diff --git a/container-selinux.tgz b/container-selinux.tgz index cda4d57..5803b56 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 58c9c24..08e0d0d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3090,7 +3090,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..09a9fb3 100644 +index 1d732f1..a7fa09d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3385,16 +3385,18 @@ index 1d732f1..09a9fb3 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +492,8 @@ optional_policy(` +@@ -446,8 +492,9 @@ optional_policy(` # Useradd local policy # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; +-dontaudit useradd_t self:capability sys_tty_config; +allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + - dontaudit useradd_t self:capability sys_tty_config; ++dontaudit useradd_t self:capability { net_admin sys_tty_config }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; + allow useradd_t self:fd use; @@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -15497,10 +15499,35 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..19d5bea 100644 +index 8416beb..5a4a6f0 100644 --- a/policy/modules/kernel/filesystem.if 
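Review bot: The new `dontaudit useradd_t self:capability { net_admin sys_tty_config };` line in the useradd local policy silences net_admin denials without recording what requests that capability. A dontaudit rule removes the AVC record, so a later reader cannot tell from the policy or the audit log whether the request is a harmless side effect or something useradd should not be doing. I would put a comment above it, for example `# net_admin is requested by <caller, to be confirmed>; access is not needed, so deny without auditing`. The same applies to the blank line left between the allow and dontaudit rules, which could carry a short justification for `sys_ptrace` and `sys_chroot`. When triaging useradd failures, remember that `semodule -DB` is needed to see these denials again. The useradd block continues outside this hunk.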
+++ b/policy/modules/kernel/filesystem.if -@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` +@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` + + ######################################## + ## ++## Allow the type to associate to cgroup filesystems. ++## ++## ++## ++## The type of the object to be associated. ++## ++## ++# ++interface(`fs_associate_cgroupfs',` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 cgroup_t:filesystem associate; ++') ++ ++######################################## ++## + ## Remount cgroup filesystems. + ## + ## +@@ -631,6 +649,27 @@ interface(`fs_getattr_cgroup',` ######################################## ## @@ -15528,7 +15555,7 @@ index 8416beb..19d5bea 100644 ## Search cgroup directories. ## ## -@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',` +@@ -646,11 +685,31 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) @@ -15560,7 +15587,7 @@ index 8416beb..19d5bea 100644 ## list cgroup directories. ## ## -@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',` +@@ -659,15 +718,35 @@ interface(`fs_search_cgroup_dirs',` ## ## # @@ -15597,7 +15624,7 @@ index 8416beb..19d5bea 100644 ######################################## ## ## Delete cgroup directories. -@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', ` +@@ -684,6 +763,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) @@ -15605,7 +15632,7 @@ index 8416beb..19d5bea 100644 dev_search_sysfs($1) ') -@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',` +@@ -704,6 +784,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) @@ -15613,7 +15640,7 @@ index 8416beb..19d5bea 100644 dev_search_sysfs($1) ') -@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',` +@@ -724,6 +805,8 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) 
@@ -15622,7 +15649,7 @@ index 8416beb..19d5bea 100644 dev_search_sysfs($1) ') -@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', ` +@@ -743,6 +826,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) @@ -15630,7 +15657,7 @@ index 8416beb..19d5bea 100644 dev_search_sysfs($1) ') -@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',` +@@ -762,7 +846,9 @@ interface(`fs_rw_cgroup_files',` ') @@ -15640,7 +15667,33 @@ index 8416beb..19d5bea 100644 dev_search_sysfs($1) ') -@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',` +@@ -788,6 +874,25 @@ interface(`fs_dontaudit_rw_cgroup_files',` + + ######################################## + ## ++## Relabel cgroup files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_cgroup_files',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ relabel_files_pattern($1, cgroup_t, cgroup_t) ++') ++ ++######################################## ++## + ## Manage cgroup files. + ## + ## +@@ -803,6 +908,8 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) @@ -15649,7 +15702,7 @@ index 8416beb..19d5bea 100644 dev_search_sysfs($1) ') -@@ -826,6 +896,25 @@ interface(`fs_mounton_cgroup', ` +@@ -826,6 +933,25 @@ interface(`fs_mounton_cgroup', ` ######################################## ## @@ -15675,7 +15728,7 @@ index 8416beb..19d5bea 100644 ## Do not audit attempts to read ## dirs on a CIFS or SMB filesystem. ## -@@ -920,6 +1009,24 @@ interface(`fs_getattr_cifs',` +@@ -920,6 +1046,24 @@ interface(`fs_getattr_cifs',` ######################################## ## @@ -15700,7 +15753,7 @@ index 8416beb..19d5bea 100644 ## Search directories on a CIFS or SMB filesystem. ## ## -@@ -1107,6 +1214,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1107,6 +1251,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## 
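Review bot: The documentation of the new `fs_relabel_cgroup_files` interface says only "Relabel cgroup files", which does not tell a caller what `relabel_files_pattern($1, cgroup_t, cgroup_t)` hands out. With cgroup_t as both the source and the target type, the caller presumably receives relabelfrom and relabelto on cgroup_t files, and relabelto combines with any relabelfrom the domain already holds on other types. I would state that in the summary, e.g. `## Relabel cgroup files from and to the cgroup_t type.`, so that reviewers of calling modules can judge the grant. There is also a stray empty line after `type cgroup_t;` inside `gen_require` that the neighbouring interfaces do not have.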
@@ -15725,7 +15778,7 @@ index 8416beb..19d5bea 100644 ## Do not audit attempts to read all ## noxattrfs files. ## -@@ -1245,7 +1370,7 @@ interface(`fs_append_cifs_files',` +@@ -1245,7 +1407,7 @@ interface(`fs_append_cifs_files',` ######################################## ## @@ -15734,7 +15787,7 @@ index 8416beb..19d5bea 100644 ## on a CIFS filesystem. ## ## -@@ -1265,6 +1390,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1427,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -15777,7 +15830,7 @@ index 8416beb..19d5bea 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1279,7 +1440,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1477,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -15786,7 +15839,7 @@ index 8416beb..19d5bea 100644 ') ######################################## -@@ -1542,6 +1703,63 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1740,63 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -15850,7 +15903,7 @@ index 8416beb..19d5bea 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1580,6 +1798,43 @@ interface(`fs_manage_configfs_files',` +@@ -1580,6 +1835,43 @@ interface(`fs_manage_configfs_files',` manage_files_pattern($1, configfs_t, configfs_t) ') @@ -15894,7 +15947,7 @@ index 8416beb..19d5bea 100644 ######################################## ## ## Mount a DOS filesystem, such as -@@ -1793,63 +2048,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,58 +2085,257 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -15981,101 +16034,79 @@ index 8416beb..19d5bea 100644 - allow $1 fusefs_t:dir mounton; + read_files_pattern($1, ecryptfs_t, ecryptfs_t) - ') - - ######################################## - ## --## Search directories ++') ++ ++######################################## ++## +## Create, read, write, and delete files - ## on a FUSEFS filesystem. - ## - ## -@@ -1859,18 +2121,19 @@ interface(`fs_mounton_fusefs',` - ## - ## - # --interface(`fs_search_fusefs',` ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`fs_manage_ecryptfs_files',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- allow $1 fusefs_t:dir search_dir_perms; ++ ') ++ + manage_files_pattern($1, ecryptfs_t, ecryptfs_t) - ') - - ######################################## - ## --## Do not audit attempts to list the contents --## of directories on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. - ## - ## - ## -@@ -1878,49 +2141,240 @@ interface(`fs_search_fusefs',` - ## - ## - # --interface(`fs_dontaudit_list_fusefs',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`fs_dontaudit_manage_ecryptfs_files',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- dontaudit $1 fusefs_t:dir list_dir_perms; ++ ') ++ + dontaudit $1 ecryptfs_t:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete directories --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Read symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_read_ecryptfs_symlinks',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- allow $1 fusefs_t:dir manage_dir_perms; ++ ') ++ + allow $1 ecryptfs_t:dir list_dir_perms; + read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) - ') - --######################################## ++') ++ +####################################### - ## --## Do not audit attempts to create, read, --## write, and delete directories --## on a FUSEFS filesystem. ++## +## Dontaudit append files on ecrypt filesystem. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`fs_dontaudit_manage_fusefs_dirs',` ++## ++# +interface(`fs_dontaudit_append_ecryptfs_files',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; + ') + dontaudit $1 ecryptfs_t:file append; @@ -16195,57 +16226,14 @@ index 8416beb..19d5bea 100644 + ') + + allow $1 fusefs_t:dir mounton; -+') -+ -+######################################## -+## -+## Search directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_search_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ') + + ######################################## +@@ -1896,117 +2387,797 @@ interface(`fs_dontaudit_list_fusefs',` + ## Domain allowed access. + ## + ## +-## +## +# +interface(`fs_manage_fusefs_dirs',` 
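Review bot: The summaries of `fs_manage_ecryptfs_files`, `fs_dontaudit_manage_ecryptfs_files` and `fs_read_ecryptfs_symlinks` still say "on a FUSEFS filesystem", although every rule in those interfaces names ecryptfs_t. They look copied from the fusefs interfaces, and should read "on an ecryptfs filesystem", e.g. `## Read symbolic links on an ecryptfs filesystem.`. In the same hunk `fs_dontaudit_append_ecryptfs_files` describes its parameter as "Domain allowed access." while it only emits `dontaudit $1 ecryptfs_t:file append;`, so `## Domain to not audit.` is the matching text. Anyone auditing which domains can reach ecryptfs content from the generated interface documentation would be misled by the current wording.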
@@ -16271,14 +16259,13 @@ index 8416beb..19d5bea 100644 +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; - ') - - dontaudit $1 fusefs_t:dir manage_dir_perms; -@@ -1928,105 +2382,652 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` - - ######################################## - ## --## Read, a FUSEFS filesystem. ++ ') ++ ++ dontaudit $1 fusefs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## +## Read, a FUSEFS filesystem. +## +## @@ -16812,13 +16799,12 @@ index 8416beb..19d5bea 100644 +## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## The type of the object to be created. 
@@ -16834,24 +16820,173 @@ index 8416beb..19d5bea 100644 +## The name of the object being created. +## +## ++# ++interface(`fs_hugetlbfs_filetrans',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $2 hugetlbfs_t:filesystem associate; ++ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Mount an iso9660 filesystem, which ++## is usually used on CDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem mount; ++') ++ ++######################################## ++## ++## Remount an iso9660 filesystem, which ++## is usually used on CDs. This allows ++## some mount options to be changed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_remount_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount an iso9660 filesystem, which ++## is usually used on CDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem unmount; ++') ++ ++######################################## ++## ++## Get the attributes of an iso9660 ++## filesystem, which is usually used on CDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_getattr_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem getattr; ++') ++ ++######################################## ++## ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. ++## ++## ++## ++## Domain allowed access. 
++## ++## + # +-interface(`fs_manage_fusefs_dirs',` ++interface(`fs_getattr_iso9660_files',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- allow $1 fusefs_t:dir manage_dir_perms; ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; + ') + + ######################################## + ## +-## Do not audit attempts to create, read, +-## write, and delete directories +-## on a FUSEFS filesystem. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_dirs',` ++interface(`fs_read_iso9660_files',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- dontaudit $1 fusefs_t:dir manage_dir_perms; ++ allow $1 iso9660_t:dir list_dir_perms; ++ read_files_pattern($1, iso9660_t, iso9660_t) ++ read_lnk_files_pattern($1, iso9660_t, iso9660_t) + ') + ++ + ######################################## + ## +-## Read, a FUSEFS filesystem. ++## Mount kdbus filesystems. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## # -interface(`fs_read_fusefs_files',` -+interface(`fs_hugetlbfs_filetrans',` ++interface(`fs_mount_kdbus', ` gen_require(` - type fusefs_t; -+ type hugetlbfs_t; ++ type kdbusfs_t; ') - read_files_pattern($1, fusefs_t, fusefs_t) -+ allow $2 hugetlbfs_t:filesystem associate; -+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++ allow $1 kdbusfs_t:filesystem mount; ') ######################################## ## -## Execute files on a FUSEFS filesystem. -+## Mount an iso9660 filesystem, which -+## is usually used on CDs. ++## Remount kdbus filesystems. ## ## ## 
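Review bot: The summary above `fs_getattr_iso9660_files` says "Read files on an iso9660 filesystem, which is usually used on CDs.", but the interface grants only `allow $1 iso9660_t:dir list_dir_perms;` and `allow $1 iso9660_t:file getattr;`. The text is identical to the summary of `fs_read_iso9660_files` right below it, which is the interface that really calls `read_files_pattern`. I would change the first one to `## Get the attributes of files on an iso9660 filesystem, which is usually used on CDs.` so that the two interfaces can be told apart in the generated documentation.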
@@ -16861,23 +16996,21 @@ index 8416beb..19d5bea 100644 -## # -interface(`fs_exec_fusefs_files',` -+interface(`fs_mount_iso9660_fs',` ++interface(`fs_remount_kdbus', ` gen_require(` - type fusefs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem mount; ++ allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## -## Create, read, write, and delete files -## on a FUSEFS filesystem. -+## Remount an iso9660 filesystem, which -+## is usually used on CDs. This allows -+## some mount options to be changed. ++## Unmount kdbus filesystems. ## ## ## @@ -16887,14 +17020,14 @@ index 8416beb..19d5bea 100644 -## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_remount_iso9660_fs',` ++interface(`fs_unmount_kdbus', ` gen_require(` - type fusefs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem remount; ++ allow $1 kdbusfs_t:filesystem unmount; ') ######################################## @@ -16902,8 +17035,7 @@ index 8416beb..19d5bea 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Unmount an iso9660 filesystem, which -+## is usually used on CDs. ++## Get attributes of kdbus filesystems. ## ## ## 
@@ -16913,140 +17045,162 @@ index 8416beb..19d5bea 100644 ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_unmount_iso9660_fs',` ++interface(`fs_getattr_kdbus',` gen_require(` - type fusefs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 iso9660_t:filesystem unmount; ++ allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Get the attributes of an iso9660 -+## filesystem, which is usually used on CDs. ++## Search kdbusfs directories. ## ## ## - ## Domain allowed access. +@@ -2014,19 +3185,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## -+## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_getattr_iso9660_fs',` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type fusefs_t; -+ type iso9660_t; ++ type kdbusfs_t; ++ ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem getattr; ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. ++## Relabel kdbusfs directories. ## ## ## -@@ -2034,17 +3035,19 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2034,17 +3206,18 @@ interface(`fs_read_fusefs_symlinks',` ## ## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_getattr_iso9660_files',` ++interface(`fs_relabel_kdbus_dirs',` gen_require(` - type hugetlbfs_t; -+ type iso9660_t; ++ type kdbusfs_t; ++ ') - allow $1 hugetlbfs_t:filesystem getattr; -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; ++ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ') ######################################## ## -## List hugetlbfs. 
-+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. ++## List kdbusfs directories. ## ## ## -@@ -2052,17 +3055,20 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +3225,38 @@ interface(`fs_getattr_hugetlbfs',` ## ## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_read_iso9660_files',` ++interface(`fs_list_kdbus_dirs',` gen_require(` - type hugetlbfs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ allow $1 iso9660_t:dir list_dir_perms; -+ read_files_pattern($1, iso9660_t, iso9660_t) -+ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ++ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++####################################### ++## ++## Do not audit attempts to search kdbusfs directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_search_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ dontaudit $1 kdbusfs_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ') -+ ######################################## ## -## Manage hugetlbfs dirs. -+## Mount kdbus filesystems. ++## Delete kdbusfs directories. ## ## ## -@@ -2070,17 +3076,17 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +3264,19 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_delete_kdbus_dirs', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ allow $1 kdbusfs_t:filesystem mount; ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Read and write hugetlbfs files. -+## Remount kdbus filesystems. ++## Manage kdbusfs directories. 
## ## ## -@@ -2088,35 +3094,35 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +3284,41 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_remount_kdbus', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ allow $1 kdbusfs_t:filesystem remount; ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Allow the type to associate to hugetlbfs filesystems. -+## Unmount kdbus filesystems. ++## Read kdbusfs files. ## -## +## 
@@ -17057,51 +17211,57 @@ index 8416beb..19d5bea 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_unmount_kdbus', ` ++interface(`fs_read_kdbus_files',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ++ ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 kdbusfs_t:filesystem unmount; ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Search inotifyfs filesystem. -+## Get attributes of kdbus filesystems. ++## Write kdbusfs files. ## ## ## -@@ -2124,17 +3130,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +3326,19 @@ interface(`fs_associate_hugetlbfs',` ## ## # -interface(`fs_search_inotifyfs',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## List inotifyfs filesystem. -+## Search kdbusfs directories. ++## Read and write kdbusfs files. ## ## ## -@@ -2142,71 +3148,118 @@ interface(`fs_search_inotifyfs',` +@@ -2142,17 +3346,23 @@ interface(`fs_search_inotifyfs',` ## ## # -interface(`fs_list_inotifyfs',` -+interface(`fs_search_kdbus_dirs',` ++interface(`fs_rw_kdbus_files',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; @@ -17109,7 +17269,8 @@ index 8416beb..19d5bea 100644 ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -17117,32 +17278,32 @@ index 8416beb..19d5bea 100644 ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Relabel kdbusfs directories. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -2160,53 +3370,39 @@ interface(`fs_list_inotifyfs',` ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_relabel_kdbus_dirs',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type inotifyfs_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## List kdbusfs directories. ++## Manage kdbusfs files. ## ## ## 
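Review bot: The summary of `fs_dontaudit_rw_kdbus_files` ends with "cgroup files", while the only rule in the interface is `dontaudit $1 kdbusfs_t:file rw_file_perms;`. The text appears to be left over from `fs_dontaudit_rw_cgroup_files` and should name the type the rule acts on: `## Do not audit attempts to open, get attributes, read and write kdbusfs files.`. Since a dontaudit rule hides denials from the audit log, its documentation is the main place where a reader learns which accesses are being suppressed, so the type needs to be right.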
@@ -17153,81 +17314,30 @@ index 8416beb..19d5bea 100644 -## -## The type of the object to be created. -## -+# -+interface(`fs_list_kdbus_dirs',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+####################################### -+## -+## Do not audit attempts to search kdbusfs directories. -+## -+## -+## -+## Domain to not audit. -+## - ## +-## -## -+# -+interface(`fs_dontaudit_search_kdbus_dirs', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:dir search_dir_perms; -+ dev_dontaudit_search_sysfs($1) -+') -+ -+######################################## -+## -+## Delete kdbusfs directories. -+## -+## - ## +-## -## The object class of the object being created. -+## Domain allowed access. - ## - ## +-## +-## -## -+# -+interface(`fs_delete_kdbus_dirs', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## -+## Manage kdbusfs directories. -+## -+## - ## +-## -## The name of the object being created. -+## Domain allowed access. - ## - ## +-## +-## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_manage_kdbus_files',` gen_require(` - type hugetlbfs_t; -- ') + type kdbusfs_t; ++ + ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -17236,305 +17346,478 @@ index 8416beb..19d5bea 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Read kdbusfs files. ++## Mount on kdbusfs directories. ## ## ## -@@ -2214,19 +3267,21 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3410,18 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_mounton_kdbus', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem mount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 kdbusfs_t:dir mounton; ') ++ ######################################## ## -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Write kdbusfs files. ++## Mount a NFS filesystem. ## ## ## -@@ -2234,18 +3289,19 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3429,18 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_mount_nfs',` gen_require(` - type iso9660_t; -+ type kdbusfs_t; ++ type nfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 nfs_t:filesystem mount; ') ######################################## ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Read and write kdbusfs files. ++## Remount a NFS filesystem. This allows ++## some mount options to be changed. 
## ## ## -@@ -2253,38 +3309,41 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,58 +3448,54 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_rw_kdbus_files',` ++interface(`fs_remount_nfs',` gen_require(` - type iso9660_t; -+ type kdbusfs_t; -+ ++ type nfs_t; ') - allow $1 iso9660_t:filesystem unmount; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 nfs_t:filesystem remount; ') ######################################## ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. ++## Unmount a NFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_dontaudit_rw_kdbus_files',` ++interface(`fs_unmount_nfs',` gen_require(` - type iso9660_t; -+ type kdbusfs_t; ++ type nfs_t; ') - allow $1 iso9660_t:filesystem getattr; -+ dontaudit $1 kdbusfs_t:file rw_file_perms; ++ allow $1 nfs_t:filesystem unmount; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs files. ++## Get the attributes of a NFS filesystem. ## ## ## -@@ -2292,19 +3351,21 @@ interface(`fs_getattr_iso9660_fs',` + ## Domain allowed access. 
## ## ++## # -interface(`fs_getattr_iso9660_files',` -+interface(`fs_manage_kdbus_files',` ++interface(`fs_getattr_nfs',` gen_require(` - type iso9660_t; -+ type kdbusfs_t; -+ ++ type nfs_t; ') - allow $1 iso9660_t:dir list_dir_perms; - allow $1 iso9660_t:file getattr; -+ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 nfs_t:filesystem getattr; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Mount on kdbusfs directories. ++## Set the attributes of nfs directories. ## ## ## -@@ -2312,16 +3373,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,19 +3503,17 @@ interface(`fs_getattr_iso9660_files',` ## ## # -interface(`fs_read_iso9660_files',` -+interface(`fs_mounton_kdbus', ` ++interface(`fs_setattr_nfs_dirs',` gen_require(` - type iso9660_t; -+ type kdbusfs_t; ++ type nfs_t; ') - allow $1 iso9660_t:dir list_dir_perms; - read_files_pattern($1, iso9660_t, iso9660_t) - read_lnk_files_pattern($1, iso9660_t, iso9660_t) -+ allow $1 kdbusfs_t:dir mounton; ++ allow $1 nfs_t:dir setattr; ') -+ ######################################## ## - ## Mount a NFS filesystem. -@@ -2398,6 +3458,24 @@ interface(`fs_getattr_nfs',` +-## Mount a NFS filesystem. ++## Search directories on a NFS filesystem. + ## + ## + ## +@@ -2332,18 +3521,17 @@ interface(`fs_read_iso9660_files',` + ## + ## + # +-interface(`fs_mount_nfs',` ++interface(`fs_search_nfs',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:filesystem mount; ++ allow $1 nfs_t:dir search_dir_perms; + ') ######################################## ## -+## Set the attributes of nfs directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fs_setattr_nfs_dirs',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ allow $1 nfs_t:dir setattr; -+') -+ -+######################################## -+## - ## Search directories on a NFS filesystem. +-## Remount a NFS filesystem. This allows +-## some mount options to be changed. ++## List NFS filesystem. + ## + ## + ## +@@ -2351,240 +3539,243 @@ interface(`fs_mount_nfs',` + ## + ## + # +-interface(`fs_remount_nfs',` ++interface(`fs_list_nfs',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:filesystem remount; ++ allow $1 nfs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Unmount a NFS filesystem. ++## Do not audit attempts to list the contents ++## of directories on a NFS filesystem. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_unmount_nfs',` ++interface(`fs_dontaudit_list_nfs',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:filesystem unmount; ++ dontaudit $1 nfs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Get the attributes of a NFS filesystem. ++## Mounton a NFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_getattr_nfs',` ++interface(`fs_mounton_nfs',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:filesystem getattr; ++ allow $1 nfs_t:dir mounton; + ') + + ######################################## + ## +-## Search directories on a NFS filesystem. ++## Read files on a NFS filesystem. ## ## -@@ -2485,6 +3563,7 @@ interface(`fs_read_nfs_files',` + ## + ## Domain allowed access. 
+ ## + ## ++## + # +-interface(`fs_search_nfs',` ++interface(`fs_read_nfs_files',` + gen_require(` type nfs_t; ') +- allow $1 nfs_t:dir search_dir_perms; + fs_search_auto_mountpoints($1) - allow $1 nfs_t:dir list_dir_perms; - read_files_pattern($1, nfs_t, nfs_t) ++ allow $1 nfs_t:dir list_dir_perms; ++ read_files_pattern($1, nfs_t, nfs_t) + ') + + ######################################## + ## +-## List NFS filesystem. ++## Do not audit attempts to read ++## files on a NFS filesystem. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_list_nfs',` ++interface(`fs_dontaudit_read_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; ++ dontaudit $1 nfs_t:file read_file_perms; ') -@@ -2523,6 +3602,7 @@ interface(`fs_write_nfs_files',` + + ######################################## + ## +-## Do not audit attempts to list the contents +-## of directories on a NFS filesystem. ++## Read files on a NFS filesystem. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_list_nfs',` ++interface(`fs_write_nfs_files',` + gen_require(` type nfs_t; ') +- dontaudit $1 nfs_t:dir list_dir_perms; + fs_search_auto_mountpoints($1) - allow $1 nfs_t:dir list_dir_perms; - write_files_pattern($1, nfs_t, nfs_t) ++ allow $1 nfs_t:dir list_dir_perms; ++ write_files_pattern($1, nfs_t, nfs_t) + ') + + ######################################## + ## +-## Mounton a NFS filesystem. ++## Execute files on a NFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_mounton_nfs',` ++interface(`fs_exec_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir mounton; ++ allow $1 nfs_t:dir list_dir_perms; ++ exec_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3629,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## +-## Read files on a NFS filesystem. 
+## Make general progams in nfs an entrypoint for +## the specified domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## The domain for which nfs_t is an entrypoint. -+## -+## -+# + ## + ## +-## + # +-interface(`fs_read_nfs_files',` +interface(`fs_nfs_entry_type',` -+ gen_require(` -+ type nfs_t; -+ ') -+ + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; +- read_files_pattern($1, nfs_t, nfs_t) + domain_entry_file($1, nfs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read +-## files on a NFS filesystem. +## Make general progams in NFS an entrypoint for +## the specified domain. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## The domain for which nfs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_read_nfs_files',` +interface(`fs_nfs_entrypoint',` -+ gen_require(` -+ type nfs_t; -+ ') -+ + gen_require(` + type nfs_t; + ') + +- dontaudit $1 nfs_t:file read_file_perms; + allow $1 nfs_t:file entrypoint; -+') -+ -+######################################## -+## - ## Append files - ## on a NFS filesystem. + ') + + ######################################## + ## +-## Read files on a NFS filesystem. ++## Append files ++## on a NFS filesystem. ## -@@ -2569,7 +3687,7 @@ interface(`fs_append_nfs_files',` + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_write_nfs_files',` ++interface(`fs_append_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; +- write_files_pattern($1, nfs_t, nfs_t) ++ append_files_pattern($1, nfs_t, nfs_t) + ') ######################################## ## --## dontaudit Append files +-## Execute files on a NFS filesystem. +## Do not audit attempts to append files - ## on a NFS filesystem. ++## on a NFS filesystem. ## ## -@@ -2589,6 +3707,42 @@ interface(`fs_dontaudit_append_nfs_files',` + ## +-## Domain allowed access. 
++## Domain to not audit. + ## + ## + ## + # +-interface(`fs_exec_nfs_files',` ++interface(`fs_dontaudit_append_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; +- exec_files_pattern($1, nfs_t, nfs_t) ++ dontaudit $1 nfs_t:file append_file_perms; + ') ######################################## ## +-## Append files +-## on a NFS filesystem. +## Read inherited files on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_append_nfs_files',` +interface(`fs_read_inherited_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ + gen_require(` + type nfs_t; + ') + +- append_files_pattern($1, nfs_t, nfs_t) + allow $1 nfs_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## dontaudit Append files +-## on a NFS filesystem. +## Read/write inherited files on a NFS filesystem. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`fs_dontaudit_append_nfs_files',` +interface(`fs_rw_inherited_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ + gen_require(` + type nfs_t; + ') + +- dontaudit $1 nfs_t:file append_file_perms; + allow $1 nfs_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to read or - ## write files on a NFS filesystem. - ## -@@ -2603,7 +3757,7 @@ interface(`fs_dontaudit_rw_nfs_files',` + ') + + ######################################## +@@ -2603,7 +3794,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17543,7 +17826,7 @@ index 8416beb..19d5bea 100644 ') ######################################## -@@ -2627,7 +3781,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3818,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## 
@@ -17552,7 +17835,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -2719,6 +3873,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3910,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -17618,7 +17901,7 @@ index 8416beb..19d5bea 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3954,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3991,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17627,7 +17910,7 @@ index 8416beb..19d5bea 100644 ## ## # -@@ -2777,7 +3990,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +4027,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -17636,7 +17919,7 @@ index 8416beb..19d5bea 100644 ## ## # -@@ -2970,6 +4183,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4220,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17644,7 +17927,7 @@ index 8416beb..19d5bea 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4224,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4261,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17652,7 +17935,7 @@ index 8416beb..19d5bea 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4265,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4302,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17660,7 +17943,7 @@ index 8416beb..19d5bea 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4353,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4390,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## 
@@ -17685,11 +17968,27 @@ index 8416beb..19d5bea 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4489,182 @@ interface(`fs_list_nfsd_fs',` - ## - ## +@@ -3239,15 +4510,198 @@ interface(`fs_search_nfsd_fs',` # --interface(`fs_getattr_nfsd_files',` + interface(`fs_list_nfsd_fs',` + gen_require(` +- type nfsd_fs_t; ++ type nfsd_fs_t; ++ ') ++ ++ allow $1 nfsd_fs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Getattr files on an nfsd filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; 
@@ -17856,63 +18155,83 @@ index 8416beb..19d5bea 100644 +## +# +interface(`fs_unmount_nsfs',` - gen_require(` -- type nfsd_fs_t; ++ gen_require(` + type nsfs_t; ') -- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +- allow $1 nfsd_fs_t:dir list_dir_perms; + allow $1 nsfs_t:filesystem unmount; ') ######################################## ## --## Read and write NFS server files. +-## Getattr files on an nfsd filesystem +## Manage NFS server files. ## ## ## -@@ -3273,12 +4672,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3255,35 +4709,35 @@ interface(`fs_list_nfsd_fs',` ## ## # --interface(`fs_rw_nfsd_fs',` +-interface(`fs_getattr_nfsd_files',` +interface(`fs_manage_nfsd_fs',` gen_require(` type nfsd_fs_t; ') -- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ######################################## -@@ -3301,6 +4700,24 @@ interface(`fs_associate_ramfs',` + ## +-## Read and write NFS server files. ++## Allow the type to associate to ramfs filesystems. + ## +-## ++## + ## +-## Domain allowed access. ++## The type of the object to be associated. + ## + ## + # +-interface(`fs_rw_nfsd_fs',` ++interface(`fs_associate_ramfs',` + gen_require(` +- type nfsd_fs_t; ++ type ramfs_t; + ') + +- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ allow $1 ramfs_t:filesystem associate; + ') ######################################## ## +-## Allow the type to associate to ramfs filesystems. +## Allow the type to associate to proc filesystems. -+## -+## -+## -+## The type of the object to be associated. 
-+## -+## -+# + ## + ## + ## +@@ -3291,12 +4745,12 @@ interface(`fs_rw_nfsd_fs',` + ## + ## + # +-interface(`fs_associate_ramfs',` +interface(`fs_associate_proc',` -+ gen_require(` + gen_require(` +- type ramfs_t; + type proc_t; -+ ') -+ + ') + +- allow $1 ramfs_t:filesystem associate; + allow $1 proc_t:filesystem associate; -+') -+ -+######################################## -+## - ## Mount a RAM filesystem. - ## - ## -@@ -3392,7 +4809,7 @@ interface(`fs_search_ramfs',` + ') + + ######################################## +@@ -3392,7 +4846,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17921,7 +18240,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3429,7 +4846,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4883,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17930,7 +18249,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3447,7 +4864,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4901,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17939,7 +18258,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3779,6 +5196,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5233,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17964,7 +18283,7 @@ index 8416beb..19d5bea 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5250,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5287,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17989,7 +18308,7 @@ index 8416beb..19d5bea 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5361,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5398,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## 
@@ -17998,7 +18317,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3916,17 +5369,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5406,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -18019,7 +18338,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3934,17 +5387,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5424,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -18040,7 +18359,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3952,17 +5405,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5442,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -18080,7 +18399,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -3970,31 +5442,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5479,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -18136,7 +18455,7 @@ index 8416beb..19d5bea 100644 ') ######################################## -@@ -4057,23 +5546,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5583,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -18313,7 +18632,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4081,18 +5717,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5754,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -18336,7 +18655,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4100,54 +5736,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5773,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -18403,7 +18722,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4155,17 +5790,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5827,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -18425,7 +18744,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4173,17 +5809,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5846,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -18447,7 +18766,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4191,37 +5828,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5865,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # 
@@ -18493,7 +18812,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4229,18 +5865,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5902,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -18515,7 +18834,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4248,18 +5884,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5921,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -18539,7 +18858,7 @@ index 8416beb..19d5bea 100644 ## ## ## -@@ -4267,32 +5904,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5941,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -18578,7 +18897,7 @@ index 8416beb..19d5bea 100644 ') ######################################## -@@ -4407,6 +6043,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6080,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -18604,7 +18923,7 @@ index 8416beb..19d5bea 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6158,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6195,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -18613,7 +18932,7 @@ index 8416beb..19d5bea 100644 ') ######################################## -@@ -4549,7 +6206,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6243,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -18622,7 +18941,7 @@ index 8416beb..19d5bea 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6253,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6290,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -18649,7 +18968,7 @@ index 8416beb..19d5bea 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6348,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6385,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -18675,7 +18994,7 @@ index 8416beb..19d5bea 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6608,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6645,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -18714,7 +19033,7 @@ index 8416beb..19d5bea 100644 +interface(`fs_tmpfs_filetrans_named_content',` + gen_require(` + type cgroup_t; -+ type devlog_t; ++ type devlog_t; + ') + + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") @@ -18847,13 +19166,13 @@ index 8416beb..19d5bea 100644 +# +interface(`fs_unmount_tracefs', ` + gen_require(` -+ type cgroup_t; ++ type tracefs_t; + ') + + allow $1 tracefs_t:filesystem unmount; +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..b3e6523 100644 +index e7d1738..b10afaf 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); 
@@ -18877,7 +19196,15 @@ index e7d1738..b3e6523 100644 # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. -@@ -53,6 +59,7 @@ type anon_inodefs_t; +@@ -43,6 +49,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); + fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); + fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); + fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0); + + ############################## + # +@@ -53,6 +60,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -18885,7 +19212,7 @@ index e7d1738..b3e6523 100644 type bdev_t; fs_type(bdev_t) -@@ -63,16 +70,28 @@ fs_type(binfmt_misc_fs_t) +@@ -63,16 +71,28 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) @@ -18915,7 +19242,7 @@ index e7d1738..b3e6523 100644 type configfs_t; fs_type(configfs_t) -@@ -88,6 +107,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +108,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -18927,7 +19254,7 @@ index e7d1738..b3e6523 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +120,7 @@ type hugetlbfs_t; +@@ -96,6 +121,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -18935,7 +19262,7 @@ index e7d1738..b3e6523 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -111,6 +136,12 @@ type inotifyfs_t; +@@ -111,6 +137,12 @@ type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) 
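Review bot: In the filesystem.te hunk at `@@ -43,6 +49,7 @@`, the added `fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);` labels the nsfs filesystem itself as fs_t, but `fs_unmount_nsfs` in filesystem.if on this page grants `allow $1 nsfs_t:filesystem unmount;`. If nsfs_t is still assigned by a genfscon elsewhere in this file (not visible in this hunk), the fs_use statement presumably takes precedence, so rules written against nsfs_t would stop matching and callers would be checked against fs_t instead. Keep a single labelling mechanism for nsfs, or add a comment above the new line such as `# nsfs inodes take the creating task's label; the filesystem itself is fs_t` and confirm the nsfs_t interfaces still apply.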
@@ -18948,7 +19275,7 @@ index e7d1738..b3e6523 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +149,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +150,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -18973,7 +19300,7 @@ index e7d1738..b3e6523 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +191,16 @@ fs_type(spufs_t) +@@ -150,17 +192,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -18995,7 +19322,7 @@ index e7d1738..b3e6523 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +212,8 @@ type vxfs_t; +@@ -172,6 +213,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -19004,7 +19331,7 @@ index e7d1738..b3e6523 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +224,8 @@ fs_type(tmpfs_t) +@@ -182,6 +225,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -19013,7 +19340,7 @@ index e7d1738..b3e6523 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +305,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +306,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
@@ -19022,7 +19349,7 @@ index e7d1738..b3e6523 100644 files_mountpoint(removable_t) # -@@ -280,6 +326,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +327,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -19030,7 +19357,7 @@ index e7d1738..b3e6523 100644 ######################################## # -@@ -301,9 +348,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +349,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # @@ -40804,7 +41131,7 @@ index 9fe8e01..c62c761 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..8828b8a 100644 +index fc28bc3..3be6892 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` @@ -40998,7 +41325,7 @@ index fc28bc3..8828b8a 100644 - files_etc_filetrans($1, locale_t, file) - -+ files_etc_filetrans($1, locale_t, lnk_file) ++ files_etc_filetrans($1, locale_t, { file lnk_file }) + files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" ) + files_etc_filetrans($1, locale_t, file, "locale.conf" ) + files_etc_filetrans($1, locale_t, file, "timezone" ) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9f9f119..5c3fa78 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12384,7 +12384,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..b4565e3 100644 +index 550b287..80de6d3 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) 
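Review bot: In the miscfiles.if hunk at `@@ -40998,7 +41325,7`, the unnamed rule `files_etc_filetrans($1, locale_t, { file lnk_file })` gives locale_t to every regular file or symlink the caller creates directly in an etc_t directory, not only `localtime`, `locale.conf` and `timezone`. That makes the three named transitions below it redundant and can leave unrelated configuration files carrying a locale label. If one more file needed the label, a further named `files_etc_filetrans($1, locale_t, file, "<name>")` line is narrower. Otherwise document the breadth with `# unnamed: any file or symlink the caller creates in /etc becomes locale_t`. The enclosing interface starts outside the hunk.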
@@ -12475,7 +12475,8 @@ index 550b287..b4565e3 100644 optional_policy(` - apache_initrc_domtrans(certmonger_t) - apache_search_config(certmonger_t) +- apache_search_config(certmonger_t) ++ apache_read_config(certmonger_t) apache_signal(certmonger_t) apache_signull(certmonger_t) + apache_systemctl(certmonger_t) @@ -24429,7 +24430,7 @@ index 8ce99ff..1bc5d3a 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..360db40 100644 +index 77a5003..86a7ed2 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) @@ -24462,20 +24463,22 @@ index 77a5003..360db40 100644 ######################################## # # Local policy -@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t) +@@ -44,12 +48,10 @@ kernel_read_system_state(devicekit_t) + dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) - +- -files_read_etc_files(devicekit_t) - -miscfiles_read_localization(devicekit_t) -- ++dev_getattr_all(devicekit_t) + optional_policy(` + dbus_system_domain(devicekit_t, devicekit_exec_t) dbus_system_bus_client(devicekit_t) allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; -@@ -64,7 +65,8 @@ optional_policy(` +@@ -64,7 +66,8 @@ optional_policy(` # Disk local policy # @@ -24485,7 +24488,7 @@ index 77a5003..360db40 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; +@@ -81,17 +84,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) 
@@ -24506,7 +24509,7 @@ index 77a5003..360db40 100644 corecmd_exec_bin(devicekit_disk_t) corecmd_exec_shell(devicekit_disk_t) -@@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) +@@ -99,6 +103,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) @@ -24515,7 +24518,7 @@ index 77a5003..360db40 100644 dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t) +@@ -117,8 +123,8 @@ files_getattr_all_pipes(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) @@ -24525,7 +24528,7 @@ index 77a5003..360db40 100644 fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) -@@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -135,18 +141,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -24547,7 +24550,7 @@ index 77a5003..360db40 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -170,6 +175,7 @@ optional_policy(` +@@ -170,6 +176,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) @@ -24555,7 +24558,7 @@ index 77a5003..360db40 100644 ') optional_policy(` -@@ -183,6 +189,11 @@ optional_policy(` +@@ -183,6 +190,11 @@ optional_policy(` ') optional_policy(` @@ -24567,7 +24570,7 @@ index 77a5003..360db40 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) udev_read_pid_files(devicekit_disk_t) -@@ -192,12 +203,19 @@ optional_policy(` +@@ -192,12 +204,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -24588,7 +24591,7 @@ index 77a5003..360db40 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -@@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -212,9 +231,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) @@ -24599,7 +24602,7 @@ index 77a5003..360db40 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) +@@ -224,12 +241,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) kernel_read_fs_sysctls(devicekit_power_t) kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) @@ -24614,7 +24617,7 @@ index 77a5003..360db40 100644 corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -248,21 +265,18 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -24637,7 +24640,7 @@ index 77a5003..360db40 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -277,6 +290,12 @@ optional_policy(` +@@ -277,6 +291,12 @@ optional_policy(` ') optional_policy(` @@ -24650,7 +24653,7 @@ index 77a5003..360db40 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -307,8 +326,11 @@ optional_policy(` +@@ -307,8 +327,11 @@ optional_policy(` ') optional_policy(` 
@@ -24663,7 +24666,7 @@ index 77a5003..360db40 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -347,3 +369,9 @@ optional_policy(` +@@ -347,3 +370,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -42850,10 +42853,10 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..82772f2 +index 0000000..c07a3fe --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,94 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -42883,6 +42886,7 @@ index 0000000..82772f2 +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; ++allow keepalived_t self:netlink_netfilter_socket create_socket_perms; +allow keepalived_t self:netlink_route_socket nlmsg_write; +allow keepalived_t self:packet_socket create_socket_perms; +allow keepalived_t self:rawip_socket create_socket_perms; @@ -72389,10 +72393,10 @@ index 0000000..47cd0f8 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..efe3ad3 +index 0000000..d8226f9 --- /dev/null +++ b/pki.if -@@ -0,0 +1,442 @@ +@@ -0,0 +1,461 @@ + +## policy for pki + @@ -72818,6 +72822,25 @@ index 0000000..efe3ad3 + +######################################## +## ++## Allow read pki_common_t files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_common_files',` ++ gen_require(` ++ type pki_common_t; ++ ') ++ ++ manage_files_pattern($1, pki_common_t, pki_common_t) ++ manage_dirs_pattern($1, pki_common_t, pki_common_t) ++') ++ ++######################################## ++## +## Connect to pki over an unix +## stream socket. +## 
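Review bot: The summary of the new `pki_manage_common_files` interface in the pki.if hunk at `@@ -72818,6 +72822,25` reads `## Allow read pki_common_t files`, but the body grants `manage_files_pattern` and `manage_dirs_pattern` on pki_common_t. A policy author choosing interfaces from the generated documentation would think they were handing out read access while granting create, write and delete. The summary should read `## Manage pki_common_t files and directories.` so the documented grant matches the actual one.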
@@ -75907,7 +75930,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..9cfa754 100644 +index 5cfb83e..4273d32 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -76000,7 +76023,7 @@ index 5cfb83e..9cfa754 100644 type postfix_data_t; files_type(postfix_data_t) -@@ -105,109 +106,22 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t) ######################################## # @@ -76085,8 +76108,9 @@ index 5cfb83e..9cfa754 100644 -######################################## -# -# Common postfix user domain local policy --# -- ++# Postfix master process local policy + # + -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -76094,10 +76118,10 @@ index 5cfb83e..9cfa754 100644 -######################################## -# -# Master local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; ++dontaudit postfix_master_t self:capability { net_admin }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; @@ -76117,7 +76141,7 @@ index 5cfb83e..9cfa754 100644 allow postfix_master_t postfix_data_t:dir manage_dir_perms; allow postfix_master_t postfix_data_t:file manage_file_perms; -@@ -216,34 +130,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms; +@@ -216,34 +131,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms; allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; 
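Review bot: The added `dontaudit postfix_master_t self:capability { net_admin };` in the postfix.te hunk at `@@ -76094,10 +76118,10` has no rationale next to it, and a dontaudit removes the audit record of the master process requesting net_admin. If the denial is expected noise, say so in a comment above the rule, for example `# net_admin is requested but not required; denials are noise (visible again with semodule -DB)`. The braces around a single permission can also go, giving `self:capability net_admin;`, which matches the `capability2 block_suspend` line that follows.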
@@ -76165,7 +76189,7 @@ index 5cfb83e..9cfa754 100644 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -@@ -253,16 +165,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d +@@ -253,16 +166,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred") filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") @@ -76183,7 +76207,7 @@ index 5cfb83e..9cfa754 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -270,50 +174,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -270,50 +175,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -76252,7 +76276,7 @@ index 5cfb83e..9cfa754 100644 optional_policy(` cyrus_stream_connect(postfix_master_t) ') -@@ -324,14 +222,6 @@ optional_policy(` +@@ -324,14 +223,6 @@ optional_policy(` ') optional_policy(` @@ -76267,7 +76291,7 @@ index 5cfb83e..9cfa754 100644 postgrey_search_spool(postfix_master_t) ') -@@ -341,12 +231,14 @@ optional_policy(` +@@ -341,12 +232,14 @@ optional_policy(` ######################################## # 
@@ -76284,7 +76308,7 @@ index 5cfb83e..9cfa754 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -363,37 +255,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -363,37 +256,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -76331,7 +76355,7 @@ index 5cfb83e..9cfa754 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -401,36 +290,50 @@ optional_policy(` +@@ -401,36 +291,50 @@ optional_policy(` ######################################## # @@ -76391,7 +76415,7 @@ index 5cfb83e..9cfa754 100644 ') optional_policy(` -@@ -442,16 +345,25 @@ optional_policy(` +@@ -442,16 +346,25 @@ optional_policy(` ') optional_policy(` @@ -76417,7 +76441,7 @@ index 5cfb83e..9cfa754 100644 procmail_domtrans(postfix_local_t) ') -@@ -466,15 +378,17 @@ optional_policy(` +@@ -466,15 +379,17 @@ optional_policy(` ######################################## # @@ -76441,7 +76465,7 @@ index 5cfb83e..9cfa754 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -484,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -484,14 +399,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -76461,7 +76485,7 @@ index 5cfb83e..9cfa754 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -500,7 +415,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -500,7 +416,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) 
@@ -76469,7 +76493,7 @@ index 5cfb83e..9cfa754 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -508,21 +422,24 @@ auth_use_nsswitch(postfix_map_t) +@@ -508,21 +423,24 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -76497,7 +76521,7 @@ index 5cfb83e..9cfa754 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -532,21 +449,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -532,21 +450,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -76523,7 +76547,7 @@ index 5cfb83e..9cfa754 100644 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) -@@ -557,6 +474,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) +@@ -557,6 +475,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) corecmd_exec_bin(postfix_pipe_t) optional_policy(` @@ -76534,7 +76558,7 @@ index 5cfb83e..9cfa754 100644 dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -584,19 +505,28 @@ optional_policy(` +@@ -584,19 +506,28 @@ optional_policy(` ######################################## # @@ -76568,7 +76592,7 @@ index 5cfb83e..9cfa754 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +541,7 @@ optional_policy(` +@@ -611,10 +542,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -76580,7 +76604,7 @@ index 5cfb83e..9cfa754 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +556,24 @@ optional_policy(` +@@ -629,17 +557,24 @@ optional_policy(` ####################################### # 
@@ -76608,7 +76632,7 @@ index 5cfb83e..9cfa754 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +589,78 @@ optional_policy(` +@@ -655,69 +590,80 @@ optional_policy(` ######################################## # @@ -76619,7 +76643,8 @@ index 5cfb83e..9cfa754 100644 -allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; -- ++dontaudit postfix_qmgr_t self:capability { net_admin }; + stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) @@ -76705,7 +76730,7 @@ index 5cfb83e..9cfa754 100644 ') optional_policy(` -@@ -730,28 +673,32 @@ optional_policy(` +@@ -730,28 +676,32 @@ optional_policy(` ######################################## # @@ -76746,7 +76771,7 @@ index 5cfb83e..9cfa754 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +711,7 @@ optional_policy(` +@@ -764,6 +714,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -76754,7 +76779,7 @@ index 5cfb83e..9cfa754 100644 ') optional_policy(` -@@ -774,31 +722,101 @@ optional_policy(` +@@ -774,31 +725,101 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -91214,7 +91239,7 @@ index 13f788f..10e2033 100644 + allow $1 rngd_unit_file_t:service all_service_perms; ') diff --git a/rngd.te b/rngd.te -index a7b7717..861aa31 100644 +index a7b7717..41bca3b 100644 --- a/rngd.te +++ b/rngd.te @@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) 
@@ -91227,12 +91252,14 @@ index a7b7717..861aa31 100644 type rngd_var_run_t; files_pid_file(rngd_var_run_t) -@@ -35,8 +38,5 @@ dev_read_urand(rngd_t) +@@ -34,9 +37,7 @@ dev_read_rand(rngd_t) + dev_read_urand(rngd_t) dev_rw_tpm(rngd_t) dev_write_rand(rngd_t) - --files_read_etc_files(rngd_t) - +-files_read_etc_files(rngd_t) ++dev_read_sysfs(rngd_t) + logging_send_syslog_msg(rngd_t) -miscfiles_read_localization(rngd_t) @@ -105702,7 +105729,7 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..47b49ea 100644 +index dbb005a..2655c75 100644 --- a/sssd.fc +++ b/sssd.fc @@ -1,15 +1,30 @@ @@ -105740,8 +105767,8 @@ index dbb005a..47b49ea 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -+/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0) -+/var/run/.heim_org.h5l.kcm-socket -- gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if index a240455..aac2584 100644 --- a/sssd.if @@ -106240,7 +106267,7 @@ index a240455..aac2584 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..f0f3862 100644 +index 2d8db1f..07606ba 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -106295,8 +106322,9 @@ index 2d8db1f..f0f3862 100644 manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) - files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) ++files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) 
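Review bot: The `/var/run/sssd.pid` entry just above the two rewritten socket lines in the sssd.fc hunk still has an unescaped dot, so the file ends up with mixed escaping. In a file-context regular expression a bare `.` matches any character, which makes the pattern slightly wider than the one file it is meant for. I would escape it in the same change: `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`.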
@@ -111022,10 +111050,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..cc0c5fe +index 0000000..cf2b1a7 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,99 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -111054,7 +111082,7 @@ index 0000000..cc0c5fe + pki_manage_tomcat_etc_rw(tomcat_t) + pki_search_log_dirs(tomcat_t) + pki_manage_tomcat_log(tomcat_t) -+ pki_read_common_files(tomcat_t) ++ pki_manage_common_files(tomcat_t) + pki_stream_connect(tomcat_t) +') + @@ -111100,6 +111128,7 @@ index 0000000..cc0c5fe +corenet_tcp_connect_http_cache_port(tomcat_domain) +corenet_tcp_connect_postgresql_port(tomcat_domain) +corenet_tcp_connect_amqp_port(tomcat_domain) ++corenet_tcp_connect_oracle_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -111113,8 +111142,17 @@ index 0000000..cc0c5fe +sysnet_dns_name_resolve(tomcat_domain) + +optional_policy(` ++ cobbler_read_lib_files(tomcat_domain) ++') ++ ++optional_policy(` + tomcat_search_lib(tomcat_domain) +') ++ ++optional_policy(` ++ rpm_exec(tomcat_domain) ++ rpm_read_db(tomcat_domain) ++') diff --git a/tor.fc b/tor.fc index dce42ec..b6b67bf 100644 --- a/tor.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index f591cb1..69d7900 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 254%{?dist} +Release: 255%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
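Review bot: Replacing `pki_read_common_files(tomcat_t)` with `pki_manage_common_files(tomcat_t)` widens the tomcat daemon from read to manage access on the shared pki files, and nothing in the hunk says which operation needs it. The interface body is not visible here, so the exact permission set is an assumption, but the changelog describes it as managing pki_common_t files and dirs. If only writes to particular files are needed, a narrower interface would be preferable; otherwise I would add a comment above the call such as `# <component> writes <file> under the shared pki directory (BZ <bug id>)`.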
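Review bot: `rpm_exec(tomcat_domain)` and `rpm_read_db(tomcat_domain)` are granted to the `tomcat_domain` attribute, so every domain carrying that attribute receives them, not only the one that needs to query packages. By the usual interface naming `rpm_exec` runs rpm without a domain transition, i.e. inside the tomcat domain (the interface body is not on this page, so this should be confirmed). I would attach the block to the specific type that needs it if that is known, and in any case add a comment inside the `optional_policy` block, e.g. `# <component> queries installed package versions via rpm (BZ <bug id>)`. The same lack of a stated reason applies to `cobbler_read_lib_files(tomcat_domain)` in this hunk and to `corenet_tcp_connect_oracle_port(tomcat_domain)` in the previous one.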
@@ -689,6 +689,28 @@ exit 0 %endif %changelog +* Thu May 18 2017 Lukas Vrabec - 3.13.1-255 +- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t +- Add interface pki_manage_common_files() +- Allow rngd domain read sysfs_t +- Allow tomcat_t domain to manage pki_common_t files and dirs +- Merge pull request #3 from rhatdan/devicekit +- Merge pull request #12 from lslebodn/sssd_sockets_fc +- Allow certmonger reads httpd_config_t files +- Allow keepalived_t domain creating netlink_netfilter_socket. +- Use stricter fc rules for sssd sockets in /var/run +- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. +- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ +- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit +- ejabberd small fixes +- Update targetd policy to accommodate changes in the service +- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls +- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit +- Dontaudit net_admin capability for useradd_t domain +- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723) +- Make able deply overcloud via neutron_t to label nsfs as fs_t +- Add fs_manage_configfs_lnk_files() interface + * Mon May 15 2017 Lukas Vrabec - 3.13.1-254 - Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit - ejabberd small fixes