diff --git a/policy-F15.patch b/policy-F15.patch index 8871ef6..cc26057 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -208,6 +208,32 @@ index af90ef2..7534872 100644 + (( h1 dom h2 ) or ( t1 == mcsnetwrite )); + ') dnl end enable_mcs +diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if +index e66c296..61f738b 100644 +--- a/policy/modules/admin/acct.if ++++ b/policy/modules/admin/acct.if +@@ -78,3 +78,21 @@ interface(`acct_manage_data',` + manage_files_pattern($1, acct_data_t, acct_data_t) + manage_lnk_files_pattern($1, acct_data_t, acct_data_t) + ') ++ ++######################################## ++## ++## Dontaudit Attempts to list acct_data directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`acct_dontaudit_list_data',` ++ gen_require(` ++ type acct_data_t; ++ ') ++ ++ dontaudit $1 acct_data_t:dir list_dir_perms; ++') diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index 90d5203..1392679 100644 --- a/policy/modules/admin/alsa.if @@ -1034,9 +1060,18 @@ index c633aea..b773bc3 100644 type portage_cache_t; files_type(portage_cache_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..7d2fcff 100644 +index af55369..bc4ae6d 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te +@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) + # Local policy + # + +-allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; ++allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; + allow prelink_t self:process { execheap execmem execstack signal }; + allow prelink_t self:fifo_file rw_fifo_file_perms; + @@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) @@ -5074,10 +5109,10 @@ index 0000000..4f9cb05 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..7b483f3 +index 0000000..aedbcbe --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,314 @@ +@@ -0,0 +1,315 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -5187,6 +5222,7 @@ index 0000000..7b483f3 + +domain_dontaudit_read_all_domains_state(nsplugin_t) + ++dev_read_urand(nsplugin_t) +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) +dev_write_sound(nsplugin_t) @@ -5816,7 +5852,7 @@ index c1d5f50..989f88c 100644 + + diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 5ef2f7d..5a13201 100644 +index 5ef2f7d..d5ed1df 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true) @@ -5828,7 +5864,15 @@ index 5ef2f7d..5a13201 100644 ##

## gen_tunable(qemu_use_comm, false) -@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',` +@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t) + + userdom_search_user_home_content(qemu_t) + userdom_read_user_tmpfs_files(qemu_t) ++userdom_stream_connect(qemu_t) + + tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; +@@ -90,7 +91,9 @@ tunable_policy(`qemu_use_usb',` ') optional_policy(` @@ -5839,7 +5883,7 @@ index 5ef2f7d..5a13201 100644 ') optional_policy(` -@@ -102,6 +104,10 @@ optional_policy(` +@@ -102,6 +105,10 @@ optional_policy(` xen_rw_image_files(qemu_t) ') @@ -5850,7 +5894,7 @@ index 5ef2f7d..5a13201 100644 ######################################## # # Unconfined qemu local policy -@@ -112,6 +118,8 @@ optional_policy(` +@@ -112,6 +119,8 @@ optional_policy(` typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) @@ -7104,10 +7148,10 @@ index 0000000..46368cc +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..7d62b71 +index 0000000..2ace399 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,333 @@ +@@ -0,0 +1,328 @@ + +policy_module(telepathy, 1.0.0) + @@ -7180,8 +7224,6 @@ index 0000000..7d62b71 +corecmd_exec_shell(telepathy_msn_t) +corecmd_read_bin_symlinks(telepathy_msn_t) + -+dev_read_urand(telepathy_msn_t) -+ +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + @@ -7239,7 +7281,6 @@ index 0000000..7d62b71 +corenet_tcp_connect_vnc_port(telepathy_gabble_t) + +dev_read_rand(telepathy_gabble_t) -+dev_read_urand(telepathy_gabble_t) + +files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) @@ -7276,6 +7317,8 @@ index 0000000..7d62b71 +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +corenet_tcp_connect_ircd_port(telepathy_idle_t) + ++dev_read_rand(telepathy_idle_t) ++ +files_read_etc_files(telepathy_idle_t) + +sysnet_read_config(telepathy_idle_t) @@ -7334,8 +7377,6 @@ index 0000000..7d62b71 +corenet_tcp_bind_presence_port(telepathy_salut_t) +corenet_tcp_connect_presence_port(telepathy_salut_t) + -+dev_read_urand(telepathy_salut_t) -+ +files_read_etc_files(telepathy_salut_t) + +sysnet_read_config(telepathy_salut_t) @@ -7360,8 +7401,6 @@ index 0000000..7d62b71 +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) + -+dev_read_urand(telepathy_sofiasip_t) -+ +kernel_request_load_module(telepathy_sofiasip_t) + +sysnet_read_config(telepathy_sofiasip_t) @@ -7381,8 +7420,6 @@ index 0000000..7d62b71 + +corecmd_exec_bin(telepathy_sunshine_t) + -+dev_read_urand(telepathy_sunshine_t) -+ +files_read_etc_files(telepathy_sunshine_t) +files_read_usr_files(telepathy_sunshine_t) + @@ -7411,6 +7448,8 @@ index 0000000..7d62b71 +corenet_tcp_sendrecv_generic_node(telepathy_domain) +corenet_udp_bind_generic_node(telepathy_domain) + ++dev_read_urand(telepathy_domain) ++ +kernel_read_system_state(telepathy_domain) + +fs_search_auto_mountpoints(telepathy_domain) @@ -7807,7 +7846,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..6e68bd2 100644 +index 34c9d01..93e0ee8 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -7848,6 +7887,14 @@ index 34c9d01..6e68bd2 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) +@@ -319,6 +324,7 @@ ifdef(`distro_redhat', ` + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a..24018ce 100644 --- a/policy/modules/kernel/corecommands.if @@ -8913,7 +8960,7 @@ index 3517db2..4dd4bef 100644 + +/usr/lib/debug <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ed203b2..bfb7926 100644 +index ed203b2..7825dd2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -9066,7 +9113,39 @@ index ed203b2..bfb7926 100644 ## Execute generic files in /etc. ## ## -@@ -2623,6 +2730,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2583,6 +2690,31 @@ interface(`files_create_boot_flag',` + + ######################################## + ## ++## Delete a boot flag. ++## ++## ++##

++## Delete a boot flag, such as ++## /.autorelabel and /.autofsck. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_delete_boot_flag',` ++ gen_require(` ++ type root_t, etc_runtime_t; ++ ') ++ ++ delete_files_pattern($1, root_t, etc_runtime_t) ++') ++ ++######################################## ++## + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. + ## +@@ -2623,6 +2755,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9091,7 +9170,7 @@ index ed203b2..bfb7926 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3104,6 +3229,7 @@ interface(`files_getattr_home_dir',` +@@ -3104,6 +3254,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -9099,7 +9178,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -3124,6 +3250,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3275,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -9107,7 +9186,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -3365,6 +3492,24 @@ interface(`files_list_mnt',` +@@ -3365,6 +3517,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -9132,7 +9211,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3583,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3608,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -9157,7 +9236,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3892,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3917,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9258,7 +9337,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4171,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4196,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -9291,29 +9370,184 @@ index ed203b2..bfb7926 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,6 +4251,84 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4276,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -3976,17 +4284,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` +interface(`files_relabelfrom_tmp_dirs',` -+ gen_require(` + gen_require(` +- attribute tmpfile; + type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -3994,74 +4302,77 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Relabel all tmp dirs. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- dontaudit $1 tmpfile:file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Relabel all tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- allow $1 tmpfile:file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Set the attributes of all tmp directories. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Read all tmp files. ++## List all tmp directories. + ## + ## + ## +@@ -4069,36 +4380,111 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` + ## + ## + # +-interface(`files_read_all_tmp_files',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + +- read_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Do not audit attempts to get the attributes ++## of all tmp files. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. ++## Domain not to audit. + ## + ## + # +-interface(`files_tmp_filetrans',` ++interface(`files_dontaudit_getattr_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; + ') + -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmpfile:file getattr; +') + +######################################## +## -+## Relabel a file from the type used in /tmp. ++## Allow attempts to get the attributes ++## of all tmp files. +## +## +## @@ -9321,62 +9555,77 @@ index ed203b2..bfb7926 100644 +## +## +# -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file getattr; +') + +######################################## +## -+## Relabel all tmp dirs. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. +## +## +## -+## Domain allowed access. ++## Domain not to audit. +## +## -+## +# -+interface(`files_relabel_all_tmp_dirs',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` + attribute tmpfile; -+ type var_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) ++ dontaudit $1 tmpfile:sock_file getattr; +') + +######################################## +## -+## Relabel all tmp files. ++## Read all tmp files. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_relabel_all_tmp_files',` ++interface(`files_read_all_tmp_files',` + gen_require(` + attribute tmpfile; -+ type var_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) ++ read_files_pattern($1, tmpfile, tmpfile) +') + +######################################## +## - ## Set the attributes of all tmp directories. - ## - ## -@@ -4127,6 +4488,13 @@ interface(`files_purge_tmp',` ++## Create an object in the tmp directories, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++# ++interface(`files_tmp_filetrans',` + gen_require(` + type tmp_t; + ') +@@ -4127,6 +4513,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -9390,79 +9639,32 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -4736,7 +5104,7 @@ interface(`files_read_var_files',` +@@ -4736,6 +5129,24 @@ interface(`files_read_var_files',` ######################################## ## --## Read and write files in the /var directory. +## Append files in the /var directory. - ## - ## - ## -@@ -4744,36 +5112,54 @@ interface(`files_read_var_files',` - ## - ## - # --interface(`files_rw_var_files',` -+interface(`files_append_var_files',` - gen_require(` - type var_t; - ') - -- rw_files_pattern($1, var_t, var_t) -+ append_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. -+## Read and write files in the /var directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_var_files',` -+interface(`files_rw_var_files',` - gen_require(` - type var_t; - ') - -- dontaudit $1 var_t:file rw_file_perms; -+ rw_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /var directory. -+## Do not audit attempts to read and write -+## files in the /var directory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_rw_var_files',` ++interface(`files_append_var_files',` + gen_require(` + type var_t; + ') + -+ dontaudit $1 var_t:file rw_file_perms; ++ append_files_pattern($1, var_t, var_t) +') + +######################################## +## -+## Create, read, write, and delete files in the /var directory. + ## Read and write files in the /var directory. ## ## - ## -@@ -5071,6 +5457,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5482,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -9487,7 +9689,7 @@ index ed203b2..bfb7926 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5156,12 +5560,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5585,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -9504,7 +9706,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -5207,6 +5611,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5636,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -9532,7 +9734,7 @@ index ed203b2..bfb7926 100644 ## Read all lock files. ## ## -@@ -5335,6 +5760,43 @@ interface(`files_search_pids',` +@@ -5335,6 +5785,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -9576,7 +9778,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6004,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6029,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -9639,7 +9841,7 @@ index ed203b2..bfb7926 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6077,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6102,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -9684,7 +9886,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -5844,3 +6400,247 @@ interface(`files_unconfined',` +@@ -5844,3 +6425,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -11232,7 +11434,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..96d3fbf 100644 +index 2be17d2..faaf889 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) @@ -11284,7 +11486,7 @@ index 2be17d2..96d3fbf 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,104 @@ optional_policy(` +@@ -27,25 +63,108 @@ optional_policy(` ') optional_policy(` @@ -11322,6 +11524,10 @@ index 2be17d2..96d3fbf 100644 +') + +optional_policy(` ++ mysql_exec(staff_t) ++') ++ ++optional_policy(` postgresql_role(staff_r, staff_t) ') @@ -11391,7 +11597,7 @@ index 2be17d2..96d3fbf 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -137,10 +252,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +256,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19529,7 +19735,7 @@ index 9d44538..7e9057e 100644 # interface(`cyphesis_domtrans',` diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te -index e182bf4..f80e725 100644 +index e182bf4..aab657c 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -19541,7 +19747,18 @@ index e182bf4..f80e725 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -135,6 +135,7 @@ optional_policy(` +@@ -119,6 +119,10 @@ optional_policy(` + ') + + optional_policy(` ++ dirsrv_stream_connect(cyrus_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(cyrus, cyrus_t) + ') + +@@ -135,6 +139,7 @@ optional_policy(` ') optional_policy(` @@ -20614,10 +20831,10 @@ index 0000000..0070a0d +/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if new file mode 100644 -index 0000000..440a6c5 +index 0000000..9d8f5de --- /dev/null +++ b/policy/modules/services/dirsrv.if -@@ -0,0 +1,193 @@ +@@ -0,0 +1,212 @@ +## policy for dirsrv + +######################################## @@ -20718,6 +20935,25 @@ index 0000000..440a6c5 + allow $1 dirsrv_var_lib_t:file manage_file_perms; +') + ++######################################## ++## ++## Connect to dirsrv over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_stream_connect',` ++ gen_require(` ++ type dirsrv_t, dirsrv_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ++') ++ +####################################### +## +## Allow a domain to manage dirsrv /var/run files. @@ -21013,6 +21249,16 @@ index 03b5286..fcafa0b 100644 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) ######################################## +diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc +index dc1056c..bd60100 100644 +--- a/policy/modules/services/dkim.fc ++++ b/policy/modules/services/dkim.fc +@@ -7,3 +7,5 @@ + /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) ++ ++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc index b886676..ad3210e 100644 --- a/policy/modules/services/dnsmasq.fc @@ -21077,7 +21323,7 @@ index 9bd812b..c808b31 100644 ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..c516b94 100644 +index fdaeeba..dc4eb3d 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) @@ -21091,7 +21337,16 @@ index fdaeeba..c516b94 100644 kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) -@@ -96,10 +97,18 @@ optional_policy(` +@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t) + + miscfiles_read_localization(dnsmasq_t) + ++sysnet_dns_name_resolve(dnsmasq_t) ++ + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) + +@@ -96,10 +99,18 @@ optional_policy(` ') optional_policy(` @@ -21110,7 +21365,7 @@ index fdaeeba..c516b94 100644 seutil_sigchld_newrole(dnsmasq_t) ') -@@ -114,4 +123,5 @@ optional_policy(` +@@ -114,4 +125,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -24168,7 +24423,7 @@ index c62f23e..335fda1 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..c51c1f6 100644 +index 3aa8fa7..8fa74c3 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -1,5 +1,41 @@ @@ -24239,40 +24494,17 @@ index 3aa8fa7..c51c1f6 100644 ## Read the OpenLDAP configuration files. ## ## -@@ -69,8 +124,30 @@ interface(`ldap_stream_connect',` +@@ -69,8 +124,7 @@ interface(`ldap_stream_connect',` ') files_search_pids($1) - allow $1 slapd_var_run_t:sock_file write; - allow $1 slapd_t:unix_stream_socket connectto; + stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) -+ -+ optional_policy(` -+ ldap_stream_connect_dirsrv($1) -+ ') -+') -+ -+######################################## -+## -+## Connect to dirsrv over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ldap_stream_connect_dirsrv',` -+ gen_require(` -+ type dirsrv_t, dirsrv_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ') ######################################## -@@ -110,6 +187,7 @@ interface(`ldap_admin',` +@@ -110,6 +164,7 @@ interface(`ldap_admin',` admin_pattern($1, slapd_lock_t) @@ -24624,17 +24856,18 @@ index db4fd6f..5008a6c 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc -index 55a3e2f..613c69d 100644 +index 55a3e2f..bc489e0 100644 --- a/policy/modules/services/milter.fc +++ b/policy/modules/services/milter.fc -@@ -1,3 +1,6 @@ +@@ -1,10 +1,15 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) -@@ -5,6 +8,7 @@ + ++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) @@ -24812,10 +25045,10 @@ index 0000000..42bb2a3 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..d76fb11 +index 0000000..6395ec8 --- /dev/null +++ b/policy/modules/services/mock.if -@@ -0,0 +1,236 @@ +@@ -0,0 +1,254 @@ +## policy for mock + +######################################## @@ -24876,6 +25109,24 @@ index 0000000..d76fb11 + +######################################## +## ++## Getattr on mock lib file,dir,sock_file ... ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_getattr_lib',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ allow $1 mock_var_lib_t:dir_file_class_set getattr; ++') ++ ++######################################## ++## +## Create, read, write, and delete +## mock lib files. +## @@ -26497,10 +26748,35 @@ index f17583b..8f01394 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..4d3b208 100644 +index e9c0982..06034b8 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if -@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',` +@@ -18,6 +18,24 @@ interface(`mysql_domtrans',` + domtrans_pattern($1, mysqld_exec_t, mysqld_t) + ') + ++###################################### ++## ++## Execute MySQL in the coller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_exec',` ++ gen_require(` ++ type mysqld_exec_t; ++ ') ++ ++ can_exec($1, mysqld_exec_t) ++') ++ + ######################################## + ## + ## Send a generic signal to MySQL. +@@ -73,6 +91,7 @@ interface(`mysql_stream_connect',` type mysqld_t, mysqld_var_run_t, mysqld_db_t; ') @@ -26508,7 +26784,7 @@ index e9c0982..4d3b208 100644 stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') -@@ -252,7 +253,7 @@ interface(`mysql_write_log',` +@@ -252,7 +271,7 @@ interface(`mysql_write_log',` ') logging_search_logs($1) @@ -26517,7 +26793,7 @@ index e9c0982..4d3b208 100644 ') ###################################### -@@ -329,10 +330,9 @@ interface(`mysql_search_pid_files',` +@@ -329,10 +348,9 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` @@ -26531,7 +26807,7 @@ index e9c0982..4d3b208 100644 ') allow $1 mysqld_t:process { ptrace signal_perms }; -@@ -343,13 +343,17 @@ interface(`mysql_admin',` +@@ -343,13 +361,17 @@ interface(`mysql_admin',` role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; @@ -27957,19 +28233,29 @@ index b246bdd..f414173 100644 files_etc_filetrans(pads_t, pads_config_t, file) diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc new file mode 100644 -index 0000000..8d00972 +index 0000000..fbd07f6 --- /dev/null +++ b/policy/modules/services/passenger.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,16 @@ + +/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) + ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++ ++/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) ++/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) ++ +/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if new file mode 100644 -index 0000000..66f9799 +index 0000000..9ef0492 --- /dev/null +++ b/policy/modules/services/passenger.if @@ -0,0 +1,67 @@ @@ -27995,7 +28281,7 @@ index 0000000..66f9799 + allow $1 passenger_t:process signal; + + domtrans_pattern($1, passenger_exec_t, passenger_t) -+ allow $1 passenger_t:unix_stream_socket { read write shutdown }; ++ allow $1 passenger_t:unix_stream_socket { read write connectto shutdown }; + allow passenger_t $1:unix_stream_socket { read write }; +') + @@ -28042,10 +28328,10 @@ index 0000000..66f9799 +') diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te new file mode 100644 -index 0000000..ba9fdb9 +index 0000000..efa9336 --- /dev/null +++ b/policy/modules/services/passenger.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,76 @@ +policy_module(passanger, 1.0.0) + +######################################## @@ -28062,6 +28348,9 @@ index 0000000..ba9fdb9 +type passenger_tmp_t; +files_tmp_file(passenger_tmp_t) + ++type passenger_log_t; ++logging_log_file(passenger_log_t) ++ +type passenger_var_lib_t; +files_type(passenger_var_lib_t) + @@ -28075,11 +28364,16 @@ index 0000000..ba9fdb9 +# passanger local policy +# + -+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; -+allow passenger_t self:process signal; ++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice }; ++allow passenger_t self:process { setpgid setsched sigkill signal }; ++ +allow passenger_t self:fifo_file rw_fifo_file_perms; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + ++manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) ++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) ++logging_log_filetrans(passenger_t, passenger_log_t, file) ++ +files_search_var_lib(passenger_t) +manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) +manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) @@ -28090,6 +28384,8 @@ index 0000000..ba9fdb9 +manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) + ++can_exec(passenger_t, passenger_exec_t) ++ +kernel_read_system_state(passenger_t) +kernel_read_kernel_sysctls(passenger_t) + @@ -28738,6 +29034,16 @@ index 0000000..5793840 +miscfiles_read_localization(piranha_domain) + +sysnet_read_config(piranha_domain) +diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc +index 5702ca4..5df5316 100644 +--- a/policy/modules/services/plymouthd.fc ++++ b/policy/modules/services/plymouthd.fc +@@ -5,3 +5,5 @@ + /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) + /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) + /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) ++ ++/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if index 9759ed8..07dd3ff 100644 --- a/policy/modules/services/plymouthd.if @@ -28903,10 +29209,31 @@ index 9759ed8..07dd3ff 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index fb8dc84..56cc327 100644 +index fb8dc84..ef11559 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te -@@ -60,10 +60,20 @@ domain_use_interactive_fds(plymouthd_t) +@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t) + type plymouthd_var_lib_t; + files_type(plymouthd_var_lib_t) + ++type plymouthd_var_log_t; ++logging_log_file(plymouthd_var_log_t) ++ + type plymouthd_var_run_t; + files_pid_file(plymouthd_var_run_t) + +@@ -42,6 +45,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) + ++manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) ++manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) ++logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) ++ + manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) +@@ -60,10 +67,20 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -28927,7 +29254,7 @@ index fb8dc84..56cc327 100644 ######################################## # # Plymouth private policy -@@ -74,6 +84,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +91,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -28935,7 +29262,7 @@ index fb8dc84..56cc327 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +98,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +105,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -34250,7 +34577,7 @@ index 22dfeb4..d9f5dbc 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..679558c 100644 +index 086cd5f..b0ee422 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -34281,7 +34608,7 @@ index 086cd5f..679558c 100644 corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -121,6 +126,10 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,6 +126,14 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -34289,10 +34616,14 @@ index 086cd5f..679558c 100644 +') + +optional_policy(` ++ mock_getattr_lib(setroubleshootd_t) ++') ++ ++optional_policy(` dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +161,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -152,6 +165,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) @@ -34300,7 +34631,7 @@ index 086cd5f..679558c 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +174,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +178,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -35579,7 +35910,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..4877b5a 100644 +index 2dad3c8..4cdb5c2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -35705,7 +36036,15 @@ index 2dad3c8..4877b5a 100644 dev_read_urand(ssh_t) -@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -162,6 +166,7 @@ logging_read_generic_logs(ssh_t) + auth_use_nsswitch(ssh_t) + + miscfiles_read_localization(ssh_t) ++miscfiles_read_generic_certs(ssh_t) + + seutil_read_config(ssh_t) + +@@ -169,14 +174,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -35724,7 +36063,7 @@ index 2dad3c8..4877b5a 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -200,6 +203,57 @@ optional_policy(` +@@ -200,6 +204,57 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -35782,7 +36121,7 @@ index 2dad3c8..4877b5a 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +263,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +264,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -35791,7 +36130,7 @@ index 2dad3c8..4877b5a 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +286,39 @@ optional_policy(` +@@ -232,33 +287,39 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -35840,7 +36179,7 @@ index 2dad3c8..4877b5a 100644 ') optional_policy(` -@@ -266,11 +326,24 @@ optional_policy(` +@@ -266,11 +327,24 @@ optional_policy(` ') optional_policy(` @@ -35866,7 +36205,7 @@ index 2dad3c8..4877b5a 100644 ') optional_policy(` -@@ -284,6 +357,11 @@ optional_policy(` +@@ -284,6 +358,11 @@ optional_policy(` ') optional_policy(` @@ -35878,7 +36217,7 @@ index 2dad3c8..4877b5a 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +370,26 @@ optional_policy(` +@@ -292,26 +371,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -35924,7 +36263,7 @@ index 2dad3c8..4877b5a 100644 ') dnl endif TODO ######################################## -@@ -324,7 +402,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -35932,7 +36271,7 @@ index 2dad3c8..4877b5a 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +430,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +431,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -36001,7 +36340,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..7113802 100644 +index 8ffa257..12d37a2 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -36035,15 +36374,49 @@ index 8ffa257..7113802 100644 kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) -@@ -80,6 +83,8 @@ logging_send_audit_msgs(sssd_t) +@@ -60,6 +63,7 @@ domain_obj_id_change_exemption(sssd_t) + files_list_tmp(sssd_t) + files_read_etc_files(sssd_t) + files_read_usr_files(sssd_t) ++files_list_var_lib(sssd_t) - miscfiles_read_localization(sssd_t) + fs_list_inotifyfs(sssd_t) -+userdom_manage_tmp_role(system_r, sssd_t) +@@ -69,7 +73,8 @@ seutil_read_file_contexts(sssd_t) + + mls_file_read_to_clearance(sssd_t) + +-auth_use_nsswitch(sssd_t) + ++# auth_use_nsswitch(sssd_t) + auth_domtrans_chk_passwd(sssd_t) + auth_domtrans_upd_passwd(sssd_t) + +@@ -79,6 +84,12 @@ logging_send_syslog_msg(sssd_t) + logging_send_audit_msgs(sssd_t) + + miscfiles_read_localization(sssd_t) ++miscfiles_read_generic_certs(sssd_t) ++ ++sysnet_dns_name_resolve(sssd_t) ++sysnet_use_ldap(sssd_t) ++ ++userdom_manage_tmp_role(system_r, sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) +@@ -88,3 +99,11 @@ optional_policy(` + optional_policy(` + kerberos_manage_host_rcache(sssd_t) + ') ++ ++optional_policy(` ++ dirsrv_stream_connect(sssd_t) ++') ++ ++optional_policy(` ++ ldap_stream_connect(sssd_t) ++') diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if index 6073656..eaf49b2 100644 --- a/policy/modules/services/stunnel.if @@ -37301,7 +37674,7 @@ index 7c5d8d8..8822e63 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..a48a862 100644 +index 3eca020..333a07f 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) @@ -37558,7 +37931,12 @@ index 3eca020..a48a862 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -243,18 +291,27 @@ dev_read_rand(virtd_t) +@@ -239,22 +287,32 @@ corenet_tcp_connect_soundd_port(virtd_t) + corenet_rw_tun_tap_dev(virtd_t) + + dev_rw_sysfs(virtd_t) ++dev_read_urand(virtd_t) + dev_read_rand(virtd_t) dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -37587,7 +37965,7 @@ index 3eca020..a48a862 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -37606,7 +37984,7 @@ index 3eca020..a48a862 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -37637,7 +38015,7 @@ index 3eca020..a48a862 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +448,8 @@ optional_policy(` +@@ -365,6 +449,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -37646,7 +38024,7 @@ index 3eca020..a48a862 100644 ') optional_policy(` -@@ -396,12 +481,25 @@ optional_policy(` +@@ -396,12 +482,25 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; @@ -37673,7 +38051,7 @@ index 3eca020..a48a862 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +521,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -37681,7 +38059,7 @@ index 3eca020..a48a862 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +528,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +529,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -37694,7 +38072,7 @@ index 3eca020..a48a862 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +541,11 @@ files_search_all(virt_domain) +@@ -440,6 +542,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -37706,7 +38084,7 @@ index 3eca020..a48a862 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +563,117 @@ optional_policy(` +@@ -457,8 +564,117 @@ optional_policy(` ') optional_policy(` @@ -39209,7 +39587,7 @@ index da2601a..6b12229 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..6b4d8c9 100644 +index 145fc4b..05cbefe 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -39828,7 +40206,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -504,11 +714,17 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +714,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -39836,6 +40214,10 @@ index 145fc4b..6b4d8c9 100644 +') + +optional_policy(` ++ acct_dontaudit_list_data(xdm_t) ++') ++ ++optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') @@ -39846,7 +40228,7 @@ index 145fc4b..6b4d8c9 100644 ') optional_policy(` -@@ -516,12 +732,49 @@ optional_policy(` +@@ -516,12 +736,49 @@ optional_policy(` ') optional_policy(` @@ -39896,7 +40278,7 @@ index 145fc4b..6b4d8c9 100644 hostname_exec(xdm_t) ') -@@ -539,28 +792,63 @@ optional_policy(` +@@ -539,28 +796,63 @@ optional_policy(` ') optional_policy(` @@ -39969,7 +40351,7 @@ index 145fc4b..6b4d8c9 100644 ') optional_policy(` -@@ -572,6 +860,10 @@ optional_policy(` +@@ -572,6 +864,10 @@ optional_policy(` ') optional_policy(` @@ -39980,7 +40362,7 @@ index 145fc4b..6b4d8c9 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +888,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +892,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -39989,7 +40371,7 @@ index 145fc4b..6b4d8c9 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +902,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +906,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -40004,7 +40386,7 @@ index 145fc4b..6b4d8c9 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +929,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +933,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -40026,7 +40408,7 @@ index 145fc4b..6b4d8c9 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +949,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +953,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -40034,7 +40416,7 @@ index 145fc4b..6b4d8c9 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +976,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +980,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -40042,7 +40424,7 @@ index 145fc4b..6b4d8c9 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +985,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +989,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -40060,7 +40442,7 @@ index 145fc4b..6b4d8c9 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1006,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1010,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -40074,7 +40456,7 @@ index 145fc4b..6b4d8c9 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1034,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1038,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -40089,7 +40471,7 @@ index 145fc4b..6b4d8c9 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1094,28 @@ optional_policy(` +@@ -773,12 +1098,28 @@ optional_policy(` ') optional_policy(` @@ -40119,7 +40501,7 @@ index 145fc4b..6b4d8c9 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1124,10 @@ optional_policy(` +@@ -787,6 +1128,10 @@ optional_policy(` ') optional_policy(` @@ -40130,7 +40512,7 @@ index 145fc4b..6b4d8c9 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1143,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1147,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -40144,7 +40526,7 @@ index 145fc4b..6b4d8c9 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1154,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1158,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -40153,7 +40535,7 @@ index 145fc4b..6b4d8c9 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1167,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1171,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -40163,7 +40545,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1177,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1181,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -40175,7 +40557,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1190,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1194,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -40192,7 +40574,7 @@ index 145fc4b..6b4d8c9 100644 ') optional_policy(` -@@ -853,6 +1205,10 @@ optional_policy(` +@@ -853,6 +1209,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -40203,7 +40585,7 @@ index 145fc4b..6b4d8c9 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1252,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1256,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -40212,7 +40594,7 @@ index 145fc4b..6b4d8c9 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1306,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1310,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -40244,7 +40626,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1352,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1356,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -40871,7 +41253,7 @@ index 1c4b1e7..ffa4134 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..716da1d 100644 +index bea0ade..cbd62c5 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -41198,37 +41580,88 @@ index bea0ade..716da1d 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,6 +1692,8 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` -+ allow $1 self:netlink_route_socket r_netlink_socket_perms; +- files_list_var_lib($1) +- + # read /etc/nsswitch.conf + files_read_etc_files($1) + +- miscfiles_read_generic_certs($1) +- + sysnet_dns_name_resolve($1) +- sysnet_use_ldap($1) + - files_list_var_lib($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ files_list_var_lib($1) ++ ++ miscfiles_read_generic_certs($1) ++ ++ sysnet_use_ldap($1) ++ ') - # read /etc/nsswitch.conf -@@ -1531,7 +1725,15 @@ interface(`auth_use_nsswitch',` + optional_policy(` +- avahi_stream_connect($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ dirsrv_stream_connect($1) ++ ') + ') + + optional_policy(` +- ldap_stream_connect($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ ldap_stream_connect($1) ++ ') + ') + + optional_policy(` +- likewise_stream_connect_lsassd($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ likewise_stream_connect_lsassd($1) ++ ') + ') + ++ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. + optional_policy(` + kerberos_use($1) + ') +@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',` ') optional_policy(` - nscd_socket_use($1) + nscd_use($1) + ') + + optional_policy(` +- samba_stream_connect_winbind($1) +- samba_read_var_files($1) +- samba_dontaudit_write_var_files($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ nslcd_stream_connect($1) ++ ') + ') + + optional_policy(` -+ nslcd_stream_connect($1) ++ sssd_stream_connect($1) + ') + + optional_policy(` -+ sssd_stream_connect($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ samba_stream_connect_winbind($1) ++ samba_read_var_files($1) ++ samba_dontaudit_write_var_files($1) ++ ') ') + ') - optional_policy(` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 54d122b..7413dc4 100644 +index 54d122b..c2a3970 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -5,9 +5,17 @@ policy_module(authlogin, 2.2.0) +@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0) # Declarations # @@ -41239,6 +41672,13 @@ index 54d122b..7413dc4 100644 +## +gen_tunable(authlogin_radius, false) + ++## ++##

++## Allow users to login using a sssd server ++##

++##
++gen_tunable(authlogin_use_sssd, false) ++ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; @@ -41246,7 +41686,7 @@ index 54d122b..7413dc4 100644 type auth_cache_t; logging_log_file(auth_cache_t) -@@ -44,7 +52,7 @@ type pam_tmp_t; +@@ -44,7 +59,7 @@ type pam_tmp_t; files_tmp_file(pam_tmp_t) type pam_var_console_t; @@ -41255,7 +41695,7 @@ index 54d122b..7413dc4 100644 type pam_var_run_t; files_pid_file(pam_var_run_t) -@@ -83,7 +91,7 @@ logging_log_file(wtmp_t) +@@ -83,7 +98,7 @@ logging_log_file(wtmp_t) allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; @@ -41264,7 +41704,7 @@ index 54d122b..7413dc4 100644 allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -@@ -394,3 +402,11 @@ optional_policy(` +@@ -394,3 +409,11 @@ optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -41591,10 +42031,10 @@ index c310775..d5fc685 100644 term_dontaudit_use_console(hostname_t) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 9775375..299b718 100644 +index 6fed22c..06e5395 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -24,7 +24,21 @@ ifdef(`distro_gentoo',` +@@ -33,7 +33,21 @@ ifdef(`distro_gentoo', ` # # /sbin # @@ -41616,7 +42056,7 @@ index 9775375..299b718 100644 ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -@@ -44,6 +58,9 @@ ifdef(`distro_gentoo', ` +@@ -53,6 +67,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -41627,7 +42067,7 @@ index 9775375..299b718 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index df3fa64..473d2b4 100644 +index ed152c4..be3bb8f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -41675,9 +42115,9 @@ index df3fa64..473d2b4 100644 role system_r types $1; -- domtrans_pattern(init_t,$2,$1) +- domtrans_pattern(init_t, $2, $1) + tunable_policy(`init_systemd',`', ` -+ domtrans_pattern(init_t,$2,$1) ++ domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') @@ -41695,10 +42135,12 @@ index df3fa64..473d2b4 100644 ') typeattribute $1 daemon; -@@ -205,6 +245,21 @@ interface(`init_daemon_domain',` +@@ -204,7 +244,22 @@ interface(`init_daemon_domain',` + role system_r types $1; - domtrans_pattern(initrc_t,$2,$1) +- domtrans_pattern(initrc_t, $2, $1) ++ domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; @@ -41724,8 +42166,8 @@ index df3fa64..473d2b4 100644 + type init_t; ') -- init_daemon_domain($1,$2) -+# init_daemon_domain($1,$2) +- init_daemon_domain($1, $2) ++# init_daemon_domain($1, $2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; @@ -41739,7 +42181,7 @@ index df3fa64..473d2b4 100644 ') ') -@@ -336,8 +394,10 @@ interface(`init_ranged_daemon_domain',` +@@ -336,15 +394,31 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -41749,11 +42191,12 @@ index df3fa64..473d2b4 100644 + attribute initrc_transition_domain; ') - application_domain($1,$2) -@@ -345,6 +405,20 @@ interface(`init_system_domain',` + application_domain($1, $2) + role system_r types $1; - domtrans_pattern(initrc_t,$2,$1) +- domtrans_pattern(initrc_t, $2, $1) ++ domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; @@ -41816,7 +42259,7 @@ index df3fa64..473d2b4 100644 + type init_t; ') - init_system_domain($1,$2) + init_system_domain($1, $2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; @@ -41826,10 +42269,10 @@ index df3fa64..473d2b4 100644 ifdef(`enable_mls',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; + mls_rangetrans_target($1) ') ') - -@@ -687,19 +795,24 @@ interface(`init_telinit',` +@@ -688,19 +796,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -41855,7 +42298,7 @@ index df3fa64..473d2b4 100644 ') ') -@@ -772,18 +885,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +886,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -41879,7 +42322,7 @@ index df3fa64..473d2b4 100644 ') ') -@@ -799,19 +913,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -41925,7 +42368,7 @@ index df3fa64..473d2b4 100644 ') ######################################## -@@ -867,8 +1003,12 @@ interface(`init_script_file_domtrans',` +@@ -868,8 +1004,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -41938,7 +42381,7 @@ index df3fa64..473d2b4 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1129,12 +1269,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1270,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -41952,7 +42395,7 @@ index df3fa64..473d2b4 100644 ') ######################################## -@@ -1374,6 +1509,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1510,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -41980,7 +42423,7 @@ index df3fa64..473d2b4 100644 ## init scripts over dbus. ## ## -@@ -1460,6 +1616,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1617,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -42006,7 +42449,7 @@ index df3fa64..473d2b4 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1673,7 +1848,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1849,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -42015,7 +42458,7 @@ index df3fa64..473d2b4 100644 ') ######################################## -@@ -1748,3 +1923,93 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +1924,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -42110,7 +42553,7 @@ index df3fa64..473d2b4 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 2fbb25a..2cba7c4 100644 +index 0580e7c..28fd86c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -42277,7 +42720,7 @@ index 2fbb25a..2cba7c4 100644 + dev_write_kmsg(init_t) + dev_write_urand(init_t) + dev_rw_autofs(init_t) -+ dev_create_generic_symlinks(init_t) ++ dev_manage_generic_symlinks(init_t) + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) @@ -42534,7 +42977,7 @@ index 2fbb25a..2cba7c4 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +658,7 @@ ifdef(`distro_redhat',` +@@ -474,7 +659,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -42543,7 +42986,7 @@ index 2fbb25a..2cba7c4 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +704,23 @@ ifdef(`distro_redhat',` +@@ -520,6 +705,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -42567,7 +43010,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -526,10 +728,17 @@ ifdef(`distro_redhat',` +@@ -527,10 +729,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -42585,7 +43028,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -544,6 +753,35 @@ ifdef(`distro_suse',` +@@ -545,6 +754,35 @@ ifdef(`distro_suse',` ') ') @@ -42621,7 +43064,7 @@ index 2fbb25a..2cba7c4 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +794,8 @@ optional_policy(` +@@ -557,6 +795,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -42630,7 +43073,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -572,6 +812,7 @@ optional_policy(` +@@ -573,6 +813,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -42638,7 +43081,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -584,6 +825,11 @@ optional_policy(` +@@ -585,6 +826,11 @@ optional_policy(` ') optional_policy(` @@ -42650,7 +43093,7 @@ index 2fbb25a..2cba7c4 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,9 +846,13 @@ optional_policy(` +@@ -601,9 +847,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -42664,7 +43107,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -701,7 +951,13 @@ optional_policy(` +@@ -702,7 +952,13 @@ optional_policy(` ') optional_policy(` @@ -42678,7 +43121,7 @@ index 2fbb25a..2cba7c4 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +980,10 @@ optional_policy(` +@@ -725,6 +981,10 @@ optional_policy(` ') optional_policy(` @@ -42689,7 +43132,7 @@ index 2fbb25a..2cba7c4 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -737,6 +997,10 @@ optional_policy(` +@@ -738,6 +998,10 @@ optional_policy(` ') optional_policy(` @@ -42700,7 +43143,7 @@ index 2fbb25a..2cba7c4 100644 quota_manage_flags(initrc_t) ') -@@ -745,6 +1009,10 @@ optional_policy(` +@@ -746,6 +1010,10 @@ optional_policy(` ') optional_policy(` @@ -42711,7 +43154,7 @@ index 2fbb25a..2cba7c4 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +1034,6 @@ optional_policy(` +@@ -767,8 +1035,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -42720,7 +43163,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -776,14 +1042,21 @@ optional_policy(` +@@ -777,14 +1043,21 @@ optional_policy(` ') optional_policy(` @@ -42742,7 +43185,7 @@ index 2fbb25a..2cba7c4 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1078,19 @@ optional_policy(` +@@ -806,11 +1079,19 @@ optional_policy(` ') optional_policy(` @@ -42763,7 +43206,7 @@ index 2fbb25a..2cba7c4 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1100,25 @@ optional_policy(` +@@ -820,6 +1101,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -42789,7 +43232,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -844,3 +1144,59 @@ optional_policy(` +@@ -845,3 +1145,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -45651,7 +46094,7 @@ index 170e2c7..bbaa8cf 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ff5d72d..f5fdb63 100644 +index ff5d72d..8526f19 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -45808,7 +46251,16 @@ index ff5d72d..f5fdb63 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -405,6 +423,10 @@ ifndef(`direct_sysadm_daemon',` +@@ -380,6 +398,8 @@ selinux_compute_create_context(run_init_t) + selinux_compute_relabel_context(run_init_t) + selinux_compute_user_contexts(run_init_t) + ++term_use_console(run_init_t) ++ + auth_use_nsswitch(run_init_t) + auth_domtrans_chk_passwd(run_init_t) + auth_domtrans_upd_passwd(run_init_t) +@@ -405,6 +425,10 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -45819,7 +46271,7 @@ index ff5d72d..f5fdb63 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +442,22 @@ optional_policy(` +@@ -420,61 +444,22 @@ optional_policy(` # semodule local policy # @@ -45889,7 +46341,7 @@ index ff5d72d..f5fdb63 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -483,12 +466,23 @@ ifdef(`distro_debian',` +@@ -483,12 +468,23 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') @@ -45913,7 +46365,7 @@ index ff5d72d..f5fdb63 100644 # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -498,112 +492,54 @@ ifdef(`enable_mls',` +@@ -498,112 +494,54 @@ ifdef(`enable_mls',` userdom_read_user_tmp_files(semanage_t) ') @@ -46090,7 +46542,7 @@ index 726619b..36426f7 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 8e71fb7..350d003 100644 +index 8e71fb7..f1b155a 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` @@ -46207,21 +46659,15 @@ index 8e71fb7..350d003 100644 ## Read network config files. ##
## -@@ -403,11 +496,8 @@ interface(`sysnet_manage_config',` - type net_conf_t; - ') +@@ -406,6 +499,7 @@ interface(`sysnet_manage_config',` + allow $1 net_conf_t:file manage_file_perms; -- allow $1 net_conf_t:file manage_file_perms; -- -- ifdef(`distro_redhat',` -- manage_files_pattern($1, net_conf_t, net_conf_t) -- ') -+ allow $1 net_conf_t:dir list_dir_perms; -+ manage_files_pattern($1, net_conf_t, net_conf_t) + ifdef(`distro_redhat',` ++ allow $1 net_conf_t:dir list_dir_perms; + manage_files_pattern($1, net_conf_t, net_conf_t) + ') ') - - ####################################### -@@ -444,6 +534,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -444,6 +538,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -46229,7 +46675,7 @@ index 8e71fb7..350d003 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -464,6 +555,10 @@ interface(`sysnet_domtrans_ifconfig',` +@@ -464,6 +559,10 @@ interface(`sysnet_domtrans_ifconfig',` corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -46240,7 +46686,7 @@ index 8e71fb7..350d003 100644 ') ######################################## -@@ -534,6 +629,25 @@ interface(`sysnet_signal_ifconfig',` +@@ -534,6 +633,25 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## @@ -46266,26 +46712,29 @@ index 8e71fb7..350d003 100644 ## Read the DHCP configuration files. ## ## -@@ -677,7 +791,10 @@ interface(`sysnet_use_ldap',` - corenet_tcp_connect_ldap_port($1) +@@ -641,6 +759,8 @@ interface(`sysnet_dns_name_resolve',` + corenet_tcp_connect_dns_port($1) + corenet_sendrecv_dns_client_packets($1) + ++ miscfiles_read_generic_certs($1) ++ + sysnet_read_config($1) + + optional_policy(` +@@ -678,6 +798,9 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) -- sysnet_read_config($1) -+ files_search_etc($1) -+ allow $1 net_conf_t:file read_file_perms; + sysnet_read_config($1) ++ + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## -@@ -709,5 +826,52 @@ interface(`sysnet_use_portmap',` - corenet_tcp_connect_portmap_port($1) - corenet_sendrecv_portmap_client_packets($1) +@@ -711,3 +834,49 @@ interface(`sysnet_use_portmap',` -- sysnet_read_config($1) -+ files_search_etc($1) -+ allow $1 net_conf_t:file read_file_perms; -+') + sysnet_read_config($1) + ') + +######################################## +## @@ -46331,7 +46780,7 @@ index 8e71fb7..350d003 100644 + ') + + role_transition $1 dhcpc_exec_t system_r; - ') ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index dfbe736..d8c6f24 100644 --- a/policy/modules/system/sysnetwork.te @@ -46650,7 +47099,7 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a74c435 +index 0000000..24f8c6f --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,98 @@ @@ -46721,7 +47170,7 @@ index 0000000..a74c435 +files_manage_all_locks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_unlink_all_pid_sockets(systemd_tmpfiles_t) -+ ++files_delete_boot_flag(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) +files_manage_generic_tmp_files(systemd_tmpfiles_t) +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e7330e3..99148d8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -471,6 +471,17 @@ exit 0 %endif %changelog +* Tue Dec 21 2010 Miroslav Grepl 3.9.12-1 +- Update to upstream +- Fixes for systemd policy +- Fixes for passenger policy +- Allow staff users to run mysqld in the staff_t domain, akonadi needs this +- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py +- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data +- Dontaudit (xdm_t) gok attempting to list contents of /var/account +- Telepathy domains need to read urand +- Need interface to getattr all file classes in a mock library for setroubleshoot + * Wed Dec 15 2010 Dan Walsh 3.9.11-2 - Update selinux policy to handle new /usr/share/sandbox/start script