diff --git a/container-selinux.tgz b/container-selinux.tgz
index 99a1c17..b681098 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 98851bf..08f8a56 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -4246,7 +4246,7 @@ index 33e0f8dad..6fd767031 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a68..cb425934b 100644
+index 9e9263a68..464be5733 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@@ -4377,14 +4377,16 @@ index 9e9263a68..cb425934b 100644
manage_files_pattern($1, bin_t, bin_t)
')
-@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',`
+@@ -398,7 +444,8 @@ interface(`corecmd_mmap_bin_files',`
type bin_t;
')
+- mmap_files_pattern($1, bin_t, bin_t)
+ corecmd_read_bin_symlinks($1)
- mmap_files_pattern($1, bin_t, bin_t)
++ mmap_exec_files_pattern($1, bin_t, bin_t)
')
+ ########################################
@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',`
interface(`corecmd_bin_spec_domtrans',`
gen_require(`
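Review bot: The `++ mmap_exec_files_pattern($1, bin_t, bin_t)` line makes `corecmd_mmap_bin_files` depend on a macro that nothing visible in this diff defines; the only support-file section, `policy/support/file_patterns.spt`, begins at the very end of the diff and is cut off here, so confirm that it actually adds `mmap_exec_files_pattern` and that no caller the patch leaves untouched still uses `mmap_files_pattern`, otherwise the build fails on the first renamed call. The same rename is applied in the `corecmd_mmap_all_executables` hunk just below, in both `libraries.if` hunks (`libs_use_ld_so` and the `textrel_shlib_t` rule), and in the `userdom_mmap_user_home_content_files` hunk, so one check covers all of them. If the new macro grants `execute` where the old one did not, the summary of `corecmd_mmap_bin_files` (outside this hunk) should say so; if it is a pure rename to follow refpolicy, a one-line note in the commit message would spare the next reader this check.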
@@ -4480,10 +4482,13 @@ index 9e9263a68..cb425934b 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-@@ -1091,3 +1145,74 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1089,5 +1143,76 @@ interface(`corecmd_mmap_all_executables',`
+ type bin_t;
+ ')
- mmap_files_pattern($1, bin_t, exec_type)
- ')
+- mmap_files_pattern($1, bin_t, exec_type)
++ mmap_exec_files_pattern($1, bin_t, exec_type)
++')
+
+########################################
+##
@@ -4554,7 +4559,7 @@ index 9e9263a68..cb425934b 100644
+ ')
+
+ filetrans_pattern($1, bin_t, $2, $3, $4)
-+')
+ ')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 20c76cff9..cc63dcc9c 100644
--- a/policy/modules/kernel/corecommands.te
@@ -11517,7 +11522,7 @@ index 0b1a8715a..849b00191 100644
+dev_getattr_all(devices_unconfined_type)
+
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d156..452a80549 100644
+index 6a1e4d156..5fd375329 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -11556,7 +11561,13 @@ index 6a1e4d156..452a80549 100644
')
########################################
-@@ -133,6 +108,10 @@ interface(`domain_entry_file',`
+@@ -128,11 +103,15 @@ interface(`domain_entry_file',`
+ ')
+
+ allow $1 $2:file entrypoint;
+- allow $1 $2:file { mmap_file_perms ioctl lock };
++ allow $1 $2:file { mmap_exec_file_perms ioctl lock };
+
typeattribute $2 entry_type;
corecmd_executable_file($2)
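Review bot: `allow $1 $2:file { mmap_exec_file_perms ioctl lock };` on the `++` line switches `domain_entry_file` to the permission set `mmap_exec_file_perms`, which no hunk in this diff defines — permission sets presumably live in `policy/support/obj_perm_sets.spt`, and the only support-file section here is the `file_patterns.spt` one at the tail. If the base policy already provides `mmap_exec_file_perms` this is fine; if not, this line and the matching `allow $1 entry_type:file mmap_exec_file_perms;` in the `domain_mmap_all_entry_files` hunk below will not compile, so please confirm the name resolves. The enclosing `domain_entry_file` interface starts and ends outside the hunk.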
@@ -11706,6 +11717,15 @@ index 6a1e4d156..452a80549 100644
## Relabel to and from all entry point
## file types.
##
+@@ -1390,7 +1462,7 @@ interface(`domain_mmap_all_entry_files',`
+ attribute entry_type;
+ ')
+
+- allow $1 entry_type:file mmap_file_perms;
++ allow $1 entry_type:file mmap_exec_file_perms;
+ ')
+
+ ########################################
@@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',`
##
## Ability to mmap a low area of the address
@@ -32841,7 +32861,7 @@ index 6bf0ecc2d..a6b6087eb 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..f17b76dec 100644
+index 8b403774f..676215ff3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -33234,12 +33254,12 @@ index 8b403774f..f17b76dec 100644
+allow xdm_t xauth_home_t:file manage_file_perms;
+
+allow xdm_t xserver_unconfined_type:process { signull };
-
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-+
+
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+xserver_filetrans_home_content(xdm_t)
@@ -33712,7 +33732,7 @@ index 8b403774f..f17b76dec 100644
')
optional_policy(`
-@@ -518,8 +918,36 @@ optional_policy(`
+@@ -518,8 +918,40 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -33731,8 +33751,7 @@ index 8b403774f..f17b76dec 100644
+ cpufreqselector_dbus_chat(xdm_t)
+ ')
+
- optional_policy(`
-- accountsd_dbus_chat(xdm_t)
++ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
@@ -33741,16 +33760,21 @@ index 8b403774f..f17b76dec 100644
+ hal_dbus_chat(xdm_t)
+ ')
+
-+ optional_policy(`
+ optional_policy(`
+- accountsd_dbus_chat(xdm_t)
+ gnomeclock_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
++ modemmanager_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
')
')
-@@ -530,6 +958,20 @@ optional_policy(`
+@@ -530,6 +962,20 @@ optional_policy(`
')
optional_policy(`
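Review bot: The inserted `optional_policy(` block granting `modemmanager_dbus_chat(xdm_t)` carries no comment saying which display-manager component needs to exchange D-Bus messages with ModemManager, which makes the grant hard to audit once it is merged into the large monolithic patch. The neighbouring blocks are equally bare, so this is consistent with the file, but a one-line comment above the block naming the xdm component that issues the calls (to be filled in by the author) would document the reason. The hunk header change from `+918,36` to `+918,40` matches the four inserted lines.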
@@ -33771,7 +33795,7 @@ index 8b403774f..f17b76dec 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +989,78 @@ optional_policy(`
+@@ -547,28 +993,78 @@ optional_policy(`
')
optional_policy(`
@@ -33859,7 +33883,7 @@ index 8b403774f..f17b76dec 100644
')
optional_policy(`
-@@ -580,6 +1072,14 @@ optional_policy(`
+@@ -580,6 +1076,14 @@ optional_policy(`
')
optional_policy(`
@@ -33874,7 +33898,7 @@ index 8b403774f..f17b76dec 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1094,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1098,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -33883,7 +33907,7 @@ index 8b403774f..f17b76dec 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1104,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1108,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -33896,7 +33920,7 @@ index 8b403774f..f17b76dec 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1121,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1125,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -33912,7 +33936,7 @@ index 8b403774f..f17b76dec 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,36 +1137,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,36 +1141,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -33970,7 +33994,7 @@ index 8b403774f..f17b76dec 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1204,29 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1208,29 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -34003,7 +34027,7 @@ index 8b403774f..f17b76dec 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1238,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1242,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -34018,7 +34042,7 @@ index 8b403774f..f17b76dec 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,28 +1259,25 @@ init_getpgid(xserver_t)
+@@ -718,28 +1263,25 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -34051,7 +34075,7 @@ index 8b403774f..f17b76dec 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
-@@ -785,17 +1323,54 @@ optional_policy(`
+@@ -785,17 +1327,54 @@ optional_policy(`
')
optional_policy(`
@@ -34108,7 +34132,7 @@ index 8b403774f..f17b76dec 100644
')
optional_policy(`
-@@ -803,6 +1378,10 @@ optional_policy(`
+@@ -803,6 +1382,10 @@ optional_policy(`
')
optional_policy(`
@@ -34119,7 +34143,7 @@ index 8b403774f..f17b76dec 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1397,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1401,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -34144,7 +34168,7 @@ index 8b403774f..f17b76dec 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1420,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1424,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -34179,7 +34203,7 @@ index 8b403774f..f17b76dec 100644
')
optional_policy(`
-@@ -912,7 +1485,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1489,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -34188,7 +34212,7 @@ index 8b403774f..f17b76dec 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1539,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1543,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -34220,7 +34244,7 @@ index 8b403774f..f17b76dec 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1585,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1589,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -41631,7 +41655,7 @@ index 73bb3c00c..4ddc8145a 100644
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
+/usr/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93eb..b717d9709 100644
+index 808ba93eb..16ed55e55 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@@ -41660,9 +41684,12 @@ index 808ba93eb..b717d9709 100644
## Use the dynamic link/loader for automatic loading
## of shared libraries.
##
-@@ -86,7 +105,7 @@ interface(`libs_use_ld_so',`
+@@ -84,9 +103,9 @@ interface(`libs_use_ld_so',`
+ allow $1 lib_t:dir list_dir_perms;
+
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
- mmap_files_pattern($1, lib_t, ld_so_t)
+- mmap_files_pattern($1, lib_t, ld_so_t)
++ mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })
- allow $1 ld_so_cache_t:file read_file_perms;
+ allow $1 ld_so_cache_t:file { map read_file_perms };
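Review bot: The `++ mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })` line does more than the rename: the rule it replaces, `mmap_files_pattern($1, lib_t, ld_so_t)`, covered only `ld_so_t` files, whereas the new target set also grants the mmap/exec permissions on every `lib_t` file to each caller of `libs_use_ld_so`. That widening is a separate policy decision from the macro rename and deserves either its own change or an explicit sentence in the commit message, since the interface summary ("Use the dynamic link/loader for automatic loading of shared libraries") no longer matches what it grants. If the loader genuinely has to map `lib_t` itself, a comment on the line such as `# ld.so maps lib_t directly, not only ld_so_t` would record that. The rest of the enclosing interface is outside the hunk.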
@@ -41810,7 +41837,7 @@ index 808ba93eb..b717d9709 100644
- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
-+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
++ mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+# allow $1 lib_t:file execmod;
allow $1 textrel_shlib_t:file execmod;
')
@@ -43066,7 +43093,7 @@ index 4e9488463..c54641fbb 100644
+')
+
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1a2..e9545b961 100644
+index 59b04c1a2..d4fd81a7b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -43498,7 +43525,7 @@ index 59b04c1a2..e9545b961 100644
')
optional_policy(`
-@@ -507,15 +625,44 @@ optional_policy(`
+@@ -507,15 +625,45 @@ optional_policy(`
')
optional_policy(`
@@ -43536,6 +43563,7 @@ index 59b04c1a2..e9545b961 100644
+
+optional_policy(`
+ systemd_rw_coredump_tmpfs_files(syslogd_t)
++ systemd_read_unit_files(syslogd_t)
+')
+
+optional_policy(`
@@ -43543,7 +43571,7 @@ index 59b04c1a2..e9545b961 100644
')
optional_policy(`
-@@ -526,3 +673,29 @@ optional_policy(`
+@@ -526,3 +674,29 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -47050,7 +47078,7 @@ index 38220721d..abac74231 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc4642022..5b26b2de2 100644
+index dc4642022..d3320bdd9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -47473,7 +47501,7 @@ index dc4642022..5b26b2de2 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -440,81 +512,86 @@ optional_policy(`
+@@ -440,81 +512,87 @@ optional_policy(`
# semodule local policy
#
@@ -47541,6 +47569,7 @@ index dc4642022..5b26b2de2 100644
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
++seutil_rw_login_config(semanage_t)
+seutil_domtrans_setfiles(semanage_t)
+
+#seutil_run_setfiles(semanage_t, semanage_roles)
@@ -47616,7 +47645,7 @@ index dc4642022..5b26b2de2 100644
')
########################################
-@@ -522,111 +599,204 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +600,204 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -49077,10 +49106,10 @@ index a392fc4bc..4870f76fd 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 000000000..121b42208
+index 000000000..ce07ba149
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,82 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+
@@ -49108,6 +49137,7 @@ index 000000000..121b42208
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/run/systemd/units(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
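Review bot: `/run/systemd/units(/.*)?` is a path under the `/run` tmpfs, so a file-context entry alone only takes effect when a relabel (`restorecon`) runs; at runtime the directory receives whatever label systemd's create rules produce, and no transition rule for it is visible in this diff. The existing `/run/systemd/transient(/.*)?` line beside it follows the same convention, so this is consistent, but confirm that the directory actually ends up as `systemd_unit_file_t` without a relabel, otherwise callers of `systemd_read_unit_files` — such as the `syslogd_t` grant added elsewhere in this diff — may still be denied on it. The line counts (`+1,81` → `+1,82`) match the single insertion.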
@@ -53555,7 +53585,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..3f5aa5f3b 100644
+index 9dc60c6c0..8c0b17aa8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -55723,7 +55753,39 @@ index 9dc60c6c0..3f5aa5f3b 100644
## Mmap user home files.
##
##
-@@ -1875,14 +2634,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1858,12 +2617,30 @@ interface(`userdom_mmap_user_home_content_files',`
+ type user_home_dir_t, user_home_t;
+ ')
+
+- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
+ ')
+
+ ########################################
+ ##
++## map user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_map_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file map;
++')
++
++########################################
++##
+ ## Read user home files.
+ ##
+ ##
+@@ -1875,14 +2652,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
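Review bot: The new `userdom_map_user_home_files` interface grants only `allow $1 user_home_t:file map;` — no `open`/`read` and no `files_search_home($1)` — so on its own it gives a domain nothing usable, and its summary should say that it supplements a read interface rather than reading "map user home files." as if it were self-contained, e.g. `## Map (mmap) user home files; the caller must also be granted read access to user_home_t.`. The summary also starts with lowercase `map`, unlike the neighbouring `Mmap user home files.` and `Read user home files.`. The hunk offsets (`+2617,30` here and `+2652,36` for the following hunk) correctly account for the 18 inserted lines.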
@@ -55761,7 +55823,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1893,11 +2674,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2692,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -55779,7 +55841,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -1938,7 +2722,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2740,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -55788,7 +55850,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -1946,10 +2730,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2748,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -55801,7 +55863,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2741,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2759,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -55810,7 +55872,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -1966,12 +2749,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2767,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -55879,7 +55941,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2007,8 +2844,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2862,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -55889,7 +55951,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2024,20 +2860,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2878,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -55914,7 +55976,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
########################################
##
-@@ -2075,6 +2905,7 @@ interface(`userdom_manage_user_home_content_files',`
+@@ -2075,6 +2923,7 @@ interface(`userdom_manage_user_home_content_files',`
manage_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -55922,7 +55984,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
files_search_home($1)
')
-@@ -2120,7 +2951,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2969,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -55931,7 +55993,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -2128,19 +2959,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2977,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -55955,7 +56017,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -2148,12 +2977,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2995,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -55971,7 +56033,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2388,18 +3217,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3235,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -56029,7 +56091,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3279,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3297,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -56038,7 +56100,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2455,6 +3320,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3338,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -56064,7 +56126,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
########################################
##
-@@ -2538,7 +3422,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3440,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -56073,75 +56135,24 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -2546,19 +3430,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,7 +3448,27 @@ interface(`userdom_manage_user_tmp_files',`
##
##
#
-interface(`userdom_manage_user_tmp_symlinks',`
+interface(`userdom_filetrans_named_user_tmp_files',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ gen_require(`
++ type user_tmp_t;
++ ')
++
+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
- files_search_tmp($1)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete user
--## temporary named pipes.
-+## temporary symbolic links.
- ##
- ##
- ##
-@@ -2566,19 +3450,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_pipes',`
-+interface(`userdom_manage_user_tmp_symlinks',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
- files_search_tmp($1)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete user
--## temporary named sockets.
-+## temporary named pipes.
- ##
- ##
- ##
-@@ -2586,20 +3470,61 @@ interface(`userdom_manage_user_tmp_pipes',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_sockets',`
-+interface(`userdom_rw_inherited_user_tmp_pipes',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- files_search_tmp($1)
- ')
-
++ files_search_tmp($1)
++')
+
- ########################################
- ##
--## Create objects in a user temporary directory
--## with an automatic type transition to
--## a specified private type.
++########################################
++##
+## Create, read, write, and delete user
-+## temporary named pipes.
++## temporary symbolic links.
+##
+##
+##
@@ -56149,19 +56160,28 @@ index 9dc60c6c0..3f5aa5f3b 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+@@ -2566,6 +3488,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
++interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+')
+
++
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named sockets.
++## temporary named pipes.
+##
+##
+##
@@ -56169,24 +56189,10 @@ index 9dc60c6c0..3f5aa5f3b 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_sockets',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Create objects in a user temporary directory
-+## with an automatic type transition to
-+## a specified private type.
- ##
- ##
- ##
-@@ -2661,6 +3586,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+@@ -2661,6 +3604,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
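Review bot: The inserted `interface(`userdom_rw_inherited_user_tmp_pipes',` lands directly beneath the existing doc block of `userdom_manage_user_tmp_pipes` (the `##`/`##`/`#` context that opens the `@@ -2566,6 +3488,27 @@` hunk), whose summary reads "Create, read, write, and delete user temporary named pipes.", while the interface only grants `allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;`; the freshly added block that repeats the same summary then ends up on the original `userdom_manage_user_tmp_pipes`, so the generated interface documentation will describe the rw-inherited interface as a manage interface. Insert the new interface together with its own block above the existing `########` header instead, with the summary `## Read and write inherited user` / `## temporary named pipes.`, and leave the original block where it was. The preceding hunk places `userdom_filetrans_named_user_tmp_files` under the block originally written for `userdom_manage_user_tmp_symlinks` in the same way; whether the `-2538,7` hunk above rewrites that summary is not visible here, so check it too. The `++` blank after `+')` also leaves two consecutive empty lines between interfaces where the file otherwise uses one.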
@@ -56208,7 +56214,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3612,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3630,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -56230,7 +56236,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -2692,19 +3627,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3645,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -56253,7 +56259,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -2713,13 +3642,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3660,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -56314,7 +56320,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2814,6 +3786,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3804,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -56339,7 +56345,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3822,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3840,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -56382,7 +56388,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -2856,14 +3858,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3876,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -56420,7 +56426,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2882,8 +3903,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3921,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -56450,7 +56456,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -2955,6 +3995,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +4013,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -56493,7 +56499,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4054,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4072,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -56518,7 +56524,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4072,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4090,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -56530,7 +56536,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
## memory segments.
##
##
-@@ -3025,17 +4083,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4101,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -56551,7 +56557,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
## memory segments.
##
##
-@@ -3044,12 +4102,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4120,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -56566,7 +56572,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -3094,7 +4152,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4170,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -56575,7 +56581,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4168,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4186,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -56609,7 +56615,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -3214,7 +4256,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4274,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -56636,7 +56642,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
')
########################################
-@@ -3269,12 +4329,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4347,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -56652,7 +56658,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
##
##
##
-@@ -3282,46 +4343,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4361,56 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -56710,32 +56716,37 @@ index 9dc60c6c0..3f5aa5f3b 100644
gen_require(`
- attribute userdomain;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 userdomain:process getattr;
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Inherit the file descriptors from all user domains
+## Allow domain to read/write inherited users
+## fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -3337,17 +4418,91 @@ interface(`userdom_getattr_all_users',`
+ ##
+ ##
+ #
+-interface(`userdom_use_all_users_fds',`
+interface(`userdom_rw_inherited_user_pipes',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- allow $1 userdomain:fd use;
+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file
+## Do not audit attempts to use user ttys.
+##
+##
@@ -56785,10 +56796,36 @@ index 9dc60c6c0..3f5aa5f3b 100644
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
- ')
-
- allow $1 userdomain:process getattr;
-@@ -3382,6 +4519,42 @@ interface(`userdom_signal_all_users',`
++ ')
++
++ allow $1 userdomain:process getattr;
++')
++
++########################################
++##
++## Inherit the file descriptors from all user domains
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_all_users_fds',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:fd use;
++')
++
++########################################
++##
++## Do not audit attempts to inherit the file
+ ## descriptors from any user domains.
+ ##
+ ##
+@@ -3382,6 +4537,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -56831,7 +56868,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4575,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4593,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -56892,7 +56929,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4662,1853 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4680,1853 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -58747,7 +58784,7 @@ index 9dc60c6c0..3f5aa5f3b 100644
+ ')
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38dc7..0fce86e80 100644
+index f4ac38dc7..8bbc532c5 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -58836,7 +58873,7 @@ index f4ac38dc7..0fce86e80 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,400 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -58949,6 +58986,7 @@ index f4ac38dc7..0fce86e80 100644
+read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
+read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
+userdom_search_user_home_content(userdom_home_reader_certs_type)
++allow userdom_home_reader_certs_type home_cert_t:file map;
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
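Review bot: The new `allow userdom_home_reader_certs_type home_cert_t:file map;` only covers the plain home-directory path, while the `use_ecryptfs_home_dirs` branch directly below still calls only `fs_read_ecryptfs_files()`, so the same mapping of a cert file on an eCryptfs-backed home would presumably still be denied. If that case matters for BZ 1519810, the tunable branch needs the matching map permission on ecryptfs files (or a comment recording the gap as intentional). A one-line comment above the rule naming what maps these files (e.g. if it is a cert database being mmapped rather than read) would also let later reviewers judge whether `map` is still needed, since this series otherwise routes mmap access through the new `mmap_*_files_pattern` macros.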
@@ -59267,6 +59305,58 @@ index db3cbca45..3cc5cf448 100644
+policycap nnp_nosuid_transition;
+
+
+diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
+index 8b785c9a3..8aa8c3610 100644
+--- a/policy/support/file_patterns.spt
++++ b/policy/support/file_patterns.spt
+@@ -99,9 +99,21 @@ define(`read_files_pattern',`
+ allow $1 $3:file read_file_perms;
+ ')
+
++define(`mmap_read_files_pattern',`
++ allow $1 $2:dir search_dir_perms;
++ allow $1 $3:file mmap_read_file_perms;
++')
++
+ define(`mmap_files_pattern',`
++ # deprecated 20171213
++ refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
+ allow $1 $2:dir search_dir_perms;
+- allow $1 $3:file mmap_file_perms;
++ allow $1 $3:file mmap_exec_file_perms;
++')
++
++define(`mmap_exec_files_pattern',`
++ allow $1 $2:dir search_dir_perms;
++ allow $1 $3:file mmap_exec_file_perms;
+ ')
+
+ define(`exec_files_pattern',`
+@@ -124,6 +136,11 @@ define(`rw_files_pattern',`
+ allow $1 $3:file rw_file_perms;
+ ')
+
++define(`mmap_rw_files_pattern',`
++ allow $1 $2:dir search_dir_perms;
++ allow $1 $3:file mmap_rw_file_perms;
++')
++
+ define(`create_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:file create_file_perms;
+diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
+index 4ca5688c3..355ff953c 100644
+--- a/policy/support/misc_macros.spt
++++ b/policy/support/misc_macros.spt
+@@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
+ #
+ # can_exec(domain,executable)
+ #
+-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
++define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
+
+ ########################################
+ #
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d54501..101086d66 100644
--- a/policy/support/misc_patterns.spt
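Review bot: The deprecation warning in `mmap_files_pattern` sends every caller to `mmap_exec_files_pattern()`, yet the same hunk introduces `mmap_read_files_pattern()` precisely so that data-only mappings stop carrying `execute`; pointing callers unconditionally at the exec variant will keep granting `execute` to domains that only need read mappings. Suggest `refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() for executables or mmap_read_files_pattern() for data files')`. Note that `mmap_file_perms` and `mmap_exec_file_perms` are the same permission set, so the `can_exec` rename in misc_macros.spt and the deprecated macro's new body are behaviour-neutral; the tightening only materialises when individual callers are migrated, and no migration to the read-only variant appears in the hunks visible here.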
@@ -59299,7 +59389,7 @@ index e79d54501..101086d66 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e9131723..528c5d2d1 100644
+index 6e9131723..d63bb8b45 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -59321,7 +59411,7 @@ index 6e9131723..528c5d2d1 100644
#
# Permissions for creating and using sockets.
-@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+@@ -153,12 +152,22 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -59334,6 +59424,10 @@ index 6e9131723..528c5d2d1 100644
+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
+define(`read_file_perms',`{ open read_inherited_file_perms }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
++define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
++define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
++define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
++define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
+define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
+define(`append_inherited_file_perms',`{ getattr append }')
+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
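Review bot: `mmap_read_file_perms` (`{ getattr open map read ioctl }`) is not a superset of `read_file_perms` — it drops `lock` — so `mmap_read_files_pattern()` cannot be used as a drop-in replacement for `read_files_pattern()` without silently losing flock/fcntl locking, which mmapped database files commonly rely on. Either build it additively, `define(`mmap_read_file_perms',`{ map read_file_perms }')` (and the inherited variant from `read_inherited_file_perms`), or document that callers must keep the read pattern alongside the mmap one. The `mmap_exec_*` sets have the same omission, but there it matches the pre-existing `mmap_file_perms`, so it is less likely to surprise.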
@@ -59341,10 +59435,12 @@ index 6e9131723..528c5d2d1 100644
+define(`write_file_perms',`{ open write_inherited_file_perms }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
++define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
++define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
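Review bot: `mmap_rw_file_perms` (`{ getattr open map read write ioctl }`) omits the `append` and `lock` that `rw_file_perms` carries via `rw_inherited_file_perms`, so a caller migrating from `rw_files_pattern()` to the new `mmap_rw_files_pattern()` loses both without any warning. If the set is meant to be additive, `define(`mmap_rw_file_perms',`{ map rw_file_perms }')` says so and follows the file's convention of composing sets from the inherited ones. If the narrower set is deliberate (for instance to mirror an upstream definition), a comment stating that would stop a later reader from "fixing" it.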
-@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+@@ -179,7 +188,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
@@ -59353,7 +59449,7 @@ index 6e9131723..528c5d2d1 100644
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
+@@ -192,7 +201,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
@@ -59363,7 +59459,7 @@ index 6e9131723..528c5d2d1 100644
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -208,8 +218,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
@@ -59375,7 +59471,7 @@ index 6e9131723..528c5d2d1 100644
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
-@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
+@@ -225,7 +236,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
@@ -59385,7 +59481,7 @@ index 6e9131723..528c5d2d1 100644
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
-@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
+@@ -242,7 +254,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
@@ -59395,7 +59491,7 @@ index 6e9131723..528c5d2d1 100644
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
-@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -259,7 +272,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
#
# Use (read and write) terminals
#
@@ -59405,7 +59501,7 @@ index 6e9131723..528c5d2d1 100644
#
# Sockets
-@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -271,3 +285,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3e59f8b..c0fc473 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12792,10 +12792,10 @@ index 550b287ce..73104ec93 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 171fafb99..38614a0e9 100644
+index 171fafb99..6cf8b7957 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
+@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t;
# Local policy
#
@@ -12827,6 +12827,7 @@ index 171fafb99..38614a0e9 100644
miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
++miscfiles_map_generic_certs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
@@ -20020,7 +20021,7 @@ index 1303b3036..f5bd4aee8 100644
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
diff --git a/cron.te b/cron.te
-index 7de385956..46400791a 100644
+index 7de385956..31053c2a9 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@@ -20439,7 +20440,7 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-@@ -354,103 +314,141 @@ optional_policy(`
+@@ -354,103 +314,145 @@ optional_policy(`
')
optional_policy(`
@@ -20448,22 +20449,20 @@ index 7de385956..46400791a 100644
- optional_policy(`
- hal_dbus_chat(crond_t)
- ')
--
-- optional_policy(`
-- unconfined_dbus_send(crond_t)
-- ')
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
- ')
++')
- optional_policy(`
-- amanda_search_var_lib(crond_t)
+- optional_policy(`
+- unconfined_dbus_send(crond_t)
+- ')
++optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
')
optional_policy(`
-- amavis_search_lib(crond_t)
+- amanda_search_var_lib(crond_t)
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
@@ -20471,31 +20470,35 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-- djbdns_search_tinydns_keys(crond_t)
-- djbdns_link_tinydns_keys(crond_t)
+- amavis_search_lib(crond_t)
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
-- hal_write_log(crond_t)
+- djbdns_search_tinydns_keys(crond_t)
+- djbdns_link_tinydns_keys(crond_t)
+ antivirus_search_db(crond_t)
')
optional_policy(`
-- locallogin_search_keys(crond_t)
-- locallogin_link_keys(crond_t)
+ hal_dbus_chat(crond_t)
-+ hal_write_log(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
-- mta_send_mail(crond_t)
+- locallogin_search_keys(crond_t)
+- locallogin_link_keys(crond_t)
+ # cjp: why?
+ munin_search_lib(crond_t)
')
optional_policy(`
+- mta_send_mail(crond_t)
++ pcp_read_lib_files(crond_t)
+ ')
+
+ optional_policy(`
- munin_search_lib(crond_t)
+ rpc_search_nfs_state_data(crond_t)
')
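Review bot: `pcp_read_lib_files(crond_t)` grants the cron daemon itself read access under pcp's lib tree, but nothing in the hunk says why the daemon rather than the job domain (system_cronjob_t / cronjob_t) needs it; if the denial behind BZ 1525420 came from a running job, the rule belongs on the job domain, not on crond_t. If crond really does read a crontab that lives under /var/lib/pcp (for example one reached through /etc/cron.d), please record it: `# pcp ships crontab content under /var/lib/pcp that crond reads directly (BZ 1525420)`. The rest of this hunk only reorders existing optional_policy blocks.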
@@ -20613,7 +20616,7 @@ index 7de385956..46400791a 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -20626,7 +20629,7 @@ index 7de385956..46400791a 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -20634,7 +20637,7 @@ index 7de385956..46400791a 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -20659,7 +20662,7 @@ index 7de385956..46400791a 100644
auth_use_nsswitch(system_cronjob_t)
-@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -20690,7 +20693,7 @@ index 7de385956..46400791a 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -20717,7 +20720,7 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-@@ -551,10 +579,6 @@ optional_policy(`
+@@ -551,10 +583,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -20728,7 +20731,7 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-@@ -567,6 +591,10 @@ optional_policy(`
+@@ -567,6 +595,10 @@ optional_policy(`
')
optional_policy(`
@@ -20739,7 +20742,7 @@ index 7de385956..46400791a 100644
ftp_read_log(system_cronjob_t)
')
-@@ -591,6 +619,8 @@ optional_policy(`
+@@ -591,6 +623,8 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -20748,7 +20751,7 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-@@ -598,7 +628,31 @@ optional_policy(`
+@@ -598,7 +632,31 @@ optional_policy(`
')
optional_policy(`
@@ -20780,7 +20783,7 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-@@ -607,7 +661,12 @@ optional_policy(`
+@@ -607,7 +665,12 @@ optional_policy(`
')
optional_policy(`
@@ -20793,7 +20796,7 @@ index 7de385956..46400791a 100644
')
optional_policy(`
-@@ -615,12 +674,27 @@ optional_policy(`
+@@ -615,12 +678,27 @@ optional_policy(`
')
optional_policy(`
@@ -20823,7 +20826,7 @@ index 7de385956..46400791a 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -20857,7 +20860,7 @@ index 7de385956..46400791a 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -23031,7 +23034,7 @@ index dda905b9c..60806a524 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb46..c0c2ed47d 100644
+index 62d22cb46..d9c0343da 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -23109,7 +23112,7 @@ index 62d22cb46..c0c2ed47d 100644
-
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ # For connecting to the bus
-+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
++ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };
+ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
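Review bot: Adding `create` in `allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };` is very likely a no-op: a socket created by $3 is labeled with $3's own domain unless a type_transition or setsockcreatecon() assigns `$1_dbusd_t`, and neither is visible in this template. If an AVC for `create` on `$1_dbusd_t:unix_stream_socket` was actually observed, the object is acquiring that label through some other path that is worth understanding before the permission is granted; otherwise drop `create` to keep the template minimal. If it is kept, a comment naming the client that produced the denial would make the intent auditable. The template body continues outside this hunk.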
@@ -23561,7 +23564,7 @@ index 62d22cb46..c0c2ed47d 100644
##
##
## Type to be used as a domain.
-@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',`
+@@ -397,199 +410,251 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -23881,6 +23884,7 @@ index 62d22cb46..c0c2ed47d 100644
- allow $1 system_dbusd_t:fd use;
+ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
++ dontaudit $1 system_dbusd_t:sock_file write;
')
########################################
@@ -23892,7 +23896,7 @@ index 62d22cb46..c0c2ed47d 100644
##
##
##
-@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +662,68 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -23970,7 +23974,7 @@ index 62d22cb46..c0c2ed47d 100644
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
diff --git a/dbus.te b/dbus.te
-index c9998c80d..328aa81d2 100644
+index c9998c80d..5a9dfdf1e 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -24004,7 +24008,15 @@ index c9998c80d..328aa81d2 100644
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
+@@ -36,12 +31,16 @@ init_system_domain(system_dbusd_t, dbusd_exec_t)
+ type system_dbusd_tmp_t;
+ files_tmp_file(system_dbusd_tmp_t)
+
++type system_dbusd_tmpfs_t;
++files_tmpfs_file(system_dbusd_tmpfs_t)
++
+ type system_dbusd_var_lib_t;
+ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@@ -24014,7 +24026,7 @@ index c9998c80d..328aa81d2 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
+@@ -51,59 +50,69 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -24050,6 +24062,11 @@ index c9998c80d..328aa81d2 100644
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
++
++manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
++manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
++fs_tmpfs_filetrans(system_dbusd_t, system_dbusd_tmpfs_t, { dir file })
++allow system_dbusd_t system_dbusd_tmpfs_t:file map;
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
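Review bot: The new system_dbusd_tmpfs_t block grants `manage_files_pattern`, `manage_dirs_pattern`, a `{ dir file }` filetrans and `file map` with no comment on what dbus-daemon creates on tmpfs; a private, writable and mappable tmpfs type is the usual shape for shared-memory or memfd-backed buffers, and that should be stated, e.g. `# dbus-daemon creates and maps tmpfs-backed (memfd) files`. If the triggering denials were on file objects only, the `dir` half (`manage_dirs_pattern` and `dir` in `fs_tmpfs_filetrans`) presumably can be dropped to keep the type narrow — confirm against the AVCs. The `map` permission itself is consistent with this series moving mmap access under the explicit `map` permission.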
@@ -24097,7 +24114,7 @@ index c9998c80d..328aa81d2 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +132,177 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -24175,14 +24192,14 @@ index c9998c80d..328aa81d2 100644
+
+optional_policy(`
+ snapper_read_inherited_pipe(system_dbusd_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
- seutil_sigchld_newrole(system_dbusd_t)
-+ sysnet_domtrans_dhcpc(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@@ -24216,7 +24233,7 @@ index c9998c80d..328aa81d2 100644
#
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
-+
+
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
@@ -24250,7 +24267,7 @@ index c9998c80d..328aa81d2 100644
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
-
++
+########################################
+#
+# session_bus_type rules
@@ -24289,7 +24306,7 @@ index c9998c80d..328aa81d2 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +311,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -24314,7 +24331,7 @@ index c9998c80d..328aa81d2 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +330,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -24322,7 +24339,7 @@ index c9998c80d..328aa81d2 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +339,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -24364,7 +24381,7 @@ index c9998c80d..328aa81d2 100644
')
########################################
-@@ -244,5 +368,9 @@ optional_policy(`
+@@ -244,5 +376,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -28598,7 +28615,7 @@ index 18f245250..a446210f0 100644
+
')
diff --git a/dspam.te b/dspam.te
-index ef6236335..084171673 100644
+index ef6236335..25dcb975a 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -28624,7 +28641,7 @@ index ef6236335..084171673 100644
files_search_spool(dspam_t)
-@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
@@ -28634,6 +28651,9 @@ index ef6236335..084171673 100644
apache_content_template(dspam)
+ apache_content_alias_template(dspam, dspam)
+
++ manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
++ manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
++
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+ auth_read_passwd(dspam_script_t)
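Review bot: The two new rules `manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)` and the files equivalent are placed right after `apache_content_alias_template(dspam, dspam)` in a block that, later in this diff, still carries `manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)` and its files counterpart. If the alias template makes `httpd_dspam_rw_content_t` and `dspam_rw_content_t` the same type, the new lines are duplicates and the denial in BZ 1290876 came from something else; if they are distinct types, a comment stating which label the dspam web content actually carries would justify keeping both pairs. Please confirm which way the alias points before merging.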
@@ -28641,14 +28661,14 @@ index ef6236335..084171673 100644
+ files_search_var_lib(dspam_script_t)
+
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
-+
-+ term_dontaudit_search_ptys(dspam_script_t)
-+ term_dontaudit_getattr_all_ttys(dspam_script_t)
-+ term_dontaudit_getattr_all_ptys(dspam_script_t)
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
++ term_dontaudit_search_ptys(dspam_script_t)
++ term_dontaudit_getattr_all_ttys(dspam_script_t)
++ term_dontaudit_getattr_all_ptys(dspam_script_t)
++
+ init_read_utmp(dspam_script_t)
+
+ logging_send_syslog_msg(dspam_script_t)
@@ -28662,7 +28682,7 @@ index ef6236335..084171673 100644
')
optional_policy(`
-@@ -87,3 +114,12 @@ optional_policy(`
+@@ -87,3 +117,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
@@ -50810,7 +50830,7 @@ index 1d4eb19b8..650014e0f 100644
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index 29b752160..8c41e59db 100644
+index 29b752160..5000dd91c 100644
--- a/memcached.te
+++ b/memcached.te
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
@@ -50830,7 +50850,16 @@ index 29b752160..8c41e59db 100644
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
-@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen };
+ allow memcached_t self:fifo_file rw_fifo_file_perms;
+ allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
++allow memcached_t memcached_exec_t:file map;
++
+ manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
@@ -54082,7 +54111,7 @@ index 6194b806b..e27c53d6e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..bb6533dae 100644
+index 11ac8e4fc..7e6607cab 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -54536,7 +54565,7 @@ index 11ac8e4fc..bb6533dae 100644
')
optional_policy(`
-@@ -300,259 +340,265 @@ optional_policy(`
+@@ -300,259 +340,266 @@ optional_policy(`
########################################
#
@@ -54833,6 +54862,7 @@ index 11ac8e4fc..bb6533dae 100644
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
++userdom_map_user_home_files(mozilla_plugin_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
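Review bot: `userdom_map_user_home_files(mozilla_plugin_t)` lets the plugin sandbox mmap any `user_home_t` file; the interface body is not in this diff, so confirm it grants `file map` only and not `execute`, otherwise arbitrary home-directory content becomes executable-mappable from the very domain the sandbox is meant to confine. It is also worth checking whether the files behind BZ 1452783 really carry user_home_t rather than a more specific home label that a restorecon would have applied, since broadening access to the generic home type is the least specific fix available. A comment naming the trigger, `# BZ 1452783: plugins need to mmap files under $HOME`, would help later audits.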
@@ -54948,7 +54978,7 @@ index 11ac8e4fc..bb6533dae 100644
')
optional_policy(`
-@@ -560,7 +606,11 @@ optional_policy(`
+@@ -560,7 +607,11 @@ optional_policy(`
')
optional_policy(`
@@ -54961,7 +54991,7 @@ index 11ac8e4fc..bb6533dae 100644
')
optional_policy(`
-@@ -568,108 +618,144 @@ optional_policy(`
+@@ -568,108 +619,144 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fcd5987..92ae0c9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 306%{?dist}
+Release: 307%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,16 @@ exit 0
%endif
%changelog
+* Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307
+- Allow crond_t to read pcp lib files BZ(1525420)
+- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
+- Allow certwatch_t to mmap generic certs. BZ(1527173)
+- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
+- Add interface userdom_map_user_home_files()
+- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
+- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
+- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
+
* Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306
- Allow thumb_t domain to dosfs_t BZ(1517720)
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)