diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0d7ca0b..8268e42 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -18395,10 +18395,10 @@ index 3a45a3e..7499f24 100644
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da11120..d67bcca 100644
+index da11120..621ec5a 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
-@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
+@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
role secadm_r;
@@ -18408,10 +18408,24 @@ index da11120..d67bcca 100644
+userdom_security_admin(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
++userdom_manage_tmp_role(secadm_r, secadm_t)
########################################
#
-@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
+
+ allow secadm_t self:capability { dac_read_search dac_override };
+
++kernel_read_system_state(secadm_t)
++
+ corecmd_exec_shell(secadm_t)
+
+ dev_relabel_all_dev_nodes(secadm_t)
++dev_read_urand(secadm_t)
+
+ domain_obj_id_change_exemption(secadm_t)
+
+@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
auth_role(secadm_r, secadm_t)
@@ -20469,7 +20483,7 @@ index 3835596..fbca2be 100644
########################################
##
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..8332fca 100644
+index 6d77e81..c8df034 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@@ -20621,22 +20635,15 @@ index 6d77e81..8332fca 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -153,6 +251,10 @@ ifndef(`distro_redhat',`
- userhelper_role_template(user, user_r, user_t)
- ')
-
-+ optional_policy(`
-+ vmtools_run_helper(user_t, user_r)
-+ ')
-+
- optional_policy(`
- vmware_role(user_r, user_t)
- ')
-@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
+
++optional_policy(`
++ vmtools_run_helper(user_t, user_r)
++')
++
+
+optional_policy(`
+ virt_transition_svirt(user_t, user_r)
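Review bot: Moving the `vmtools_run_helper(user_t, user_r)` block from inside the `ifndef(` distro_redhat block to after its closing `')` makes it unconditional, so it now takes effect on distro_redhat builds where the old placement made it a no-op; that reads as the intent, but it should be stated in the commit message since it is a behavioural change rather than a tidy-up. The relocation also leaves two consecutive blank lines ahead of the new block (the added blank line followed by the pre-existing `+` blank line), so drop one. The enclosing file section continues outside the hunk.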
@@ -39706,10 +39713,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..ca13b14
+index 0000000..898464f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,680 @@
+@@ -0,0 +1,679 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -40389,7 +40396,6 @@ index 0000000..ca13b14
+
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
-+
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index f41857e..49fd32e 100644
--- a/policy/modules/system/udev.fc
@@ -46842,7 +46848,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..64e135a 100644
+index 6e91317..018d0a6 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -46952,7 +46958,7 @@ index 6e91317..64e135a 100644
+#
+# Service
+#
-+define(`manage_service_perms', `{ start stop status reload } ')
++define(`manage_service_perms', `{ start stop status reload enable disable } ')
diff --git a/policy/users b/policy/users
index c4ebc7e..30d6d7a 100644
--- a/policy/users
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3f9cc30..2c2a540 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..40dda9e 100644
+index 1a93dc5..2eebc19 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,31 +1,41 @@
+@@ -1,31 +1,43 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -50,12 +50,14 @@ index 1a93dc5..40dda9e 100644
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
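Review bot: The two new entries label `/var/spool/debug(/.*)?` and `/var/spool/rhsm/debug(/.*)?` as `abrt_var_cache_t`, which claims paths outside the abrt namespace; `/var/spool/rhsm` in particular belongs to subscription-manager, so confirm that no other module's .fc file specifies those paths and that abrt is indeed the component writing there. A one-line comment naming the producer of those directories would make the cross-component label less surprising to the next reader. The `/var/tmp/abrt` line changes only whitespace.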
@@ -2377,7 +2379,7 @@ index 14a61b7..21bbf36 100644
+')
+
diff --git a/anaconda.te b/anaconda.te
-index aa44abf..13ba56c 100644
+index aa44abf..ae0e58f 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -2417,7 +2419,7 @@ index aa44abf..13ba56c 100644
optional_policy(`
rpm_domtrans(anaconda_t)
-@@ -53,3 +66,32 @@ optional_policy(`
+@@ -53,3 +66,34 @@ optional_policy(`
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
@@ -2429,6 +2431,8 @@ index aa44abf..13ba56c 100644
+
+allow install_t self:capability2 mac_admin;
+
++systemd_dbus_chat_localed(install_t)
++
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(install_t)
+')
@@ -8600,10 +8604,10 @@ index c3fd7b1..e189593 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..ab80059 100644
+index 2b9a3a1..f755e6b 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -1,54 +1,74 @@
+@@ -1,54 +1,75 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -8704,6 +8708,7 @@ index 2b9a3a1..ab80059 100644
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -12859,7 +12864,7 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index bbdd396..fddf8f4 100644
+index bbdd396..8328b95 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
@@ -12871,13 +12876,14 @@ index bbdd396..fddf8f4 100644
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
++storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
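Review bot: `storage_raw_read_fixed_disk(cmirrord_t)` grants read access to the fixed-disk block devices themselves, which bypasses filesystem-level labeling for whatever those disks hold, so it deserves the justification comment Fedora policy usually carries for raw-device access, e.g. `# cmirrord reads mirror log metadata straight from the device` if that is the case. The `storage_rw_inherited_fixed_disk_dev(cmirrord_t)` line that follows covers only inherited descriptors; confirm against the denial that motivated this that the full raw-read interface is really required.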
@@ -23268,10 +23274,10 @@ index 0000000..fd679a1
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..89401fe
+index 0000000..4ca46bc
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,325 @@
+
+## The open-source application container engine.
+
@@ -23387,6 +23393,7 @@ index 0000000..89401fe
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
++ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
@@ -23598,10 +23605,10 @@ index 0000000..89401fe
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..ea0f2d3
+index 0000000..d30d730
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,260 @@
+@@ -0,0 +1,263 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23739,6 +23746,7 @@ index 0000000..ea0f2d3
+files_read_etc_files(docker_t)
+
+fs_read_cgroup_files(docker_t)
++fs_read_tmpfs_symlinks(docker_t)
+
+storage_raw_rw_fixed_disk(docker_t)
+
@@ -23815,6 +23823,7 @@ index 0000000..ea0f2d3
+fs_manage_cgroup_files(docker_t)
+fs_relabelfrom_xattr_fs(docker_t)
+fs_relabelfrom_tmpfs(docker_t)
++fs_read_tmpfs_symlinks(docker_t)
+
+term_use_generic_ptys(docker_t)
+term_use_ptmx(docker_t)
@@ -23825,6 +23834,7 @@ index 0000000..ea0f2d3
+modutils_domtrans_insmod(docker_t)
+
+userdom_stream_connect(docker_t)
++userdom_search_user_home_content(docker_t)
+
+optional_policy(`
+ dbus_system_bus_client(docker_t)
@@ -37641,7 +37651,7 @@ index 19777b8..55d1556 100644
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
-index c5548c5..bb979b1 100644
+index c5548c5..1356fcb 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
@@ -37654,7 +37664,7 @@ index c5548c5..bb979b1 100644
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
-@@ -50,12 +53,11 @@ dev_read_urand(ktalkd_t)
+@@ -50,7 +53,8 @@ dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
@@ -37664,11 +37674,13 @@ index c5548c5..bb979b1 100644
auth_use_nsswitch(ktalkd_t)
- init_read_utmp(ktalkd_t)
+@@ -58,4 +62,5 @@ init_read_utmp(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
--
+
-miscfiles_read_localization(ktalkd_t)
++userdom_use_user_ptys(ktalkd_t)
++userdom_use_user_ttys(ktalkd_t)
diff --git a/kudzu.if b/kudzu.if
index 5297064..6ba8108 100644
--- a/kudzu.if
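Review bot: `userdom_use_user_ptys(ktalkd_t)` and `userdom_use_user_ttys(ktalkd_t)` give a network-reachable, inetd-spawned daemon read/write access to users' terminal devices (those interfaces grant both directions, if they carry the usual terminal perms). Writing the talk announcement to the callee's terminal is what ktalkd exists to do, so add a comment stating that purpose, e.g. `# announce incoming talk requests on the target user's terminal`, so a later reader does not mistake it for overreach. If a write-only userdom interface exists in this tree, prefer it.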
@@ -50545,7 +50557,7 @@ index 86dc29d..1cd0d0e 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..bb85ae6 100644
+index 55f2009..ed9adbc 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -50841,7 +50853,7 @@ index 55f2009..bb85ae6 100644
')
optional_policy(`
-@@ -257,11 +299,14 @@ optional_policy(`
+@@ -257,15 +299,19 @@ optional_policy(`
')
optional_policy(`
@@ -50858,7 +50870,12 @@ index 55f2009..bb85ae6 100644
')
optional_policy(`
-@@ -274,10 +319,17 @@ optional_policy(`
+ netutils_exec_ping(NetworkManager_t)
++ netutils_exec(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -274,10 +320,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
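Review bot: `netutils_exec(NetworkManager_t)` runs the netutils binaries inside the NetworkManager_t domain with no transition, so those tools inherit NetworkManager's full permission set; the adjacent `netutils_exec_ping(NetworkManager_t)` already covers ping. If one specific tool is needed, a tool-specific `netutils_exec_*` interface (or `netutils_domtrans`, which confines the tool in netutils_t) keeps the boundary; if the broad form really is required, add a comment naming the utility and reason, filled in from the AVC that motivated it, e.g. `# NM executes <tool> for <reason>`. The enclosing `optional_policy` block starts outside the hunk.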
@@ -50876,7 +50893,7 @@ index 55f2009..bb85ae6 100644
')
optional_policy(`
-@@ -289,6 +341,7 @@ optional_policy(`
+@@ -289,6 +342,7 @@ optional_policy(`
')
optional_policy(`
@@ -50884,7 +50901,7 @@ index 55f2009..bb85ae6 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +349,7 @@ optional_policy(`
+@@ -296,7 +350,7 @@ optional_policy(`
')
optional_policy(`
@@ -50893,7 +50910,7 @@ index 55f2009..bb85ae6 100644
')
optional_policy(`
-@@ -307,6 +360,7 @@ optional_policy(`
+@@ -307,6 +361,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -50901,7 +50918,7 @@ index 55f2009..bb85ae6 100644
')
optional_policy(`
-@@ -320,14 +374,20 @@ optional_policy(`
+@@ -320,14 +375,20 @@ optional_policy(`
')
optional_policy(`
@@ -50927,7 +50944,7 @@ index 55f2009..bb85ae6 100644
')
optional_policy(`
-@@ -357,6 +417,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +418,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -58967,7 +58984,7 @@ index bf59ef7..0ec51d4 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 08ec33b..24ce7e8 100644
+index 08ec33b..12f6357 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@@ -59059,7 +59076,7 @@ index 08ec33b..24ce7e8 100644
+')
+
+optional_policy(`
-+ puppet_domtrans_master(passenger_t)
++ puppet_domtrans(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
@@ -61403,10 +61420,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..e8c6156
+index 0000000..b7dfce7
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,274 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -61481,6 +61498,7 @@ index 0000000..e8c6156
+#
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++dontaudit pki_tomcat_t self:capability net_admin;
+allow pki_tomcat_t self:process { signal setsched signull execmem };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
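Review bot: `dontaudit pki_tomcat_t self:capability net_admin;` silences rather than grants the check, which is the right choice for a capability the daemon probes but does not need, but nothing in the hunk records which operation triggers it. Add a short comment above the line, e.g. `# net_admin is probed by <operation> but not required; dontaudit, do not allow`, filled in from the denial that motivated it, so nobody later "fixes" it into an allow.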
@@ -68776,23 +68794,29 @@ index 6643b49..1d2470f 100644
optional_policy(`
diff --git a/puppet.fc b/puppet.fc
-index d68e26d..8d566fb 100644
+index d68e26d..98ad443 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -1,7 +1,7 @@
+@@ -1,18 +1,13 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
- /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
++/usr/lib/systemd/system/puppet.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0)
++/usr/lib/systemd/system/puppetmaster.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0)
/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
- /usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-@@ -11,8 +11,6 @@
- /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
- /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
++/usr/bin/puppet -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+-
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
-
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
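Review bot: `/usr/lib/systemd/system/puppet.*` is an unanchored regex in file-context syntax and therefore already matches `puppetmaster.service`, so the following `/usr/lib/systemd/system/puppetmaster.*` entry is redundant (harmless, since both map to `puppet_unit_file_t`, but one more line to maintain). Labeling `/usr/bin/start-puppet-master` as `puppet_exec_t` means the master now runs in `puppet_t`, consistent with the `typealias puppet_t alias puppetmaster_t` introduced in puppet.te. `/usr/sbin/puppetca` is dropped while `/usr/bin/puppetca` is kept, which is fine only if the sbin path no longer ships.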
@@ -68802,10 +68826,10 @@ index d68e26d..8d566fb 100644
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..9422c90 100644
+index 7cb8b1f..6357588 100644
--- a/puppet.if
+++ b/puppet.if
-@@ -1,4 +1,32 @@
+@@ -1,4 +1,50 @@
-## Configuration management system.
+## Puppet client daemon
+##
@@ -68817,29 +68841,47 @@ index 7cb8b1f..9422c90 100644
+##
+##
+
-+########################################
++#######################################
+##
-+## Execute puppet_master in the puppet_master
-+## domain.
++## Execute puppet_master in the puppet_master
++## domain.
+##
+##
+##
-+## Domain allowed to transition.
++## Domain allowed to transition.
+##
+##
+#
+interface(`puppet_domtrans_master',`
-+ gen_require(`
-+ type puppetmaster_t, puppetmaster_exec_t;
-+ ')
++ gen_require(`
++ type puppetmaster_t, puppetmaster_exec_t;
++ ')
++ refpolicywarn(`$0($*) has been deprecated.')
++')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
++########################################
++##
++## Execute puppet in the puppet
++## domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`puppet_domtrans',`
++ gen_require(`
++ type puppet_t, puppet_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, puppet_exec_t, puppet_t)
+')
########################################
##
-@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -40,16 +86,19 @@ interface(`puppet_domtrans_puppetca',`
#
interface(`puppet_run_puppetca',`
gen_require(`
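Review bot: The deprecated `puppet_domtrans_master` stub still does a `gen_require` of `puppetmaster_t, puppetmaster_exec_t`, but this same commit deletes `type puppetmaster_exec_t;` from puppet.te (only `puppetmaster_t` survives, as a typealias), so any remaining caller of the old interface either fails the policy build on an unknown type or is silently dropped when wrapped in `optional_policy`. The usual deprecation shape avoids that by forwarding: drop the `gen_require`, keep a `refpolicywarn` that names `puppet_domtrans()` as the replacement, and follow it with `puppet_domtrans($1)`. That keeps callers like the passenger one in this patch working until they migrate.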
@@ -68863,7 +68905,7 @@ index 7cb8b1f..9422c90 100644
##
##
##
-@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
+@@ -57,15 +106,13 @@ interface(`puppet_run_puppetca',`
##
##
#
@@ -68883,7 +68925,7 @@ index 7cb8b1f..9422c90 100644
')
################################################
-@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +125,164 @@ interface(`puppet_read_config',`
##
##
#
@@ -69057,15 +69099,15 @@ index 7cb8b1f..9422c90 100644
-##
-## Domain allowed access.
-##
-+##
-+## Domain allowed access.
-+##
- ##
+-##
-##
-##
-## Role allowed access.
-##
--##
++##
++## Domain allowed access.
++##
+ ##
-##
#
-interface(`puppet_admin',`
@@ -69075,14 +69117,14 @@ index 7cb8b1f..9422c90 100644
- type puppet_var_run_t, puppetmaster_tmp_t;
- type puppet_t, puppetca_t, puppetmaster_t;
- ')
--
-- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
+- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+-
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
@@ -69143,10 +69185,10 @@ index 7cb8b1f..9422c90 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index 618dcfe..f81c59f 100644
+index 618dcfe..ca66457 100644
--- a/puppet.te
+++ b/puppet.te
-@@ -6,15 +6,19 @@ policy_module(puppet, 1.4.0)
+@@ -6,25 +6,31 @@ policy_module(puppet, 1.4.0)
#
##
@@ -69168,11 +69210,25 @@ index 618dcfe..f81c59f 100644
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+##
+##
-+gen_tunable(puppetmaster_use_db, false)
++gen_tunable(puppet_use_db, false)
type puppet_t;
type puppet_exec_t;
-@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t)
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++typealias puppet_t alias puppetmaster_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+-type puppet_initrc_exec_t;
+-init_script_file(puppet_initrc_exec_t)
++type puppet_unit_file_t;
++systemd_unit_file(puppet_unit_file_t)
+
+ type puppet_log_t;
+ logging_log_file(puppet_log_t)
+@@ -37,52 +43,37 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
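Review bot: Renaming the boolean from `puppetmaster_use_db` to `puppet_use_db` discards any value administrators persisted with the old name, since booleans have no alias mechanism and the old one simply stops existing; either keep the old name or note the rename in the package changelog so the setting can be re-applied. The tunable's description a few lines up still reads `## Allow Puppet master to use connect to MySQL and PostgreSQL database`, which is now inaccurate on two counts: `puppet_t` is both agent and master after the `typealias`, and "to use connect" is a typo; suggest `## Allow Puppet (agent and master, puppet_t) to connect to MySQL and PostgreSQL databases`. Replacing `puppet_initrc_exec_t` with `puppet_unit_file_t` is consistent with the .fc change.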
@@ -69182,12 +69238,18 @@ index 618dcfe..f81c59f 100644
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
+-
+-type puppetmaster_t;
+-type puppetmaster_exec_t;
+-init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+-
+-type puppetmaster_initrc_exec_t;
+-init_script_file(puppetmaster_initrc_exec_t)
+-
+-type puppetmaster_tmp_t;
+-files_tmp_file(puppetmaster_tmp_t)
+role system_r types puppetca_t;
- type puppetmaster_t;
- type puppetmaster_exec_t;
-@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t)
-
########################################
#
-# Local policy
@@ -69228,7 +69290,7 @@ index 618dcfe..f81c59f 100644
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+@@ -91,43 +82,38 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
@@ -69262,6 +69324,7 @@ index 618dcfe..f81c59f 100644
-domain_interactive_fd(puppet_t)
domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
++domain_named_filetrans(puppet_t)
files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
@@ -69278,7 +69341,7 @@ index 618dcfe..f81c59f 100644
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)
-@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t)
+@@ -135,6 +121,8 @@ selinux_validate_context(puppet_t)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_ttys(puppet_t)
@@ -69287,7 +69350,7 @@ index 618dcfe..f81c59f 100644
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
-@@ -143,18 +138,19 @@ init_signull_script(puppet_t)
+@@ -143,18 +131,31 @@ init_signull_script(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
@@ -69309,86 +69372,31 @@ index 618dcfe..f81c59f 100644
tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
+ files_manage_non_security_files(puppet_t)
++')
++
++optional_policy(`
++ tunable_policy(`puppet_use_db',`
++ mysql_stream_connect(puppet_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`puppet_use_db',`
++ postgresql_stream_connect(puppet_t)
++ ')
')
optional_policy(`
-@@ -196,21 +192,86 @@ optional_policy(`
+@@ -196,21 +197,19 @@ optional_policy(`
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
-+ auth_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ bootloader_filetrans_config(puppet_t)
-+')
-+
-+optional_policy(`
-+ devicekit_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ dnsmasq_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ libs_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ miscfiles_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ modules_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ nx_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ postfix_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
+ openshift_initrc_domtrans(puppet_t)
-+')
-+
-+optional_policy(`
-+ quota_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ sysnet_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_home_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(puppet_t)
')
++
########################################
#
-# Ca local policy
@@ -69405,7 +69413,7 @@ index 618dcfe..f81c59f 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +220,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@@ -69413,7 +69421,7 @@ index 618dcfe..f81c59f 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
-@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +229,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
@@ -69429,148 +69437,107 @@ index 618dcfe..f81c59f 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +305,47 @@ optional_policy(`
+@@ -246,99 +243,7 @@ optional_policy(`
hostname_exec(puppetca_t)
')
-+optional_policy(`
-+ mta_sendmail_access_check(puppetca_t)
-+')
-+
-+
- ########################################
- #
+-########################################
+-#
-# Master local policy
-+# Pupper master personal policy
- #
-
- allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
- allow puppetmaster_t self:process { signal_perms getsched setsched };
- allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+-#
+-
+-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+-allow puppetmaster_t self:process { signal_perms getsched setsched };
+-allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
-+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
- allow puppetmaster_t self:socket create;
+-allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
-+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
-+allow puppetmaster_t self:udp_socket create_socket_perms;
-
+-
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
-+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-
+-
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
-+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
- logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
-
+-logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+-
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
-+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
-+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
-
+-
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
-+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
-+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
-+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
- files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
-
+-files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+-
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
-+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
-+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
- files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
-
- kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
- kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t)
- corecmd_exec_shell(puppetmaster_t)
-
- corenet_all_recvfrom_netlabel(puppetmaster_t)
+-files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+-
+-kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+-kernel_read_network_state(puppetmaster_t)
+-kernel_read_system_state(puppetmaster_t)
+-kernel_read_crypto_sysctls(puppetmaster_t)
+-kernel_read_kernel_sysctls(puppetmaster_t)
+-
+-corecmd_exec_bin(puppetmaster_t)
+-corecmd_exec_shell(puppetmaster_t)
+-
+-corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
- corenet_tcp_sendrecv_generic_if(puppetmaster_t)
- corenet_tcp_sendrecv_generic_node(puppetmaster_t)
- corenet_tcp_bind_generic_node(puppetmaster_t)
+-corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+-corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+-corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
- corenet_tcp_bind_puppet_port(puppetmaster_t)
+-corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
-+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-+corenet_tcp_connect_ntop_port(puppetmaster_t)
-+
-+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
-+corenet_udp_bind_generic_node(puppetmaster_t)
-+corenet_udp_bind_generic_port(puppetmaster_t)
-
- dev_read_rand(puppetmaster_t)
- dev_read_urand(puppetmaster_t)
- dev_search_sysfs(puppetmaster_t)
-
+-
+-dev_read_rand(puppetmaster_t)
+-dev_read_urand(puppetmaster_t)
+-dev_search_sysfs(puppetmaster_t)
+-
-domain_obj_id_change_exemption(puppetmaster_t)
- domain_read_all_domains_state(puppetmaster_t)
-+domain_obj_id_change_exemption(puppetmaster_t)
-
+-domain_read_all_domains_state(puppetmaster_t)
+-
-files_read_usr_files(puppetmaster_t)
-
- selinux_validate_context(puppetmaster_t)
-
-@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t)
- logging_send_syslog_msg(puppetmaster_t)
-
- miscfiles_read_generic_certs(puppetmaster_t)
+-
+-selinux_validate_context(puppetmaster_t)
+-
+-auth_use_nsswitch(puppetmaster_t)
+-
+-logging_send_syslog_msg(puppetmaster_t)
+-
+-miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
-
- seutil_read_file_contexts(puppetmaster_t)
-
- sysnet_run_ifconfig(puppetmaster_t, system_r)
-
-+mta_send_mail(puppetmaster_t)
-+
- optional_policy(`
+-
+-seutil_read_file_contexts(puppetmaster_t)
+-
+-sysnet_run_ifconfig(puppetmaster_t, system_r)
+-
+-optional_policy(`
- hostname_exec(puppetmaster_t)
-+ tunable_policy(`puppetmaster_use_db',`
-+ mysql_stream_connect(puppetmaster_t)
-+ ')
- ')
-
+-')
+-
optional_policy(`
- mta_send_mail(puppetmaster_t)
-+ tunable_policy(`puppetmaster_use_db',`
-+ postgresql_stream_connect(puppetmaster_t)
-+ ')
++ mta_sendmail_access_check(puppetca_t)
')
- optional_policy(`
+-optional_policy(`
- mysql_stream_connect(puppetmaster_t)
-+ systemd_dbus_chat_timedated(puppetmaster_t)
- ')
-
- optional_policy(`
+-')
+-
+-optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
-+ hostname_exec(puppetmaster_t)
- ')
-
- optional_policy(`
-@@ -342,3 +416,9 @@ optional_policy(`
- rpm_exec(puppetmaster_t)
- rpm_read_db(puppetmaster_t)
- ')
-+
-+optional_policy(`
-+ usermanage_access_check_groupadd(puppetmaster_t)
-+ usermanage_access_check_passwd(puppetmaster_t)
-+ usermanage_access_check_useradd(puppetmaster_t)
-+')
+-')
+-
+-optional_policy(`
+- files_read_usr_symlinks(puppetmaster_t)
+-
+- rpm_exec(puppetmaster_t)
+- rpm_read_db(puppetmaster_t)
+-')
diff --git a/pwauth.fc b/pwauth.fc
index 7e7b444..e2f8687 100644
--- a/pwauth.fc
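Review bot: This hunk deletes the entire master-side rule set for `puppetmaster_t` (among others `corenet_tcp_bind_puppet_port`, the `tcp_socket`/`udp_socket` create and listen rules, `corenet_udp_bind_generic_port`, `mta_send_mail`, `sysnet_run_ifconfig(..., system_r)` and the `usermanage_access_check_*` block) on the basis that `puppetmaster_t` is now an alias of `puppet_t`, yet no hunk in this diff adds equivalents for `puppet_t`. Unless puppet_t's own rules outside these hunks already carry the server side (the bind on the puppet port in particular), a master started via `/usr/bin/start-puppet-master` will be denied the listen/bind it needs; conversely, every agent now holds whatever server rules puppet_t does have. Please confirm which is the case, and keep the `# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.` note wherever the udp bind rule lands, since it documents a known quirk.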
@@ -75718,10 +75685,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..a7e8263 100644
+index 47de2d6..5ad36aa 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,86 @@
+@@ -1,31 +1,88 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -75780,6 +75747,8 @@ index 47de2d6..a7e8263 100644
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.sock.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
+# cluster administrative domains file spec
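Review bot: The two new entries `/var/run/haproxy\.stat.*` and `/var/run/haproxy\.sock.*` carry the `--` file-type specifier, which matches regular files only; if these paths are the haproxy stats/admin UNIX sockets their names suggest, they are created as sock_file objects and this spec would never label them, so `-s` is the specifier they would need. Whether they are sockets or regular files is not visible on this page, so confirm what haproxy actually creates before changing it. A comment such as `# haproxy stats/admin socket paths` above the two lines would record the intent either way.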
@@ -76594,7 +76563,7 @@ index c8bdea2..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..8980ac4 100644
+index 6cf79c4..ec50831 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -77078,7 +77047,7 @@ index 6cf79c4..8980ac4 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -77094,13 +77063,14 @@ index 6cf79c4..8980ac4 100644
+#
+
+# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability dac_override;
++allow haproxy_t self:capability { dac_override kill };
+
+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:process { fork setrlimit signal_perms };
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
-+allow haproxy_t self:tcp_socket { accept listen };
++allow haproxy_t self:tcp_socket create_stream_socket_perms;
++allow haproxy_t self: udp_socket create_socket_perms;
+
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
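Review bot: The comment `# bug in haproxy and process vs pid owner` now heads a rule that also grants the `kill` capability, which lets haproxy_t signal processes it does not own and is not explained by that comment; either move `kill` into the second `self:capability` rule below or extend the comment to say what needs it. The two adjacent `self:capability` rules for haproxy_t could be one rule, which is what the changelog's "remove dup rules from haproxy.te" entry suggests was intended. Also `self: udp_socket` has a stray space after the colon; write it `allow haproxy_t self:udp_socket create_socket_perms;` to match the surrounding rules.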
@@ -77108,6 +77078,8 @@ index 6cf79c4..8980ac4 100644
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
++corenet_sendrecv_unlabeled_packets(haproxy_t)
++
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
@@ -77131,7 +77103,7 @@ index 6cf79c4..8980ac4 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -81809,10 +81781,10 @@ index 0000000..0ec3302
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
-index 0000000..52a39f8
+index 0000000..9a5164c
--- /dev/null
+++ b/rtas.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,95 @@
+policy_module(rtas, 1.0.0)
+
+########################################
@@ -81836,13 +81808,19 @@ index 0000000..52a39f8
+type rtas_errd_unit_file_t;
+systemd_unit_file(rtas_errd_unit_file_t)
+
++type rtas_errd_tmp_t;
++files_tmp_file(rtas_errd_tmp_t)
++
++type rtas_errd_tmpfs_t;
++files_tmpfs_file(rtas_errd_tmpfs_t)
++
+########################################
+#
+# rtas_errd local policy
+#
+
-+allow rtas_errd_t self:capability { chown sys_admin };
-+allow rtas_errd_t self:process fork;
++allow rtas_errd_t self:capability { net_admin chown sys_admin };
++allow rtas_errd_t self:process { fork signull };
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
+
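Review bot: `net_admin` is added to the rtas_errd_t self:capability set with nothing in the hunk or the changelog entry ("update rtas_errd policy") saying which operation needs it; CAP_NET_ADMIN is broad (interface, routing and socket configuration), so a one-line comment naming the trigger would help the next reviewer, e.g. `# net_admin: needed for <operation from the AVC> -- TODO confirm` above the rule. The `kernel_read_network_state(rtas_errd_t)` added in the following hunk suggests network inspection, which on its own would not require net_admin, but that cannot be confirmed from this page.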
@@ -81860,7 +81838,19 @@ index 0000000..52a39f8
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
+
++manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
++
++manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
++
++kernel_read_all_sysctls(rtas_errd_t)
+kernel_read_system_state(rtas_errd_t)
++kernel_read_network_state(rtas_errd_t)
++
++domain_read_all_domains_state(rtas_errd_t)
+
+auth_use_nsswitch(rtas_errd_t)
+
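Review bot: `domain_read_all_domains_state(rtas_errd_t)` and `kernel_read_all_sysctls(rtas_errd_t)` let the daemon read the /proc state of every domain on the system and every sysctl, which is wider than the tmp/tmpfs and nvram access the rest of this file deals with; if the AVCs that motivated them named a specific process or sysctl tree, a narrower interface would keep the grant proportionate. If the breadth is deliberate, a short comment above these two lines saying why all domains and all sysctls are needed would stop a later reviewer from trimming them.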
@@ -81870,11 +81860,26 @@ index 0000000..52a39f8
+dev_read_urand(rtas_errd_t)
+dev_read_raw_memory(rtas_errd_t)
+dev_write_raw_memory(rtas_errd_t)
++dev_read_sysfs(rtas_errd_t)
++dev_rw_nvram(rtas_errd_t)
+
+files_manage_system_db_files(rtas_errd_t)
+
++logging_send_syslog_msg(rtas_errd_t)
+logging_read_generic_logs(rtas_errd_t)
+
++optional_policy(`
++ hostname_exec(rtas_errd_t)
++')
++
++optional_policy(`
++ rpm_exec(rtas_errd_t)
++ rpm_dontaudit_manage_db(rtas_errd_t)
++')
++
++optional_policy(`
++ unconfined_domain(rtas_errd_t)
++')
diff --git a/rtkit.if b/rtkit.if
index e904ec4..e0dd20e 100644
--- a/rtkit.if
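Review bot: `unconfined_domain(rtas_errd_t)` at the end of rtas.te makes the domain effectively unconfined on any system where the unconfined module is present, so none of the narrower rules above it (raw memory and nvram access, the new tmp/tmpfs types, all-sysctl and all-domain-state reads) is what actually bounds the daemon there. If this is an interim state for a domain that is still being confined, say so next to the call, e.g. `# rtas_errd is not yet fully confined; remove once the rules above cover its AVCs`, so the file is not mistaken for a finished policy. If the rules above are believed complete, dropping the unconfined_domain call and validating in permissive mode would show whether anything is still missing.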
@@ -85849,7 +85854,7 @@ index 98c9e0a..d4aa009 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 299756b..453eb03 100644
+index 299756b..4c33d02 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -85982,7 +85987,7 @@ index 299756b..453eb03 100644
+
+auth_use_nsswitch(sblim_sfcbd_t)
+
-+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
++corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+
+dev_read_rand(sblim_sfcbd_t)
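Review bot: `corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)` is replaced by `corenet_tcp_bind_pegasus_http_port`, so the domain loses its permission to bind the HTTPS port rather than gaining the HTTP one in addition; if sfcbd can serve both listeners, its TLS listener would now be denied. If both are wanted the https line should stay and the http line be added beside it. Nothing in the changelog mentions sblim, so the intent cannot be confirmed from this page.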
@@ -89158,7 +89163,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 9dcaeb8..2537e6c 100644
+index 9dcaeb8..490a046 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -89214,7 +89219,14 @@ index 9dcaeb8..2537e6c 100644
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
-@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t)
+@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t)
+ storage_dontaudit_read_fixed_disk(snmpd_t)
+ storage_dontaudit_read_removable_device(snmpd_t)
+ storage_dontaudit_write_removable_device(snmpd_t)
++storage_getattr_fixed_disk_dev(snmpd_t)
++storage_getattr_removable_dev(snmpd_t)
+
+ auth_use_nsswitch(snmpd_t)
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
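Review bot: The new `storage_getattr_fixed_disk_dev` and `storage_getattr_removable_dev` lines sit directly under `storage_dontaudit_read_*` calls for the same devices, and the contrast (stat allowed, reads silently denied) is easy to misread as a conflict. A comment such as `# snmpd needs to stat block devices but must not read them -- TODO confirm against the AVC` would make the split deliberate.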
@@ -89228,7 +89240,7 @@ index 9dcaeb8..2537e6c 100644
seutil_dontaudit_search_config(snmpd_t)
-@@ -131,7 +133,11 @@ optional_policy(`
+@@ -131,7 +135,11 @@ optional_policy(`
')
optional_policy(`
@@ -89241,7 +89253,7 @@ index 9dcaeb8..2537e6c 100644
')
optional_policy(`
-@@ -140,6 +146,7 @@ optional_policy(`
+@@ -140,6 +148,7 @@ optional_policy(`
optional_policy(`
mta_read_config(snmpd_t)
@@ -97878,7 +97890,7 @@ index a4f20bc..6351bcb 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..f2c0191 100644
+index facdee8..88dcafb 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -99400,7 +99412,7 @@ index facdee8..f2c0191 100644
##
##
##
-@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -99424,7 +99436,7 @@ index facdee8..f2c0191 100644
##
-##
+##
- ##
++##
+## Prefix for the domain.
+##
+##
@@ -99441,6 +99453,8 @@ index facdee8..f2c0191 100644
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
++ logging_send_syslog_msg($1_t)
++
+ kernel_read_system_state($1_t)
+')
+
@@ -99449,7 +99463,7 @@ index facdee8..f2c0191 100644
+## Make the specified type usable as a lxc domain
+##
+##
-+##
+ ##
+## Type to be used as a lxc domain
+##
+##
@@ -99546,7 +99560,7 @@ index facdee8..f2c0191 100644
##
##
##
-@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -99620,7 +99634,7 @@ index facdee8..f2c0191 100644
##
##
##
-@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -99693,10 +99707,10 @@ index facdee8..f2c0191 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..fb96958 100644
+index f03dcf5..fe84861 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,197 @@
+@@ -1,150 +1,212 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -99834,23 +99848,37 @@ index f03dcf5..fb96958 100644
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
--
--attribute svirt_lxc_domain;
+##
+##
+## Allow confined virtual guests to use usb devices
+##
+##
+gen_tunable(virt_use_usb, true)
++
++##
++##
++## Allow sandbox containers to manage nfs files
++##
++##
++gen_tunable(virt_sandbox_use_nfs, false)
++
++##
++##
++## Allow sandbox containers to manage samba/cifs files
++##
++##
++gen_tunable(virt_sandbox_use_samba, false)
--attribute_role virt_domain_roles;
--roleattribute system_r virt_domain_roles;
+-attribute svirt_lxc_domain;
+##
+##
+## Allow sandbox containers to send audit messages
+
+-attribute_role virt_domain_roles;
+-roleattribute system_r virt_domain_roles;
+##
+##
-+gen_tunable(virt_sandbox_use_audit, false)
++gen_tunable(virt_sandbox_use_audit, true)
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
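Review bot: `virt_sandbox_use_nfs` and `virt_sandbox_use_samba` are declared here, but the later hunk in this file that adds NFS and CIFS access for svirt_sandbox_domain (`@@ -101383,6 +101418,18 @@`) gates those rules on `virt_use_nfs` and `virt_use_samba`, and nothing in the visible hunks references the two new booleans; as written they do nothing, while turning on the existing virt_use_* booleans for guests now also opens the sandbox domains. The tunable_policy blocks in that hunk should read `tunable_policy(`virt_sandbox_use_nfs',` and `tunable_policy(`virt_sandbox_use_samba',` respectively, which is what the changelog entry "Add booleans to allow docker processes to use nfs and samba" describes. Separately, `virt_sandbox_use_audit` changes its default to `true`; the changelog records this, and the boolean's description block above could say that audit messages are allowed by default so the documentation matches.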
@@ -99877,10 +99905,10 @@ index f03dcf5..fb96958 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
-+
-+type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
++type qemu_exec_t, virt_file_type;
++
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -99965,7 +99993,7 @@ index f03dcf5..fb96958 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +200,132 @@ ifdef(`enable_mls',`
+@@ -153,299 +215,132 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -100228,16 +100256,16 @@ index f03dcf5..fb96958 100644
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -100340,7 +100368,7 @@ index f03dcf5..fb96958 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +335,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +350,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -100387,7 +100415,7 @@ index f03dcf5..fb96958 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +370,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +385,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -100418,7 +100446,7 @@ index f03dcf5..fb96958 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +391,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +406,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -100446,7 +100474,7 @@ index f03dcf5..fb96958 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +411,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +426,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -100479,7 +100507,7 @@ index f03dcf5..fb96958 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +462,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +477,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -100499,7 +100527,7 @@ index f03dcf5..fb96958 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +484,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +499,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -100536,7 +100564,7 @@ index f03dcf5..fb96958 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +512,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +527,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -100545,7 +100573,7 @@ index f03dcf5..fb96958 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +537,12 @@ optional_policy(`
+@@ -665,20 +552,12 @@ optional_policy(`
')
optional_policy(`
@@ -100566,7 +100594,7 @@ index f03dcf5..fb96958 100644
')
optional_policy(`
-@@ -691,20 +555,26 @@ optional_policy(`
+@@ -691,20 +570,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -100597,7 +100625,7 @@ index f03dcf5..fb96958 100644
')
optional_policy(`
-@@ -712,11 +582,13 @@ optional_policy(`
+@@ -712,11 +597,13 @@ optional_policy(`
')
optional_policy(`
@@ -100611,7 +100639,7 @@ index f03dcf5..fb96958 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +599,18 @@ optional_policy(`
+@@ -727,10 +614,18 @@ optional_policy(`
')
optional_policy(`
@@ -100630,7 +100658,7 @@ index f03dcf5..fb96958 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +626,277 @@ optional_policy(`
+@@ -746,44 +641,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -100658,23 +100686,18 @@ index f03dcf5..fb96958 100644
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
+-
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
+dontaudit virt_domain virt_content_t:dir write;
-
--manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
-
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -100684,15 +100707,17 @@ index f03dcf5..fb96958 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -100724,14 +100749,18 @@ index f03dcf5..fb96958 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--allow virsh_t svirt_lxc_domain:process transition;
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+dontaudit virt_domain virt_tmpfs_type:file { read write };
--can_exec(virsh_t, virsh_exec_t)
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+
+-can_exec(virsh_t, virsh_exec_t)
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -100763,7 +100792,7 @@ index f03dcf5..fb96958 100644
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
-+
+
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
@@ -100772,7 +100801,7 @@ index f03dcf5..fb96958 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
@@ -100930,7 +100959,7 @@ index f03dcf5..fb96958 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +907,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +922,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -100957,7 +100986,7 @@ index f03dcf5..fb96958 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +927,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +942,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -100991,7 +101020,7 @@ index f03dcf5..fb96958 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +964,20 @@ optional_policy(`
+@@ -856,14 +979,20 @@ optional_policy(`
')
optional_policy(`
@@ -101013,7 +101042,7 @@ index f03dcf5..fb96958 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1002,65 @@ optional_policy(`
+@@ -888,49 +1017,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -101097,7 +101126,7 @@ index f03dcf5..fb96958 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1072,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1087,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -101117,7 +101146,7 @@ index f03dcf5..fb96958 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1093,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1108,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -101141,7 +101170,7 @@ index f03dcf5..fb96958 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1118,275 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1133,297 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -101199,6 +101228,10 @@ index f03dcf5..fb96958 100644
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+
++tunable_policy(`deny_ptrace',`',`
++ allow svirt_sandbox_domain self:process ptrace;
++')
++
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -101272,21 +101305,6 @@ index f03dcf5..fb96958 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ docker_read_share_files(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ docker_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -101371,6 +101389,23 @@ index f03dcf5..fb96958 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ docker_manage_lib_files(svirt_lxc_net_t)
++ docker_manage_lib_dirs(svirt_lxc_net_t)
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
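Review bot: `docker_manage_lib_files(svirt_lxc_net_t)` and `docker_manage_lib_dirs(svirt_lxc_net_t)` give every container process in svirt_lxc_net_t write access to the whole docker library tree; if that type also covers image layers and other containers' data, one container can modify content the daemon and its neighbours trust, which undercuts the per-container separation the sandbox types provide. If only a sub-path is needed, a dedicated type with a filetrans, or at least a default-off tunable like the nfs/samba ones added in this file, would keep the default policy tight. These two rules are also svirt_lxc_net_t-specific but sit inside the svirt_sandbox_domain optional block; moving them next to the other svirt_lxc_net_t rules later in the file would keep the sections coherent.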
@@ -101383,6 +101418,18 @@ index f03dcf5..fb96958 100644
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(svirt_sandbox_domain)
++ fs_manage_nfs_files(svirt_sandbox_domain)
++ fs_read_nfs_symlinks(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_use_samba',`
++ fs_manage_nfs_files(svirt_sandbox_domain)
++ fs_manage_cifs_files(svirt_sandbox_domain)
++ fs_read_cifs_symlinks(svirt_sandbox_domain)
')
########################################
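Review bot: The `virt_use_samba` block contains `fs_manage_nfs_files(svirt_sandbox_domain)`, which looks copied from the NFS block above it: it grants NFS file management when only the samba boolean is on. To mirror the NFS block's dirs/files/symlinks triple it should be `fs_manage_cifs_dirs(svirt_sandbox_domain)`, or simply be dropped if directory management is not needed.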
@@ -101409,10 +101456,6 @@ index f03dcf5..fb96958 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
-+
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -101424,6 +101467,13 @@ index f03dcf5..fb96958 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
+
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -101432,14 +101482,11 @@ index f03dcf5..fb96958 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@@ -101458,15 +101505,16 @@ index f03dcf5..fb96958 100644
+fs_manage_cgroup_files(svirt_lxc_net_t)
+# Needed for docker
+fs_unmount_xattr_fs(svirt_lxc_net_t)
-
--auth_use_nsswitch(svirt_lxc_net_t)
++
+term_pty(svirt_sandbox_file_t)
+ auth_use_nsswitch(svirt_lxc_net_t)
+
-logging_send_audit_msgs(svirt_lxc_net_t)
-+auth_use_nsswitch(svirt_lxc_net_t)
++rpm_read_db(svirt_lxc_net_t)
-userdom_use_user_ptys(svirt_lxc_net_t)
-+rpm_read_db(svirt_lxc_net_t)
++logging_send_syslog_msg(svirt_lxc_net_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
@@ -101522,19 +101570,21 @@ index f03dcf5..fb96958 100644
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
+
++logging_send_syslog_msg(svirt_qemu_net_t)
++
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_qemu_net_t)
+')
@@ -101555,7 +101605,7 @@ index f03dcf5..fb96958 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1399,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1436,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -101570,7 +101620,7 @@ index f03dcf5..fb96958 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1417,8 @@ optional_policy(`
+@@ -1192,9 +1454,8 @@ optional_policy(`
########################################
#
@@ -101581,7 +101631,7 @@ index f03dcf5..fb96958 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1431,210 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1468,218 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -101766,6 +101816,8 @@ index f03dcf5..fb96958 100644
+
+rpm_read_db(svirt_kvm_net_t)
+
++logging_send_syslog_msg(svirt_kvm_net_t)
++
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_kvm_net_t)
+')
@@ -101792,8 +101844,14 @@ index f03dcf5..fb96958 100644
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
+optional_policy(`
++ sssd_stream_connect(sandbox_net_domain)
++')
++
++optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
++
++
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
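Review bot: Two empty lines are appended after the final optional_policy block of virt.te (the two trailing `+` lines at the end of the hunk), leaving blank lines at end of file; drop them. The `sssd_stream_connect(sandbox_net_domain)` addition itself follows the existing pattern and needs no change.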
@@ -101949,10 +102007,10 @@ index 0000000..7933d80
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..d59b917
+index 0000000..1928ad9
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,96 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -102042,6 +102100,8 @@ index 0000000..d59b917
+corecmd_exec_bin(vmtools_helper_t)
+
+userdom_stream_connect(vmtools_helper_t)
++userdom_use_inherited_user_ttys(vmtools_helper_t)
++userdom_use_inherited_user_ptys(vmtools_helper_t)
+
+optional_policy(`
+ unconfined_domain(vmtools_helper_t)
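Review bot: `userdom_use_inherited_user_ttys` and `userdom_use_inherited_user_ptys` for vmtools_helper_t are added directly above `optional_policy(` unconfined_domain(vmtools_helper_t) `)`, so on a build where the unconfined module is present they are subsumed and only matter once that call goes away. That is fine as preparation for confining the domain, but a comment such as `# rules above are kept so the domain works once unconfined_domain is removed` would make the intent clear to whoever next trims this file.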
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bbe6d97..1affd65 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -584,6 +584,34 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Mar 25 2014 Miroslav Grepl 3.13.1-39
+- Manage_service_perms should include enable and disable, need backport to RHEL7
+- Allow also unpriv user to run vmtools
+- Allow secadm to read /dev/urandom and meminfo
+- Add userdom_tmp_role for secadm_t
+- Allow postgresql to read network state
+- Add a new file context for /var/named/chroot/run directory
+- Add booleans to allow docker processes to use nfs and samba
+- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
+- Allow puppet stream connect to mysql
+- Fixed some rules related to puppet policy
+- Allow vmware-user-sui to use user ttys
+- Allow talk 2 users logged via console too
+- Additional avcs for docker when running tests
+- allow anaconda to dbus chat with systemd-localed
+- clean up rhcs.te
+- remove dup rules from haproxy.te
+- Add fixes for haproxy based on bperkins@redhat.com
+- Allow cmirrord to make dmsetup working
+- Allow NM to execute arping
+- Allow users to send messages through talk
+- update rtas_errd policy
+- Add support for /var/spool/rhsm/debug
+- Make virt_sandbox_use_audit as True by default
+- Allow svirt_sandbox_domains to ptrace themselves
+- Allow snmpd to getattr on removeable and fixed disks
+- Allow docker containers to manage /var/lib/docker content
+
* Mon Mar 17 2014 Miroslav Grepl 3.13.1-38
- Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state