diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a373432..f15a12c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -16881,7 +16881,7 @@ index 54f1827..39faa3f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 64c4cd0..69be610 100644 +index 64c4cd0..b9d9660 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -17010,7 +17010,7 @@ index 64c4cd0..69be610 100644 ######################################## ## ## Allow the caller to directly read -@@ -813,3 +897,411 @@ interface(`storage_unconfined',` +@@ -813,3 +897,452 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -17355,6 +17355,47 @@ index 64c4cd0..69be610 100644 + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50") + dev_filetrans($1, removable_device_t, blk_file, "sr0") + dev_filetrans($1, removable_device_t, blk_file, "sr1") + dev_filetrans($1, removable_device_t, blk_file, "sr2") diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 54cdf61..c33f667 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -28811,7 +28811,7 @@ index e39de43..6a6db28 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..d0bfef0 100644 +index ab09d61..8bcb6ba 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,78 @@ @@ -29858,7 +29858,7 @@ index ab09d61..d0bfef0 100644 ## ## ## -@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -30251,6 +30251,23 @@ index ab09d61..d0bfef0 100644 + read_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t) +') ++####################################### ++## ++## append gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ append_files_pattern($1, config_home_t, config_home_t) ++') + +####################################### +## @@ -33328,10 +33345,10 @@ index 0000000..48d7322 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..4095bed +index 0000000..d028154 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,58 @@ +@@ -0,0 +1,57 @@ +## Policy for IPA services. + +######################################## @@ -33389,7 +33406,6 @@ index 0000000..4095bed + manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) +') + -+') diff --git a/ipa.te b/ipa.te new file mode 100644 index 0000000..b60bc5f @@ -73656,10 +73672,10 @@ index 0000000..a073efd +') diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..7b1fa9e +index 0000000..6731d5c --- /dev/null +++ b/rasdaemon.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,46 @@ +policy_module(rasdaemon, 1.0.0) + +######################################## @@ -73691,16 +73707,17 @@ index 0000000..7b1fa9e +kernel_read_system_state(rasdaemon_t) +kernel_manage_debugfs(rasdaemon_t) + -+auth_use_nsswitch(rasdaemon_t) -+ +dev_read_raw_memory(rasdaemon_t) +dev_read_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) -+ -+logging_send_syslog_msg(rasdaemon_t) ++dev_rw_cpu_microcode(rasdaemon_t) + +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 + ++auth_use_nsswitch(rasdaemon_t) ++ ++logging_send_syslog_msg(rasdaemon_t) ++ +optional_policy(` + dmidecode_exec(rasdaemon_t) +') @@ -95084,10 +95101,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..bb3e477 +index 0000000..0e30ce2 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,156 @@ +@@ -0,0 +1,157 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -95217,6 +95234,7 @@ index 0000000..bb3e477 + # .config + gnome_dontaudit_search_config(thumb_t) + gnome_dontaudit_write_config_files(thumb_t) ++ gnome_append_home_config(thumb_t) + gnome_append_generic_cache_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t) + gnome_dontaudit_rw_generic_cache_files(thumb_t)