ dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) @@ -45755,7 +46986,7 @@ index 0619395..c985b07 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,7 +143,7 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) @@ -45764,7 +46995,7 @@ index 0619395..c985b07 100644 files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) -@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t) +@@ -133,30 +163,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) 
@@ -45804,19 +47035,14 @@ index 0619395..c985b07 100644 ') optional_policy(` -@@ -172,14 +205,21 @@ optional_policy(` +@@ -176,10 +213,17 @@ optional_policy(` ') optional_policy(` -- consoletype_exec(NetworkManager_t) -+ consoletype_domtrans(NetworkManager_t) ++ cron_read_system_job_lib_files(NetworkManager_t) +') + +optional_policy(` -+ cron_read_system_job_lib_files(NetworkManager_t) - ') - - optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + init_dbus_chat(NetworkManager_t) @@ -45827,7 +47053,7 @@ index 0619395..c985b07 100644 ') ') -@@ -191,6 +231,7 @@ optional_policy(` +@@ -191,6 +235,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -45835,7 +47061,7 @@ index 0619395..c985b07 100644 ') optional_policy(` -@@ -202,23 +243,45 @@ optional_policy(` +@@ -202,23 +247,45 @@ optional_policy(` ') optional_policy(` @@ -45881,7 +47107,7 @@ index 0619395..c985b07 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -241,6 +304,7 @@ optional_policy(` +@@ -241,6 +308,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -45889,7 +47115,7 @@ index 0619395..c985b07 100644 ') optional_policy(` -@@ -263,6 +327,7 @@ optional_policy(` +@@ -263,6 +331,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -45930,7 +47156,7 @@ index 15448d5..3587f6a 100644 +/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..2214d71 100644 +index abe3f7f..d3595cf 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` 
@@ -46040,7 +47266,7 @@ index abe3f7f..2214d71 100644 ## All of the rules required to administrate ## an nis environment ## -@@ -354,10 +384,10 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -354,22 +384,28 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -46052,8 +47278,30 @@ index abe3f7f..2214d71 100644 + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; ') - allow $1 ypbind_t:process { ptrace signal_perms }; -@@ -384,6 +414,7 @@ interface(`nis_admin',` +- allow $1 ypbind_t:process { ptrace signal_perms }; ++ allow $1 ypbind_t:process signal_perms; + ps_process_pattern($1, ypbind_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ypbind_t:process ptrace; ++ allow $1 yppasswdd_t:process ptrace; ++ allow $1 ypserv_t:process ptrace; ++ allow $1 ypxfr_t:process ptrace; ++ ') + +- allow $1 yppasswdd_t:process { ptrace signal_perms }; ++ allow $1 yppasswdd_t:process signal_perms; + ps_process_pattern($1, yppasswdd_t) + +- allow $1 ypserv_t:process { ptrace signal_perms }; ++ allow $1 ypserv_t:process signal_perms; + ps_process_pattern($1, ypserv_t) + +- allow $1 ypxfr_t:process { ptrace signal_perms }; ++ allow $1 ypxfr_t:process signal_perms; + ps_process_pattern($1, ypxfr_t) + + nis_initrc_domtrans($1) +@@ -384,6 +420,7 @@ interface(`nis_admin',` files_list_pids($1) admin_pattern($1, ypbind_var_run_t) @@ -46061,7 +47309,7 @@ index abe3f7f..2214d71 100644 admin_pattern($1, yppasswdd_var_run_t) -@@ -393,4 +424,5 @@ interface(`nis_admin',` +@@ -393,4 +430,5 @@ interface(`nis_admin',` admin_pattern($1, ypserv_tmp_t) admin_pattern($1, ypserv_var_run_t) @@ -46503,7 +47751,7 @@ index 0000000..49acffa +') + diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if -index 85188dc..56dd1f0 100644 +index 85188dc..0a96e14 100644 --- a/policy/modules/services/nscd.if +++ b/policy/modules/services/nscd.if @@ -116,7 +116,26 @@ interface(`nscd_socket_use',` 
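Review bot: In `nis_admin` the new `tunable_policy(`deny_ptrace',`',` block is inserted directly after `ps_process_pattern($1, ypbind_t)` yet gates ptrace for yppasswdd_t, ypserv_t and ypxfr_t, whose `signal_perms` rules only follow below it, so each daemon's rules are no longer grouped together; moving the block after `ps_process_pattern($1, ypxfr_t)` would keep the per-domain grouping and let the four allows read as one exception. The same placement appears in the `postfix_admin`, `ppp_admin` and `prelude_admin` hunks further down. Because this is a conditional inside an interface, a caller that invokes the interface from within another `tunable_policy` block would produce a nested conditional, which as far as I know the kernel policy language rejects; a comment such as `# ptrace of the nis daemons is an exception gated by deny_ptrace; do not call this interface from inside another tunable block` would record that constraint for callers.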
@@ -46599,7 +47847,20 @@ index 85188dc..56dd1f0 100644 ## All of the rules required to administrate ## an nscd environment ## -@@ -288,4 +334,6 @@ interface(`nscd_admin',` +@@ -275,8 +321,11 @@ interface(`nscd_admin',` + type nscd_initrc_exec_t; + ') + +- allow $1 nscd_t:process { ptrace signal_perms }; ++ allow $1 nscd_t:process signal_perms; + ps_process_pattern($1, nscd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 nscd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, nscd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -288,4 +337,6 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -46607,7 +47868,7 @@ index 85188dc..56dd1f0 100644 + nscd_systemctl($1) ') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te -index 7936e09..812f966 100644 +index 7936e09..2f6a98f 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,9 +1,16 @@ @@ -46638,15 +47899,6 @@ index 7936e09..812f966 100644 type nscd_log_t; logging_log_file(nscd_log_t) -@@ -30,7 +40,7 @@ logging_log_file(nscd_log_t) - # Local policy - # - --allow nscd_t self:capability { kill setgid setuid }; -+allow nscd_t self:capability { kill setgid setuid sys_ptrace }; - dontaudit nscd_t self:capability sys_tty_config; - allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; - allow nscd_t self:fifo_file read_fifo_file_perms; @@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat }; allow nscd_t nscd_log_t:file manage_file_perms; logging_log_filetrans(nscd_t, nscd_log_t, file) @@ -46697,7 +47949,7 @@ index 7936e09..812f966 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if -index 23c769c..be5a5b4 100644 +index 23c769c..549d7f8 100644 --- a/policy/modules/services/nslcd.if +++ b/policy/modules/services/nslcd.if @@ -5,9 +5,9 @@ 
@@ -46712,7 +47964,7 @@ index 23c769c..be5a5b4 100644 ## # interface(`nslcd_domtrans',` -@@ -93,8 +93,8 @@ interface(`nslcd_stream_connect',` +@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',` # interface(`nslcd_admin',` gen_require(` @@ -46723,7 +47975,15 @@ index 23c769c..be5a5b4 100644 ') ps_process_pattern($1, nslcd_t) -@@ -106,9 +106,9 @@ interface(`nslcd_admin',` +- allow $1 nslcd_t:process { ptrace signal_perms }; ++ allow $1 nslcd_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 nslcd_t:process ptrace; ++ ') + + # Allow nslcd_t to restart the apache service + nslcd_initrc_domtrans($1) +@@ -106,9 +109,9 @@ interface(`nslcd_admin',` role_transition $2 nslcd_initrc_exec_t system_r; allow $2 system_r; @@ -46800,7 +48060,7 @@ index e79dccc..50202ef 100644 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..9e9091c 100644 +index e80f8c0..3d17408 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',` @@ -46878,7 +48138,7 @@ index e80f8c0..9e9091c 100644 ## All of the rules required to administrate ## an ntp environment ## -@@ -140,11 +201,10 @@ interface(`ntp_rw_shm',` +@@ -140,12 +201,14 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -46888,11 +48148,15 @@ index e80f8c0..9e9091c 100644 ') - allow $1 ntpd_t:process { ptrace signal_perms getattr }; -+ allow $1 ntpd_t:process { ptrace signal_perms }; ++ allow $1 ntpd_t:process signal_perms; ps_process_pattern($1, ntpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ntpd_t:process ptrace; ++ ') init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -@@ -162,4 +222,6 @@ interface(`ntp_admin',` + domain_system_change_exemption($1) +@@ -162,4 +225,6 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) 
@@ -47193,7 +48457,7 @@ index cadfc63..c8f4d64 100644 +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if -index bb4fae5..b1b5e51 100644 +index bb4fae5..044486c 100644 --- a/policy/modules/services/oident.if +++ b/policy/modules/services/oident.if @@ -18,7 +18,7 @@ @@ -47223,7 +48487,7 @@ index bb4fae5..b1b5e51 100644 gen_require(` type oidentd_home_t; ') -@@ -66,3 +66,37 @@ interface(`oident_relabel_user_content', ` +@@ -66,3 +66,40 @@ interface(`oident_relabel_user_content', ` allow $1 oidentd_home_t:file relabel_file_perms; userdom_search_user_home_dirs($1) ') @@ -47250,8 +48514,11 @@ index bb4fae5..b1b5e51 100644 + type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; + ') + -+ allow $1 oidentd_t:process { ptrace signal_perms }; ++ allow $1 oidentd_t:process signal_perms; + ps_process_pattern($1, oidentd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 oidentd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, oidentd_initrc_exec_t) + domain_system_change_exemption($1) @@ -47308,6 +48575,23 @@ index 9d0a67b..9197ef0 100644 ## # interface(`openct_domtrans',` +diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if +index d883214..d6afa87 100644 +--- a/policy/modules/services/openvpn.if ++++ b/policy/modules/services/openvpn.if +@@ -144,8 +144,11 @@ interface(`openvpn_admin',` + type openvpn_var_run_t, openvpn_initrc_exec_t; + ') + +- allow $1 openvpn_t:process { ptrace signal_perms }; ++ allow $1 openvpn_t:process signal_perms; + ps_process_pattern($1, openvpn_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 openvpn_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, openvpn_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 8b550f4..ed5aae9 100644 
--- a/policy/modules/services/openvpn.te @@ -47441,10 +48725,10 @@ index 0870c56..6d5fb1d 100644 -/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) +/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if -index 8ac407e..8235fb6 100644 +index 8ac407e..45673ad 100644 --- a/policy/modules/services/pads.if +++ b/policy/modules/services/pads.if -@@ -25,10 +25,10 @@ +@@ -25,20 +25,26 @@ ## ## # @@ -47457,8 +48741,15 @@ index 8ac407e..8235fb6 100644 + type pads_var_run_t; ') - allow $1 pads_t:process { ptrace signal_perms }; -@@ -39,6 +39,9 @@ interface(`pads_admin', ` +- allow $1 pads_t:process { ptrace signal_perms }; ++ allow $1 pads_t:process signal_perms; + ps_process_pattern($1, pads_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pads_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, pads_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 pads_initrc_exec_t system_r; allow $2 system_r; @@ -47699,7 +48990,7 @@ index 3185114..4abd429 100644 + xen_stream_connect_xenstore(pegasus_t) +') diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if -index 8688aae..1bfd8d2 100644 +index 8688aae..f1c3000 100644 --- a/policy/modules/services/pingd.if +++ b/policy/modules/services/pingd.if @@ -5,9 +5,9 @@ @@ -47722,7 +49013,7 @@ index 8688aae..1bfd8d2 100644 ') ####################################### -@@ -77,8 +76,8 @@ interface(`pingd_manage_config',` +@@ -77,12 +76,15 @@ interface(`pingd_manage_config',` # interface(`pingd_admin',` gen_require(` 
@@ -47732,7 +49023,15 @@ index 8688aae..1bfd8d2 100644 + type pingd_initrc_exec_t; ') - allow $1 pingd_t:process { ptrace signal_perms }; +- allow $1 pingd_t:process { ptrace signal_perms }; ++ allow $1 pingd_t:process signal_perms; + ps_process_pattern($1, pingd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pingd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, pingd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te index e9cf8a4..9a7e5dc 100644 --- a/policy/modules/services/pingd.te @@ -47970,10 +49269,10 @@ index 0000000..548d0a2 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..9c4df9f +index 0000000..1c69a1a --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,304 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -48041,7 +49340,11 @@ index 0000000..9c4df9f +# + +allow piranha_web_t self:capability { setuid sys_nice kill setgid }; -+allow piranha_web_t self:process { getsched setsched signal signull ptrace }; ++allow piranha_web_t self:process { getsched setsched signal signull }; ++tunable_policy(`deny_ptrace',`',` ++ allow piranha_web_t self:process ptrace; ++') ++ +allow piranha_web_t self:rawip_socket create_socket_perms; +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; +allow piranha_web_t self:sem create_sem_perms; @@ -48077,6 +49380,7 @@ index 0000000..9c4df9f +corenet_tcp_bind_piranha_port(piranha_web_t) +corenet_tcp_connect_ricci_port(piranha_web_t) + ++dev_read_rand(piranha_web_t) +dev_read_urand(piranha_web_t) + +domain_read_all_domains_state(piranha_web_t) @@ -48284,7 +49588,7 @@ index 5702ca4..08528da 100644 + +#/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0) 
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if -index 9759ed8..48a5431 100644 +index 9759ed8..34b79af 100644 --- a/policy/modules/services/plymouthd.if +++ b/policy/modules/services/plymouthd.if @@ -5,12 +5,12 @@ @@ -48472,7 +49776,7 @@ index 9759ed8..48a5431 100644 ## All of the rules required to administrate ## an plymouthd environment ## -@@ -243,18 +285,20 @@ interface(`plymouthd_read_pid_files', ` +@@ -243,18 +285,23 @@ interface(`plymouthd_read_pid_files', ` ## ## # @@ -48485,8 +49789,11 @@ index 9759ed8..48a5431 100644 - allow $1 plymouthd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, plymouthd_t, plymouthd_t) -+ allow $1 plymouthd_t:process { ptrace signal_perms }; ++ allow $1 plymouthd_t:process signal_perms; + ps_process_pattern($1, plymouthd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 plymouthd_t:process ptrace; ++ ') + files_list_var_lib($1) admin_pattern($1, plymouthd_spool_t) @@ -48497,7 +49804,7 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..48c56f9 100644 +index 06e217d..cadc832 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te @@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1) @@ -48534,7 +49841,7 @@ index 06e217d..48c56f9 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +68,30 @@ domain_use_interactive_fds(plymouthd_t) +@@ -60,10 +68,32 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) 
@@ -48545,6 +49852,8 @@ index 06e217d..48c56f9 100644 +logging_link_generic_logs(plymouthd_t) +logging_delete_generic_logs(plymouthd_t) + ++auth_read_passwd(plymouthd_t) ++ miscfiles_read_localization(plymouthd_t) miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) @@ -48565,7 +49874,7 @@ index 06e217d..48c56f9 100644 ######################################## # # Plymouth private policy -@@ -74,6 +102,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +104,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -48573,7 +49882,7 @@ index 06e217d..48c56f9 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +116,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +118,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -48745,7 +50054,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..add05dd 100644 +index 1e7169d..9cdbfa8 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) @@ -48765,7 +50074,7 @@ index 1e7169d..add05dd 100644 -allow policykit_t self:capability { setgid setuid }; -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; -+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; ++allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; +allow policykit_t self:process { getsched getattr signal }; +allow policykit_t self:fifo_file rw_fifo_file_perms; allow policykit_t self:unix_dgram_socket create_socket_perms; 
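Review bot: The new line `allow policykit_t self:capability { dac_override dac_read_search setgid setuid };` drops sys_ptrace but still grants dac_override alongside dac_read_search, and nothing in the hunk says which access polkitd needs it for. dac_read_search alone lets the domain read and traverse paths regardless of mode bits, while dac_override additionally bypasses the write check, so if only the read/traverse case is required the narrower capability would suffice. I would either drop dac_override or add a why-comment naming the access it covers, e.g. `# dac_override: needed for <path polkitd must write as a non-owner — TODO confirm>`. The policykit_t local-policy block continues past the hunk.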
@@ -48929,9 +50238,12 @@ index 1e7169d..add05dd 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -169,7 +237,8 @@ optional_policy(` +@@ -167,9 +235,10 @@ optional_policy(` + # polkit_resolve local policy + # - allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; +-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; ++allow policykit_resolve_t self:capability { setuid sys_nice }; allow policykit_resolve_t self:process getattr; -allow policykit_resolve_t self:fifo_file rw_file_perms; +allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; @@ -48966,10 +50278,10 @@ index 0000000..8a06f66 +/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0) diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if new file mode 100644 -index 0000000..b11f37a +index 0000000..7dc2c0c --- /dev/null +++ b/policy/modules/services/polipo.if -@@ -0,0 +1,185 @@ +@@ -0,0 +1,191 @@ +## Caching web proxy. + +######################################## @@ -49004,8 +50316,11 @@ index 0000000..b11f37a + # Policy + # + -+ allow $2 polipo_session_t:process { ptrace signal_perms }; ++ allow $2 polipo_session_t:process signal_perms; + ps_process_pattern($2, polipo_session_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 polipo_session_t:process ptrace; ++ ') + + tunable_policy(`polipo_session_users',` + domtrans_pattern($2, polipo_exec_t, polipo_session_t) @@ -49135,8 +50450,11 @@ index 0000000..b11f37a + type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; + ') + -+ allow $1 polipo_t:process { ptrace signal_perms }; ++ allow $1 polipo_t:process signal_perms; + ps_process_pattern($1, polipo_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 polipo_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, polipo_initrc_exec_t) + domain_system_change_exemption($1) 
@@ -49379,6 +50697,23 @@ index 4313a6f..1d9fa76 100644 /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) +diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if +index 7719d16..d283895 100644 +--- a/policy/modules/services/portreserve.if ++++ b/policy/modules/services/portreserve.if +@@ -104,8 +104,11 @@ interface(`portreserve_admin',` + type portreserve_initrc_exec_t; + ') + +- allow $1 portreserve_t:process { ptrace signal_perms }; ++ allow $1 portreserve_t:process signal_perms; + ps_process_pattern($1, portreserve_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 portreserve_t:process ptrace; ++ ') + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te index 152af92..1594066 100644 --- a/policy/modules/services/portreserve.te @@ -49469,7 +50804,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..ca32d30 100644 +index 46bee12..e50a72c 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -49714,7 +51049,7 @@ index 46bee12..ca32d30 100644 ') ######################################## -@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,136 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') 
@@ -49746,25 +51081,36 @@ index 46bee12..ca32d30 100644 + type postfix_smtpd_t, postfix_var_run_t; + ') + -+ allow $1 postfix_bounce_t:process { ptrace signal_perms }; ++ allow $1 postfix_bounce_t:process signal_perms; + ps_process_pattern($1, postfix_bounce_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postfix_bounce_t:process ptrace; ++ ') + -+ allow $1 postfix_cleanup_t:process { ptrace signal_perms }; ++ allow $1 postfix_cleanup_t:process signal_perms; + ps_process_pattern($1, postfix_cleanup_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postfix_cleanup_t:process ptrace; ++ allow $1 postfix_local_t:process ptrace; ++ allow $1 postfix_master_t:process ptrace; ++ allow $1 postfix_pickup_t:process ptrace; ++ allow $1 postfix_qmgr_t:process ptrace; ++ allow $1 postfix_smtpd_t:process ptrace; ++ ') + -+ allow $1 postfix_local_t:process { ptrace signal_perms }; ++ allow $1 postfix_local_t:process signal_perms; + ps_process_pattern($1, postfix_local_t) + -+ allow $1 postfix_master_t:process { ptrace signal_perms }; ++ allow $1 postfix_master_t:process signal_perms; + ps_process_pattern($1, postfix_master_t) + -+ allow $1 postfix_pickup_t:process { ptrace signal_perms }; ++ allow $1 postfix_pickup_t:process signal_perms; + ps_process_pattern($1, postfix_pickup_t) + -+ allow $1 postfix_qmgr_t:process { ptrace signal_perms }; ++ allow $1 postfix_qmgr_t:process signal_perms; + ps_process_pattern($1, postfix_qmgr_t) + -+ allow $1 postfix_smtpd_t:process { ptrace signal_perms }; ++ allow $1 postfix_smtpd_t:process signal_perms; + ps_process_pattern($1, postfix_smtpd_t) + + postfix_run_map($1, $2) @@ -50256,10 +51602,10 @@ index a32c4b3..3a59bac 100644 +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if -index feae93b..d960d3f 100644 +index feae93b..b2af729 100644 
--- a/policy/modules/services/postfixpolicyd.if +++ b/policy/modules/services/postfixpolicyd.if -@@ -20,8 +20,7 @@ +@@ -20,12 +20,14 @@ interface(`postfixpolicyd_admin',` gen_require(` type postfix_policyd_t, postfix_policyd_conf_t; @@ -50268,7 +51614,15 @@ index feae93b..d960d3f 100644 + type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') - allow $1 postfix_policyd_t:process { ptrace signal_perms }; +- allow $1 postfix_policyd_t:process { ptrace signal_perms }; ++ allow $1 postfix_policyd_t:process signal_perms; + ps_process_pattern($1, postfix_policyd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postfix_policyd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te index 7257526..7d73656 100644 --- a/policy/modules/services/postfixpolicyd.te @@ -50309,7 +51663,7 @@ index f03fad4..1865d8f 100644 ifdef(`distro_debian', ` /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 09aeffa..f8a0d88 100644 +index 09aeffa..d728f3a 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,7 +10,7 @@ @@ -50420,7 +51774,7 @@ index 09aeffa..f8a0d88 100644 ') ######################################## -@@ -531,13 +533,10 @@ interface(`postgresql_unconfined',` +@@ -531,33 +533,38 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` 
@@ -50438,7 +51792,16 @@ index 09aeffa..f8a0d88 100644 ') typeattribute $1 sepgsql_admin_type; -@@ -550,14 +549,19 @@ interface(`postgresql_admin',` + +- allow $1 postgresql_t:process { ptrace signal_perms }; ++ allow $1 postgresql_t:process signal_perms; + ps_process_pattern($1, postgresql_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postgresql_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, postgresql_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 postgresql_initrc_exec_t system_r; allow $2 system_r; @@ -50459,7 +51822,7 @@ index 09aeffa..f8a0d88 100644 postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 4a5387a..acf8ed1 100644 +index 4a5387a..6a6dd0e 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` @@ -50504,8 +51867,17 @@ index 4a5387a..acf8ed1 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) +@@ -330,7 +329,7 @@ userdom_dontaudit_use_user_terminals(postgresql_t) + + mta_getattr_spool(postgresql_t) + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow postgresql_t self:process execmem; + ') + diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if -index ad15fde..6f55445 100644 +index ad15fde..12202e1 100644 --- a/policy/modules/services/postgrey.if +++ b/policy/modules/services/postgrey.if @@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',` @@ -50528,7 +51900,7 @@ index ad15fde..6f55445 100644 allow $1 postgrey_spool_t:dir search_dir_perms; ') -@@ -57,9 +58,8 @@ interface(`postgrey_search_spool',` +@@ -57,13 +58,15 @@ interface(`postgrey_search_spool',` # interface(`postgrey_admin',` gen_require(` 
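Review bot: Replacing `tunable_policy(`allow_execmem',`` with `tunable_policy(`deny_execmem',`',`` in postgresql.te does not merely rename the boolean, it inverts the default: the `allow postgresql_t self:process execmem;` rule now sits in the else branch, so postgresql_t may map writable-and-executable memory whenever deny_execmem is off, whereas before it required allow_execmem to be switched on. If deny_execmem defaults to off, this loosens the default policy for postgresql_t and the commit description should say so explicitly. A comment next to the block would make the intent visible, e.g. `# execmem is permitted unless the deny_execmem boolean is turned on`. The surrounding postgresql_t rules continue outside the hunk.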
@@ -50538,7 +51910,15 @@ index ad15fde..6f55445 100644 - type postgrey_initrc_exec_t; ') - allow $1 postgrey_t:process { ptrace signal_perms }; +- allow $1 postgrey_t:process { ptrace signal_perms }; ++ allow $1 postgrey_t:process signal_perms; + ps_process_pattern($1, postgrey_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postgrey_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, postgrey_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te index db843e2..4389e81 100644 --- a/policy/modules/services/postgrey.te @@ -50581,7 +51961,7 @@ index 2d82c6d..adf5731 100644 -/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if -index b524673..921a60f 100644 +index b524673..3089841 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -66,7 +66,6 @@ interface(`ppp_sigchld',` @@ -50650,7 +52030,7 @@ index b524673..921a60f 100644 ## All of the rules required to administrate ## an ppp environment ## -@@ -348,21 +371,27 @@ interface(`ppp_initrc_domtrans',` +@@ -348,20 +371,30 @@ interface(`ppp_initrc_domtrans',` ## Domain allowed access. ## ## 
@@ -50674,16 +52054,19 @@ index b524673..921a60f 100644 ') - allow $1 pppd_t:process { ptrace signal_perms getattr }; -+ allow $1 pppd_t:process { ptrace signal_perms }; ++ allow $1 pppd_t:process signal_perms; ps_process_pattern($1, pppd_t) - -+ allow $1 pptp_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pptp_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pppd_t:process ptrace; ++ allow $1 pptp_t:process ptrace; ++ ') + ++ allow $1 pptp_t:process signal_perms; ++ ps_process_pattern($1, pptp_t) + ppp_initrc_domtrans($1) domain_system_change_exemption($1) - role_transition $2 pppd_initrc_exec_t system_r; -@@ -374,6 +403,7 @@ interface(`ppp_admin',` +@@ -374,6 +407,7 @@ interface(`ppp_admin',` logging_list_logs($1) admin_pattern($1, pppd_log_t) @@ -50691,7 +52074,7 @@ index b524673..921a60f 100644 admin_pattern($1, pppd_lock_t) files_list_etc($1) -@@ -386,10 +416,9 @@ interface(`ppp_admin',` +@@ -386,10 +420,9 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) @@ -50864,7 +52247,7 @@ index 2af42e7..20f5d6b 100644 files_read_etc_files(pptp_t) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if -index 2316653..77ef768 100644 +index 2316653..b295b91 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if @@ -5,9 +5,9 @@ @@ -50915,7 +52298,7 @@ index 2316653..77ef768 100644 ## # interface(`prelude_manage_spool',` -@@ -112,13 +112,10 @@ interface(`prelude_manage_spool',` +@@ -112,22 +112,24 @@ interface(`prelude_manage_spool',` # interface(`prelude_admin',` gen_require(` 
@@ -50932,8 +52315,25 @@ index 2316653..77ef768 100644 + type prelude_lml_t; ') - allow $1 prelude_t:process { ptrace signal_perms }; -@@ -135,10 +132,17 @@ interface(`prelude_admin',` +- allow $1 prelude_t:process { ptrace signal_perms }; ++ allow $1 prelude_t:process signal_perms; + ps_process_pattern($1, prelude_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 prelude_t:process ptrace; ++ allow $1 prelude_audisp_t:process ptrace; ++ allow $1 prelude_lml_t:process ptrace; ++ ') + +- allow $1 prelude_audisp_t:process { ptrace signal_perms }; ++ allow $1 prelude_audisp_t:process signal_perms; + ps_process_pattern($1, prelude_audisp_t) + +- allow $1 prelude_lml_t:process { ptrace signal_perms }; ++ allow $1 prelude_lml_t:process signal_perms; + ps_process_pattern($1, prelude_lml_t) + + init_labeled_script_domtrans($1, prelude_initrc_exec_t) +@@ -135,10 +137,17 @@ interface(`prelude_admin',` role_transition $2 prelude_initrc_exec_t system_r; allow $2 system_r; @@ -50998,6 +52398,23 @@ index b1bc02c..e0c0f70 100644 corenet_tcp_connect_prelude_port(prelude_lml_t) dev_read_rand(prelude_lml_t) +diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if +index afd1751..5aff531 100644 +--- a/policy/modules/services/privoxy.if ++++ b/policy/modules/services/privoxy.if +@@ -23,8 +23,11 @@ interface(`privoxy_admin',` + type privoxy_etc_rw_t, privoxy_var_run_t; + ') + +- allow $1 privoxy_t:process { ptrace signal_perms }; ++ allow $1 privoxy_t:process signal_perms; + ps_process_pattern($1, privoxy_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 privoxy_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te index 2dbf4d4..28d7fe5 100644 --- a/policy/modules/services/privoxy.te @@ -51142,7 +52559,7 @@ index 29b9295..6451f82 100644 optional_policy(` 
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if -index bc329d1..0589f97 100644 +index bc329d1..20bb463 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -91,7 +91,6 @@ interface(`psad_manage_config',` @@ -51244,7 +52661,7 @@ index bc329d1..0589f97 100644 ## Read and write psad tmp files. ## ## -@@ -233,7 +291,7 @@ interface(`psad_rw_tmp_files',` +@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; @@ -51253,7 +52670,15 @@ index bc329d1..0589f97 100644 type psad_tmp_t; ') -@@ -245,18 +303,18 @@ interface(`psad_admin',` +- allow $1 psad_t:process { ptrace signal_perms }; ++ allow $1 psad_t:process signal_perms; + ps_process_pattern($1, psad_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 psad_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, psad_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 psad_initrc_exec_t system_r; allow $2 system_r; @@ -51498,7 +52923,7 @@ index 2855a44..58bb459 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..5f6e7b8 100644 +index 64c5f95..fb500de 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) 
@@ -51536,6 +52961,15 @@ index 64c5f95..5f6e7b8 100644 type puppetmaster_t; type puppetmaster_exec_t; init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) +@@ -50,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t) + # Puppet personal policy + # + +-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; ++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; + allow puppet_t self:process { signal signull getsched setsched }; + allow puppet_t self:fifo_file rw_fifo_file_perms; + allow puppet_t self:netlink_route_socket create_netlink_socket_perms; @@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) 
@@ -51545,7 +52979,42 @@ index 64c5f95..5f6e7b8 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t) +@@ -80,7 +92,10 @@ kernel_dontaudit_search_sysctl(puppet_t) + kernel_dontaudit_search_kernel_sysctl(puppet_t) + kernel_read_system_state(puppet_t) + kernel_read_crypto_sysctls(puppet_t) ++kernel_read_kernel_sysctls(puppet_t) + ++corecmd_read_all_executables(puppet_t) ++corecmd_dontaudit_access_all_executables(puppet_t) + corecmd_exec_bin(puppet_t) + corecmd_exec_shell(puppet_t) + +@@ -103,6 +118,7 @@ files_manage_config_files(puppet_t) + files_manage_config_dirs(puppet_t) + files_manage_etc_dirs(puppet_t) + files_manage_etc_files(puppet_t) ++files_read_usr_files(puppet_t) + files_read_usr_symlinks(puppet_t) + files_relabel_config_dirs(puppet_t) + files_relabel_config_files(puppet_t) +@@ -115,6 +131,9 @@ selinux_validate_context(puppet_t) + term_dontaudit_getattr_unallocated_ttys(puppet_t) + term_dontaudit_getattr_all_ttys(puppet_t) + ++auth_use_nsswitch(puppet_t) ++auth_read_passwd(puppet_t) ++ + init_all_labeled_script_domtrans(puppet_t) + init_domtrans_script(puppet_t) + init_read_utmp(puppet_t) +@@ -127,16 +146,21 @@ miscfiles_read_localization(puppet_t) + + seutil_domtrans_setfiles(puppet_t) + seutil_domtrans_semanage(puppet_t) ++seutil_read_file_contexts(puppet_t) + + sysnet_dns_name_resolve(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) tunable_policy(`puppet_manage_all_files',` @@ -51554,7 +53023,16 @@ index 64c5f95..5f6e7b8 100644 ') optional_policy(` -@@ -144,6 +156,10 @@ optional_policy(` +- consoletype_domtrans(puppet_t) ++ cfengine_read_lib_files(puppet_t) ++') ++ ++optional_policy(` ++ consoletype_exec(puppet_t) + ') + + optional_policy(` +@@ -144,6 +168,14 @@ optional_policy(` ') optional_policy(` 
@@ -51562,14 +53040,26 @@ index 64c5f95..5f6e7b8 100644 +') + +optional_policy(` ++ mta_send_mail(puppet_t) ++') ++ ++optional_policy(` files_rw_var_files(puppet_t) rpm_domtrans(puppet_t) -@@ -162,7 +178,60 @@ optional_policy(` +@@ -156,13 +188,68 @@ optional_policy(` + ') - ######################################## - # --# Pupper master personal policy + optional_policy(` +- usermanage_domtrans_groupadd(puppet_t) +- usermanage_domtrans_useradd(puppet_t) ++ usermanage_access_check_groupadd(puppet_t) ++ usermanage_access_check_passwd(puppet_t) ++ usermanage_access_check_useradd(puppet_t) ++') ++ ++######################################## ++# +# PuppetCA personal policy +# + @@ -51617,17 +53107,19 @@ index 64c5f95..5f6e7b8 100644 +') + +optional_policy(` -+ usermanage_access_check_passwd(puppetca_t) -+ usermanage_access_check_useradd(puppetca_t) -+') -+ -+######################################## -+# ++ usermanage_access_check_groupadd(puppet_t) ++ usermanage_access_check_passwd(puppet_t) ++ usermanage_access_check_useradd(puppet_t) + ') + + ######################################## + # +-# Pupper master personal policy +# Puppet master personal policy # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +258,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; @@ -51666,7 +53158,7 @@ index 64c5f95..5f6e7b8 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +299,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) 
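Review bot: The `optional_policy` block that now closes the PuppetCA section carries `usermanage_access_check_groupadd/passwd/useradd(puppet_t)`, the same three rules the block at the top of this hunk already gives to `puppet_t`, while the `puppetca_t` variants the previous revision had there (`usermanage_access_check_passwd(puppetca_t)`, `usermanage_access_check_useradd(puppetca_t)`) are gone. This reads as a copy-paste slip: `puppet_t` ends up with duplicated rules and the PuppetCA domain loses its own usermanage access checks. The trailing block should presumably name `puppetca_t` again, e.g. `usermanage_access_check_passwd(puppetca_t)` and `usermanage_access_check_useradd(puppetca_t)`. The puppetca_t declarations sit outside this hunk, so I cannot confirm the intended domain from here.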
@@ -51716,7 +53208,7 @@ index 64c5f95..5f6e7b8 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +331,9 @@ optional_policy(` +@@ -231,3 +349,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -51755,7 +53247,7 @@ index d4a7750..705196e 100644 /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if -index 494f7e2..aa3d0b4 100644 +index 494f7e2..2c411af 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -14,6 +14,7 @@ @@ -51766,16 +53258,19 @@ index 494f7e2..aa3d0b4 100644 # interface(`pyzor_role',` gen_require(` -@@ -28,7 +29,7 @@ interface(`pyzor_role',` +@@ -28,7 +29,10 @@ interface(`pyzor_role',` # allow ps to show pyzor and allow the user to kill it ps_process_pattern($2, pyzor_t) - allow $2 pyzor_t:process signal; -+ allow $2 pyzor_t:process { ptrace signal_perms }; ++ allow $2 pyzor_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 pyzor_t:process ptrace; ++ ') ') ######################################## -@@ -88,3 +89,47 @@ interface(`pyzor_exec',` +@@ -88,3 +92,50 @@ interface(`pyzor_exec',` corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') @@ -51803,8 +53298,11 @@ index 494f7e2..aa3d0b4 100644 + type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; + ') + -+ allow $1 pyzord_t:process { ptrace signal_perms }; ++ allow $1 pyzord_t:process signal_perms; + ps_process_pattern($1, pyzord_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pyzord_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) @@ -52232,7 +53730,7 @@ index 4f94229..f3b89e4 100644 /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) 
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if -index 5a9630c..c403abc 100644 +index 5a9630c..61f0099 100644 --- a/policy/modules/services/qpid.if +++ b/policy/modules/services/qpid.if @@ -1,4 +1,4 @@ @@ -52410,7 +53908,20 @@ index 5a9630c..c403abc 100644 ') ######################################## -@@ -180,7 +186,43 @@ interface(`qpidd_admin',` +@@ -171,8 +177,11 @@ interface(`qpidd_admin',` + type qpidd_t, qpidd_initrc_exec_t; + ') + +- allow $1 qpidd_t:process { ptrace signal_perms }; ++ allow $1 qpidd_t:process signal_perms; + ps_process_pattern($1, qpidd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 qpidd_t:process ptrace; ++ ') + + # Allow qpidd_t to restart the apache service + qpidd_initrc_domtrans($1) +@@ -180,7 +189,43 @@ interface(`qpidd_admin',` role_transition $2 qpidd_initrc_exec_t system_r; allow $2 system_r; @@ -52419,8 +53930,7 @@ index 5a9630c..c403abc 100644 + + qpidd_manage_var_lib($1) +') - -- admin_pattern($1, qpidd_var_run_t) ++ +##################################### +## +## Allow read and write access to qpidd semaphores. @@ -52453,7 +53963,8 @@ index 5a9630c..c403abc 100644 + gen_require(` + type qpidd_t; + ') -+ + +- admin_pattern($1, qpidd_var_run_t) + allow $1 qpidd_t:shm rw_shm_perms; ') diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te 
@@ -52655,6 +54166,23 @@ index 0000000..55aaca1 + +miscfiles_read_localization(rabbitmq_epmd_t) + +diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if +index 75e5dc4..87d75fe 100644 +--- a/policy/modules/services/radius.if ++++ b/policy/modules/services/radius.if +@@ -38,8 +38,11 @@ interface(`radius_admin',` + type radiusd_initrc_exec_t; + ') + +- allow $1 radiusd_t:process { ptrace signal_perms }; ++ allow $1 radiusd_t:process signal_perms; + ps_process_pattern($1, radiusd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 radiusd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index b1ed1bf..124971d 100644 --- a/policy/modules/services/radius.te @@ -52676,10 +54204,10 @@ index b1ed1bf..124971d 100644 corenet_tcp_connect_snmp_port(radiusd_t) corenet_sendrecv_radius_server_packets(radiusd_t) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if -index be05bff..2bd662a 100644 +index be05bff..7b00e1e 100644 --- a/policy/modules/services/radvd.if +++ b/policy/modules/services/radvd.if -@@ -19,8 +19,8 @@ +@@ -19,12 +19,15 @@ # interface(`radvd_admin',` gen_require(` @@ -52689,7 +54217,15 @@ index be05bff..2bd662a 100644 + type radvd_var_run_t; ') - allow $1 radvd_t:process { ptrace signal_perms }; +- allow $1 radvd_t:process { ptrace signal_perms }; ++ allow $1 radvd_t:process signal_perms; + ps_process_pattern($1, radvd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 radvd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, radvd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc index 1efba0c..71d657c 100644 --- a/policy/modules/services/razor.fc @@ -52700,7 +54236,7 @@ index 1efba0c..71d657c 100644 /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) 
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if -index f04a595..3203212 100644 +index f04a595..d6a6e1a 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -26,6 +26,7 @@ template(`razor_common_domain_template',` @@ -52728,16 +54264,19 @@ index f04a595..3203212 100644 # interface(`razor_role',` gen_require(` -@@ -130,7 +132,7 @@ interface(`razor_role',` +@@ -130,7 +132,10 @@ interface(`razor_role',` # allow ps to show razor and allow the user to kill it ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; -+ allow $2 razor_t:process { ptrace signal_perms }; ++ allow $2 razor_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 razor_t:process ptrace; ++ ') manage_dirs_pattern($2, razor_home_t, razor_home_t) manage_files_pattern($2, razor_home_t, razor_home_t) -@@ -157,3 +159,43 @@ interface(`razor_domtrans',` +@@ -157,3 +162,43 @@ interface(`razor_domtrans',` domtrans_pattern($1, razor_exec_t, razor_t) ') @@ -53133,7 +54672,7 @@ index 3c97ef0..c025d59 100644 /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if -index 7dc38d1..9c2c963 100644 +index 7dc38d1..e3bdea7 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -5,9 +5,9 @@ @@ -53148,7 +54687,7 @@ index 7dc38d1..9c2c963 100644 ## # interface(`rgmanager_domtrans',` -@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',` +@@ -75,3 +75,67 @@ interface(`rgmanager_manage_tmpfs_files',` fs_search_tmpfs($1) manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ') 
@@ -53194,8 +54733,11 @@ index 7dc38d1..9c2c963 100644 + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; + ') + -+ allow $1 rgmanager_t:process { ptrace signal_perms }; ++ allow $1 rgmanager_t:process signal_perms; + ps_process_pattern($1, rgmanager_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rgmanager_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) @@ -53214,7 +54756,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..bac3e66 100644 +index 00fa514..d3d5f2b 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -53241,16 +54783,18 @@ index 00fa514..bac3e66 100644 type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) -@@ -37,7 +39,7 @@ files_pid_file(rgmanager_var_run_t) +@@ -35,9 +37,8 @@ files_pid_file(rgmanager_var_run_t) + # + allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; - dontaudit rgmanager_t self:capability { sys_ptrace }; +-dontaudit rgmanager_t self:capability { sys_ptrace }; allow rgmanager_t self:process { setsched signal }; -dontaudit rgmanager_t self:process { ptrace }; +dontaudit rgmanager_t self:process ptrace; allow rgmanager_t self:fifo_file rw_fifo_file_perms; allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; -@@ -55,11 +57,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) +@@ -55,11 +56,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) 
@@ -53266,7 +54810,7 @@ index 00fa514..bac3e66 100644 kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -67,7 +72,6 @@ kernel_search_network_state(rgmanager_t) +@@ -67,7 +71,6 @@ kernel_search_network_state(rgmanager_t) corecmd_exec_bin(rgmanager_t) corecmd_exec_shell(rgmanager_t) @@ -53274,7 +54818,7 @@ index 00fa514..bac3e66 100644 # need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) -@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t) +@@ -78,29 +81,35 @@ domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) @@ -53314,7 +54858,7 @@ index 00fa514..bac3e66 100644 tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) -@@ -118,6 +128,14 @@ optional_policy(` +@@ -118,6 +127,14 @@ optional_policy(` ') optional_policy(` @@ -53329,7 +54873,7 @@ index 00fa514..bac3e66 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +158,16 @@ optional_policy(` +@@ -140,6 +157,16 @@ optional_policy(` ') optional_policy(` @@ -53346,7 +54890,7 @@ index 00fa514..bac3e66 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -165,6 +193,8 @@ optional_policy(` +@@ -165,6 +192,8 @@ optional_policy(` optional_policy(` rpc_initrc_domtrans_nfsd(rgmanager_t) rpc_initrc_domtrans_rpcd(rgmanager_t) @@ -54085,10 +55629,10 @@ index 0000000..5094d93 +/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if new file mode 100644 -index 0000000..811c52e +index 0000000..61d0a4c --- /dev/null +++ b/policy/modules/services/rhsmcertd.if -@@ -0,0 +1,305 @@ +@@ -0,0 +1,308 @@ + +## Subscription Management Certificate Daemon policy + 
@@ -54375,8 +55919,11 @@ index 0000000..811c52e + type rhsmcertd_var_run_t; + ') + -+ allow $1 rhsmcertd_t:process { ptrace signal_perms }; ++ allow $1 rhsmcertd_t:process signal_perms; + ps_process_pattern($1, rhsmcertd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rhsmcertd_t:process ptrace; ++ ') + + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -54473,7 +56020,7 @@ index 5b08327..ed5dc05 100644 /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if -index f7826f9..679d185 100644 +index f7826f9..62ccd55 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -5,9 +5,9 @@ @@ -54609,7 +56156,7 @@ index f7826f9..679d185 100644 ## # interface(`ricci_domtrans_modstorage',` -@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',` +@@ -165,3 +201,70 @@ interface(`ricci_domtrans_modstorage',` domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') @@ -54657,8 +56204,11 @@ index f7826f9..679d185 100644 + type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; + ') + -+ allow $1 ricci_t:process { ptrace signal_perms }; ++ allow $1 ricci_t:process signal_perms; + ps_process_pattern($1, ricci_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ricci_t:process ptrace; ++ ') + + ricci_initrc_domtrans($1) + domain_system_change_exemption($1) 
@@ -55018,6 +56568,23 @@ index 779fa44..4bcaacc 100644 +optional_policy(` tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) ') +diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if +index 30c4b75..e07c2ff 100644 +--- a/policy/modules/services/roundup.if ++++ b/policy/modules/services/roundup.if +@@ -23,8 +23,11 @@ interface(`roundup_admin',` + type roundup_initrc_exec_t; + ') + +- allow $1 roundup_t:process { ptrace signal_perms }; ++ allow $1 roundup_t:process signal_perms; + ps_process_pattern($1, roundup_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 roundup_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, roundup_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc index 5c70c0c..f9f0f54 100644 --- a/policy/modules/services/rpc.fc @@ -55387,7 +56954,7 @@ index f5c47d6..5a965e9 100644 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if -index a96249c..3942dfc 100644 +index a96249c..b4f950d 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -5,9 +5,9 @@ @@ -55437,9 +57004,16 @@ index a96249c..3942dfc 100644 ## All of the rules required to administrate ## an rpcbind environment ## -@@ -141,8 +158,14 @@ interface(`rpcbind_admin',` - allow $1 rpcbind_t:process { ptrace signal_perms }; +@@ -138,11 +155,20 @@ interface(`rpcbind_admin',` + type rpcbind_initrc_exec_t; + ') + +- allow $1 rpcbind_t:process { ptrace signal_perms }; ++ allow $1 rpcbind_t:process signal_perms; ps_process_pattern($1, rpcbind_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rpcbind_t:process ptrace; ++ ') - init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) + init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) 
@@ -55693,10 +57267,10 @@ index 46dad1f..6586da0 100644 allow rtkit_daemon_t $1:process { getsched setsched }; rtkit_daemon_dbus_chat($1) diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te -index 6f8e268..7d64285 100644 +index 6f8e268..a53e4f0 100644 --- a/policy/modules/services/rtkit.te +++ b/policy/modules/services/rtkit.te -@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0) +@@ -8,13 +8,14 @@ policy_module(rtkit, 1.1.0) type rtkit_daemon_t; type rtkit_daemon_exec_t; dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) @@ -55704,8 +57278,16 @@ index 6f8e268..7d64285 100644 ######################################## # + # rtkit_daemon local policy + # + +-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; ++allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice }; + allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; + + kernel_read_system_state(rtkit_daemon_t) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if -index 71ea0ea..664e68e 100644 +index 71ea0ea..26af97f 100644 --- a/policy/modules/services/rwho.if +++ b/policy/modules/services/rwho.if @@ -5,9 +5,9 @@ @@ -55720,6 +57302,19 @@ index 71ea0ea..664e68e 100644 ## # interface(`rwho_domtrans',` +@@ -138,8 +138,11 @@ interface(`rwho_admin',` + type rwho_initrc_exec_t; + ') + +- allow $1 rwho_t:process { ptrace signal_perms }; ++ allow $1 rwho_t:process signal_perms; + ps_process_pattern($1, rwho_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rwho_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, rwho_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te index a07b2f4..ee39810 100644 --- a/policy/modules/services/rwho.te 
@@ -55775,7 +57370,7 @@ index 69a6074..596dbb3 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..0a29f68 100644 +index 82cb169..48c023e 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',` @@ -55986,7 +57581,7 @@ index 82cb169..0a29f68 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',` +@@ -661,29 +776,28 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -56013,18 +57608,26 @@ index 82cb169..0a29f68 100644 + type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ') - allow $1 smbd_t:process { ptrace signal_perms }; -@@ -684,6 +790,9 @@ interface(`samba_admin',` - allow $1 nmbd_t:process { ptrace signal_perms }; +- allow $1 smbd_t:process { ptrace signal_perms }; ++ allow $1 smbd_t:process signal_perms; + ps_process_pattern($1, smbd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 smbd_t:process ptrace; ++ allow $1 nmbd_t:process ptrace; ++ allow $1 samba_unconfined_script_t:process ptrace; ++ ') + +- allow $1 nmbd_t:process { ptrace signal_perms }; ++ allow $1 nmbd_t:process signal_perms; ps_process_pattern($1, nmbd_t) -+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; ++ allow $1 samba_unconfined_script_t:process signal_perms; + ps_process_pattern($1, samba_unconfined_script_t) + samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -709,9 +818,6 @@ interface(`samba_admin',` +@@ -709,9 +823,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) 
@@ -56034,7 +57637,7 @@ index 82cb169..0a29f68 100644 admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +833,7 @@ interface(`samba_admin',` +@@ -727,4 +838,7 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -56043,7 +57646,7 @@ index 82cb169..0a29f68 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..9010ac2 100644 +index e30bb63..d893f99 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) @@ -56207,8 +57810,16 @@ index e30bb63..9010ac2 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +565,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -555,18 +560,21 @@ optional_policy(` + # smbcontrol local policy + # + ++ ++allow smbcontrol_t self:process signal; + # internal communication is often done using fifo and unix sockets. + allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; ++allow smbcontrol_t self:process { signal signull }; allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) @@ -56225,7 +57836,7 @@ index e30bb63..9010ac2 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +579,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +582,19 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -56246,7 +57857,7 @@ index e30bb63..9010ac2 100644 ######################################## # -@@ -644,19 +657,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +660,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) 
@@ -56271,7 +57882,7 @@ index e30bb63..9010ac2 100644 ######################################## # # SWAT Local policy -@@ -677,7 +692,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +695,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -56280,7 +57891,7 @@ index e30bb63..9010ac2 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +707,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +710,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -56295,7 +57906,7 @@ index e30bb63..9010ac2 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +727,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +730,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -56303,7 +57914,7 @@ index e30bb63..9010ac2 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +772,8 @@ logging_search_logs(swat_t) +@@ -754,6 +775,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -56312,7 +57923,7 @@ index e30bb63..9010ac2 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +803,7 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +806,7 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; 
@@ -56321,7 +57932,7 @@ index e30bb63..9010ac2 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +829,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -56343,7 +57954,7 @@ index e30bb63..9010ac2 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +854,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +857,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -56351,7 +57962,7 @@ index e30bb63..9010ac2 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -863,6 +885,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +888,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) @@ -56364,7 +57975,7 @@ index e30bb63..9010ac2 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +932,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +935,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -56373,7 +57984,7 @@ index e30bb63..9010ac2 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +950,18 @@ optional_policy(` +@@ -922,6 +953,18 @@ optional_policy(` # optional_policy(` 
@@ -56392,7 +58003,7 @@ index e30bb63..9010ac2 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +972,12 @@ optional_policy(` +@@ -932,9 +975,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -56406,6 +58017,27 @@ index e30bb63..9010ac2 100644 +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') +diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if +index c040ebf..2b601a5 100644 +--- a/policy/modules/services/samhain.if ++++ b/policy/modules/services/samhain.if +@@ -271,10 +271,14 @@ interface(`samhain_admin',` + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; + ') + +- allow $1 samhain_t:process { ptrace signal_perms }; ++ allow $1 samhain_t:process signal_perms; + ps_process_pattern($1, samhain_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 samhain_t:process ptrace; ++ allow $1 samhaind_t:process ptrace; ++ ') + +- allow $1 samhaind_t:process { ptrace signal_perms }; ++ allow $1 samhaind_t:process signal_perms; + ps_process_pattern($1, samhaind_t) + + files_list_var_lib($1) diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te index 150c85d..71e9315 100644 --- a/policy/modules/services/samhain.te @@ -56435,10 +58067,10 @@ index 0000000..630960e +/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if new file mode 100644 -index 0000000..486d53d +index 0000000..0d53457 --- /dev/null +++ b/policy/modules/services/sanlock.if -@@ -0,0 +1,110 @@ +@@ -0,0 +1,113 @@ + +## policy for sanlock + 
@@ -56540,8 +58172,11 @@ index 0000000..486d53d + type sanlock_initrc_exec_t; + ') + -+ allow $1 sanlock_t:process { ptrace signal_perms }; ++ allow $1 sanlock_t:process signal_perms; + ps_process_pattern($1, sanlock_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sanlock_t:process ptrace; ++ ') + + sanlock_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -56628,10 +58263,10 @@ index 0000000..0c1e385 + virt_signal_svirt(sanlock_t) +') diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if -index f1aea88..a5a75a8 100644 +index f1aea88..3e6a93f 100644 --- a/policy/modules/services/sasl.if +++ b/policy/modules/services/sasl.if -@@ -38,11 +38,11 @@ interface(`sasl_connect',` +@@ -38,21 +38,21 @@ interface(`sasl_connect',` # interface(`sasl_admin',` gen_require(` @@ -56641,11 +58276,14 @@ index f1aea88..a5a75a8 100644 ') - allow $1 saslauthd_t:process { ptrace signal_perms getattr }; -+ allow $1 saslauthd_t:process { ptrace signal_perms }; ++ allow $1 saslauthd_t:process signal_perms; ps_process_pattern($1, saslauthd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 saslauthd_t:process ptrace; ++ ') init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) -@@ -50,9 +50,6 @@ interface(`sasl_admin',` + domain_system_change_exemption($1) role_transition $2 saslauthd_initrc_exec_t system_r; allow $2 system_r; @@ -56715,10 +58353,10 @@ index 0000000..d5c3c3f +/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if new file mode 100644 -index 0000000..b077a62 +index 0000000..40d0049 --- /dev/null +++ b/policy/modules/services/sblim.if -@@ -0,0 +1,78 @@ +@@ -0,0 +1,82 @@ + +## policy for SBLIM Gatherer + 
@@ -56786,11 +58424,15 @@ index 0000000..b077a62 + type sblim_var_run_t; + ') + -+ allow $1 sblim_gatherd_t:process { ptrace signal_perms }; ++ allow $1 sblim_gatherd_t:process signal_perms; + ps_process_pattern($1, sblim_gatherd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sblim_gatherd_t:process ptrace; ++ allow $1 sblim_reposd_t:process ptrace; ++ ') + -+ allow $1 sblim_reposd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, sblim_reposd_t) ++ allow $1 sblim_reposd_t:process signal_perms; ++ ps_process_pattern($1, sblim_reposd_t) + + files_search_pids($1) + admin_pattern($1, sblim_var_run_t) @@ -56799,7 +58441,7 @@ index 0000000..b077a62 + diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te new file mode 100644 -index 0000000..067c552 +index 0000000..c4d9192 --- /dev/null +++ b/policy/modules/services/sblim.te @@ -0,0 +1,108 @@ @@ -56829,7 +58471,7 @@ index 0000000..067c552 +# + +#needed by ps -+allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; ++allow sblim_gatherd_t self:capability { kill dac_override }; +allow sblim_gatherd_t self:process signal; + +allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; @@ -56923,7 +58565,7 @@ index a86ec50..ef4199b 100644 /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if -index 7e94c7c..5700fb8 100644 +index 7e94c7c..e918b16 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -51,10 +51,24 @@ interface(`sendmail_domtrans',` @@ -56931,10 +58573,7 @@ index 7e94c7c..5700fb8 100644 mta_sendmail_domtrans($1, sendmail_t) +') - -- allow sendmail_t $1:fd use; -- allow sendmail_t $1:fifo_file rw_file_perms; -- allow sendmail_t $1:process sigchld; ++ +####################################### +## +## Execute sendmail in the sendmail domain. 
@@ -56949,7 +58588,10 @@ index 7e94c7c..5700fb8 100644 + gen_require(` + type sendmail_initrc_exec_t; + ') -+ + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_file_perms; +- allow sendmail_t $1:process sigchld; + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ') @@ -56972,7 +58614,7 @@ index 7e94c7c..5700fb8 100644 ') ######################################## -@@ -295,3 +309,50 @@ interface(`sendmail_run_unconfined',` +@@ -295,3 +309,54 @@ interface(`sendmail_run_unconfined',` sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') @@ -57001,10 +58643,14 @@ index 7e94c7c..5700fb8 100644 + type mail_spool_t; + ') + -+ allow $1 sendmail_t:process { ptrace signal_perms }; ++ allow $1 sendmail_t:process signal_perms; + ps_process_pattern($1, sendmail_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sendmail_t:process ptrace; ++ allow $1 unconfined_sendmail_t:process ptrace; ++ ') + -+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; ++ allow $1 unconfined_sendmail_t:process signal_perms; + ps_process_pattern($1, unconfined_sendmail_t) + + sendmail_initrc_domtrans($1) @@ -57108,7 +58754,7 @@ index 22dac1f..1c27bd6 100644 + uucp_domtrans_uux(sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if -index bcdd16c..7c379a8 100644 +index bcdd16c..b1c92f9 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if @@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',` @@ -57137,7 +58783,7 @@ index bcdd16c..7c379a8 100644 ## All of the rules required to administrate ## an setroubleshoot environment ## -@@ -117,15 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -117,15 +136,18 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` gen_require(` 
@@ -57147,8 +58793,12 @@ index bcdd16c..7c379a8 100644 + type setroubleshoot_var_lib_t; ') - allow $1 setroubleshootd_t:process { ptrace signal_perms }; +- allow $1 setroubleshootd_t:process { ptrace signal_perms }; ++ allow $1 setroubleshootd_t:process signal_perms; ps_process_pattern($1, setroubleshootd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 setroubleshootd_t:process ptrace; ++ ') logging_list_logs($1) - admin_pattern($1, setroubleshoot_log_t) @@ -57277,7 +58927,7 @@ index e5e72fd..92eecec 100644 type slrnpull_log_t; logging_log_file(slrnpull_log_t) diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if -index adea9f9..d5b2d93 100644 +index adea9f9..145adbd 100644 --- a/policy/modules/services/smartmon.if +++ b/policy/modules/services/smartmon.if @@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',` @@ -57288,15 +58938,19 @@ index adea9f9..d5b2d93 100644 allow $1 fsdaemon_tmp_t:file read_file_perms; ') -@@ -41,7 +42,7 @@ interface(`smartmon_admin',` +@@ -41,8 +42,11 @@ interface(`smartmon_admin',` type fsdaemon_initrc_exec_t; ') - allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; -+ allow $1 fsdaemon_t:process { ptrace signal_perms }; ++ allow $1 fsdaemon_t:process signal_perms; ps_process_pattern($1, fsdaemon_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 smartmon_t:process ptrace; ++ ') init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 606a098..5e4d100 100644 --- a/policy/modules/services/smartmon.te 
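Review bot: The deny_ptrace block added to smartmon_admin grants ptrace on `smartmon_t`, but the domain this interface administers is `fsdaemon_t` (the gen_require in the same hunk lists `fsdaemon_initrc_exec_t`, and the signal_perms/ps_process_pattern lines right above target `fsdaemon_t`); no `smartmon_t` type is declared in the visible smartmon.te, so the policy will fail to build or the rule will be dead. The line should read `allow $1 fsdaemon_t:process ptrace;`. The interface's gen_require opens above the hunk.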
@@ -57339,6 +58993,23 @@ index 606a098..5e4d100 100644 libs_exec_ld_so(fsdaemon_t) libs_exec_lib_files(fsdaemon_t) +diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if +index 8265278..017b923 100644 +--- a/policy/modules/services/smokeping.if ++++ b/policy/modules/services/smokeping.if +@@ -153,8 +153,11 @@ interface(`smokeping_admin',` + type smokeping_t, smokeping_initrc_exec_t; + ') + +- allow $1 smokeping_t:process { ptrace signal_perms }; ++ allow $1 smokeping_t:process signal_perms; + ps_process_pattern($1, smokeping_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 smokeping_t:process ptrace; ++ ') + + smokeping_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te index 740994a..a92ba26 100644 --- a/policy/modules/services/smokeping.te @@ -57367,7 +59038,7 @@ index 623c8fa..0a802f7 100644 /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if -index 275f9fb..4f4a192 100644 +index 275f9fb..ad10bef 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -11,12 +11,12 @@ @@ -57453,7 +59124,7 @@ index 275f9fb..4f4a192 100644 ') ######################################## -@@ -123,12 +164,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` +@@ -123,13 +164,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` # interface(`snmp_admin',` gen_require(` 
@@ -57464,12 +59135,16 @@ index 275f9fb..4f4a192 100644 ') - allow $1 snmpd_t:process { ptrace signal_perms getattr }; -+ allow $1 snmpd_t:process { ptrace signal_perms }; ++ allow $1 snmpd_t:process signal_perms; ps_process_pattern($1, snmpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 snmpd_t:process ptrace; ++ ') init_labeled_script_domtrans($1, snmpd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..9509742 100644 +index 3d8d1b3..9c747d4 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -57480,13 +59155,14 @@ index 3d8d1b3..9509742 100644 type snmpd_t; type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) -@@ -24,12 +25,13 @@ files_type(snmpd_var_lib_t) +@@ -24,12 +25,14 @@ files_type(snmpd_var_lib_t) # # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; + -+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; ++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; ++ dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; 
@@ -57496,7 +59172,7 @@ index 3d8d1b3..9509742 100644 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -41,10 +43,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -41,10 +44,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) @@ -57510,7 +59186,7 @@ index 3d8d1b3..9509742 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -94,15 +97,19 @@ files_search_home(snmpd_t) +@@ -94,15 +98,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -57531,7 +59207,7 @@ index 3d8d1b3..9509742 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -57541,7 +59217,7 @@ index 3d8d1b3..9509742 100644 rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if -index c117e8b..88ebedb 100644 +index c117e8b..e428bb9 100644 --- a/policy/modules/services/snort.if +++ b/policy/modules/services/snort.if @@ -5,9 +5,9 @@ 
@@ -57556,7 +59232,20 @@ index c117e8b..88ebedb 100644 ## # interface(`snort_domtrans',` -@@ -50,11 +50,11 @@ interface(`snort_admin',` +@@ -41,8 +41,11 @@ interface(`snort_admin',` + type snort_etc_t, snort_initrc_exec_t; + ') + +- allow $1 snort_t:process { ptrace signal_perms }; ++ allow $1 snort_t:process signal_perms; + ps_process_pattern($1, snort_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 snort_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, snort_initrc_exec_t) + domain_system_change_exemption($1) +@@ -50,11 +53,11 @@ interface(`snort_admin',` allow $2 system_r; admin_pattern($1, snort_etc_t) @@ -57597,10 +59286,10 @@ index 179bc1b..735c400 100644 manage_files_pattern(snort_t, snort_log_t, snort_log_t) create_dirs_pattern(snort_t, snort_log_t, snort_log_t) diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if -index 93fe7bf..4a15633 100644 +index 93fe7bf..1b07ed4 100644 --- a/policy/modules/services/soundserver.if +++ b/policy/modules/services/soundserver.if -@@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',` +@@ -33,13 +33,15 @@ interface(`soundserver_tcp_connect',` # interface(`soundserver_admin',` gen_require(` @@ -57610,7 +59299,15 @@ index 93fe7bf..4a15633 100644 - type soundd_initrc_exec_t; ') - allow $1 soundd_t:process { ptrace signal_perms }; +- allow $1 soundd_t:process { ptrace signal_perms }; ++ allow $1 soundd_t:process signal_perms; + ps_process_pattern($1, soundd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 soundd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, soundd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc index 6b3abf9..a785741 100644 --- a/policy/modules/services/spamassassin.fc 
@@ -57647,7 +59344,7 @@ index 6b3abf9..a785741 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..c7cadcb 100644 +index c954f31..85e8212 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -14,6 +14,7 @@ @@ -57663,12 +59360,12 @@ index c954f31..c7cadcb 100644 domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + -+ allow $2 spamassassin_t:process { ptrace signal_perms }; ++ allow $2 spamassassin_t:process signal_perms; ps_process_pattern($2, spamassassin_t) domtrans_pattern($2, spamc_exec_t, spamc_t) + -+ allow $2 spamc_t:process { ptrace signal_perms }; ++ allow $2 spamc_t:process signal_perms; ps_process_pattern($2, spamc_t) manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) @@ -57766,7 +59463,7 @@ index c954f31..c7cadcb 100644 allow $1 spamd_tmp_t:file read_file_perms; ') -@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +@@ -223,5 +291,75 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` type spamd_tmp_t; ') @@ -57817,8 +59514,11 @@ index c954f31..c7cadcb 100644 + type spamd_initrc_exec_t; + ') + -+ allow $1 spamd_t:process { ptrace signal_perms }; ++ allow $1 spamd_t:process signal_perms; + ps_process_pattern($1, spamd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 spamd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) @@ -58311,7 +60011,7 @@ index 6cc4a90..2015152 100644 /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if -index d2496bd..1d0c078 100644 +index d2496bd..c7614d7 100644 --- a/policy/modules/services/squid.if 
+++ b/policy/modules/services/squid.if @@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',` @@ -58331,7 +60031,7 @@ index d2496bd..1d0c078 100644 # interface(`squid_dontaudit_search_cache',` gen_require(` -@@ -207,8 +206,7 @@ interface(`squid_use',` +@@ -207,12 +206,14 @@ interface(`squid_use',` interface(`squid_admin',` gen_require(` type squid_t, squid_cache_t, squid_conf_t; @@ -58340,7 +60040,15 @@ index d2496bd..1d0c078 100644 + type squid_log_t, squid_var_run_t, squid_initrc_exec_t; ') - allow $1 squid_t:process { ptrace signal_perms }; +- allow $1 squid_t:process { ptrace signal_perms }; ++ allow $1 squid_t:process signal_perms; + ps_process_pattern($1, squid_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 squid_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, squid_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 4b2230e..950e65a 100644 --- a/policy/modules/services/squid.te @@ -58429,7 +60137,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..b13cd67 100644 +index 22adaca..5439f7e 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -58634,7 +60342,7 @@ index 22adaca..b13cd67 100644 # allow ps to show ssh ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process signal; -+ allow $3 ssh_t:process { ptrace signal_perms }; ++ allow $3 ssh_t:process signal_perms; # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; 
@@ -58656,7 +60364,7 @@ index 22adaca..b13cd67 100644 # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process signal; -+ allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; ++ allow $3 $1_ssh_agent_t:process signal_perms; # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) @@ -59421,7 +61129,7 @@ index 2dad3c8..02e70c9 100644 + ssh_rw_dgram_sockets(chroot_user_t) ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if -index 941380a..ce8c972 100644 +index 941380a..4afc698 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -5,9 +5,9 @@ @@ -59468,7 +61176,7 @@ index 941380a..ce8c972 100644 ') ######################################## -@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',` +@@ -225,21 +227,18 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## ## @@ -59488,8 +61196,11 @@ index 941380a..ce8c972 100644 - allow $1 sssd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, sssd_t, sssd_t) -+ allow $1 sssd_t:process { ptrace signal_perms }; ++ allow $1 sssd_t:process signal_perms; + ps_process_pattern($1, sssd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sssd_t:process ptrace; ++ ') # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) @@ -59754,10 +61465,23 @@ index 7038b55..4e84f23 100644 type tcpd_tmp_t; files_tmp_file(tcpd_tmp_t) diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if -index 595f5a7..459d773 100644 +index 595f5a7..0f12947 100644 --- a/policy/modules/services/tcsd.if 
+++ b/policy/modules/services/tcsd.if -@@ -147,4 +147,5 @@ interface(`tcsd_admin',` +@@ -137,8 +137,11 @@ interface(`tcsd_admin',` + type tcsd_var_lib_t; + ') + +- allow $1 tcsd_t:process { ptrace signal_perms }; ++ allow $1 tcsd_t:process signal_perms; + ps_process_pattern($1, tcsd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tcsd_t:process ptrace; ++ ') + + tcsd_initrc_domtrans($1) + domain_system_change_exemption($1) +@@ -147,4 +150,5 @@ interface(`tcsd_admin',` files_search_var_lib($1) admin_pattern($1, tcsd_var_lib_t) @@ -59882,7 +61606,7 @@ index f40e67b..8d1e658 100644 + remotelogin_domtrans(telnetd_t) +') diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if -index 38bb312..414e03f 100644 +index 38bb312..0fee098 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -13,9 +13,33 @@ @@ -59956,13 +61680,16 @@ index 38bb312..414e03f 100644 ## All of the rules required to administrate ## an tftp environment ## -@@ -55,9 +109,10 @@ interface(`tftp_admin',` +@@ -55,9 +109,13 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') - allow $1 tftpd_t:process { ptrace signal_perms getattr }; -+ allow $1 tftpd_t:process { ptrace signal_perms }; ++ allow $1 tftpd_t:process signal_perms; ps_process_pattern($1, tftpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tftp_t:process ptrace; ++ ') + files_list_var_lib($1) admin_pattern($1, tftpdir_rw_t) @@ -60080,18 +61807,22 @@ index 665bf7c..d100080 100644 + iscsi_manage_semaphores(tgtd_t) +') diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if -index 904f13e..464347f 100644 +index 904f13e..f9d007b 100644 --- a/policy/modules/services/tor.if 
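Review bot: The ptrace rule added to tftp_admin names `tftp_t`, while the gen_require and the `signal_perms` line in the same hunk use `tftpd_t`; `tftp_t` is not required by the interface and does not appear in the visible tftp policy, so this will not compile (or refers to a non-existent type). Change it to `allow $1 tftpd_t:process ptrace;`. The interface continues past the end of the hunk.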
+++ b/policy/modules/services/tor.if -@@ -42,7 +42,7 @@ interface(`tor_admin',` +@@ -42,8 +42,11 @@ interface(`tor_admin',` type tor_initrc_exec_t; ') - allow $1 tor_t:process { ptrace signal_perms getattr }; -+ allow $1 tor_t:process { ptrace signal_perms }; ++ allow $1 tor_t:process signal_perms; ps_process_pattern($1, tor_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tor_t:process ptrace; ++ ') init_labeled_script_domtrans($1, tor_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index c842cad..1136b10 100644 --- a/policy/modules/services/tor.te @@ -60117,7 +61848,7 @@ index c842cad..1136b10 100644 domain_use_interactive_fds(tor_t) diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if -index 54b8605..752697f 100644 +index 54b8605..a04f013 100644 --- a/policy/modules/services/tuned.if +++ b/policy/modules/services/tuned.if @@ -5,9 +5,9 @@ @@ -60132,7 +61863,7 @@ index 54b8605..752697f 100644 ## # interface(`tuned_domtrans',` -@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',` +@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',` # interface(`tuned_admin',` gen_require(` @@ -60141,8 +61872,15 @@ index 54b8605..752697f 100644 + type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; ') - allow $1 tuned_t:process { ptrace signal_perms }; -@@ -124,6 +123,6 @@ interface(`tuned_admin',` +- allow $1 tuned_t:process { ptrace signal_perms }; ++ allow $1 tuned_t:process signal_perms; + ps_process_pattern($1, tuned_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tuned_t:process ptrace; ++ ') + + tuned_initrc_domtrans($1) + domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; allow $2 system_r; 
@@ -60243,6 +61981,23 @@ index 831b4a3..8590730 100644 /usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) +diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if +index d23be5c..a05cd68 100644 +--- a/policy/modules/services/ulogd.if ++++ b/policy/modules/services/ulogd.if +@@ -123,8 +123,11 @@ interface(`ulogd_admin',` + type ulogd_var_log_t, ulogd_initrc_exec_t; + ') + +- allow $1 ulogd_t:process { ptrace signal_perms }; ++ allow $1 ulogd_t:process signal_perms; + ps_process_pattern($1, ulogd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ulogd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te index 3b953f5..70f687a 100644 --- a/policy/modules/services/ulogd.te @@ -60305,6 +62060,23 @@ index 4440aa6..34ffbfd 100644 +optional_policy(` + virt_dontaudit_read_chr_dev(usbmuxd_t) +') +diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if +index ebc5414..8f8ac45 100644 +--- a/policy/modules/services/uucp.if ++++ b/policy/modules/services/uucp.if +@@ -99,8 +99,11 @@ interface(`uucp_admin',` + type uucpd_var_run_t; + ') + +- allow $1 uucpd_t:process { ptrace signal_perms }; ++ allow $1 uucpd_t:process signal_perms; + ps_process_pattern($1, uucpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 uucpd_t:process ptrace; ++ ') + + logging_list_logs($1) + admin_pattern($1, uucpd_log_t) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index d4349e9..f14d337 100644 --- a/policy/modules/services/uucp.te @@ -60351,10 +62123,10 @@ index 0000000..c184667 +/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0) 
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if new file mode 100644 -index 0000000..5a2fd4c +index 0000000..c82f178 --- /dev/null +++ b/policy/modules/services/uuidd.if -@@ -0,0 +1,193 @@ +@@ -0,0 +1,196 @@ +## policy for uuidd + +######################################## @@ -60534,8 +62306,11 @@ index 0000000..5a2fd4c + type uuidd_var_run_t; + ') + -+ allow $1 uuidd_t:process { ptrace signal_perms }; ++ allow $1 uuidd_t:process signal_perms; + ps_process_pattern($1, uuidd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 uuidd_t:process ptrace; ++ ') + + uuidd_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -60600,6 +62375,36 @@ index 0000000..ac053f3 + +miscfiles_read_localization(uuidd_t) + +diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if +index 93975d6..7a665ff 100644 +--- a/policy/modules/services/varnishd.if ++++ b/policy/modules/services/varnishd.if +@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',` + type varnishlog_var_run_t; + ') + +- allow $1 varnishlog_t:process { ptrace signal_perms }; ++ allow $1 varnishlog_t:process signal_perms; + ps_process_pattern($1, varnishlog_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 varnishd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) + domain_system_change_exemption($1) +@@ -194,8 +197,11 @@ interface(`varnishd_admin',` + type varnishd_initrc_exec_t; + ') + +- allow $1 varnishd_t:process { ptrace signal_perms }; ++ allow $1 varnishd_t:process signal_perms; + ps_process_pattern($1, varnishd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 varnishd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, varnishd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index f9310f3..7a350f1 100644 --- a/policy/modules/services/varnishd.te @@ -60656,10 +62461,10 @@ index 0000000..71d9784 + 
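Review bot: In varnishd_admin_varnishlog the deny_ptrace block grants ptrace on `varnishd_t`, whereas every other rule in that interface (the signal_perms line and ps_process_pattern) targets `varnishlog_t`; the second hunk already covers `varnishd_t` in varnishd_admin, so the varnishlog interface ends up with no ptrace on its own daemon and references a type that, as far as the hunk shows, is not in its gen_require (that block starts above the hunk). Change the line to `allow $1 varnishlog_t:process ptrace;`.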
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..7647279 +index 0000000..57471cc --- /dev/null +++ b/policy/modules/services/vdagent.if -@@ -0,0 +1,128 @@ +@@ -0,0 +1,131 @@ + +## policy for vdagent + @@ -60780,8 +62585,11 @@ index 0000000..7647279 + type vdagent_var_run_t; + ') + -+ allow $1 vdagent_t:process { ptrace signal_perms }; ++ allow $1 vdagent_t:process signal_perms; + ps_process_pattern($1, vdagent_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vdagent_t:process ptrace; ++ ') + + files_search_pids($1) + admin_pattern($1, vdagent_var_run_t) @@ -60849,7 +62657,7 @@ index 0000000..4fd2377 +') + diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if -index 1f872b5..da605ba 100644 +index 1f872b5..1250e30 100644 --- a/policy/modules/services/vhostmd.if +++ b/policy/modules/services/vhostmd.if @@ -5,9 +5,9 @@ @@ -60901,44 +62709,57 @@ index 1f872b5..da605ba 100644 ') ######################################## -@@ -209,7 +210,7 @@ interface(`vhostmd_admin',` +@@ -209,8 +210,11 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') - allow $1 vhostmd_t:process { ptrace signal_perms getattr }; -+ allow $1 vhostmd_t:process { ptrace signal_perms }; ++ allow $1 vhostmd_t:process signal_perms; ps_process_pattern($1, vhostmd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vhostmd_t:process ptrace; ++ ') vhostmd_initrc_domtrans($1) -@@ -220,5 +221,4 @@ interface(`vhostmd_admin',` + domain_system_change_exemption($1) +@@ -220,5 +224,4 @@ interface(`vhostmd_admin',` vhostmd_manage_tmpfs_files($1) vhostmd_manage_pid_files($1) - ') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te -index 32a3c13..7baeb6f 100644 +index 32a3c13..e3d91ad 100644 --- a/policy/modules/services/vhostmd.te 
+++ b/policy/modules/services/vhostmd.te -@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t) +@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t) + # allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; - allow vhostmd_t self:process { setsched getsched }; +-allow vhostmd_t self:process { setsched getsched }; -allow vhostmd_t self:fifo_file rw_file_perms; ++allow vhostmd_t self:process { setsched getsched signal }; +allow vhostmd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -@@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t) +@@ -44,9 +44,15 @@ corecmd_exec_shell(vhostmd_t) corenet_tcp_connect_soundd_port(vhostmd_t) ++dev_read_rand(vhostmd_t) ++dev_read_sysfs(vhostmd_t) ++ +# 579803 +files_list_tmp(vhostmd_t) files_read_etc_files(vhostmd_t) files_read_usr_files(vhostmd_t) -@@ -66,6 +68,7 @@ optional_policy(` ++dev_read_rand(vhostmd_t) + dev_read_sysfs(vhostmd_t) + + auth_use_nsswitch(vhostmd_t) +@@ -66,6 +72,7 @@ optional_policy(` optional_policy(` virt_stream_connect(vhostmd_t) @@ -61003,10 +62824,10 @@ index 2124b6a..49c15d1 100644 +# support for nova-stack +/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..fc6beb9 100644 +index 7c5d8d8..3fd8f12 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -13,39 +13,44 @@ +@@ -13,39 +13,45 @@ # template(`virt_domain_template',` gen_require(` @@ -61016,10 +62837,12 @@ index 7c5d8d8..fc6beb9 100644 + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; ++ type qemu_exec_t; ') type $1_t, virt_domain; - domain_type($1_t) +- domain_type($1_t) ++ application_domain($1_t, qemu_exec_t) domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) 
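Review bot: The vhostmd.te hunk adds `dev_read_rand(vhostmd_t)` and `dev_read_sysfs(vhostmd_t)` at the top and then inserts a second `dev_read_rand(vhostmd_t)` directly above the pre-existing `dev_read_sysfs(vhostmd_t)`, so both interface calls are now present twice. Duplicate allow rules are merged at build time, but they make the daemon's effective grant harder to audit; keep one copy of each, e.g. drop the two new lines above `files_list_tmp` and leave the single `dev_read_rand(vhostmd_t)` beside the existing `dev_read_sysfs`. The bare `# 579803` comment should name the tracker and what the rule fixes so the reference is actionable, e.g. `# bz#579803: vhostmd needs to list /tmp` if that is indeed the bug it refers to.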
@@ -61059,7 +62882,7 @@ index 7c5d8d8..fc6beb9 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +62,6 @@ template(`virt_domain_template',` +@@ -57,18 +63,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -61078,7 +62901,7 @@ index 7c5d8d8..fc6beb9 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -96,14 +89,32 @@ interface(`virt_image',` +@@ -96,14 +90,32 @@ interface(`virt_image',` dev_node($1) ') @@ -61113,7 +62936,7 @@ index 7c5d8d8..fc6beb9 100644 ## # interface(`virt_domtrans',` -@@ -114,6 +125,25 @@ interface(`virt_domtrans',` +@@ -114,6 +126,25 @@ interface(`virt_domtrans',` domtrans_pattern($1, virtd_exec_t, virtd_t) ') @@ -61139,7 +62962,7 @@ index 7c5d8d8..fc6beb9 100644 ####################################### ## ## Connect to virt over an unix domain stream socket. -@@ -164,13 +194,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +195,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -61155,7 +62978,7 @@ index 7c5d8d8..fc6beb9 100644 ') ######################################## -@@ -185,13 +215,13 @@ interface(`virt_read_config',` +@@ -185,13 +216,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -61171,7 +62994,7 @@ index 7c5d8d8..fc6beb9 100644 ') ######################################## -@@ -231,6 +261,24 @@ interface(`virt_read_content',` +@@ -231,6 +262,24 @@ interface(`virt_read_content',` ######################################## ## @@ -61196,7 +63019,7 @@ index 7c5d8d8..fc6beb9 100644 ## Read virt PID files. ## ## -@@ -269,6 +317,36 @@ interface(`virt_manage_pid_files',` +@@ -269,6 +318,36 @@ interface(`virt_manage_pid_files',` ######################################## ## 
@@ -61233,7 +63056,7 @@ index 7c5d8d8..fc6beb9 100644 ## Search virt lib directories. ## ## -@@ -308,6 +386,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +387,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -61258,7 +63081,7 @@ index 7c5d8d8..fc6beb9 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +448,9 @@ interface(`virt_read_log',` +@@ -352,9 +449,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -61270,7 +63093,7 @@ index 7c5d8d8..fc6beb9 100644 ## # interface(`virt_append_log',` -@@ -408,6 +504,7 @@ interface(`virt_read_images',` +@@ -408,6 +505,7 @@ interface(`virt_read_images',` read_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) read_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -61278,7 +63101,7 @@ index 7c5d8d8..fc6beb9 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -424,6 +521,24 @@ interface(`virt_read_images',` +@@ -424,6 +522,24 @@ interface(`virt_read_images',` ######################################## ## @@ -61303,7 +63126,7 @@ index 7c5d8d8..fc6beb9 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +548,15 @@ interface(`virt_read_images',` +@@ -433,15 +549,15 @@ interface(`virt_read_images',` ## ## # @@ -61324,7 +63147,7 @@ index 7c5d8d8..fc6beb9 100644 ') ######################################## -@@ -466,6 +581,7 @@ interface(`virt_manage_images',` +@@ -466,6 +582,7 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) 
@@ -61332,7 +63155,7 @@ index 7c5d8d8..fc6beb9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) -@@ -500,11 +616,16 @@ interface(`virt_manage_images',` +@@ -500,10 +617,19 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -61340,23 +63163,27 @@ index 7c5d8d8..fc6beb9 100644 + type virt_lxc_t; ') - allow $1 virtd_t:process { ptrace signal_perms }; +- allow $1 virtd_t:process { ptrace signal_perms }; ++ allow $1 virtd_t:process signal_perms; ps_process_pattern($1, virtd_t) - -+ allow $1 virt_lxc_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, virt_lxc_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 virtd_t:process ptrace; ++ allow $1 virt_lxc_t:process ptrace; ++ ') + ++ allow $1 virt_lxc_t:process signal_perms; ++ ps_process_pattern($1, virt_lxc_t) + init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; -@@ -515,4 +636,213 @@ interface(`virt_admin',` +@@ -515,4 +641,231 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) + + virt_manage_images($1) + -+ allow $1 virt_domain:process { ptrace signal_perms }; ++ allow $1 virt_domain:process signal_perms; +') + +######################################## @@ -61563,11 +63390,29 @@ index 7c5d8d8..fc6beb9 100644 + role system_r types $1_t; +') + ++######################################## ++## ++## Execute a qemu_exec_t in the callers domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_exec_qemu',` ++ gen_require(` ++ type qemu_exec_t; ++ ') ++ ++ can_exec($1, qemu_exec_t) ++') ++ diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..54e53fb 100644 +index 3eca020..3619ec3 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) +@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0) # Declarations # 
@@ -61657,20 +63502,23 @@ index 3eca020..54e53fb 100644 virt_domain_template(svirt) role system_r types svirt_t; - +- -type svirt_cache_t; -files_type(svirt_cache_t) -- ++typealias svirt_t alias qemu_t; + attribute virt_domain; attribute virt_image_type; +attribute virt_tmpfs_type; + ++type qemu_exec_t; ++ +type virt_cache_t alias svirt_cache_t; +files_type(virt_cache_t) type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,23 +87,31 @@ files_config_file(virt_etc_t) +@@ -62,23 +90,31 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -61703,7 +63551,7 @@ index 3eca020..54e53fb 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +122,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +125,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -61715,7 +63563,7 @@ index 3eca020..54e53fb 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -97,6 +135,27 @@ ifdef(`enable_mls',` +@@ -97,6 +138,27 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -61743,7 +63591,7 @@ index 3eca020..54e53fb 100644 ######################################## # # svirt local policy -@@ -104,15 +163,12 @@ ifdef(`enable_mls',` +@@ -104,15 +166,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -61760,7 +63608,7 @@ index 3eca020..54e53fb 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -130,9 +186,13 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -130,9 +189,13 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) 
@@ -61774,7 +63622,7 @@ index 3eca020..54e53fb 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +207,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +210,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -61790,7 +63638,7 @@ index 3eca020..54e53fb 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +224,24 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +227,24 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -61815,11 +63663,13 @@ index 3eca020..54e53fb 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +251,36 @@ optional_policy(` +@@ -173,22 +253,40 @@ optional_policy(` + # virtd local policy # - allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; ++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code @@ -61849,6 +63699,9 @@ index 3eca020..54e53fb 100644 +allow virt_domain virtd_t:fd use; +dontaudit virt_domain virtd_t:unix_stream_socket { read write }; + ++can_exec(virtd_t, qemu_exec_t) ++can_exec(virt_domain, qemu_exec_t) ++ +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) 
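Review bot: `can_exec(virtd_t, qemu_exec_t)` lets libvirtd run the qemu binary in its own domain, which this hunk still grants dac_override, net_admin, sys_admin, setuid and setgid; nothing visible here provides a transition from virtd_t to svirt_t on qemu_exec_t, so if a guest is ever launched through this rule instead of a transition it inherits virtd_t's privileges and the sVirt isolation is lost. libvirt does exec qemu itself for capability probing, which is presumably the intent, but the rule should say so, e.g. `# libvirtd runs qemu only to probe capabilities; guests must still transition to svirt_t`. It is also worth confirming that the svirt_t entrypoint on qemu_exec_t is still declared somewhere, since elsewhere in this patch the former `qemu_entry_type`/`qemu_exec` calls for virt_domain are removed in favour of a bare `can_exec(virt_domain, qemu_exec_t)`. The virtd_t local-policy block continues beyond this hunk.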
@@ -61858,7 +63711,7 @@ index 3eca020..54e53fb 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -199,9 +291,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -199,9 +297,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -61879,7 +63732,7 @@ index 3eca020..54e53fb 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +318,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +324,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -61895,7 +63748,7 @@ index 3eca020..54e53fb 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +346,33 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +352,33 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -61930,7 +63783,7 @@ index 3eca020..54e53fb 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +386,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
@@ -61949,14 +63802,23 @@ index 3eca020..54e53fb 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +415,30 @@ modutils_read_module_config(virtd_t) +@@ -276,6 +412,8 @@ term_use_ptmx(virtd_t) + + auth_use_nsswitch(virtd_t) + ++init_dbus_chat(virtd_t) ++ + miscfiles_read_localization(virtd_t) + miscfiles_read_generic_certs(virtd_t) + miscfiles_read_hwdata(virtd_t) +@@ -285,16 +423,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -61980,7 +63842,7 @@ index 3eca020..54e53fb 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +457,10 @@ optional_policy(` +@@ -313,6 +465,10 @@ optional_policy(` ') optional_policy(` @@ -61991,7 +63853,7 @@ index 3eca020..54e53fb 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,16 +477,23 @@ optional_policy(` +@@ -329,16 +485,23 @@ optional_policy(` ') optional_policy(` @@ -62015,7 +63877,7 @@ index 3eca020..54e53fb 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +515,11 @@ optional_policy(` +@@ -360,11 +523,11 @@ optional_policy(` ') optional_policy(` @@ -62032,7 +63894,7 @@ index 3eca020..54e53fb 100644 ') optional_policy(` -@@ -394,20 +549,36 @@ optional_policy(` +@@ -394,20 +557,36 @@ optional_policy(` # virtual domains common policy # @@ -62072,7 +63934,7 @@ index 3eca020..54e53fb 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +597,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) 
@@ -62085,7 +63947,7 @@ index 3eca020..54e53fb 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +601,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +609,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -62098,7 +63960,7 @@ index 3eca020..54e53fb 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +614,367 @@ files_search_all(virt_domain) +@@ -440,25 +622,362 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -62106,12 +63968,12 @@ index 3eca020..54e53fb 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -62136,11 +63998,6 @@ index 3eca020..54e53fb 100644 +') + +optional_policy(` -+ qemu_entry_type(virt_domain) -+ qemu_exec(virt_domain) -+') -+ -+optional_policy(` virt_read_config(virt_domain) virt_read_lib_files(virt_domain) virt_read_content(virt_domain) @@ -62344,7 +64201,6 @@ index 3eca020..54e53fb 100644 +# virt_lxc_domain local policy +# +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override }; -+dontaudit svirt_lxc_domain self:capability sys_ptrace; + +allow virtd_t svirt_lxc_domain:process { signal_perms }; +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; 
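Review bot: `storage_raw_read_removable_device(virt_domain)` gives every guest domain raw read access to removable block devices unconditionally, while comparable device access for svirt_t in this file is gated by `virt_use_usb` and `virt_use_comm`, and the only rationale the hunk shows is the tentative `# I think we need these for now.` comment. A guest that escapes qemu could then read whatever USB or optical media is attached to the host regardless of the administrator's intent. Gate it like the others, `tunable_policy(`virt_use_usb',` storage_raw_read_removable_device(virt_domain) ')` or a dedicated boolean, and replace the comment with the concrete reason the access is needed. The virt_domain common-policy block continues past this hunk.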
@@ -62394,6 +64250,7 @@ index 3eca020..54e53fb 100644 +fs_list_inotifyfs(svirt_lxc_domain) +fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain) + ++auth_dontaudit_read_passwd(svirt_lxc_domain) +auth_dontaudit_read_login_records(svirt_lxc_domain) +auth_dontaudit_write_login_records(svirt_lxc_domain) +auth_search_pam_console_data(svirt_lxc_domain) @@ -62479,7 +64336,7 @@ index 11533cc..4d81b99 100644 /usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if -index 727fe95..21af852 100644 +index 727fe95..adbb3fb 100644 --- a/policy/modules/services/vnstatd.if +++ b/policy/modules/services/vnstatd.if @@ -113,6 +113,7 @@ interface(`vnstatd_manage_lib_files',` @@ -62490,6 +64347,19 @@ index 727fe95..21af852 100644 ######################################## ## ## All of the rules required to administrate +@@ -135,8 +136,11 @@ interface(`vnstatd_admin',` + type vnstatd_t, vnstatd_var_lib_t; + ') + +- allow $1 vnstatd_t:process { ptrace signal_perms }; ++ allow $1 vnstatd_t:process signal_perms; + ps_process_pattern($1, vnstatd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vnstatd_t:process ptrace; ++ ') + + files_list_var_lib($1) + admin_pattern($1, vnstatd_var_lib_t) diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te index 8121937..5a462fb 100644 --- a/policy/modules/services/vnstatd.te @@ -62559,10 +64429,10 @@ index 0000000..2f21759 +/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if new file mode 100644 -index 0000000..a554011 +index 0000000..955f1ac --- /dev/null +++ b/policy/modules/services/wdmd.if -@@ -0,0 +1,111 @@ +@@ -0,0 +1,114 @@ + +## policy for wdmd + 
@@ -62627,8 +64497,11 @@ index 0000000..a554011 + type wdmd_initrc_exec_t; + ') + -+ allow $1 wdmd_t:process { ptrace signal_perms }; ++ allow $1 wdmd_t:process signal_perms; + ps_process_pattern($1, wdmd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 wdmd_t:process ptrace; ++ ') + + wdmd_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -64072,7 +65945,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..40e56f1 100644 +index 143c893..743ea2b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
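Review bot: wdmd_admin repeats the three-line `tunable_policy(`deny_ptrace',`',` allow $1 wdmd_t:process ptrace; ')` block that this patch also hand-copies into vnstatd_admin, zabbix_admin, zebra_admin and virt_admin, and the virt_admin copy has already drifted by dropping ptrace on virt_domain altogether. A single shared interface in domain.if that takes the target type and wraps the tunable would make the admin ptrace grant one point of policy instead of many conditionals to keep in sync. The empty-true-branch form is also easy to misread as granting nothing, so a one-line comment such as `# ptrace only while deny_ptrace is off` would help each copy that remains. The interface header of wdmd_admin lies outside this hunk.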
@@ -64397,14 +66270,17 @@ index 143c893..40e56f1 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -304,20 +417,36 @@ optional_policy(` - # XDM Local policy +@@ -305,19 +418,40 @@ optional_policy(` # --allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; + allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace }; ++ ++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; ++tunable_policy(`deny_ptrace',`',` ++ allow xdm_t self:process ptrace; ++') ++ allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -64438,7 +66314,7 @@ index 143c893..40e56f1 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +459,63 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) 
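Review bot: The new xdm_t rules keep `allow xdm_t self:process ptrace` under `tunable_policy(`deny_ptrace',`',` ... ')` but drop the `sys_ptrace` that the previous version of this patch had added to the capability line, so even with deny_ptrace off xdm_t can only trace its own dumpable, same-uid processes; whether that still satisfies whatever in the display manager needed ptrace is not visible here. A short comment naming the consumer would let the next reviewer judge that, e.g. `# self-ptrace for the gdm helper that needs it; CAP_SYS_PTRACE deliberately not granted`. The xdm_t local-policy block continues past this hunk.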
@@ -64508,7 +66384,7 @@ index 143c893..40e56f1 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +524,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -64536,7 +66412,7 @@ index 143c893..40e56f1 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +555,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -64590,7 +66466,7 @@ index 143c893..40e56f1 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +603,24 @@ files_list_mnt(xdm_t) +@@ -435,9 +608,24 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -64615,7 +66491,7 @@ index 143c893..40e56f1 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +634,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -64655,7 +66531,7 @@ index 143c893..40e56f1 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +673,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -64686,7 +66562,7 @@ index 143c893..40e56f1 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +712,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -64701,7 +66577,7 @@ index 143c893..40e56f1 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +733,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -64723,7 +66599,7 @@ index 143c893..40e56f1 100644 ') optional_policy(` -@@ -519,12 +750,63 @@ optional_policy(` +@@ -519,12 +755,63 @@ optional_policy(` ') optional_policy(` @@ -64787,7 +66663,7 @@ index 143c893..40e56f1 100644 hostname_exec(xdm_t) ') -@@ -542,28 +824,69 @@ optional_policy(` +@@ -542,28 +829,69 @@ optional_policy(` ') optional_policy(` @@ -64866,7 +66742,7 @@ index 143c893..40e56f1 100644 ') optional_policy(` -@@ -575,6 +898,14 @@ optional_policy(` +@@ -575,6 +903,14 @@ optional_policy(` ') optional_policy(` 
@@ -64881,16 +66757,15 @@ index 143c893..40e56f1 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +930,7 @@ allow xserver_t input_xevent_t:x_event send; - # execheap needed until the X module loader is fixed. +@@ -600,6 +936,7 @@ allow xserver_t input_xevent_t:x_event send; # NVIDIA Needs execstack --allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; ++ dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +944,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -64906,7 +66781,7 @@ index 143c893..40e56f1 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +971,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -64928,7 +66803,7 @@ index 143c893..40e56f1 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +991,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +997,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -64936,7 +66811,7 @@ index 143c893..40e56f1 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +1024,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -64967,7 +66842,7 @@ index 143c893..40e56f1 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -64981,7 +66856,7 @@ index 143c893..40e56f1 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1069,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1075,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -64990,7 +66865,7 @@ index 143c893..40e56f1 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1082,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -65005,7 +66880,7 @@ index 143c893..40e56f1 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1135,40 @@ optional_policy(` +@@ -778,16 +1141,40 @@ optional_policy(` ') optional_policy(` 
@@ -65047,7 +66922,7 @@ index 143c893..40e56f1 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1177,10 @@ optional_policy(` +@@ -796,6 +1183,10 @@ optional_policy(` ') optional_policy(` @@ -65058,7 +66933,7 @@ index 143c893..40e56f1 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1202,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -65072,7 +66947,7 @@ index 143c893..40e56f1 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1213,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -65081,7 +66956,7 @@ index 143c893..40e56f1 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1220,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1226,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -65091,7 +66966,7 @@ index 143c893..40e56f1 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1236,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -65103,7 +66978,7 @@ index 143c893..40e56f1 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1249,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -65120,7 +66995,7 @@ index 143c893..40e56f1 100644 ') optional_policy(` -@@ -862,6 +1258,10 @@ optional_policy(` +@@ -862,6 +1264,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -65131,7 +67006,7 @@ index 143c893..40e56f1 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1311,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -65140,7 +67015,7 @@ index 143c893..40e56f1 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1365,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -65172,7 +67047,7 @@ index 143c893..40e56f1 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1411,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -65196,7 +67071,7 @@ index 143c893..40e56f1 100644 +') + +# Hack to handle the problem of using the nvidia blobs -+tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow xdm_t self:process execmem; +') + @@ -65239,7 +67114,7 @@ index 664cd7a..e3eaec5 100644 /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) 
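Review bot: `tunable_policy(`deny_execmem',`',` allow xdm_t self:process execmem; ')` inverts the old `allow_execmem` gate: the grant now sits in the else-branch, so xdm_t receives execmem whenever deny_execmem is off, and if the new boolean defaults to false like the one it replaces the nvidia workaround becomes on by default rather than opt-in. That is a hardening regression for a privileged domain and the comment above it hides it; at least change it to `# Hack for the nvidia blobs: xdm_t gets execmem unless deny_execmem is set` so the default is explicit, and consider keeping a positive opt-in boolean for xdm_t specifically. The surrounding xserver.te block continues outside the hunk.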
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if -index c9981d1..11013a6 100644 +index c9981d1..0629472 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -5,9 +5,9 @@ @@ -65275,6 +67150,19 @@ index c9981d1..11013a6 100644 ') corenet_sendrecv_zabbix_agent_client_packets($1) +@@ -142,8 +142,11 @@ interface(`zabbix_admin',` + type zabbix_initrc_exec_t; + ') + +- allow $1 zabbix_t:process { ptrace signal_perms }; ++ allow $1 zabbix_t:process signal_perms; + ps_process_pattern($1, zabbix_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 zabbix_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, zabbix_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te index 7f88f5f..bd6493d 100644 --- a/policy/modules/services/zabbix.te @@ -65468,7 +67356,7 @@ index 9fb4747..6e2c42a 100644 miscfiles_read_localization(zarafa_domain) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if -index 6b87605..347f754 100644 +index 6b87605..ef64e73 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if @@ -38,8 +38,7 @@ interface(`zebra_stream_connect',` @@ -65481,7 +67369,7 @@ index 6b87605..347f754 100644 ') ######################################## -@@ -62,8 +61,7 @@ interface(`zebra_stream_connect',` +@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',` interface(`zebra_admin',` gen_require(` type zebra_t, zebra_tmp_t, zebra_log_t; 
@@ -65490,7 +67378,15 @@ index 6b87605..347f754 100644 + type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; ') - allow $1 zebra_t:process { ptrace signal_perms }; +- allow $1 zebra_t:process { ptrace signal_perms }; ++ allow $1 zebra_t:process signal_perms; + ps_process_pattern($1, zebra_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 zebra_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, zebra_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index ade6c2c..2b78f0d 100644 --- a/policy/modules/services/zebra.te @@ -65621,18 +67517,22 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..59742f4 100644 +index 28ad538..02a592a 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -5,6 +5,7 @@ +@@ -5,7 +5,11 @@ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0) ++/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0) ++/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) -@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', ` + /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +@@ -30,6 +34,7 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) 
@@ -65640,14 +67540,14 @@ index 28ad538..59742f4 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', ` +@@ -45,5 +50,4 @@ ifdef(`distro_gentoo', ` /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..6a25dd6 100644 +index 73554ec..6355d14 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -65709,13 +67609,14 @@ index 73554ec..6a25dd6 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -123,13 +141,19 @@ interface(`auth_login_pgm_domain',` +@@ -123,13 +141,20 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) + tunable_policy(`authlogin_radius',` + corenet_udp_bind_all_unreserved_ports($1) + ') ++ corenet_tcp_connect_pki_ca_port($1) + # for fingerprint readers dev_rw_input_dev($1) @@ -65730,7 +67631,7 @@ index 73554ec..6a25dd6 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +169,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +170,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -65739,7 +67640,7 @@ index 73554ec..6a25dd6 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +181,83 @@ interface(`auth_login_pgm_domain',` +@@ -155,13 +182,87 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) 
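Review bot: `corenet_tcp_connect_pki_ca_port($1)` is added to auth_login_pgm_domain outside any tunable, so every caller of this interface may now open TCP connections to the PKI CA port unconditionally, while the radius bind immediately above it is gated by `tunable_policy(`authlogin_radius',` ... ')`. Outbound network access from login-program domains is exactly what a compromised PAM module would use to leak credentials, so this should be opt-in: wrap it in a boolean alongside authlogin_radius, `tunable_policy(`<new_boolean>',` corenet_tcp_connect_pki_ca_port($1) ')`, or grant it only to the specific domain that performs the CA lookup. The interface body is spread over several inner hunks, so the rest of it is not visible here.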
@@ -65779,16 +67680,16 @@ index 73554ec..6a25dd6 100644 + + optional_policy(` + fprintd_dbus_chat($1) - ') ++ ') + + optional_policy(` + ssh_agent_exec($1) + ssh_read_user_home_files($1) -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Read authlogin state files. +## +## @@ -65822,10 +67723,14 @@ index 73554ec..6a25dd6 100644 + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -368,13 +468,15 @@ interface(`auth_domtrans_chk_passwd',` ++') ++ ++######################################## ++## + ## Use the login program as an entry point program. + ## + ## +@@ -368,13 +469,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -65842,7 +67747,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -421,6 +523,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +524,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -65868,7 +67773,26 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -736,7 +857,47 @@ interface(`auth_rw_faillog',` +@@ -440,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',` + + domtrans_pattern($1, updpwd_exec_t, updpwd_t) + auth_dontaudit_read_shadow($1) +- + ') + + ######################################## +@@ -637,6 +758,10 @@ interface(`auth_manage_shadow',` + + allow $1 shadow_t:file manage_file_perms; + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ++ files_var_filetrans($1, shadow_t, file, "shadow") ++ files_var_filetrans($1, shadow_t, file, "shadow-") ++ files_etc_filetrans($1, shadow_t, file, ".pwd.lock") ++ files_etc_filetrans($1, shadow_t, file, "gshadow") + ') + + ####################################### +@@ -736,7 +861,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
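Review bot: In auth_manage_shadow the two new `files_var_filetrans($1, shadow_t, file, "shadow")` / `"shadow-"` calls set up transitions for files created under var_t, but the next two lines use `files_etc_filetrans` for `.pwd.lock` and `gshadow`, and shadow and shadow- live in /etc beside them; unless a /var location is genuinely intended this reads as a copy error, and an /etc/shadow or /etc/shadow- recreated by a managing domain would not get shadow_t from these rules. Change both to `files_etc_filetrans($1, shadow_t, file, "shadow")` and `files_etc_filetrans($1, shadow_t, file, "shadow-")`. The whole of auth_manage_shadow is visible in this hunk.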
@@ -65914,10 +67838,13 @@ index 73554ec..6a25dd6 100644 + files_search_pids($1) + allow $1 faillog_t:dir manage_dir_perms; + allow $1 faillog_t:file manage_file_perms; ++ logging_log_named_filetrans($1, faillog_t, file, "tallylog") ++ logging_log_named_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, faillog_t, file, "btmp") ') ####################################### -@@ -932,9 +1093,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1100,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -65951,7 +67878,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -1387,6 +1569,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1576,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -65977,35 +67904,73 @@ index 73554ec..6a25dd6 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1742,6 @@ interface(`auth_manage_login_records',` +@@ -1537,37 +1745,49 @@ interface(`auth_manage_login_records',` + + logging_rw_generic_log_dirs($1) + allow $1 wtmp_t:file manage_file_perms; ++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") + ') ######################################## ## -## Relabel login record files. --## --## --## --## Domain allowed access. --## --## --# ++## Use nsswitch to look up user, password, group, or ++## host information. + ## ++## ++##

++## Allow the specified domain to look up user, password, ++## group, or host information using the name service. ++## The most common use of this interface is for services ++## that do host name resolution (usually DNS resolution). ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # -interface(`auth_relabel_login_records',` -- gen_require(` ++interface(`auth_use_nsswitch',` + gen_require(` - type wtmp_t; -- ') -- ++ attribute nsswitch_domain; + ') + - allow $1 wtmp_t:file relabel_file_perms; --') -- --######################################## --## - ## Use nsswitch to look up user, password, group, or - ## host information. ++ typeattribute $1 nsswitch_domain; + ') + + ######################################## + ## +-## Use nsswitch to look up user, password, group, or +-## host information. ++## Unconfined access to the authlogin module. ## -@@ -1578,54 +1761,11 @@ interface(`auth_relabel_login_records',` - ## + ## + ##

+-## Allow the specified domain to look up user, password, +-## group, or host information using the name service. +-## The most common use of this interface is for services +-## that do host name resolution (usually DNS resolution). ++## Unconfined access to the authlogin module. ++##

++##

++## Currently, this only allows assertions for ++## the shadow passwords file (/etc/shadow) to ++## be passed. No access is granted yet. + ##

+ ##
+ ## +@@ -1575,87 +1795,149 @@ interface(`auth_relabel_login_records',` + ## Domain allowed access. + ##
+ ## +-## # - interface(`auth_use_nsswitch',` +-interface(`auth_use_nsswitch',` - - files_list_var_lib($1) - 
@@ -66013,89 +67978,197 @@ index 73554ec..6a25dd6 100644 - files_read_etc_files($1) - - miscfiles_read_generic_certs($1) -- ++interface(`auth_unconfined',` ++ gen_require(` ++ attribute can_read_shadow_passwords; ++ attribute can_write_shadow_passwords; ++ attribute can_relabelto_shadow_passwords; ++ ') + - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) -- ++ typeattribute $1 can_read_shadow_passwords; ++ typeattribute $1 can_write_shadow_passwords; ++ typeattribute $1 can_relabelto_shadow_passwords; ++') + - optional_policy(` - avahi_stream_connect($1) -- ') -- ++######################################## ++## ++## Transition to authlogin named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authlogin_filetrans_named_content',` ++ gen_require(` ++ type shadow_t; ++ type passwd_file_t; ++ type faillog_t; ++ type wtmp_t; + ') + - optional_policy(` - ldap_stream_connect($1) - ') -- ++ files_etc_filetrans($1, passwd_file_t, file, "group") ++ files_etc_filetrans($1, passwd_file_t, file, "group-") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd-") ++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") ++ files_etc_filetrans($1, shadow_t, file, "shadow") ++ files_etc_filetrans($1, shadow_t, file, "shadow-") ++ files_etc_filetrans($1, shadow_t, file, ".pwd.lock") ++ files_etc_filetrans($1, shadow_t, file, "gshadow") ++ logging_log_named_filetrans($1, faillog_t, file, "tallylog") ++ logging_log_named_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, faillog_t, file, "btmp") ++ files_pid_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") ++') + - optional_policy(` - likewise_stream_connect_lsassd($1) -- ') -- ++######################################## ++## ++## Get the attributes of the passwd passwords file. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`auth_getattr_passwd',` ++ gen_require(` ++ type passwd_file_t; + ') + - optional_policy(` - kerberos_use($1) - ') -- ++ files_search_etc($1) ++ allow $1 passwd_file_t:file getattr; ++') + - optional_policy(` - nis_use_ypbind($1) -- ') -- ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of the passwd passwords file. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`auth_dontaudit_getattr_passwd',` ++ gen_require(` ++ type passwd_file_t; + ') + - optional_policy(` - nscd_socket_use($1) - ') -- ++ dontaudit $1 passwd_file_t:file getattr; ++') + - optional_policy(` - nslcd_stream_connect($1) -- ') -- -- optional_policy(` -- sssd_stream_connect($1) ++######################################## ++## ++## Read the passwd passwords file (/etc/passwd) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_read_passwd',` + gen_require(` -+ attribute nsswitch_domain; ++ type passwd_file_t; ') - optional_policy(` +- sssd_stream_connect($1) +- ') ++ allow $1 passwd_file_t:file read_file_perms; ++') + +- optional_policy(` - samba_stream_connect_winbind($1) - samba_read_var_files($1) - samba_dontaudit_write_var_files($1) -- ') -+ typeattribute $1 nsswitch_domain; - ') - - ######################################## -@@ -1659,3 +1799,33 @@ interface(`auth_unconfined',` - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; - ') -+ +######################################## +## -+## Transition to authlogin named content ++## Do not audit attempts to read the passwd ++## password file (/etc/passwd). +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`authlogin_filetrans_named_content',` ++interface(`auth_dontaudit_read_passwd',` + gen_require(` -+ type shadow_t; -+ type faillog_t; -+ type wtmp_t; -+ ') ++ type passwd_file_t; + ') + -+ files_etc_filetrans($1, shadow_t, file, "shadow") -+ files_etc_filetrans($1, shadow_t, file, "shadow-") -+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock") -+ files_etc_filetrans($1, shadow_t, file, "gshadow") -+ files_var_filetrans($1, shadow_t, file, "shadow") -+ files_var_filetrans($1, shadow_t, file, "shadow-") -+ logging_log_named_filetrans($1, faillog_t, file, "tallylog") -+ logging_log_named_filetrans($1, faillog_t, file, "faillog") -+ logging_log_named_filetrans($1, faillog_t, file, "btmp") -+ files_pid_filetrans($1, faillog_t, file, "faillog") -+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") -+') ++ dontaudit $1 passwd_file_t:file read_file_perms; + ') + + ######################################## + ## +-## Unconfined access to the authlogin module. ++## Create, read, write, and delete the passwd ++## password file. + ## +-## +-##

+-## Unconfined access to the authlogin module. +-##

+-##

+-## Currently, this only allows assertions for +-## the shadow passwords file (/etc/shadow) to +-## be passed. No access is granted yet. +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`auth_unconfined',` ++interface(`auth_manage_passwd',` + gen_require(` +- attribute can_read_shadow_passwords; +- attribute can_write_shadow_passwords; +- attribute can_relabelto_shadow_passwords; ++ type passwd_file_t; + ') + +- typeattribute $1 can_read_shadow_passwords; +- typeattribute $1 can_write_shadow_passwords; +- typeattribute $1 can_relabelto_shadow_passwords; ++ files_rw_etc_dirs($1) ++ allow $1 passwd_file_t:file manage_file_perms; ++ files_etc_filetrans($1, passwd_file_t, file, "passwd") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd-") ++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") ++ files_etc_filetrans($1, passwd_file_t, file, "group") ++ files_etc_filetrans($1, passwd_file_t, file, "group-") + ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..7edafde 100644 +index b7a5f00..39d91d4 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) @@ -66132,7 +68205,17 @@ index b7a5f00..7edafde 100644 type lastlog_t; logging_log_file(lastlog_t) -@@ -100,6 +117,8 @@ dev_read_urand(chkpwd_t) +@@ -55,6 +72,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; + neverallow ~can_write_shadow_passwords shadow_t:file { create write }; + neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; + ++type passwd_file_t; ++files_type(passwd_file_t) ++ + type updpwd_t; + type updpwd_exec_t; + domain_type(updpwd_t) +@@ -100,6 +120,8 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd files_dontaudit_search_var(chkpwd_t) @@ -66141,7 +68224,7 @@ index b7a5f00..7edafde 100644 fs_dontaudit_getattr_xattr_fs(chkpwd_t) -@@ -118,7 +137,7 @@ miscfiles_read_localization(chkpwd_t) +@@ -118,7 +140,7 @@ miscfiles_read_localization(chkpwd_t) seutil_read_config(chkpwd_t) seutil_dontaudit_use_newrole_fds(chkpwd_t) 
@@ -66150,7 +68233,15 @@ index b7a5f00..7edafde 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -343,7 +362,7 @@ logging_send_syslog_msg(updpwd_t) +@@ -332,6 +354,7 @@ kernel_read_system_state(updpwd_t) + dev_read_urand(updpwd_t) + + files_manage_etc_files(updpwd_t) ++auth_manage_passwd(updpwd_t) + + term_dontaudit_use_console(updpwd_t) + term_dontaudit_use_unallocated_ttys(updpwd_t) +@@ -343,7 +366,7 @@ logging_send_syslog_msg(updpwd_t) miscfiles_read_localization(updpwd_t) @@ -66159,7 +68250,7 @@ index b7a5f00..7edafde 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -371,13 +390,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -371,13 +394,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -66176,7 +68267,7 @@ index b7a5f00..7edafde 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -388,10 +409,71 @@ ifdef(`distro_ubuntu',` +@@ -388,10 +413,74 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -66197,6 +68288,9 @@ index b7a5f00..7edafde 100644 + ') +') + ++ ++auth_read_passwd(nsswitch_domain) ++ +# read /etc/nsswitch.conf +files_read_etc_files(nsswitch_domain) + @@ -66576,9 +68670,18 @@ index 40eb10c..2a0a32c 100644 corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index 1a3d970..ba2f286 100644 +index 1a3d970..0995a02 100644 --- a/policy/modules/system/hotplug.te 
+++ b/policy/modules/system/hotplug.te +@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) + # + + allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; ++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit hotplug_t self:capability { dac_override dac_read_search }; + allow hotplug_t self:process { setpgid getsession getattr signal_perms }; @@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t) # kernel threads inherit from shared descriptor table used by init init_dontaudit_rw_initctl(hotplug_t) @@ -66648,7 +68751,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..b5e5c70 100644 +index 94fd8dd..5a963ef 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -67025,7 +69128,7 @@ index 94fd8dd..b5e5c70 100644 ') ') -@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +935,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -67048,11 +69151,11 @@ index 94fd8dd..b5e5c70 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## 
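Review bot: Dropping `sys_ptrace` from the hotplug_t dontaudit set means the capability request, if the daemon still makes it, is now logged as an AVC denial instead of being silently refused; the same removal appears for ipsec_t, ipsec_mgmt_t and iscsid_t later in this chunk. That is the right direction for visibility, but the ipsec_mgmt_t hunk also deletes the old `# don't audit using of lsof` explanation together with its dontaudit, so the next person to see that denial has no hint where it comes from. Suggest keeping a comment there, e.g. `# sys_ptrace intentionally not dontaudited: lsof denials should stay visible`, so the new audit noise is understood as intended rather than re-silenced.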
@@ -67065,12 +69168,16 @@ index 94fd8dd..b5e5c70 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## @@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` @@ -67086,7 +69193,18 @@ index 94fd8dd..b5e5c70 100644 files_search_etc($1) ') -@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',` +@@ -961,7 +1123,9 @@ interface(`init_ptrace',` + type init_t; + ') + +- allow $1 init_t:process ptrace; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 init_t:process ptrace; ++ ') + ') + + ######################################## +@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -67111,7 +69229,7 @@ index 94fd8dd..b5e5c70 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -67125,7 +69243,7 @@ index 94fd8dd..b5e5c70 100644 ') ######################################## -@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -67153,7 +69271,7 @@ index 94fd8dd..b5e5c70 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## 
@@ -67179,7 +69297,7 @@ index 94fd8dd..b5e5c70 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -67204,7 +69322,7 @@ index 94fd8dd..b5e5c70 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',` +@@ -1586,6 +1821,24 @@ interface(`init_read_utmp',` ######################################## ## @@ -67229,7 +69347,7 @@ index 94fd8dd..b5e5c70 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1927,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -67238,7 +69356,7 @@ index 94fd8dd..b5e5c70 100644 ') ######################################## -@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1968,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -67367,7 +69485,7 @@ index 94fd8dd..b5e5c70 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2124,194 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -67563,7 +69681,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..7752aa1 100644 +index 29a9565..75f6d6b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -67635,7 +69753,7 @@ index 29a9565..7752aa1 100644 # Use capabilities. old rule: -allow init_t self:capability ~sys_module; -+allow init_t self:capability ~{ audit_control audit_write sys_module }; ++allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -67757,7 +69875,7 @@ index 29a9565..7752aa1 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +251,138 @@ tunable_policy(`init_upstart',` +@@ -186,16 +251,139 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -67807,6 +69925,7 @@ index 29a9565..7752aa1 100644 + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) ++ files_manage_generic_tmp_dirs(init_t) + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) @@ -67898,7 +70017,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -203,6 +390,17 @@ optional_policy(` +@@ -203,6 +391,17 @@ optional_policy(` ') optional_policy(` 
@@ -67916,16 +70035,17 @@ index 29a9565..7752aa1 100644 unconfined_domain(init_t) ') -@@ -212,7 +410,7 @@ optional_policy(` +@@ -212,7 +411,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; -+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; ++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; ++ dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +439,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +441,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -67941,7 +70061,7 @@ index 29a9565..7752aa1 100644 init_write_initctl(initrc_t) -@@ -258,20 +459,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +461,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -67978,7 +70098,7 @@ index 29a9565..7752aa1 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +492,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +494,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -67986,7 +70106,7 @@ index 29a9565..7752aa1 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +503,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +505,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -67997,7 +70117,7 @@ index 29a9565..7752aa1 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +514,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +516,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -68013,7 +70133,7 @@ index 29a9565..7752aa1 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +532,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +534,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -68021,7 +70141,7 @@ index 29a9565..7752aa1 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +540,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +542,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -68033,7 +70153,7 @@ index 29a9565..7752aa1 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +559,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +561,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -68047,7 +70167,7 @@ index 29a9565..7752aa1 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,8 +574,12 @@ fs_mount_all_fs(initrc_t) +@@ -351,8 +576,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -68060,7 +70180,7 @@ index 29a9565..7752aa1 100644 mcs_ptrace_all(initrc_t) mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -363,6 +590,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +592,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -68068,7 +70188,7 @@ index 29a9565..7752aa1 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +602,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +604,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -68076,7 +70196,7 @@ index 29a9565..7752aa1 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +623,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +625,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -68098,7 +70218,7 @@ index 29a9565..7752aa1 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +686,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +688,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -68109,7 +70229,7 @@ index 29a9565..7752aa1 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +710,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +712,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -68118,7 +70238,7 @@ index 29a9565..7752aa1 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +725,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +727,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -68126,7 +70246,7 @@ index 29a9565..7752aa1 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +755,34 @@ ifdef(`distro_redhat',` +@@ -522,8 +757,34 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -68161,7 +70281,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -531,10 +790,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +792,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -68184,7 +70304,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -549,6 +820,39 @@ ifdef(`distro_suse',` +@@ -549,6 +822,39 @@ ifdef(`distro_suse',` ') ') @@ -68224,7 +70344,7 @@ index 29a9565..7752aa1 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +865,8 @@ optional_policy(` +@@ -561,6 +867,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -68233,7 +70353,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -577,6 +883,7 @@ optional_policy(` +@@ -577,6 +885,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -68241,7 +70361,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -589,6 +896,17 @@ optional_policy(` +@@ -589,6 +898,17 @@ optional_policy(` ') optional_policy(` @@ -68259,7 +70379,7 @@ index 29a9565..7752aa1 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +923,13 @@ optional_policy(` +@@ -605,9 +925,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -68273,7 +70393,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -632,6 +954,10 @@ optional_policy(` +@@ -632,6 +956,10 @@ optional_policy(` ') optional_policy(` @@ -68284,7 +70404,7 @@ index 29a9565..7752aa1 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +975,11 @@ optional_policy(` +@@ -649,6 +977,11 @@ optional_policy(` ') optional_policy(` 
@@ -68296,7 +70416,7 @@ index 29a9565..7752aa1 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1020,7 @@ optional_policy(` +@@ -689,6 +1022,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -68304,7 +70424,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -706,7 +1038,13 @@ optional_policy(` +@@ -706,7 +1040,13 @@ optional_policy(` ') optional_policy(` @@ -68318,7 +70438,7 @@ index 29a9565..7752aa1 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1067,10 @@ optional_policy(` +@@ -729,6 +1069,10 @@ optional_policy(` ') optional_policy(` @@ -68329,7 +70449,7 @@ index 29a9565..7752aa1 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1080,20 @@ optional_policy(` +@@ -738,10 +1082,20 @@ optional_policy(` ') optional_policy(` @@ -68350,7 +70470,7 @@ index 29a9565..7752aa1 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1102,10 @@ optional_policy(` +@@ -750,6 +1104,10 @@ optional_policy(` ') optional_policy(` @@ -68361,7 +70481,7 @@ index 29a9565..7752aa1 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1127,6 @@ optional_policy(` +@@ -771,8 +1129,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -68370,7 +70490,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -790,10 +1144,12 @@ optional_policy(` +@@ -790,10 +1146,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -68383,7 +70503,7 @@ index 29a9565..7752aa1 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1161,6 @@ optional_policy(` +@@ -805,7 +1163,6 @@ optional_policy(` ') optional_policy(` @@ -68391,7 +70511,7 @@ index 29a9565..7752aa1 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1170,26 @@ optional_policy(` +@@ -815,11 +1172,26 @@ optional_policy(` ') optional_policy(` 
@@ -68419,7 +70539,7 @@ index 29a9565..7752aa1 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1199,25 @@ optional_policy(` +@@ -829,6 +1201,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -68445,7 +70565,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -844,6 +1233,10 @@ optional_policy(` +@@ -844,6 +1235,10 @@ optional_policy(` ') optional_policy(` @@ -68456,7 +70576,7 @@ index 29a9565..7752aa1 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1247,160 @@ optional_policy(` +@@ -854,3 +1249,160 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -68692,10 +70812,18 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 55a6cd8..2af2952 100644 +index 55a6cd8..94e11eb 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te -@@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms; +@@ -73,13 +73,15 @@ role system_r types setkey_t; + # + + allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; ++dontaudit ipsec_t self:capability sys_tty_config; + allow ipsec_t self:process { getcap setcap getsched signal setsched }; + allow ipsec_t self:tcp_socket create_stream_socket_perms; + allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; 
@@ -68742,13 +70870,21 @@ index 55a6cd8..2af2952 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -187,8 +193,8 @@ optional_policy(` + # + + allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; +-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; +-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; ++dontaudit ipsec_mgmt_t self:capability sys_tty_config; ++allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; + allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; + allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; + allow ipsec_mgmt_t self:udp_socket create_socket_perms; +@@ -245,6 +251,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) -+# don't audit using of lsof -+dontaudit ipsec_mgmt_t self:capability sys_ptrace; -+ +domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) +domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) + @@ -68762,7 +70898,7 @@ index 55a6cd8..2af2952 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +293,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -68774,7 +70910,7 @@ index 55a6cd8..2af2952 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t) +@@ -297,7 +314,7 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) 
@@ -68783,7 +70919,7 @@ index 55a6cd8..2af2952 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -324,10 +344,6 @@ optional_policy(` +@@ -324,10 +341,6 @@ optional_policy(` modutils_domtrans_insmod(ipsec_mgmt_t) ') @@ -68794,7 +70930,7 @@ index 55a6cd8..2af2952 100644 ifdef(`TODO',` # ideally it would not need this. It wants to write to /root/.rnd file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) -@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t) +@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -68813,7 +70949,7 @@ index 55a6cd8..2af2952 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t) +@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -68822,7 +70958,7 @@ index 55a6cd8..2af2952 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t) +@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -69010,10 +71146,18 @@ index f3e1b57..d7fd7fb 100644 ') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te -index ddbd8be..ac8e814 100644 +index ddbd8be..65b5762 100644 --- a/policy/modules/system/iscsi.te 
+++ b/policy/modules/system/iscsi.te -@@ -66,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t) + # + + allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +-dontaudit iscsid_t self:capability sys_ptrace; + allow iscsid_t self:process { setrlimit setsched signal }; + allow iscsid_t self:fifo_file rw_fifo_file_perms; + allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -66,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) @@ -69021,7 +71165,7 @@ index ddbd8be..ac8e814 100644 corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -78,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t) +@@ -78,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -69737,7 +71881,7 @@ index 0e3c2a9..40adf5a 100644 +') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a0b379d..bf90918 100644 +index a0b379d..37a5bb4 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -17,6 +17,9 @@ type local_login_tmp_t; 
@@ -69757,7 +71901,7 @@ index a0b379d..bf90918 100644 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; -+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config }; ++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; @@ -69921,7 +72065,7 @@ index 02f4c97..cd16709 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 831b909..efe1038 100644 +index 831b909..0410fa3 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -491,6 +491,63 @@ interface(`logging_log_filetrans',` 
@@ -70114,15 +72258,40 @@ index 831b909..efe1038 100644 ## Write generic log files. ## ## -@@ -990,6 +1141,7 @@ interface(`logging_admin_syslog',` +@@ -944,9 +1095,13 @@ interface(`logging_admin_audit',` + type auditd_initrc_exec_t; + ') + +- allow $1 auditd_t:process { ptrace signal_perms }; ++ allow $1 auditd_t:process signal_perms; + ps_process_pattern($1, auditd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 auditd_t:process ptrace; ++ ') ++ + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) + +@@ -990,10 +1145,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') +- allow $1 syslogd_t:process { ptrace signal_perms }; +- allow $1 klogd_t:process { ptrace signal_perms }; + allow $1 self:capability2 syslog; - allow $1 syslogd_t:process { ptrace signal_perms }; - allow $1 klogd_t:process { ptrace signal_perms }; ++ allow $1 syslogd_t:process signal_perms; ++ allow $1 klogd_t:process signal_perms; ps_process_pattern($1, syslogd_t) -@@ -1015,6 +1167,8 @@ interface(`logging_admin_syslog',` + ps_process_pattern($1, klogd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 syslogd_t:process ptrace; ++ allow $1 klogd_t:process ptrace; ++ ') + + manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) + manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) +@@ -1015,6 +1175,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -71388,7 +73557,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..4930474 100644 +index 15832c7..f1121f7 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; 
@@ -71426,20 +73595,24 @@ index 15832c7..4930474 100644 ######################################## # -@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t) +@@ -35,7 +47,15 @@ application_domain(unconfined_mount_t, mount_exec_t) # # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; -+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; ++allow mount_t self:process { getcap getsched setcap setrlimit signal }; ++tunable_policy(`deny_ptrace',`',` ++ allow mount_t self:process ptrace; ++') ++ +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t) +@@ -46,9 +66,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -71465,7 +73638,7 @@ index 15832c7..4930474 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t) +@@ -57,65 +92,93 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -71568,7 +73741,7 @@ index 15832c7..4930474 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +189,8 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -71577,7 +73750,7 @@ index 15832c7..4930474 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -71616,7 +73789,7 @@ index 15832c7..4930474 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +237,8 @@ optional_policy(` +@@ -174,6 +241,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -71625,7 +73798,7 @@ index 15832c7..4930474 100644 ') optional_policy(` -@@ -181,6 +246,28 @@ optional_policy(` +@@ -181,6 +250,28 @@ optional_policy(` ') optional_policy(` @@ -71654,7 +73827,7 @@ index 15832c7..4930474 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +275,87 @@ optional_policy(` +@@ -188,21 +279,87 @@ optional_policy(` ') ') @@ -71697,20 +73870,20 @@ index 15832c7..4930474 100644 +optional_policy(` + ssh_exec(mount_t) +') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) -+ usbmuxd_stream_connect(mount_t) - ') + +optional_policy(` -+ userhelper_exec_console(mount_t) ++ usbmuxd_stream_connect(mount_t) +') + +optional_policy(` -+ virt_read_blk_images(mount_t) ++ userhelper_exec_console(mount_t) +') + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) ++ virt_read_blk_images(mount_t) + ') + +optional_policy(` + vmware_exec_host(mount_t) @@ -72934,10 +75107,21 @@ index 694fd94..334e80e 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..be800df 100644 +index ff80d0a..22c9f0d 100644 --- a/policy/modules/system/sysnetwork.if 
+++ b/policy/modules/system/sysnetwork.if -@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` +@@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',` + sysnet_run_ifconfig(dhcpc_t, $2) + + optional_policy(` +- consoletype_run(dhcpc_t, $2) +- ') +- +- optional_policy(` + hostname_run(dhcpc_t, $2) + ') + +@@ -60,6 +56,24 @@ interface(`sysnet_run_dhcpc',` netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) ') @@ -72962,7 +75146,7 @@ index ff80d0a..be800df 100644 ') ######################################## -@@ -269,6 +287,43 @@ interface(`sysnet_delete_dhcpc_state',` +@@ -269,6 +283,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -73006,7 +75190,7 @@ index ff80d0a..be800df 100644 ####################################### ## ## Set the attributes of network config files. -@@ -290,6 +345,44 @@ interface(`sysnet_setattr_config',` +@@ -290,6 +341,44 @@ interface(`sysnet_setattr_config',` ####################################### ## @@ -73051,7 +75235,7 @@ index ff80d0a..be800df 100644 ## Read network config files. ## ## -@@ -405,7 +498,7 @@ interface(`sysnet_etc_filetrans_config',` +@@ -405,7 +494,7 @@ interface(`sysnet_etc_filetrans_config',` type net_conf_t; ') @@ -73060,7 +75244,7 @@ index ff80d0a..be800df 100644 ') ####################################### -@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',` +@@ -426,6 +515,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` @@ -73068,7 +75252,7 @@ index ff80d0a..be800df 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -464,6 +558,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -464,6 +554,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') 
@@ -73076,7 +75260,7 @@ index ff80d0a..be800df 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -554,6 +649,25 @@ interface(`sysnet_signal_ifconfig',` +@@ -554,6 +645,25 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## @@ -73102,7 +75286,7 @@ index ff80d0a..be800df 100644 ## Read the DHCP configuration files. ## ## -@@ -661,6 +775,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -661,6 +771,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -73111,7 +75295,7 @@ index ff80d0a..be800df 100644 sysnet_read_config($1) optional_policy(` -@@ -698,6 +814,9 @@ interface(`sysnet_use_ldap',` +@@ -698,6 +810,9 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) sysnet_read_config($1) @@ -73121,7 +75305,7 @@ index ff80d0a..be800df 100644 ') ######################################## -@@ -731,3 +850,73 @@ interface(`sysnet_use_portmap',` +@@ -731,3 +846,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -73196,7 +75380,7 @@ index ff80d0a..be800df 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..767ccbd 100644 +index 34d0ec5..8aa3908 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -73223,7 +75407,7 @@ index 34d0ec5..767ccbd 100644 type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -34,7 +44,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) +@@ -34,17 +44,20 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; 
@@ -73232,7 +75416,22 @@ index 34d0ec5..767ccbd 100644 ######################################## # -@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) + # DHCP client local policy + # + allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; ++dontaudit dhcpc_t self:capability sys_tty_config; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; ++allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms }; ++tunable_policy(`deny_ptrace',`',` ++ allow dhcpc_t self:process ptrace; ++') + + allow dhcpc_t self:fifo_file rw_fifo_file_perms; + allow dhcpc_t self:tcp_socket create_stream_socket_perms; +@@ -57,8 +70,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -73244,7 +75443,7 @@ index 34d0ec5..767ccbd 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) +@@ -66,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -73253,7 +75452,7 @@ index 34d0ec5..767ccbd 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t) +@@ -91,25 +109,28 @@ corecmd_exec_shell(dhcpc_t) corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) 
@@ -73290,7 +75489,7 @@ index 34d0ec5..767ccbd 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,13 +148,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) +@@ -130,13 +151,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) init_rw_utmp(dhcpc_t) @@ -73307,24 +75506,27 @@ index 34d0ec5..767ccbd 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -155,6 +174,16 @@ optional_policy(` +@@ -151,7 +173,18 @@ ifdef(`distro_ubuntu',` ') optional_policy(` +- consoletype_domtrans(dhcpc_t) ++ consoletype_exec(dhcpc_t) ++') ++ ++optional_policy(` + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) ++ chronyd_read_keys(dhcpc_t) +') + +optional_policy(` + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) -+') -+ -+optional_policy(` - init_dbus_chat_script(dhcpc_t) + ') - dbus_system_bus_client(dhcpc_t) -@@ -171,6 +200,8 @@ optional_policy(` + optional_policy(` +@@ -171,6 +204,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -73333,7 +75535,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -192,17 +223,31 @@ optional_policy(` +@@ -192,17 +227,31 @@ optional_policy(` ') optional_policy(` @@ -73365,7 +75567,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -213,6 +258,11 @@ optional_policy(` +@@ -213,6 +262,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -73377,7 +75579,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +309,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
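Review bot: `chronyd_read_keys(dhcpc_t)` gives the network-facing DHCP client domain read access to chronyd's keys (per the interface name), which is a wider grant than the neighbouring `chronyd_initrc_domtrans`/`chronyd_systemctl` lines and is not explained anywhere in the hunk. If a dhclient hook needs it because it drives chronyc with the key file, say so above the line, e.g. `# dhclient chrony hook runs chronyc, which reads the chronyd key file`; if only the hook needs it, running the hook in its own domain would avoid extending dhcpc_t itself.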
@@ -73385,7 +75587,7 @@ index 34d0ec5..767ccbd 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +331,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -73397,7 +75599,7 @@ index 34d0ec5..767ccbd 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +359,12 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -73412,7 +75614,7 @@ index 34d0ec5..767ccbd 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +373,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -73431,7 +75633,7 @@ index 34d0ec5..767ccbd 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +395,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -73446,7 +75648,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -335,6 +407,18 @@ optional_policy(` +@@ -335,6 +411,18 @@ optional_policy(` ') optional_policy(` @@ -73465,7 +75667,7 @@ index 34d0ec5..767ccbd 100644 nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +440,9 @@ optional_policy(` +@@ -356,3 +444,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -74621,7 +76823,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..c31aeb2 100644 +index d88f7c3..6a93c64 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) 
@@ -74640,20 +76842,29 @@ index d88f7c3..c31aeb2 100644 ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -38,6 +36,12 @@ ifdef(`enable_mcs',` +@@ -36,9 +34,19 @@ ifdef(`enable_mcs',` + # Local policy + # - allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; ++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; dontaudit udev_t self:capability sys_tty_config; +-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit udev_t self:capability sys_module; +') + - allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++tunable_policy(`deny_ptrace',`',` ++ allow udev_t self:process ptrace; ++') ++ allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; -@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; + allow udev_t self:fifo_file rw_fifo_file_perms; +@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; 
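Review bot: The `sys_ptrace` capability is removed from `allow udev_t self:capability { ... }` unconditionally, while `self:process ptrace` is placed behind the `deny_ptrace` tunable and the unconfined.if hunk keeps `self:capability sys_ptrace` behind that same tunable; with the tunable off udev_t regains self ptrace but not the capability the old line granted, so whatever that capability was gating for udev will still be denied. `mcs_ptrace_all(udev_t)` in the following hunk's context is also left unconditional, which makes the intended state of udev_t under each tunable setting hard to read. Either gate the capability the same way, `tunable_policy(`deny_ptrace',`',` allow udev_t self:capability sys_ptrace; allow udev_t self:process ptrace; ')`, or add a comment stating that udev no longer needs the capability.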
@@ -74661,7 +76872,7 @@ index d88f7c3..c31aeb2 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,17 +67,17 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,17 +71,17 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -74685,7 +76896,7 @@ index d88f7c3..c31aeb2 100644 kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -87,6 +92,7 @@ kernel_rw_unix_dgram_sockets(udev_t) +@@ -87,6 +96,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) kernel_search_debugfs(udev_t) @@ -74693,7 +76904,7 @@ index d88f7c3..c31aeb2 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t) +@@ -97,6 +107,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -74701,7 +76912,7 @@ index d88f7c3..c31aeb2 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +112,30 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +116,30 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -74733,7 +76944,7 @@ index d88f7c3..c31aeb2 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +163,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -74741,7 +76952,7 @@ index d88f7c3..c31aeb2 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +190,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) 
@@ -74750,7 +76961,7 @@ index d88f7c3..c31aeb2 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,8 +205,9 @@ ifdef(`distro_redhat',` +@@ -186,8 +209,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -74761,16 +76972,15 @@ index d88f7c3..c31aeb2 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +236,16 @@ optional_policy(` +@@ -216,11 +240,16 @@ optional_policy(` ') optional_policy(` -- consoletype_exec(udev_t) + consolekit_read_pid_files(udev_t) +') + +optional_policy(` -+ consoletype_domtrans(udev_t) + consoletype_exec(udev_t) ') optional_policy(` @@ -74779,7 +76989,7 @@ index d88f7c3..c31aeb2 100644 ') optional_policy(` -@@ -230,10 +255,20 @@ optional_policy(` +@@ -230,10 +259,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -74800,7 +77010,7 @@ index d88f7c3..c31aeb2 100644 ') optional_policy(` -@@ -259,6 +294,10 @@ optional_policy(` +@@ -259,6 +298,10 @@ optional_policy(` ') optional_policy(` @@ -74811,7 +77021,7 @@ index d88f7c3..c31aeb2 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +312,11 @@ optional_policy(` +@@ -273,6 +316,11 @@ optional_policy(` ') optional_policy(` @@ -74844,10 +77054,10 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..46f9aaf 100644 +index 416e668..3d4780b 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if -@@ -12,27 +12,29 @@ +@@ -12,27 +12,34 @@ # interface(`unconfined_domain_noaudit',` gen_require(` 
@@ -74860,7 +77070,12 @@ index 416e668..46f9aaf 100644 # Use any Linux capability. - allow $1 self:capability *; - allow $1 self:fifo_file manage_fifo_file_perms; -+ allow $1 self:capability ~sys_module; ++ ++ allow $1 self:capability ~{ sys_module sys_ptrace }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 self:capability sys_ptrace; ++ ') ++ + allow $1 self:capability2 syslog; + allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; @@ -74884,7 +77099,7 @@ index 416e668..46f9aaf 100644 kernel_unconfined($1) corenet_unconfined($1) -@@ -43,6 +45,13 @@ interface(`unconfined_domain_noaudit',` +@@ -43,22 +50,27 @@ interface(`unconfined_domain_noaudit',` files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) @@ -74898,7 +77113,25 @@ index 416e668..46f9aaf 100644 tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. -@@ -69,6 +78,7 @@ interface(`unconfined_domain_noaudit',` + allow $1 self:process execheap; + ') + +- tunable_policy(`allow_execmem',` ++ tunable_policy(`deny_execmem',`',` + # Allow making anonymous memory executable, e.g. + # for runtime-code generation or executable stack. + allow $1 self:process execmem; + ') + + tunable_policy(`allow_execstack',` +- # Allow making the stack executable via mprotect; +- # execstack implies execmem; +- allow $1 self:process { execstack execmem }; ++ allow $1 self:process execstack; + # auditallow $1 self:process execstack; + ') + +@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -74906,7 +77139,7 @@ index 416e668..46f9aaf 100644 ') optional_policy(` -@@ -122,6 +132,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` 
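Review bot: `allow $1 self:process execstack;` no longer carries `execmem`, and the removed comment's rationale ("execstack implies execmem") is not addressed, so a domain with `deny_execmem` on and `allow_execstack` on receives execstack without execmem; if that rationale still holds this combination is ineffective rather than a safe middle setting. Either document the intended behaviour of that combination or keep the coupling explicit, e.g. `tunable_policy(`allow_execstack && !deny_execmem',` allow $1 self:process { execstack execmem }; ')`. The userdomain.if hunk makes the same split (`allow_execmem && allow_execstack` becomes `allow_execstack`), and its `tunable_policy(`deny_execmem',`', `` call also has a stray space before the else-branch quote that the other call sites in this change do not.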
@@ -74917,7 +77150,7 @@ index 416e668..46f9aaf 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -150,7 +164,7 @@ interface(`unconfined_domain',` +@@ -150,7 +167,7 @@ interface(`unconfined_domain',` ## # interface(`unconfined_alias_domain',` @@ -74926,7 +77159,7 @@ index 416e668..46f9aaf 100644 ') ######################################## -@@ -176,414 +190,5 @@ interface(`unconfined_alias_domain',` +@@ -176,414 +193,5 @@ interface(`unconfined_alias_domain',` ## # interface(`unconfined_execmem_alias_program',` @@ -75605,7 +77838,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..9b49159 100644 +index 4b2878a..31047e8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -75621,7 +77854,7 @@ index 4b2878a..9b49159 100644 corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -43,69 +45,106 @@ template(`userdom_base_user_template',` +@@ -43,79 +45,133 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -75642,7 +77875,10 @@ index 4b2878a..9b49159 100644 - term_create_pty($1_t, user_devpts_t) + term_dontaudit_getattr_generic_ptys($1_t) + -+ allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; ++ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1_usertype $1_usertype:process ptrace; ++ ') + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; + 
@@ -75775,9 +78011,14 @@ index 4b2878a..9b49159 100644 + + systemd_dbus_chat_logind($1_usertype) - tunable_policy(`allow_execmem',` +- tunable_policy(`allow_execmem',` ++ tunable_policy(`deny_execmem',`', ` # Allow loading DSOs that require executable stack. -@@ -116,6 +155,20 @@ template(`userdom_base_user_template',` + allow $1_t self:process execmem; + ') + +- tunable_policy(`allow_execmem && allow_execstack',` ++ tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -75798,7 +78039,7 @@ index 4b2878a..9b49159 100644 ') ####################################### -@@ -149,6 +202,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +205,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -75807,7 +78048,7 @@ index 4b2878a..9b49159 100644 ############################## # # Domain access to home dir -@@ -166,27 +221,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +224,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -75835,7 +78076,7 @@ index 4b2878a..9b49159 100644 ') ####################################### -@@ -218,8 +252,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +255,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -75847,7 +78088,7 @@ index 4b2878a..9b49159 100644 ############################## # # Domain access to home dir -@@ -228,17 +265,21 @@ interface(`userdom_manage_home_role',` +@@ -228,43 +268,47 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory 
@@ -75877,9 +78118,11 @@ index 4b2878a..9b49159 100644 + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ++ userdom_filetrans_home_content($2) ++ files_list_home($2) -@@ -246,25 +287,23 @@ interface(`userdom_manage_home_role',` + # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -75909,7 +78152,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -286,17 +325,63 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +330,63 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -75978,7 +78221,7 @@ index 4b2878a..9b49159 100644 ') ####################################### -@@ -316,6 +401,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +406,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -75986,7 +78229,7 @@ index 4b2878a..9b49159 100644 files_search_tmp($1) ') -@@ -347,59 +433,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +438,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -76081,7 +78324,7 @@ index 4b2878a..9b49159 100644 ') ####################################### -@@ -430,6 +519,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +524,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -76089,7 +78332,7 @@ index 4b2878a..9b49159 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -462,8 +552,8 @@ template(`userdom_change_password_template',` +@@ -462,8 +557,8 @@ template(`userdom_change_password_template',` ') optional_policy(` 
@@ -76100,7 +78343,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -490,7 +580,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +585,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -76109,7 +78352,7 @@ index 4b2878a..9b49159 100644 ############################## # -@@ -500,73 +590,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +595,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -76131,27 +78374,27 @@ index 4b2878a..9b49159 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) 
@@ -76175,10 +78418,10 @@ index 4b2878a..9b49159 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) ++ ++ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) -+ application_getattr_socket($1_usertype) -+ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -76233,7 +78476,7 @@ index 4b2878a..9b49159 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +672,117 @@ template(`userdom_common_user_template',` +@@ -574,67 +677,117 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -76242,25 +78485,25 @@ index 4b2878a..9b49159 100644 - alsa_relabel_home_files($1_t) + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ canna_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ canna_stream_connect($1_usertype) ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ colord_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -76268,66 +78511,64 @@ index 4b2878a..9b49159 100644 + optional_policy(` + avahi_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ policykit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ policykit_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') - ') - - optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) ++ ') ++ ++ optional_policy(` ++ modemmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat($1_usertype) ++ 
networkmanager_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` + git_session_role($1_r, $1_usertype) + ') + @@ -76337,20 +78578,22 @@ index 4b2878a..9b49159 100644 ') optional_policy(` -- inn_read_config($1_t) -- inn_read_news_lib($1_t) -- inn_read_news_spool($1_t) +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) ') optional_policy(` -- locate_read_lib_files($1_t) +- inn_read_config($1_t) +- inn_read_news_lib($1_t) +- inn_read_news_spool($1_t) + lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- locate_read_lib_files($1_t) + locate_read_lib_files($1_usertype) ') @@ -76358,21 +78601,21 @@ index 4b2878a..9b49159 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ mta_filetrans_home_content($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ mta_filetrans_home_content($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -650,40 +798,52 @@ template(`userdom_common_user_template',` +@@ -650,40 +803,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -76408,51 +78651,49 @@ index 4b2878a..9b49159 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ slrnpull_search_spool($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -712,13 +872,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +877,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -76460,7 +78701,9 @@ index 4b2878a..9b49159 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') 
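Review bot: `gen_tunable(allow_$1_exec_content, true)` inside the `ifelse` in userdom_login_user_template declares a per-user boolean with no description block, so the generated tunable carries no documentation of what it switches on, namely `userdom_exec_user_tmp_files`, `userdom_exec_user_home_content_files` and the `fs_exec_nfs_files`/`fs_exec_cifs_files` variants below it. A tunable generated from a template cannot take the usual XML description, so put an m4 comment above it stating the contract, e.g. `# allow_$1_exec_content: lets $1 domains execute files in their home dirs and /tmp (also on NFS/CIFS homes when those tunables are on); default on`. Since the default is true, every template instantiation other than unconfined is permissive out of the box, which is worth stating so a reader of setsebool output knows what turning it off removes. The template body continues outside the hunk.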
@@ -76468,7 +78711,14 @@ index 4b2878a..9b49159 100644 userdom_change_password_template($1) -@@ -736,72 +909,76 @@ template(`userdom_login_user_template', ` +@@ -730,78 +908,82 @@ template(`userdom_login_user_template', ` + allow $1_t self:capability { setgid chown fowner }; + dontaudit $1_t self:capability { sys_nice fsetid }; + +- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; ++ allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; + dontaudit $1_t self:process setrlimit; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; allow $1_t self:context contains; 
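Review bot: Adding `ptrace` to `allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };` withdraws self-ptrace from every login user domain unconditionally, while the admin template in this same patch gates sys_ptrace on the `deny_ptrace` tunable. If `deny_ptrace` is meant to be the single switch, this exclusion should be conditional on that tunable instead; if an unconditional removal for login users is intended, a comment above the line should say so and note that debugging one's own processes in this domain will now produce AVC denials unless another interface re-grants it. Either way the rationale belongs next to the rule, since the `~{ ... }` form makes the omission easy to overlook. The template body continues outside the hunk.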
@@ -76536,49 +78786,49 @@ index 4b2878a..9b49159 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) ++ optional_policy(` ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) ++ kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ kerberos_use($1_usertype) -+ kerberos_filetrans_home_content($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) -+ ') -+ -+ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1015,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -76588,7 +78838,7 @@ index 4b2878a..9b49159 100644 ############################## # # Local policy -@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1059,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -76718,7 +78968,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1205,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -76727,7 +78977,7 @@ index 4b2878a..9b49159 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1214,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -76745,7 +78995,7 @@ index 4b2878a..9b49159 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1239,64 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -76780,11 +79030,9 @@ index 4b2878a..9b49159 100644 + + optional_policy(` + cron_role($1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + games_rw_data($1_usertype) + ') + @@ -76801,18 +79049,12 @@ index 4b2878a..9b49159 100644 + ') + + optional_policy(` -+ execmem_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + mono_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) + ') @@ -76827,7 +79069,7 @@ index 4b2878a..9b49159 100644 ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -76838,7 +79080,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -76847,10 +79089,15 @@ index 4b2878a..9b49159 100644 ') ############################## -@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',` +@@ -1065,7 +1369,11 @@ template(`userdom_admin_user_template',` + # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; +- allow $1_t self:capability ~{ sys_module audit_control audit_write }; ++ allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1_t self:capability sys_ptrace; ++ ') + allow $1_t self:capability2 syslog; allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; @@ -77086,16 +79333,18 @@ index 4b2878a..9b49159 100644 ## ## ## -@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,12 +1686,49 @@ interface(`userdom_setattr_user_ptys',` ## ## # -interface(`userdom_create_user_pty',` +interface(`userdom_attach_admin_tun_iface',` -+ gen_require(` + gen_require(` +- type user_devpts_t; + attribute admindomain; -+ ') -+ + ') + +- term_create_pty($1, user_devpts_t) + allow $1 admindomain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') @@ -77129,9 +79378,14 @@ index 4b2878a..9b49159 100644 +## +# +interface(`userdom_create_user_pty',` - gen_require(` - type user_devpts_t; - ') ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ term_create_pty($1, user_devpts_t) + ') + + ######################################## @@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',` ') 
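Review bot: The `tunable_policy` call for deny_ptrace in userdom_admin_user_template places `allow $1_t self:capability sys_ptrace;` in the else branch behind an empty first branch, which reads inverted at a glance; a comment such as `# sys_ptrace is withheld only while deny_ptrace is on; otherwise admins keep it` above it would make the intent explicit. The same construct is used for `userdom_ptrace_all_users` later in this file (the `@@ -78092,7 +80346,9 @@` hunk), so the comment should be repeated there or the two should share one helper interface. Note also that only the capability half is gated here; whatever grants `$1_t` the `process:ptrace` permission on target domains is outside this hunk, so `deny_ptrace` only closes ptrace fully if every such grant is wrapped the same way. The template body continues outside the hunk.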
@@ -78001,7 +80255,7 @@ index 4b2878a..9b49159 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3922,1094 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3922,1146 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -78092,7 +80346,9 @@ index 4b2878a..9b49159 100644 + attribute userdomain; + ') + -+ allow $1 userdomain:process ptrace; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 userdomain:process ptrace; ++ ') +') + +######################################## @@ -78728,6 +80984,29 @@ index 4b2878a..9b49159 100644 + read_lnk_files_pattern($1, home_cert_t, home_cert_t) +') + ++######################################## ++## ++## Manage system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ allow $1 home_cert_t:dir list_dir_perms; ++ manage_files_pattern($1, home_cert_t, home_cert_t) ++ manage_lnk_files_pattern($1, home_cert_t, home_cert_t) ++ ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++') ++ +####################################### +## +## Dontaudit Write system SSL certificates in the users homedir. 
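Review bot: The new `userdom_manage_home_certs` interface grants `manage_files_pattern` and `manage_lnk_files_pattern` on `home_cert_t` plus filetrans into `.cert` and `.pki`, which lets a caller add or replace the user's trust anchors and client keys, yet its summary line only says "Manage system SSL certificates in the users homedir." Tighten the description to state the consequence, e.g. `## Manage the user's certificate stores (~/.cert, ~/.pki); callers can alter trust anchors and private keys, so grant only to domains that own these directories.` The deny_ptrace gating added to `userdom_ptrace_all_users` in this line is covered by the note on the admin template hunk above.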
@@ -79096,6 +81375,33 @@ index 4b2878a..9b49159 100644 + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') ++ ++######################################## ++## ++## Transition to userdom named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_filetrans_home_content',` ++ gen_require(` ++ type home_bin_t, home_cert_t; ++ type audio_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") ++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio") ++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ ++ #optional_policy(` ++ # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin") ++ #') ++') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 9b4a930..d6c3860 100644 --- a/policy/modules/system/userdomain.te @@ -79335,7 +81641,7 @@ index 77d41b6..7ccb440 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..e50a784 100644 +index 4350ba0..5d6dbad 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) 
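Review bot: The commented-out `#optional_policy(` block calling `gnome_admin_home_gconf_filetrans` at the end of the new `userdom_filetrans_home_content` interface is dead code; either drop it or replace it with a one-line `# TODO: gnome gconf filetrans for "bin" pending a gnome interface` so the reason it is parked is recorded. The `gen_require` also splits its types across `type home_bin_t, home_cert_t;` and `type audio_home_t;`; merging them into `type home_bin_t, home_cert_t, audio_home_t;` matches the single-statement style of the other gen_require blocks in these hunks.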
@@ -79366,16 +81672,17 @@ index 4350ba0..e50a784 100644 ######################################## # # blktap local policy -@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',` +@@ -208,8 +205,7 @@ tunable_policy(`xend_run_qemu',` # xend local policy # -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; +-dontaudit xend_t self:capability { sys_ptrace }; +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; - dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { signal sigkill }; dontaudit xend_t self:process ptrace; -@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t) + # internal communication is often done using fifo and unix sockets. +@@ -320,12 +316,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -79388,7 +81695,7 @@ index 4350ba0..e50a784 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) -@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +332,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -79397,7 +81704,7 @@ index 4350ba0..e50a784 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +341,22 @@ optional_policy(` +@@ -349,6 +340,22 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -79420,7 +81727,7 @@ index 4350ba0..e50a784 100644 ######################################## # # Xen console local policy -@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +420,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file 
@@ -79432,7 +81739,7 @@ index 4350ba0..e50a784 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +450,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -79444,7 +81751,7 @@ index 4350ba0..e50a784 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +468,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +467,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -79541,7 +81848,7 @@ index 4350ba0..e50a784 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +483,4 @@ optional_policy(` +@@ -559,8 +482,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 4f24b43..726dd6c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 56%{?dist} +Release: 57%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Nov 11 2011 Dan Walsh 3.10.0-57 +- Pulseaudio changes +- Merge patches + * Thu Nov 10 2011 Dan Walsh 3.10.0-56 - Merge patches back into git repository.