diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9bb7547..123e1ed 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -31994,10 +31994,10 @@ index 0000000..595f756 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..a4b0917 +index 0000000..8b02900 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1041 @@ +@@ -0,0 +1,1043 @@ +## SELinux policy for systemd components + +####################################### @@ -33016,12 +33016,13 @@ index 0000000..a4b0917 + + allow $1 systemd_timedated_t:dbus send_msg; + allow systemd_timedated_t $1:dbus send_msg; ++ ps_process_pattern(systemd_hostnamed_t, $1) +') + +######################################## +## +## Send and receive messages from -+## systemd hostnamed over dbus. ++## systemd timedated over dbus. +## +## +## @@ -33037,14 +33038,15 @@ index 0000000..a4b0917 + + allow $1 systemd_hostnamed_t:dbus send_msg; + allow systemd_hostnamed_t $1:dbus send_msg; ++ ps_process_pattern(systemd_hostnamed_t, $1) +') + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..6c712b8 +index 0000000..913fc52 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,618 @@ +@@ -0,0 +1,620 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -33521,6 +33523,8 @@ index 0000000..6c712b8 +seutil_read_config(systemd_localed_t) +seutil_read_file_contexts(systemd_localed_t) + ++logging_stream_connect_syslog(systemd_localed_t) ++ +miscfiles_manage_localization(systemd_localed_t) +miscfiles_etc_filetrans_localization(systemd_localed_t) + @@ -35034,7 +35038,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..4efa151 100644 +index 3c5dba7..c270e54 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -35050,7 +35054,7 @@ index 3c5dba7..4efa151 100644 corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` +@@ -44,79 +46,133 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -35202,6 +35206,7 @@ index 3c5dba7..4efa151 100644 + miscfiles_read_public_files($1_usertype) - tunable_policy(`allow_execmem',` ++ systemd_dbus_chat_hostnamed($1_usertype) + systemd_dbus_chat_logind($1_usertype) + systemd_read_logind_sessions_files($1_usertype) + systemd_write_inhibit_pipes($1_usertype) @@ -35235,7 +35240,7 @@ index 3c5dba7..4efa151 100644 ') ####################################### -@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` +@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -35244,7 +35249,7 @@ index 3c5dba7..4efa151 100644 ############################## # # Domain access to home dir -@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` +@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -35272,7 +35277,7 @@ index 3c5dba7..4efa151 100644 ') ####################################### -@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` +@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -35284,7 +35289,7 @@ index 3c5dba7..4efa151 100644 ############################## # # Domain access to home dir -@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',` +@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -35348,7 +35353,7 @@ index 3c5dba7..4efa151 100644 ') ') -@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -35374,7 +35379,7 @@ index 3c5dba7..4efa151 100644 ## ## ## Role allowed access. -@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -35444,7 +35449,7 @@ index 3c5dba7..4efa151 100644 ') ####################################### -@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +427,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -35476,7 +35481,7 @@ index 3c5dba7..4efa151 100644 ## Role access for the user tmpfs type ## that the user has full access. ## -@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',` +@@ -348,59 +478,60 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -35567,7 +35572,7 @@ index 3c5dba7..4efa151 100644 ') ####################################### -@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +562,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -35575,7 +35580,7 @@ index 3c5dba7..4efa151 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +594,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +595,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -35586,7 +35591,7 @@ index 3c5dba7..4efa151 100644 ') ') -@@ -491,7 +622,8 @@ template(`userdom_common_user_template',` +@@ -491,7 +623,8 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -35596,7 +35601,7 @@ index 3c5dba7..4efa151 100644 ############################## # -@@ -501,41 +633,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +634,51 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -35671,7 +35676,7 @@ index 3c5dba7..4efa151 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +688,121 @@ template(`userdom_common_user_template',` +@@ -546,93 +689,121 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -35831,7 +35836,7 @@ index 3c5dba7..4efa151 100644 ') optional_policy(` -@@ -646,19 +816,17 @@ template(`userdom_common_user_template',` +@@ -646,19 +817,17 @@ template(`userdom_common_user_template',` # for running depmod as part of the kernel packaging process optional_policy(` @@ -35856,7 +35861,7 @@ index 3c5dba7..4efa151 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +839,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +840,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -35865,7 +35870,7 @@ index 3c5dba7..4efa151 100644 ') optional_policy(` -@@ -680,9 +848,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +849,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -35878,7 +35883,7 @@ index 3c5dba7..4efa151 100644 ') ') -@@ -693,32 +861,36 @@ template(`userdom_common_user_template',` +@@ -693,32 +862,36 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -35926,7 +35931,7 @@ index 3c5dba7..4efa151 100644 ') ') -@@ -743,17 +915,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +916,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -35965,7 +35970,7 @@ index 3c5dba7..4efa151 100644 userdom_change_password_template($1) -@@ -761,82 +949,100 @@ template(`userdom_login_user_template', ` +@@ -761,82 +950,100 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -36102,7 +36107,7 @@ index 3c5dba7..4efa151 100644 ') ') -@@ -868,6 +1074,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1075,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -36115,7 +36120,7 @@ index 3c5dba7..4efa151 100644 ############################## # # Local policy -@@ -908,41 +1120,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1121,97 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -36226,7 +36231,7 @@ index 3c5dba7..4efa151 100644 ') optional_policy(` -@@ -951,12 +1219,30 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1220,30 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -36258,7 +36263,7 @@ index 3c5dba7..4efa151 100644 ') ####################################### -@@ -990,27 +1276,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1277,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -36296,7 +36301,7 @@ index 3c5dba7..4efa151 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1313,57 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1314,57 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -36364,7 +36369,7 @@ index 3c5dba7..4efa151 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -36375,7 +36380,7 @@ index 3c5dba7..4efa151 100644 ') ') -@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -36384,7 +36389,7 @@ index 3c5dba7..4efa151 100644 ') ############################## -@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -36392,7 +36397,7 @@ index 3c5dba7..4efa151 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -36402,7 +36407,7 @@ index 3c5dba7..4efa151 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -36410,7 +36415,7 @@ index 3c5dba7..4efa151 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -36425,7 +36430,7 @@ index 3c5dba7..4efa151 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,30 +1499,39 @@ template(`userdom_admin_user_template',` +@@ -1162,30 +1500,39 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -36470,7 +36475,7 @@ index 3c5dba7..4efa151 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator # cannot directly manipulate policy files with arbitrary programs. -@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -36479,7 +36484,7 @@ index 3c5dba7..4efa151 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -36498,7 +36503,7 @@ index 3c5dba7..4efa151 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36507,7 +36512,7 @@ index 3c5dba7..4efa151 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -36519,7 +36524,7 @@ index 3c5dba7..4efa151 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -36562,7 +36567,7 @@ index 3c5dba7..4efa151 100644 ') optional_policy(` -@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -36581,7 +36586,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -36633,7 +36638,7 @@ index 3c5dba7..4efa151 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -36665,7 +36670,7 @@ index 3c5dba7..4efa151 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -36680,7 +36685,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -36692,7 +36697,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -36735,7 +36740,7 @@ index 3c5dba7..4efa151 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -36744,7 +36749,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -36759,7 +36764,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1772,7 +2248,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2249,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -36768,7 +36773,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -1780,19 +2256,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2257,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -36792,7 +36797,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -1800,31 +2274,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2275,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -36832,7 +36837,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1848,6 +2322,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2323,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -36858,7 +36863,7 @@ index 3c5dba7..4efa151 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2371,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2372,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -36896,7 +36901,7 @@ index 3c5dba7..4efa151 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2411,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2412,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -36914,7 +36919,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -1941,7 +2459,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2460,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -36941,7 +36946,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -1951,17 +2487,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2488,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -36962,7 +36967,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -1969,12 +2503,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2504,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -37013,7 +37018,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -2010,8 +2580,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2581,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -37023,7 +37028,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -2027,20 +2596,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2597,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -37048,7 +37053,7 @@ index 3c5dba7..4efa151 100644 ######################################## ## -@@ -2123,7 +2686,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2687,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -37057,7 +37062,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -2131,19 +2694,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2695,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -37081,7 +37086,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -2151,12 +2712,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2713,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -37097,7 +37102,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -2393,11 +2954,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2955,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -37112,7 +37117,7 @@ index 3c5dba7..4efa151 100644 files_search_tmp($1) ') -@@ -2417,7 +2978,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2979,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -37121,7 +37126,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -2664,6 +3225,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3226,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -37147,7 +37152,7 @@ index 3c5dba7..4efa151 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3260,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3261,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -37163,7 +37168,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -2707,7 +3288,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3289,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -37172,7 +37177,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -2715,19 +3296,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3297,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -37195,7 +37200,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -2735,21 +3314,39 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2735,21 +3315,39 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # @@ -37240,7 +37245,7 @@ index 3c5dba7..4efa151 100644 ## ## # -@@ -2817,6 +3414,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3415,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -37265,7 +37270,7 @@ index 3c5dba7..4efa151 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3450,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3451,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -37308,7 +37313,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -2859,14 +3486,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3487,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -37346,7 +37351,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -2885,8 +3531,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3532,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -37376,7 +37381,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -2958,69 +3623,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3624,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -37477,7 +37482,7 @@ index 3c5dba7..4efa151 100644 ## ## ## -@@ -3028,12 +3692,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3693,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -37492,7 +37497,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -3097,7 +3761,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3762,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -37501,7 +37506,7 @@ index 3c5dba7..4efa151 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3777,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3778,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -37535,7 +37540,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -3217,7 +3865,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3866,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -37544,7 +37549,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -3272,7 +3920,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3921,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -37610,7 +37615,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -3290,7 +3995,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3996,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -37619,7 +37624,7 @@ index 3c5dba7..4efa151 100644 ') ######################################## -@@ -3309,6 +4014,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4015,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -37627,7 +37632,7 @@ index 3c5dba7..4efa151 100644 kernel_search_proc($1) ') -@@ -3385,6 +4091,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4092,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -37670,7 +37675,7 @@ index 3c5dba7..4efa151 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4147,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4148,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -37695,7 +37700,7 @@ index 3c5dba7..4efa151 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4199,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4200,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c71d3e6..cb0c0a9 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -64,7 +64,7 @@ index e4f84de..94697ea 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..cce58bb 100644 +index 058d908..b7620e3 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -314,7 +314,7 @@ index 058d908..cce58bb 100644 + ') + + systemd_exec_systemctl($1) -+ allow $1 abrt_unit_file_t:file read_file_perms; ++ allow $1 abrt_unit_file_t:file manage_file_perms; + allow $1 abrt_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, abrt_t) @@ -16924,7 +16924,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..90299b3 100644 +index afcf3a2..0730306 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -17409,7 +17409,7 @@ index afcf3a2..90299b3 100644 ## ## ## -@@ -543,33 +387,57 @@ interface(`dbus_system_bus_unconfined',` +@@ -543,33 +387,24 @@ interface(`dbus_system_bus_unconfined',` # interface(`dbus_system_domain',` gen_require(` @@ -17425,122 +17425,114 @@ index afcf3a2..90299b3 100644 - role system_r types $1; - domtrans_pattern(system_dbusd_t, $2, $1) -+') - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) -+######################################## -+## -+## Use and inherit system DBUS file descriptors. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_use_system_bus_fds',` -+ gen_require(` -+ type system_dbusd_t; -+ ') - +- - userdom_read_all_users_state($1) -+ allow $1 system_dbusd_t:fd use; -+') ++ ps_process_pattern($1, system_dbusd_t) - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+######################################## -+## -+## Allow unconfined access to the system DBUS. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_unconfined',` -+ gen_require(` -+ attribute dbusd_unconfined; - ') -+ -+ typeattribute $1 dbusd_unconfined; +- ') ') ######################################## ## -## Use and inherit DBUS system bus -## file descriptors. -+## Delete all dbus pid files ++## Use and inherit system DBUS file descriptors. ## ## ## -@@ -577,18 +445,20 @@ interface(`dbus_system_domain',` - ## - ## - # --interface(`dbus_use_system_bus_fds',` -+interface(`dbus_delete_pid_files',` - gen_require(` -- type system_dbusd_t; -+ type system_dbusd_var_run_t; - ') - -- allow $1 system_dbusd_t:fd use; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) - ') +@@ -587,26 +422,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. ++## Allow unconfined access to the system DBUS. ## ## ## -@@ -596,28 +466,51 @@ interface(`dbus_use_system_bus_fds',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_dontaudit_stream_connect_session_bus',` ++interface(`dbus_unconfined',` gen_require(` - type system_dbusd_t; -+ attribute session_bus_type; ++ attribute dbusd_unconfined; ') - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; ++ typeattribute $1 dbusd_unconfined; ') ######################################## ## -## Unconfined access to DBUS. -+## Do not audit attempts to send dbus -+## messages to session bus types. ++## Delete all dbus pid files ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -614,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # -interface(`dbus_unconfined',` -+interface(`dbus_dontaudit_chat_session_bus',` ++interface(`dbus_delete_pid_files',` gen_require(` - attribute dbusd_unconfined; -+ attribute session_bus_type; -+ class dbus send_msg; ++ type system_dbusd_var_run_t; ') - typeattribute $1 dbusd_unconfined; ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_stream_connect_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ ') ++ ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Do not audit attempts to send dbus ++## messages to session bus types. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_chat_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; ++ ') ++ + dontaudit $1 session_bus_type:dbus send_msg; +') + @@ -23707,12 +23699,35 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..6704414 +index 0000000..9cfc035 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,104 @@ +@@ -0,0 +1,145 @@ +policy_module(glusterfs, 1.0.1) + ++## ++##

++## Allow glusterfsd to modify public files used for public file ++## transfer services. Files/Directories must be labeled ++## public_content_rw_t. ++##

++##
++gen_tunable(gluster_anon_write, false) ++ ++## ++##

++## Allow glusterfsd to share any file/directory read only. ++##

++##
++gen_tunable(gluster_export_all_ro, false) ++ ++## ++##

++## Allow glusterfsd to share any file/directory read/write. ++##

++##
++gen_tunable(gluster_export_all_rw, false) ++ +######################################## +# +# Declarations @@ -23806,6 +23821,8 @@ index 0000000..6704414 + +domain_use_interactive_fds(glusterd_t) + ++fs_getattr_all_fs(glusterd_t) ++ +auth_use_nsswitch(glusterd_t) + +fs_getattr_all_fs(glusterd_t) @@ -23813,8 +23830,24 @@ index 0000000..6704414 +logging_send_syslog_msg(glusterd_t) + +miscfiles_read_localization(glusterd_t) ++miscfiles_read_public_files(glusterd_t) + +userdom_manage_user_home_dirs(glusterd_t) ++ ++tunable_policy(`gluster_anon_write',` ++ miscfiles_manage_public_files(glusterd_t) ++') ++ ++tunable_policy(`gluster_export_all_ro',` ++ fs_read_noxattr_fs_files(glusterd_t) ++ files_read_non_security_files(glusterd_t) ++') ++ ++tunable_policy(`gluster_export_all_rw',` ++ fs_manage_noxattr_fs_files(glusterd_t) ++ files_manage_non_security_files(glusterd_t) ++') ++ diff --git a/glusterfs.fc b/glusterfs.fc deleted file mode 100644 index 4bd6ade..0000000 @@ -28136,10 +28169,84 @@ index c5a8112..947efe0 100644 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_user_home_dirs(irqbalance_t) +diff --git a/iscsi.fc b/iscsi.fc +index 08b7560..9d1930b 100644 +--- a/iscsi.fc ++++ b/iscsi.fc +@@ -1,19 +1,17 @@ +-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0) +- + /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) + /sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) + + /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) + /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) + + /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) + + /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) + +-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) + /var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) ++ ++/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) ++/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +diff --git a/iscsi.if b/iscsi.if +index 1a35420..1d27695 100644 +--- a/iscsi.if ++++ b/iscsi.if +@@ -88,27 +88,21 @@ interface(`iscsi_read_lib_files',` + ## Domain allowed access. + ##
+ ## +-## +-## +-## Role allowed access. +-## +-## + ## + # + interface(`iscsi_admin',` + gen_require(` + type iscsid_t, iscsi_lock_t, iscsi_log_t; + type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; +- type iscsi_initrc_exec_t; ++ type iscsi_unit_file_t; + ') + + allow $1 iscsid_t:process { ptrace signal_perms }; + ps_process_pattern($1, iscsid_t) + +- init_labeled_script_domtrans($1, iscsi_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 iscsi_initrc_exec_t system_r; +- allow $2 system_r; ++ systemd_exec_systemctl($1) ++ allow $1 iscsi_unit_file_t:file manage_file_perms; ++ allow $1 iscsi_unit_file_t:service manage_service_perms; + + logging_search_logs($1) + admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index 57304e4..3dba77f 100644 +index 57304e4..74153ec 100644 --- a/iscsi.te +++ b/iscsi.te +@@ -9,8 +9,8 @@ type iscsid_t; + type iscsid_exec_t; + init_daemon_domain(iscsid_t, iscsid_exec_t) + +-type iscsi_initrc_exec_t; +-init_script_file(iscsi_initrc_exec_t) ++type iscsi_unit_file_t; ++systemd_unit_file(iscsi_unit_file_t) + + type iscsi_lock_t; + files_lock_file(iscsi_lock_t) @@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t) # @@ -28148,7 +28255,12 @@ index 57304e4..3dba77f 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; -@@ -68,7 +67,6 @@ kernel_read_network_state(iscsid_t) +@@ -64,11 +63,11 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) + + can_exec(iscsid_t, iscsid_exec_t) + ++kernel_request_load_module(iscsid_t) + kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) kernel_setsched(iscsid_t) @@ -28156,18 +28268,22 @@ index 57304e4..3dba77f 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,6 +83,10 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,10 +84,12 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) +-dev_read_raw_memory(iscsid_t) +corenet_sendrecv_winshadow_client_packets(iscsid_t) +corenet_tcp_connect_winshadow_port(iscsid_t) +corenet_tcp_sendrecv_winshadow_port(iscsid_t) + - dev_read_raw_memory(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) -@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t) +-dev_write_raw_memory(iscsid_t) + + domain_use_interactive_fds(iscsid_t) + domain_dontaudit_read_all_domains_state(iscsid_t) +@@ -99,8 +100,6 @@ init_stream_connect_script(iscsid_t) logging_send_syslog_msg(iscsid_t) @@ -42489,7 +42605,7 @@ index 8aa1bfa..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index 46e55c3..1112fae 100644 +index 46e55c3..346242e 100644 --- a/nis.if +++ b/nis.if @@ -1,4 +1,4 @@ @@ -42518,14 +42634,12 @@ index 46e55c3..1112fae 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -49,14 +44,13 @@ interface(`nis_use_ypbind_uncond',` +@@ -49,14 +44,11 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) -+ corenet_tcp_bind_all_rpc_ports($1) -+ corenet_udp_bind_all_rpc_ports($1) corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) @@ -42536,7 +42650,7 @@ index 46e55c3..1112fae 100644 corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) -@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',` +@@ -88,14 +80,14 @@ interface(`nis_use_ypbind_uncond',` ## # interface(`nis_use_ypbind',` @@ -42553,7 +42667,7 @@ index 46e55c3..1112fae 100644 ##
## ## -@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',` +@@ -105,7 +97,7 @@ interface(`nis_use_ypbind',` ## # interface(`nis_authenticate',` @@ -42562,7 +42676,7 @@ index 46e55c3..1112fae 100644 nis_use_ypbind_uncond($1) corenet_tcp_bind_all_rpc_ports($1) corenet_udp_bind_all_rpc_ports($1) -@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',` +@@ -133,20 +125,19 @@ interface(`nis_domtrans_ypbind',` ####################################### ## @@ -42590,7 +42704,7 @@ index 46e55c3..1112fae 100644 can_exec($1, ypbind_exec_t) ') -@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',` +@@ -169,11 +160,11 @@ interface(`nis_exec_ypbind',` # interface(`nis_run_ypbind',` gen_require(` @@ -42604,7 +42718,7 @@ index 46e55c3..1112fae 100644 ') ######################################## -@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',` +@@ -196,7 +187,7 @@ interface(`nis_signal_ypbind',` ######################################## ## @@ -42613,7 +42727,7 @@ index 46e55c3..1112fae 100644 ## ## ## -@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',` +@@ -272,10 +263,11 @@ interface(`nis_read_ypbind_pid',` # interface(`nis_delete_ypbind_pid',` gen_require(` @@ -42627,7 +42741,7 @@ index 46e55c3..1112fae 100644 ') ######################################## -@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -355,8 +347,57 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## @@ -42687,7 +42801,7 @@ index 46e55c3..1112fae 100644 ## ## ## -@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -372,32 +413,56 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -51986,7 +52100,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 49694e8..0372dfd 100644 +index 49694e8..e426304 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -52018,7 +52132,7 @@ index 49694e8..0372dfd 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,48 +37,43 @@ files_pid_file(policykit_var_run_t) +@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t) ####################################### # @@ -52081,7 +52195,10 @@ index 49694e8..0372dfd 100644 domain_read_all_domains_state(policykit_t) -@@ -93,12 +83,17 @@ fs_list_inotifyfs(policykit_t) + files_dontaudit_search_all_mountpoints(policykit_t) + ++fs_getattr_all_fs(policykit_t) + fs_list_inotifyfs(policykit_t) auth_use_nsswitch(policykit_t) @@ -52099,7 +52216,7 @@ index 49694e8..0372dfd 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +104,43 @@ optional_policy(` +@@ -109,29 +105,43 @@ optional_policy(` ') optional_policy(` @@ -52151,7 +52268,7 @@ index 49694e8..0372dfd 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,9 +154,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,9 +155,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -52161,7 +52278,7 @@ index 49694e8..0372dfd 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) -@@ -162,48 +168,58 @@ auth_rw_var_auth(policykit_auth_t) +@@ -162,48 +169,58 @@ auth_rw_var_auth(policykit_auth_t) auth_use_nsswitch(policykit_auth_t) auth_domtrans_chk_passwd(policykit_auth_t) @@ -52230,7 +52347,7 @@ index 49694e8..0372dfd 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +227,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +228,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -52257,7 +52374,7 @@ index 49694e8..0372dfd 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +248,28 @@ optional_policy(` +@@ -235,26 +249,28 @@ optional_policy(` ######################################## # @@ -52292,7 +52409,7 @@ index 49694e8..0372dfd 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +281,7 @@ optional_policy(` +@@ -266,6 +282,7 @@ optional_policy(` ') optional_policy(` @@ -69204,7 +69321,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..4d983f7 100644 +index 57c034b..055c3c5 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -69758,9 +69875,9 @@ index 57c034b..4d983f7 100644 + +tunable_policy(`samba_export_all_rw',` + allow nmbd_t self:capability { dac_read_search dac_override }; -+ fs_read_noxattr_fs_files(smbd_t) ++ fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) -+ fs_read_noxattr_fs_files(nmbd_t) ++ fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) +') + @@ -79818,10 +79935,10 @@ index 0000000..601aea3 +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..72c42ad +index 0000000..eb30b4c --- /dev/null +++ b/thumb.if -@@ -0,0 +1,126 @@ +@@ -0,0 +1,125 @@ + +## policy for thumb + @@ -79901,8 +80018,7 @@ index 0000000..72c42ad + ps_process_pattern($2, thumb_t) + allow thumb_t $2:unix_stream_socket connectto; + -+ allow $2 thumb_t:dbus send_msg; -+ allow thumb_t $2:dbus send_msg; ++ thumb_dbus_chat($2) + thumb_filetrans_home_content($2) +') +