diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 5224658..b57ae16 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0af94e9..5c190b1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2922,7 +2922,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..f6ff7aa 100644 +index 1d732f1..47af4c3 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3151,7 +3151,7 @@ index 1d732f1..f6ff7aa 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,18 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +383,19 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3160,6 +3160,7 @@ index 1d732f1..f6ff7aa 100644 + +# needed by gnome-keyring +userdom_manage_user_tmp_files(passwd_t) ++userdom_manage_user_tmp_dirs(passwd_t) + +optional_policy(` + gnome_exec_keyringd(passwd_t) @@ -3170,7 +3171,7 @@ index 1d732f1..f6ff7aa 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +444,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +445,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3183,7 +3184,7 @@ index 1d732f1..f6ff7aa 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3191,7 +3192,7 @@ index 1d732f1..f6ff7aa 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +469,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +470,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3204,7 +3205,7 @@ index 1d732f1..f6ff7aa 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +486,8 @@ optional_policy(` +@@ -446,7 +487,8 @@ optional_policy(` # Useradd local policy # @@ -3214,7 +3215,7 @@ index 1d732f1..f6ff7aa 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3225,7 +3226,7 @@ index 1d732f1..f6ff7aa 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +513,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +514,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3265,7 +3266,7 @@ index 1d732f1..f6ff7aa 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +542,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +543,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3273,7 +3274,7 @@ index 1d732f1..f6ff7aa 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +553,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +554,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3318,7 +3319,7 @@ index 1d732f1..f6ff7aa 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -545,14 +589,27 @@ optional_policy(` +@@ -545,14 +590,27 @@ optional_policy(` ') optional_policy(` @@ -3346,7 +3347,7 @@ index 1d732f1..f6ff7aa 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +619,12 @@ optional_policy(` +@@ -562,3 +620,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5812,7 +5813,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..90ffe79 100644 +index b191055..72bc5d0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5886,7 +5887,7 @@ index b191055..90ffe79 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -76,63 +99,79 @@ type server_packet_t, packet_type, server_packet_type; +@@ -76,63 +99,80 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) @@ -5956,6 +5957,7 @@ index b191055..90ffe79 100644 network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0) network_port(epmap, tcp,135,s0, udp,135,s0) network_port(epmd, tcp,4369,s0, udp,4369,s0) ++network_port(fac_restore, tcp,5582,s0, udp,5582,s0) network_port(fingerd, tcp,79,s0) -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) @@ -5976,7 +5978,7 @@ index b191055..90ffe79 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +179,60 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +180,60 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -6052,7 +6054,7 @@ index b191055..90ffe79 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +240,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +241,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -6117,8 +6119,9 @@ index b191055..90ffe79 100644 +network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) +-network_port(redis, tcp,6379,s0) +network_port(time, tcp,37,s0, udp,37,s0) - network_port(redis, tcp,6379,s0) ++network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0) network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) @@ -6200,7 +6203,7 @@ index b191055..90ffe79 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +370,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +371,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6227,7 +6230,7 @@ index b191055..90ffe79 100644 ######################################## # -@@ -333,6 +419,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +420,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6236,7 +6239,7 @@ index b191055..90ffe79 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +433,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +434,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -11030,7 +11033,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..917b5b2 100644 +index f962f76..41b68a6 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -15076,7 +15079,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',` +@@ -5808,63 +6675,68 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -15134,10 +15137,11 @@ index f962f76..917b5b2 100644 + filetrans_pattern($1, var_t, $2, $3, $4) ') ++ ######################################## ## -## Delete all lock files. -+## Get the attributes of the /var/lib directory. ++## Relabel dirs in the /var directory. ## ## ## @@ -15147,46 +15151,32 @@ index f962f76..917b5b2 100644 -## # -interface(`files_delete_all_locks',` -+interface(`files_getattr_var_lib_dirs',` ++interface(`files_relabel_var_dirs',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; -+ type var_t, var_lib_t; ++ type var_t; ') - +- - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, lockfile, lockfile) -+ getattr_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 var_t:dir relabel_dir_perms; ') ######################################## ## -## Read all lock files. -+## Search the /var/lib directory. ++## Get the attributes of the /var/lib directory. ## -+## -+##

-+## Search the /var/lib directory. This is -+## necessary to access files or directories under -+## /var/lib that have a private type. For example, a -+## domain accessing a private library file in the -+## /var/lib directory: -+##

-+##

-+## allow mydomain_t mylibfile_t:file read_file_perms; -+## files_search_var_lib(mydomain_t) -+##

-+##
## ## - ## Domain allowed access. +@@ -5872,101 +6744,87 @@ interface(`files_delete_all_locks',` ## ## -+## # -interface(`files_read_all_locks',` -+interface(`files_search_var_lib',` ++interface(`files_getattr_var_lib_dirs',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; @@ -15198,29 +15188,40 @@ index f962f76..917b5b2 100644 - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -+ search_dirs_pattern($1, var_t, var_lib_t) ++ getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## -## manage all lock files. -+## Do not audit attempts to search the -+## contents of /var/lib. ++## Search the /var/lib directory. ## ++## ++##

++## Search the /var/lib directory. This is ++## necessary to access files or directories under ++## /var/lib that have a private type. For example, a ++## domain accessing a private library file in the ++## /var/lib directory: ++##

++##

++## allow mydomain_t mylibfile_t:file read_file_perms; ++## files_search_var_lib(mydomain_t) ++##

++##
## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## +## # -interface(`files_manage_all_locks',` -+interface(`files_dontaudit_search_var_lib',` ++interface(`files_search_var_lib',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; -+ type var_lib_t; ++ type var_t, var_lib_t; ') - allow $1 var_lock_t:lnk_file read_lnk_file_perms; @@ -15228,20 +15229,21 @@ index f962f76..917b5b2 100644 - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -+ dontaudit $1 var_lib_t:dir search_dir_perms; ++ search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## -## Create an object in the locks directory, with a private -## type using a type transition. -+## List the contents of the /var/lib directory. ++## Do not audit attempts to search the ++## contents of /var/lib. ## ## ## - ## Domain allowed access. - ## - ## +-## Domain allowed access. +-##
+-## -## -## -## The type of the object to be created. @@ -15255,28 +15257,29 @@ index f962f76..917b5b2 100644 -## -## -## The name of the object being created. --## --## ++## Domain to not audit. + ## + ## ++## # -interface(`files_lock_filetrans',` -+interface(`files_list_var_lib',` ++interface(`files_dontaudit_search_var_lib',` gen_require(` - type var_t, var_lock_t; -+ type var_t, var_lib_t; ++ type var_lib_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_lock_t, $2, $3, $4) -+ list_dirs_pattern($1, var_t, var_lib_t) ++ dontaudit $1 var_lib_t:dir search_dir_perms; ') --######################################## -+########################################### + ######################################## ## -## Do not audit attempts to get the attributes -## of the /var/run directory. -+## Read-write /var/lib directories ++## List the contents of the /var/lib directory. ## ## ## @@ -15286,30 +15289,31 @@ index f962f76..917b5b2 100644 ## # -interface(`files_dontaudit_getattr_pid_dirs',` -+interface(`files_rw_var_lib_dirs',` ++interface(`files_list_var_lib',` gen_require(` - type var_run_t; -+ type var_lib_t; ++ type var_t, var_lib_t; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir getattr; -+ rw_dirs_pattern($1, var_lib_t, var_lib_t) ++ list_dirs_pattern($1, var_t, var_lib_t) ') - ######################################## +-######################################## ++########################################### ## -## Set the attributes of the /var/run directory. -+## Create directories in /var/lib ++## Read-write /var/lib directories ## ## ## -@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,19 +6832,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # -interface(`files_setattr_pid_dirs',` -+interface(`files_create_var_lib_dirs',` ++interface(`files_rw_var_lib_dirs',` gen_require(` - type var_run_t; + type var_lib_t; @@ -15317,65 +15321,64 @@ index f962f76..917b5b2 100644 - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir setattr; -+ allow $1 var_lib_t:dir { create rw_dir_perms }; ++ rw_dirs_pattern($1, var_lib_t, var_lib_t) ') -+ ######################################## ## -## Search the contents of runtime process -## ID directories (/var/run). -+## Create objects in the /var/lib directory ++## Create directories in /var/lib ## ## ## - ## Domain allowed access. +@@ -5994,39 +6850,52 @@ interface(`files_setattr_pid_dirs',` ## ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## # -interface(`files_search_pids',` -+interface(`files_var_lib_filetrans',` ++interface(`files_create_var_lib_dirs',` gen_require(` - type var_t, var_run_t; -+ type var_t, var_lib_t; ++ type var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_lib_t, $2, $3, $4) ++ allow $1 var_lib_t:dir { create rw_dir_perms }; ') ++ ######################################## ## -## Do not audit attempts to search -## the /var/run directory. -+## Read generic files in /var/lib. ++## Create objects in the /var/lib directory ## ## ## -## Domain to not audit. +## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ## ## # -interface(`files_dontaudit_search_pids',` -+interface(`files_read_var_lib_files',` ++interface(`files_var_lib_filetrans',` gen_require(` - type var_run_t; + type var_t, var_lib_t; @@ -15383,24 +15386,24 @@ index f962f76..917b5b2 100644 - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir search_dir_perms; -+ allow $1 var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_lib_t, $2, $3, $4) ') ######################################## ## -## List the contents of the runtime process -## ID directories (/var/run). -+## Read generic symbolic links in /var/lib ++## Read generic files in /var/lib. ## ## ## -@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6903,18 @@ interface(`files_dontaudit_search_pids',` ## ## # -interface(`files_list_pids',` -+interface(`files_read_var_lib_symlinks',` ++interface(`files_read_var_lib_files',` gen_require(` - type var_t, var_run_t; + type var_t, var_lib_t; @@ -15408,69 +15411,127 @@ index f962f76..917b5b2 100644 - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) -+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ######################################## ## -## Read generic process ID files. -+## manage generic symbolic links -+## in the /var/lib directory. ++## Read generic symbolic links in /var/lib ## ## ## -@@ -6053,19 +6923,21 @@ interface(`files_list_pids',` +@@ -6053,19 +6922,18 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` -+interface(`files_manage_var_lib_symlinks',` ++interface(`files_read_var_lib_symlinks',` gen_require(` - type var_t, var_run_t; -+ type var_lib_t; ++ type var_t, var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') -+# cjp: the next two interfaces really need to be fixed -+# in some way. They really neeed their own types. -+ ######################################## ## -## Write named generic process ID pipes -+## Create, read, write, and delete the -+## pseudorandom number generator seed. ++## manage generic symbolic links ++## in the /var/lib directory. ## ## ## -@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',` +@@ -6073,23 +6941,652 @@ interface(`files_read_generic_pids',` ## ## # -interface(`files_write_generic_pid_pipes',` -+interface(`files_manage_urandom_seed',` ++interface(`files_manage_var_lib_symlinks',` gen_require(` - type var_run_t; -+ type var_t, var_lib_t; ++ type var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ') ++# cjp: the next two interfaces really need to be fixed ++# in some way. They really neeed their own types. ++ ######################################## ## -## Create an object in the process ID directory, with a private type. -+## Allow domain to manage mount tables -+## necessary for rpcd, nfsd, etc. ++## Create, read, write, and delete the ++## pseudorandom number generator seed. ## -## +-##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating ++## ++##

++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_urandom_seed',` ++ gen_require(` ++ type var_t, var_lib_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) ++') ++ ++ ++######################################## ++## ++## Relabel to dirs in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir relabelto; ++') ++ ++ ++######################################## ++## ++## Relabel dirs in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir relabel_dir_perms; ++') ++ ++######################################## ++## ++## Allow domain to manage mount tables ++## necessary for rpcd, nfsd, etc. ++## +## +## +## Domain allowed access. @@ -16045,14 +16106,14 @@ index f962f76..917b5b2 100644 +##

+## Create an object in the process ID directory (e.g., /var/run) +## with a private type. Typically this is used for creating -+## private PID files in /var/run with the private type instead -+## of the general PID file type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

-+##

-+## Related interfaces: -+##

-+##
    + ## private PID files in /var/run with the private type instead + ## of the general PID file type. To accomplish this goal, + ## either the program must be SELinux-aware, or use this interface. +@@ -6098,18 +7595,781 @@ interface(`files_write_generic_pid_pipes',` + ## Related interfaces: + ##

    + ##
      +-##
    • files_pid_file()
    • +##
    • files_pid_file()
    • +##
    +##

    @@ -16497,23 +16558,17 @@ index f962f76..917b5b2 100644 +## used for spool files. +##

+## - ##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. ++##

+## Make the specified type usable for spool files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a spool file may result in problems with +## purging spool files. - ##

- ##

- ## Related interfaces: - ##

- ##
    --##
  • files_pid_file()
  • ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      +##
    • files_spool_filetrans()
    • ##
    ##

    @@ -16843,7 +16898,7 @@ index f962f76..917b5b2 100644 ##

    ## ## -@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8377,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17030,7 +17085,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8535,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17054,7 +17109,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8553,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17077,7 +17132,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6237,129 +8517,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8571,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17247,7 +17302,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6367,18 +8637,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8691,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17272,7 +17327,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6386,132 +8657,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8711,227 @@ interface(`files_search_spool',` ## ## # @@ -17546,7 +17601,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6519,53 +8885,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8939,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17604,7 +17659,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6573,10 +8903,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8957,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -25199,7 +25254,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..d2f55a2 100644 +index 2522ca6..fe03d6d 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -25359,18 +25414,18 @@ index 2522ca6..d2f55a2 100644 optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) + ') + + optional_policy(` +- cvs_exec(sysadm_t) ++ consoletype_exec(sysadm_t) +') + +optional_policy(` -+ consoletype_exec(sysadm_t) ++ daemonstools_run_start(sysadm_t, sysadm_r) +') + +optional_policy(` -+ daemonstools_run_start(sysadm_t, sysadm_r) - ') - - optional_policy(` -- cvs_exec(sysadm_t) + dbus_role_template(sysadm, sysadm_r, sysadm_t) + + dontaudit sysadm_dbusd_t self:capability net_admin; @@ -25494,7 +25549,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -237,14 +334,28 @@ optional_policy(` +@@ -237,14 +334,32 @@ optional_policy(` ') optional_policy(` @@ -25520,10 +25575,14 @@ index 2522ca6..d2f55a2 100644 + +optional_policy(` + nx_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ oddjob_dbus_chat(sysadm_t) ') optional_policy(` -@@ -252,10 +363,20 @@ optional_policy(` +@@ -252,10 +367,20 @@ optional_policy(` ') optional_policy(` @@ -25544,7 +25603,7 @@ index 2522ca6..d2f55a2 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +387,41 @@ optional_policy(` +@@ -266,35 +391,46 @@ optional_policy(` ') optional_policy(` @@ -25555,30 +25614,35 @@ index 2522ca6..d2f55a2 100644 optional_policy(` - quota_run(sysadm_t, sysadm_r) + postgresql_admin(sysadm_t, sysadm_r) ++ postgresql_run(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) -+ prelink_run(sysadm_t, sysadm_r) ++ journalctl_role(sysadm_r, sysadm_t) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) -+ puppet_run_puppetca(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - rpc_domtrans_nfsd(sysadm_t) -+ quota_filetrans_named_content(sysadm_t) ++ puppet_run_puppetca(sysadm_t, sysadm_r) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) -+ raid_domtrans_mdadm(sysadm_t) ++ quota_filetrans_named_content(sysadm_t) ') optional_policy(` - rssh_role(sysadm_r, sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) ++') ++ ++optional_policy(` + rpc_domtrans_nfsd(sysadm_t) +') + @@ -25593,7 +25657,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -308,6 +435,7 @@ optional_policy(` +@@ -308,6 +444,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25601,7 +25665,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -315,12 +443,20 @@ optional_policy(` +@@ -315,12 +452,20 @@ optional_policy(` ') optional_policy(` @@ -25623,7 +25687,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -345,30 +481,37 @@ optional_policy(` +@@ -345,30 +490,37 @@ optional_policy(` ') optional_policy(` @@ -25670,7 +25734,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -380,10 +523,6 @@ optional_policy(` +@@ -380,10 +532,6 @@ optional_policy(` ') optional_policy(` @@ -25681,7 +25745,7 @@ index 2522ca6..d2f55a2 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +530,9 @@ optional_policy(` +@@ -391,6 +539,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25691,7 +25755,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -398,31 +540,34 @@ optional_policy(` +@@ -398,31 +549,34 @@ optional_policy(` ') optional_policy(` @@ -25732,7 +25796,7 @@ index 2522ca6..d2f55a2 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +580,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +589,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25743,7 +25807,7 @@ index 2522ca6..d2f55a2 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +600,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +609,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -27188,10 +27252,10 @@ index a26f84f..f4a44eb 100644 -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 9d2f311..9e87525 100644 +index 9d2f311..2d782e0 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if -@@ -10,90 +10,21 @@ +@@ -10,90 +10,46 @@ ## ## ## @@ -27237,7 +27301,8 @@ index 9d2f311..9e87525 100644 typeattribute $2 sepgsql_client_type; role $1 types sepgsql_trusted_proc_t; role $1 types sepgsql_ranged_proc_t; -- ++') + - ############################## - # - # Client local policy @@ -27251,8 +27316,27 @@ index 9d2f311..9e87525 100644 - allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; - allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; -- ') -- ++######################################## ++## ++## Execute the postgresql program in the postgresql domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the postgresql domain. ++## ++## ++## ++# ++interface(`postgresql_run',` ++ gen_require(` ++ type postgresql_t; + ') + - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; - type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; - type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; @@ -27283,10 +27367,12 @@ index 9d2f311..9e87525 100644 - - allow $2 sepgsql_trusted_proc_t:process transition; - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ postgresql_domtrans($1) ++ role $2 types postgresql_t; ') ######################################## -@@ -312,7 +243,7 @@ interface(`postgresql_search_db',` +@@ -312,7 +268,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') @@ -27295,7 +27381,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -324,14 +255,16 @@ interface(`postgresql_search_db',` +@@ -324,14 +280,16 @@ interface(`postgresql_search_db',` ## Domain allowed access. ## ## @@ -27315,7 +27401,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',` +@@ -354,6 +312,24 @@ interface(`postgresql_domtrans',` ###################################### ## @@ -27340,7 +27426,7 @@ index 9d2f311..9e87525 100644 ## Allow domain to signal postgresql ## ## -@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',` +@@ -421,7 +397,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ## ## @@ -27348,7 +27434,7 @@ index 9d2f311..9e87525 100644 # interface(`postgresql_stream_connect',` gen_require(` -@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',` +@@ -432,6 +407,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) files_search_tmp($1) @@ -27356,7 +27442,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',` +@@ -447,83 +423,10 @@ interface(`postgresql_stream_connect',` # interface(`postgresql_unpriv_client',` gen_require(` @@ -27440,7 +27526,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',` +@@ -547,6 +450,29 @@ interface(`postgresql_unconfined',` ######################################## ## @@ -27470,7 +27556,7 @@ index 9d2f311..9e87525 100644 ## All of the rules required to administrate an postgresql environment ## ## -@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',` +@@ -563,35 +489,41 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` @@ -35033,7 +35119,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..cf6add7 100644 +index 79a45f6..e176b9f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -35598,12 +35684,36 @@ index 79a45f6..cf6add7 100644 files_search_etc($1) ') -@@ -1012,26 +1260,27 @@ interface(`init_read_state',` +@@ -992,7 +1240,7 @@ interface(`init_run_daemon',` + + ######################################## + ## +-## Read the process state (/proc/pid) of init. ++## Allow execute all init daemon executables type without transition. + ## + ## + ## +@@ -1000,38 +1248,37 @@ interface(`init_run_daemon',` + ## + ## + # +-interface(`init_read_state',` ++interface(`init_exec_notrans_direct_init_entry',` + gen_require(` +- type init_t; ++ attribute direct_init_entry; + ') + +- allow $1 init_t:dir search_dir_perms; +- allow $1 init_t:file read_file_perms; +- allow $1 init_t:lnk_file read_lnk_file_perms; ++ allow $1 direct_init_entry:file execute_no_trans; + ') ######################################## ## -## Ptrace init -+## Dontaudit read the process state (/proc/pid) of init. ++## Read the process state (/proc/pid) of init. ## ## ## @@ -35613,52 +35723,54 @@ index 79a45f6..cf6add7 100644 -## # -interface(`init_ptrace',` -+interface(`init_dontaudit_read_state',` ++interface(`init_read_state',` gen_require(` type init_t; ') - allow $1 init_t:process ptrace; -+ dontaudit $1 init_t:dir search_dir_perms; -+ dontaudit $1 init_t:file read_file_perms; -+ dontaudit $1 init_t:lnk_file read_lnk_file_perms; ++ allow $1 init_t:dir search_dir_perms; ++ allow $1 init_t:file read_file_perms; ++ allow $1 init_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## Write an init script unnamed pipe. -+## Read the process keyring of init. ++## Dontaudit read the process state (/proc/pid) of init. ## ## ## -@@ -1039,17 +1288,17 @@ interface(`init_ptrace',` +@@ -1039,17 +1286,19 @@ interface(`init_ptrace',` ## ## # -interface(`init_write_script_pipes',` -+interface(`init_read_key',` ++interface(`init_dontaudit_read_state',` gen_require(` - type initrc_t; + type init_t; ') - allow $1 initrc_t:fifo_file write; -+ allow $1 init_t:key read; ++ dontaudit $1 init_t:dir search_dir_perms; ++ dontaudit $1 init_t:file read_file_perms; ++ dontaudit $1 init_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## Get the attribute of init script entrypoint files. -+## Write the process keyring of init. ++## Read the process keyring of init. ## ## ## -@@ -1057,37 +1306,38 @@ interface(`init_write_script_pipes',` +@@ -1057,18 +1306,17 @@ interface(`init_write_script_pipes',` ## ## # -interface(`init_getattr_script_files',` -+interface(`init_write_key',` ++interface(`init_read_key',` gen_require(` - type initrc_exec_t; + type init_t; @@ -35672,17 +35784,16 @@ index 79a45f6..cf6add7 100644 ######################################## ## -## Read init scripts. -+## Ptrace init ++## Write the process keyring of init. ## ## ## - ## Domain allowed access. +@@ -1076,37 +1324,38 @@ interface(`init_getattr_script_files',` ## ## -+## # -interface(`init_read_script_files',` -+interface(`init_ptrace',` ++interface(`init_write_key',` gen_require(` - type initrc_exec_t; + type init_t; @@ -35690,69 +35801,84 @@ index 79a45f6..cf6add7 100644 - files_search_etc($1) - allow $1 initrc_exec_t:file read_file_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 init_t:process ptrace; -+ ') ++ allow $1 init_t:key read; ') ######################################## ## -## Execute init scripts in the caller domain. -+## Write an init script unnamed pipe. ++## Ptrace init ## ## ## -@@ -1095,18 +1345,17 @@ interface(`init_read_script_files',` + ## Domain allowed access. ## ## ++## # -interface(`init_exec_script_files',` -+interface(`init_write_script_pipes',` ++interface(`init_ptrace',` gen_require(` - type initrc_exec_t; -+ type initrc_t; ++ type init_t; ') - files_list_etc($1) - can_exec($1, initrc_exec_t) -+ allow $1 initrc_t:fifo_file write; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 init_t:process ptrace; ++ ') ') ######################################## ## -## Get the attribute of all init script entrypoint files. -+## Get the attribute of init script entrypoint files. ++## Write an init script unnamed pipe. ## ## ## -@@ -1114,18 +1363,18 @@ interface(`init_exec_script_files',` +@@ -1114,7 +1363,82 @@ interface(`init_exec_script_files',` ## ## # -interface(`init_getattr_all_script_files',` ++interface(`init_write_script_pipes',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:fifo_file write; ++') ++ ++######################################## ++## ++## Get the attribute of init script entrypoint files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`init_getattr_script_files',` - gen_require(` -- attribute init_script_file_type; ++ gen_require(` + type initrc_exec_t; - ') - - files_list_etc($1) -- allow $1 init_script_file_type:file getattr; ++ ') ++ ++ files_list_etc($1) + allow $1 initrc_exec_t:file getattr; - ') - - ######################################## - ## --## Read all init script files. ++') ++ ++######################################## ++## +## Read init scripts. - ## - ## - ## -@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',` - ## - ## - # --interface(`init_read_all_script_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`init_read_script_files',` + gen_require(` + type initrc_exec_t; @@ -35792,16 +35918,13 @@ index 79a45f6..cf6add7 100644 +## +# +interface(`init_getattr_all_script_files',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ files_list_etc($1) -+ allow $1 init_script_file_type:file getattr; -+') -+ -+######################################## -+## + gen_require(` + attribute init_script_file_type; + ') +@@ -1125,6 +1449,44 @@ interface(`init_getattr_all_script_files',` + + ######################################## + ## +## Allow the specified domain to modify the systemd configuration of +## all init scripts. +## @@ -35840,19 +35963,10 @@ index 79a45f6..cf6add7 100644 + +######################################## +## -+## Read all init script files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_read_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') -@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',` + ## Read all init script files. + ## + ## +@@ -1144,6 +1506,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -35877,7 +35991,7 @@ index 79a45f6..cf6add7 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1575,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -35891,7 +36005,7 @@ index 79a45f6..cf6add7 100644 ') ######################################## -@@ -1314,6 +1671,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1689,24 @@ interface(`init_signal_script',` ######################################## ## @@ -35916,7 +36030,7 @@ index 79a45f6..cf6add7 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1833,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -35944,7 +36058,7 @@ index 79a45f6..cf6add7 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1961,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -35970,7 +36084,7 @@ index 79a45f6..cf6add7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2038,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -35995,7 +36109,7 @@ index 79a45f6..cf6add7 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2128,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -36039,7 +36153,7 @@ index 79a45f6..cf6add7 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2253,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -36048,7 +36162,7 @@ index 79a45f6..cf6add7 100644 ') ######################################## -@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2294,672 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -36057,23 +36171,33 @@ index 79a45f6..cf6add7 100644 ## -## Allow the specified domain to connect to daemon with a tcp socket +## Allow search directory in the /run/systemd directory. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`init_tcp_recvfrom_all_daemons',` +- gen_require(` +- attribute daemon; +- ') +interface(`init_search_pid_dirs',` + gen_require(` + type init_var_run_t; + ') -+ + +- corenet_tcp_recvfrom_labeled($1, daemon) + allow $1 init_var_run_t:dir search_dir_perms; -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Allow the specified domain to connect to daemon with a udp socket +## Allow listing of the /run/systemd directory. +## +## @@ -36137,7 +36261,7 @@ index 79a45f6..cf6add7 100644 ## ## # --interface(`init_tcp_recvfrom_all_daemons',` +-interface(`init_udp_recvfrom_all_daemons',` - gen_require(` - attribute daemon; - ') @@ -36145,25 +36269,22 @@ index 79a45f6..cf6add7 100644 + gen_require(` + type init_var_run_t; + ') - -- corenet_tcp_recvfrom_labeled($1, daemon) ++ + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) - ') - --######################################## ++') ++ +####################################### - ## --## Allow the specified domain to connect to daemon with a udp socket ++## +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## The type of the object to create. @@ -36179,14 +36300,11 @@ index 79a45f6..cf6add7 100644 +## The name of the object being created. +## +## - # --interface(`init_udp_recvfrom_all_daemons',` ++# +interface(`init_named_pid_filetrans',` - gen_require(` -- attribute daemon; ++ gen_require(` + type init_var_run_t; - ') -- corenet_udp_recvfrom_labeled($1, daemon) ++ ') + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) @@ -36224,8 +36342,8 @@ index 79a45f6..cf6add7 100644 + gen_require(` + attribute daemon; + ') -+ corenet_udp_recvfrom_labeled($1, daemon) -+') + corenet_udp_recvfrom_labeled($1, daemon) + ') + +######################################## +## @@ -36733,9 +36851,9 @@ index 79a45f6..cf6add7 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; - ') ++') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..f09c5ae 100644 +index 17eda24..0a4a187 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36960,7 +37078,7 @@ index 17eda24..f09c5ae 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +256,67 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +256,68 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37003,6 +37121,7 @@ index 17eda24..f09c5ae 100644 # Run init scripts. init_domtrans_script(init_t) ++init_exec_notrans_direct_init_entry(init_t) libs_rw_ld_so_cache(init_t) @@ -37033,7 +37152,7 @@ index 17eda24..f09c5ae 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +325,256 @@ ifdef(`distro_gentoo',` +@@ -186,29 +326,258 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37168,6 +37287,8 @@ index 17eda24..f09c5ae 100644 +files_list_home(init_t) +files_create_lock_dirs(init_t) +files_relabel_all_lock_dirs(init_t) ++files_relabel_var_dirs(init_t) ++files_relabel_var_lib_dirs(init_t) +files_read_kernel_modules(init_t) +fs_getattr_all_fs(init_t) +fs_manage_cgroup_dirs(init_t) @@ -37299,7 +37420,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -216,7 +582,30 @@ optional_policy(` +@@ -216,7 +585,30 @@ optional_policy(` ') optional_policy(` @@ -37331,7 +37452,7 @@ index 17eda24..f09c5ae 100644 ') ######################################## -@@ -225,9 +614,9 @@ optional_policy(` +@@ -225,9 +617,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37343,7 +37464,7 @@ index 17eda24..f09c5ae 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +647,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +650,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37360,7 +37481,7 @@ index 17eda24..f09c5ae 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +672,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +675,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37403,7 +37524,7 @@ index 17eda24..f09c5ae 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +709,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +712,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37415,7 +37536,7 @@ index 17eda24..f09c5ae 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +721,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +724,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37426,7 +37547,7 @@ index 17eda24..f09c5ae 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +732,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +735,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37436,7 +37557,7 @@ index 17eda24..f09c5ae 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +741,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +744,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37444,7 +37565,7 @@ index 17eda24..f09c5ae 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +748,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +751,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37452,7 +37573,7 @@ index 17eda24..f09c5ae 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +756,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +759,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37470,7 +37591,7 @@ index 17eda24..f09c5ae 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +774,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +777,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37484,7 +37605,7 @@ index 17eda24..f09c5ae 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +789,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +792,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37498,7 +37619,7 @@ index 17eda24..f09c5ae 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +802,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +805,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37509,7 +37630,7 @@ index 17eda24..f09c5ae 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +815,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +818,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37517,7 +37638,7 @@ index 17eda24..f09c5ae 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +834,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +837,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37541,7 +37662,7 @@ index 17eda24..f09c5ae 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +867,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +870,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37549,7 +37670,7 @@ index 17eda24..f09c5ae 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +901,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +904,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37560,7 +37681,7 @@ index 17eda24..f09c5ae 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +925,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +928,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37569,7 +37690,7 @@ index 17eda24..f09c5ae 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +940,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +943,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37577,7 +37698,7 @@ index 17eda24..f09c5ae 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +961,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +964,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37585,7 +37706,7 @@ index 17eda24..f09c5ae 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +971,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +974,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37630,7 +37751,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -559,14 +1016,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1019,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37662,7 +37783,7 @@ index 17eda24..f09c5ae 100644 ') ') -@@ -577,6 +1051,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1054,39 @@ ifdef(`distro_suse',` ') ') @@ -37702,7 +37823,7 @@ index 17eda24..f09c5ae 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1096,8 @@ optional_policy(` +@@ -589,6 +1099,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37711,7 +37832,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -610,6 +1119,7 @@ optional_policy(` +@@ -610,6 +1122,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37719,7 +37840,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -626,6 +1136,17 @@ optional_policy(` +@@ -626,6 +1139,17 @@ optional_policy(` ') optional_policy(` @@ -37737,7 +37858,7 @@ index 17eda24..f09c5ae 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1163,13 @@ optional_policy(` +@@ -642,9 +1166,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37751,7 +37872,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -657,15 +1182,11 @@ optional_policy(` +@@ -657,15 +1185,11 @@ optional_policy(` ') optional_policy(` @@ -37769,7 +37890,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -686,6 +1207,15 @@ optional_policy(` +@@ -686,6 +1210,15 @@ optional_policy(` ') optional_policy(` @@ -37785,7 +37906,7 @@ index 17eda24..f09c5ae 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1256,7 @@ optional_policy(` +@@ -726,6 +1259,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37793,7 +37914,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -743,7 +1274,13 @@ optional_policy(` +@@ -743,7 +1277,13 @@ optional_policy(` ') optional_policy(` @@ -37808,7 +37929,7 @@ index 17eda24..f09c5ae 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1303,10 @@ optional_policy(` +@@ -766,6 +1306,10 @@ optional_policy(` ') optional_policy(` @@ -37819,7 +37940,7 @@ index 17eda24..f09c5ae 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1316,20 @@ optional_policy(` +@@ -775,10 +1319,20 @@ optional_policy(` ') optional_policy(` @@ -37840,7 +37961,7 @@ index 17eda24..f09c5ae 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1338,10 @@ optional_policy(` +@@ -787,6 +1341,10 @@ optional_policy(` ') optional_policy(` @@ -37851,7 +37972,7 @@ index 17eda24..f09c5ae 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1363,6 @@ optional_policy(` +@@ -808,8 +1366,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37860,7 +37981,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -818,6 +1371,10 @@ optional_policy(` +@@ -818,6 +1374,10 @@ optional_policy(` ') optional_policy(` @@ -37871,7 +37992,7 @@ index 17eda24..f09c5ae 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1384,12 @@ optional_policy(` +@@ -827,10 +1387,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37884,7 +38005,7 @@ index 17eda24..f09c5ae 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1416,62 @@ optional_policy(` +@@ -857,21 +1419,62 @@ optional_policy(` ') optional_policy(` @@ -37948,7 +38069,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -887,6 +1487,10 @@ optional_policy(` +@@ -887,6 +1490,10 @@ optional_policy(` ') optional_policy(` @@ -37959,7 +38080,7 @@ index 17eda24..f09c5ae 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1501,218 @@ optional_policy(` +@@ -897,3 +1504,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48234,10 +48355,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..8c07053 +index 0000000..7717a2b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,931 @@ +@@ -0,0 +1,932 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49120,6 +49241,7 @@ index 0000000..8c07053 + +corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t) ++corenet_tcp_connect_llmnr_port(systemd_resolved_t) + +dev_write_kmsg(systemd_resolved_t) +dev_read_sysfs(systemd_resolved_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e5b5dff..6657026 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -16593,10 +16593,10 @@ index 0000000..1cc5fa4 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..bce21bf +index 0000000..2357f3b --- /dev/null +++ b/conman.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,97 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -16646,6 +16646,7 @@ index 0000000..bce21bf +allow conman_t self:tcp_socket { accept listen create_socket_perms }; + +allow conman_t conman_unconfined_script_t:process sigkill; ++allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms; + +manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) +manage_files_pattern(conman_t, conman_log_t, conman_log_t) @@ -28762,7 +28763,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..d5d852e 100644 +index 98072a3..18a2ef2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28806,7 +28807,7 @@ index 98072a3..d5d852e 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,19 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28830,10 +28831,11 @@ index 98072a3..d5d852e 100644 -sysnet_read_config(firewalld_t) +sysnet_dns_name_resolve(firewalld_t) ++sysnet_manage_config_dirs(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +108,10 @@ optional_policy(` +@@ -95,6 +109,10 @@ optional_policy(` ') optional_policy(` @@ -29529,7 +29531,7 @@ index 0000000..0d09fbd + +userdom_use_inherited_user_terminals(freqset_t) diff --git a/ftp.fc b/ftp.fc -index ddb75c1..44f74e6 100644 +index ddb75c1..f38075f 100644 --- a/ftp.fc +++ b/ftp.fc @@ -1,5 +1,8 @@ @@ -29541,6 +29543,14 @@ index ddb75c1..44f74e6 100644 /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +@@ -23,6 +26,7 @@ + + /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) ++/var/log/proftpd\.log -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/ftp.if b/ftp.if index 4498143..84a4858 100644 --- a/ftp.if @@ -36646,10 +36656,10 @@ index 0000000..d0016da +') diff --git a/hostapd.te b/hostapd.te new file mode 100644 -index 0000000..54deae3 +index 0000000..438573d --- /dev/null +++ b/hostapd.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,53 @@ +policy_module(hostapd, 1.0.0) + +######################################## @@ -36675,6 +36685,7 @@ index 0000000..54deae3 +allow hostapd_t self:fifo_file rw_fifo_file_perms; +allow hostapd_t self:unix_stream_socket create_stream_socket_perms; +allow hostapd_t self:netlink_socket create_socket_perms; ++allow hostapd_t self:netlink_generic_socket create_socket_perms; +allow hostapd_t self:netlink_route_socket create_netlink_socket_perms; +allow hostapd_t self:packet_socket create_socket_perms; + @@ -40775,10 +40786,10 @@ index 0000000..17126b6 +') diff --git a/journalctl.te b/journalctl.te new file mode 100644 -index 0000000..896cde4 +index 0000000..68dd2b7 --- /dev/null +++ b/journalctl.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,47 @@ +policy_module(journalctl, 1.0.0) + +######################################## @@ -40819,6 +40830,7 @@ index 0000000..896cde4 +miscfiles_read_localization(journalctl_t) + +logging_read_generic_logs(journalctl_t) ++logging_read_syslog_pid(journalctl_t) + +userdom_list_user_home_dirs(journalctl_t) +userdom_read_user_home_content_files(journalctl_t) @@ -49038,11 +49050,11 @@ index 0000000..0f290e9 + diff --git a/mirrormanager.fc b/mirrormanager.fc new file mode 100644 -index 0000000..c713b27 +index 0000000..abd53a4 --- /dev/null +++ b/mirrormanager.fc @@ -0,0 +1,7 @@ -+/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0) ++/usr/share/mirrormanager/server/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_exec_t,s0) + +/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0) + @@ -53170,10 +53182,10 @@ index 65a246a..fa86320 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..2cf0c23 100644 +index f42896c..fce39c1 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,34 +1,41 @@ +@@ -1,34 +1,39 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) @@ -53195,6 +53207,8 @@ index f42896c..2cf0c23 100644 -/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) - -/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +- +/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +ifdef(`distro_redhat',` +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) @@ -53207,8 +53221,6 @@ index f42896c..2cf0c23 100644 +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -59325,10 +59337,10 @@ index 0000000..409de8c +') diff --git a/ninfod.te b/ninfod.te new file mode 100644 -index 0000000..d75c408 +index 0000000..b3aa3ce --- /dev/null +++ b/ninfod.te -@@ -0,0 +1,35 @@ +@@ -0,0 +1,36 @@ +policy_module(ninfod, 1.0.0) + +######################################## @@ -59355,6 +59367,7 @@ index 0000000..d75c408 +allow ninfod_t self:fifo_file rw_fifo_file_perms; +allow ninfod_t self:rawip_socket { create setopt }; +allow ninfod_t self:unix_stream_socket create_stream_socket_perms; ++allow ninfod_t self:rawip_socket read; + +manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t) +files_pid_filetrans(ninfod_t,ninfod_run_t, { file }) @@ -69117,7 +69130,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..6a92354 100644 +index 608f454..bc31081 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -69477,7 +69490,7 @@ index 608f454..6a92354 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +368,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -69508,7 +69521,11 @@ index 608f454..6a92354 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +394,21 @@ kernel_read_net_sysctls(pegasus_t) ++kernel_read_sysctl(pegasus_t) + kernel_read_fs_sysctls(pegasus_t) + kernel_read_system_state(pegasus_t) + kernel_search_vm_sysctl(pegasus_t) +@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -69541,7 +69558,7 @@ index 608f454..6a92354 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +422,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -69553,7 +69570,7 @@ index 608f454..6a92354 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +438,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -69575,21 +69592,21 @@ index 608f454..6a92354 100644 +optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_t) -+ ') -+') - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_t) ++ ') ++') ++ +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +472,24 @@ optional_policy(` +@@ -151,16 +473,24 @@ optional_policy(` ') optional_policy(` @@ -69618,7 +69635,7 @@ index 608f454..6a92354 100644 ') optional_policy(` -@@ -168,7 +497,7 @@ optional_policy(` +@@ -168,7 +498,7 @@ optional_policy(` ') optional_policy(` @@ -69627,7 +69644,7 @@ index 608f454..6a92354 100644 ') optional_policy(` -@@ -180,6 +509,7 @@ optional_policy(` +@@ -180,12 +510,17 @@ optional_policy(` ') optional_policy(` @@ -69635,6 +69652,16 @@ index 608f454..6a92354 100644 virt_domtrans(pegasus_t) virt_stream_connect(pegasus_t) virt_manage_config(pegasus_t) + ') + + optional_policy(` ++ qemu_getattr_exec(pegasus_t) ++') ++ ++optional_policy(` + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) + ') diff --git a/pesign.fc b/pesign.fc new file mode 100644 index 0000000..7b54c39 @@ -77508,10 +77535,10 @@ index 0000000..8231f4f +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..3ef4a99 +index 0000000..71f9abb --- /dev/null +++ b/prosody.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,98 @@ +policy_module(prosody, 1.0.0) + +######################################## @@ -77588,6 +77615,7 @@ index 0000000..3ef4a99 +corenet_tcp_bind_jabber_interserver_port(prosody_t) +corenet_tcp_bind_jabber_router_port(prosody_t) +corenet_tcp_bind_commplex_main_port(prosody_t) ++corenet_tcp_bind_fac_restore_port(prosody_t) + +tunable_policy(`prosody_bind_http_port',` + corenet_tcp_bind_http_port(prosody_t) @@ -78923,7 +78951,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..1cd6fca 100644 +index 618dcfe..67d166c 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -78985,7 +79013,7 @@ index 618dcfe..1cd6fca 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,162 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # @@ -79184,61 +79212,65 @@ index 618dcfe..1cd6fca 100644 + +optional_policy(` + mysql_stream_connect(puppetagent_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(puppetagent_t) ++') ++ ++optional_policy(` ++ cfengine_read_lib_files(puppetagent_t) ') optional_policy(` - cfengine_read_lib_files(puppet_t) -+ postgresql_stream_connect(puppetagent_t) ++ consoletype_exec(puppetagent_t) ') optional_policy(` - consoletype_exec(puppet_t) -+ cfengine_read_lib_files(puppetagent_t) ++ hostname_exec(puppetagent_t) ') optional_policy(` - hostname_exec(puppet_t) -+ consoletype_exec(puppetagent_t) ++ mount_domtrans(puppetagent_t) ') optional_policy(` - mount_domtrans(puppet_t) -+ hostname_exec(puppetagent_t) ++ mta_send_mail(puppetagent_t) ') optional_policy(` - mta_send_mail(puppet_t) -+ mount_domtrans(puppetagent_t) ++ firewalld_dbus_chat(puppetagent_t) ') optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -+ mta_send_mail(puppetagent_t) ++ portage_domtrans(puppetagent_t) ++ portage_domtrans_fetch(puppetagent_t) ++ portage_domtrans_gcc_config(puppetagent_t) ') optional_policy(` - files_rw_var_files(puppet_t) -+ firewalld_dbus_chat(puppetagent_t) -+') ++ files_rw_var_files(puppetagent_t) - rpm_domtrans(puppet_t) - rpm_manage_db(puppet_t) - rpm_manage_log(puppet_t) -+optional_policy(` -+ portage_domtrans(puppetagent_t) -+ portage_domtrans_fetch(puppetagent_t) -+ portage_domtrans_gcc_config(puppetagent_t) ++ rpm_domtrans(puppetagent_t) ++ rpm_manage_db(puppetagent_t) ++ rpm_manage_log(puppetagent_t) ') optional_policy(` - unconfined_domain(puppet_t) -+ files_rw_var_files(puppetagent_t) -+ -+ rpm_domtrans(puppetagent_t) -+ rpm_manage_db(puppetagent_t) -+ rpm_manage_log(puppetagent_t) ++ shorewall_domtrans(puppetagent_t) ') optional_policy(` @@ -79264,7 +79296,7 @@ index 618dcfe..1cd6fca 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +228,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -79272,7 +79304,7 @@ index 618dcfe..1cd6fca 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +237,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -79288,7 +79320,7 @@ index 618dcfe..1cd6fca 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +251,48 @@ optional_policy(` +@@ -246,38 +255,48 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -79353,7 +79385,7 @@ index 618dcfe..1cd6fca 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +304,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -79384,7 +79416,7 @@ index 618dcfe..1cd6fca 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +330,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -79421,7 +79453,7 @@ index 618dcfe..1cd6fca 100644 ') optional_policy(` -@@ -342,3 +363,9 @@ optional_policy(` +@@ -342,3 +367,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -80193,7 +80225,7 @@ index 86ea53c..a2dcf7b 100644 /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/qemu.if b/qemu.if -index eaf56b8..aa90671 100644 +index eaf56b8..8894726 100644 --- a/qemu.if +++ b/qemu.if @@ -1,19 +1,21 @@ @@ -80419,7 +80451,7 @@ index eaf56b8..aa90671 100644 ## ## ## -@@ -264,48 +239,68 @@ interface(`qemu_kill',` +@@ -264,28 +239,68 @@ interface(`qemu_kill',` ######################################## ## @@ -80457,9 +80489,6 @@ index eaf56b8..aa90671 100644 - type unconfined_qemu_t, qemu_exec_t; + type qemu_exec_t; ') -- -- corecmd_search_bin($1) -- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) @@ -80469,63 +80498,66 @@ index eaf56b8..aa90671 100644 + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; ++') + +- corecmd_search_bin($1) +- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) ++######################################## ++## ++## Execute qemu unconfined programs in the role. ++## ++## ++## ++## The role to allow the qemu unconfined domain. ++## ++## ++# ++interface(`qemu_unconfined_role',` ++ gen_require(` ++ type unconfined_qemu_t; ++ type qemu_t; ++ ') ++ role $1 types unconfined_qemu_t; ++ role $1 types qemu_t; ') ######################################## ## -## Create, read, write, and delete -## qemu temporary directories. -+## Execute qemu unconfined programs in the role. ++## Manage qemu temporary dirs. ## --## -+## + ## ## --## Domain allowed access. -+## The role to allow the qemu unconfined domain. - ## - ## - # --interface(`qemu_manage_tmp_dirs',` -+interface(`qemu_unconfined_role',` - gen_require(` -- type qemu_tmp_t; -+ type unconfined_qemu_t; -+ type qemu_t; +@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',` + type qemu_tmp_t; ') -- + - files_search_tmp($1) -- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) -+ role $1 types unconfined_qemu_t; -+ role $1 types qemu_t; + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) ') ######################################## ## -## Create, read, write, and delete -## qemu temporary files. -+## Manage qemu temporary dirs. ++## Manage qemu temporary files. ## ## ## -@@ -313,58 +308,41 @@ interface(`qemu_manage_tmp_dirs',` - ## - ## - # --interface(`qemu_manage_tmp_files',` -+interface(`qemu_manage_tmp_dirs',` - gen_require(` +@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',` type qemu_tmp_t; ') - files_search_tmp($1) -- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') ######################################## ## -## Execute qemu in a specified domain. -+## Manage qemu temporary files. ++## Make qemu_exec_t an entrypoint for ++## the specified domain. ## -## -##

@@ -80543,43 +80575,54 @@ index eaf56b8..aa90671 100644 -##

-## -## -+## - ## +-## -## Domain to transition to. -+## Domain allowed access. - ## +-## ++## ++## ++## The domain for which qemu_exec_t is an entrypoint. ++## ## # -interface(`qemu_spec_domtrans',` -+interface(`qemu_manage_tmp_files',` ++interface(`qemu_entry_type',` gen_require(` -- type qemu_exec_t; -+ type qemu_tmp_t; + type qemu_exec_t; ') - corecmd_search_bin($1) - domain_auto_trans($1, qemu_exec_t, $2) -+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ++ domain_entry_file($1, qemu_exec_t) ') -###################################### -+######################################## ++####################################### ## -## Make qemu executable files an -## entrypoint for the specified domain. -+## Make qemu_exec_t an entrypoint for -+## the specified domain. ++## Getattr on qemu executable. ## ## -## -## The domain for which qemu_exec_t is an entrypoint. -## -+## -+## The domain for which qemu_exec_t is an entrypoint. -+## ++## ++## Domain allowed to transition. ++## ## # - interface(`qemu_entry_type',` +-interface(`qemu_entry_type',` +- gen_require(` +- type qemu_exec_t; +- ') ++interface(`qemu_getattr_exec',` ++ gen_require(` ++ type qemu_exec_t; ++ ') + +- domain_entry_file($1, qemu_exec_t) ++ allow $1 qemu_exec_t:file getattr; + ') diff --git a/qemu.te b/qemu.te index 4f90743..958c0ef 100644 --- a/qemu.te @@ -88301,7 +88344,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..2e80d44 100644 +index d32e1a2..cb5f49c 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -88340,7 +88383,7 @@ index d32e1a2..2e80d44 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,87 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -88351,6 +88394,8 @@ index d32e1a2..2e80d44 100644 +corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_http_cache_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t) ++corenet_tcp_connect_netport_port(rhsmcertd_t) ++corenet_tcp_connect_websm_port(rhsmcertd_t) corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) @@ -101382,10 +101427,10 @@ index 0919e0c..56a984b 100644 userdom_dontaudit_use_unpriv_user_fds(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc -index e9bd097..e059e27 100644 +index e9bd097..5724bcf 100644 --- a/spamassassin.fc +++ b/spamassassin.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) -HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -101417,10 +101462,11 @@ index e9bd097..e059e27 100644 /usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/libexec/mimedefang-wrapper -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) -@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) @@ -101901,10 +101947,10 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..d20d0ed 100644 +index cc58e35..7e5c719 100644 --- a/spamassassin.te +++ b/spamassassin.te -@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) +@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) ## ##

@@ -101925,6 +101971,13 @@ index cc58e35..d20d0ed 100644 -gen_tunable(spamd_enable_home_dirs, false) +gen_tunable(spamd_enable_home_dirs, true) + ++## ++##

++## Allow spamd_update to connect to all ports. ++##

++##
++gen_tunable(spamd_update_can_network, false) ++ type spamd_update_t; type spamd_update_exec_t; @@ -101961,7 +102014,7 @@ index cc58e35..d20d0ed 100644 type spamd_t; type spamd_exec_t; -@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) +@@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) type spamd_compiled_t; files_type(spamd_compiled_t) @@ -101974,7 +102027,7 @@ index cc58e35..d20d0ed 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,199 @@ type spamd_log_t; +@@ -72,87 +46,199 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -102196,7 +102249,7 @@ index cc58e35..d20d0ed 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +239,8 @@ optional_policy(` +@@ -160,6 +246,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -102205,7 +102258,7 @@ index cc58e35..d20d0ed 100644 ') ######################################## -@@ -167,72 +248,95 @@ optional_policy(` +@@ -167,72 +255,95 @@ optional_policy(` # Client local policy # @@ -102309,20 +102362,20 @@ index cc58e35..d20d0ed 100644 -auth_use_nsswitch(spamc_t) +fs_search_auto_mountpoints(spamc_t) -+ -+libs_exec_ldconfig(spamc_t) - logging_send_syslog_msg(spamc_t) +-logging_send_syslog_msg(spamc_t) ++libs_exec_ldconfig(spamc_t) -miscfiles_read_localization(spamc_t) -+auth_use_nsswitch(spamc_t) ++logging_send_syslog_msg(spamc_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamc_t) - fs_manage_nfs_files(spamc_t) - fs_manage_nfs_symlinks(spamc_t) -') -- ++auth_use_nsswitch(spamc_t) + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamc_t) - fs_manage_cifs_files(spamc_t) @@ -102332,7 +102385,7 @@ index cc58e35..d20d0ed 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +347,7 @@ optional_policy(` +@@ -243,6 +354,7 @@ optional_policy(` ') optional_policy(` @@ -102340,7 +102393,7 @@ index cc58e35..d20d0ed 100644 evolution_stream_connect(spamc_t) ') -@@ -251,11 +356,18 @@ optional_policy(` +@@ -251,11 +363,18 @@ optional_policy(` ') optional_policy(` @@ -102360,7 +102413,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -267,36 +379,40 @@ optional_policy(` +@@ -267,36 +386,40 @@ optional_policy(` ######################################## # @@ -102387,17 +102440,17 @@ index cc58e35..d20d0ed 100644 allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket { accept connectto listen }; -allow spamd_t self:tcp_socket { accept listen }; -- ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") -+allow spamd_t self:unix_stream_socket connectto; -+allow spamd_t self:tcp_socket create_stream_socket_perms; -+allow spamd_t self:udp_socket create_socket_perms; - +- -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) @@ -102418,7 +102471,7 @@ index cc58e35..d20d0ed 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +424,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +431,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -102428,7 +102481,7 @@ index cc58e35..d20d0ed 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +434,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +441,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -102445,7 +102498,7 @@ index cc58e35..d20d0ed 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +450,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +457,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -102550,7 +102603,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -421,21 +522,13 @@ optional_policy(` +@@ -421,21 +529,13 @@ optional_policy(` ') optional_policy(` @@ -102574,7 +102627,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -443,8 +536,8 @@ optional_policy(` +@@ -443,8 +543,8 @@ optional_policy(` ') optional_policy(` @@ -102584,7 +102637,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -455,7 +548,17 @@ optional_policy(` +@@ -455,7 +555,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -102603,7 +102656,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -463,9 +566,9 @@ optional_policy(` +@@ -463,9 +573,9 @@ optional_policy(` ') optional_policy(` @@ -102614,7 +102667,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -474,32 +577,32 @@ optional_policy(` +@@ -474,32 +584,32 @@ optional_policy(` ######################################## # @@ -102640,24 +102693,24 @@ index cc58e35..d20d0ed 100644 -kernel_read_system_state(spamd_update_t) +allow spamd_update_t spamc_home_t:dir search_dir_perms; +allow spamd_update_t spamd_tmp_t:file read_file_perms; ++ ++allow spamd_update_t spamc_home_t:dir search_dir_perms; -corenet_all_recvfrom_unlabeled(spamd_update_t) -corenet_all_recvfrom_netlabel(spamd_update_t) -corenet_tcp_sendrecv_generic_if(spamd_update_t) -corenet_tcp_sendrecv_generic_node(spamd_update_t) -corenet_tcp_sendrecv_all_ports(spamd_update_t) -+allow spamd_update_t spamc_home_t:dir search_dir_perms; ++kernel_read_system_state(spamd_update_t) -corenet_sendrecv_http_client_packets(spamd_update_t) -+kernel_read_system_state(spamd_update_t) -+ +# for updating rules corenet_tcp_connect_http_port(spamd_update_t) -corenet_tcp_sendrecv_http_port(spamd_update_t) corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +611,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -102687,8 +102740,13 @@ index cc58e35..d20d0ed 100644 - mta_read_config(spamd_update_t) + gpg_domtrans(spamd_update_t) + gpg_manage_home_content(spamd_update_t) - ') ++') + ++tunable_policy(`spamd_update_can_network',` ++ corenet_sendrecv_all_client_packets(spamd_update_t) ++ corenet_tcp_connect_all_ports(spamd_update_t) ++ corenet_tcp_sendrecv_all_ports(spamd_update_t) + ') diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc new file mode 100644 index 0000000..545f682 @@ -108753,7 +108811,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..6893547 100644 +index 393a330..0691d4a 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -108818,7 +108876,7 @@ index 393a330..6893547 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t) +@@ -64,35 +78,72 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -108879,11 +108937,15 @@ index 393a330..6893547 100644 mount_domtrans(tuned_t) ') -+# to allow network interface tuning optional_policy(` ++ policykit_dbus_chat(tuned_t) ++') ++ ++# to allow network interface tuning ++optional_policy(` sysnet_domtrans_ifconfig(tuned_t) ') -@@ -96,3 +139,7 @@ optional_policy(` + optional_policy(` unconfined_dbus_send(tuned_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 3e5dd9d..b3718bc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 197%{?dist} +Release: 198%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -647,6 +647,42 @@ exit 0 %endif %changelog +* Wed Jun 22 2016 Lukas Vrabec 3.13.1-198 +- Allow firewalld_t to create entries in net_conf_t dirs. +- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals +- Allow rhsmcertd connect to port tcp 9090 +- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. +- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. +- Add new boolean spamd_update_can_network. +- Add proper label for /var/log/proftpd.log +- Allow rhsmcertd connect to tcp netport_port_t +- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. +- Allow prosody to bind to fac_restore tcp port. +- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager +- Allow ninfod to read raw packets +- Fix broken hostapd policy +- Allow hostapd to create netlink_generic sockets. BZ(1343683) +- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall +- Allow pegasus get attributes from qemu binary files. +- Allow tuned to use policykit. This change is required by cockpit. +- Allow conman_t to read dir with conman_unconfined_script_t binary files. +- Allow pegasus to read /proc/sysinfo. +- Allow puppet_t transtition to shorewall_t +- Allow conman to kill conman_unconfined_script. +- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. +- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base +- Allow systemd to execute all init daemon executables. +- Add init_exec_notrans_direct_init_entry() interface. +- Label tcp ports:16379, 26379 as redis_port_t +- Allow systemd to relabel /var and /var/lib directories during boot. +- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. +- Add files_relabelto_var_lib_dirs() interface. +- Label tcp and udp port 5582 as fac_restore_port_t +- Allow sysadm_t user to run postgresql-setup. +- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. +- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849) +- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd + * Thu Jun 16 2016 Lukas Vrabec 3.13.1-197 - Allow conman to kill conman_unconfined_script. - Make conman_unconfined_script_t as init_system_domain.