diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e5011b6..d6b7e2e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8272,7 +8272,7 @@ index 6529bd9..831344c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..1e738dd 100644 +index 6a1e4d1..47a42d5 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -8415,7 +8415,7 @@ index 6a1e4d1..1e738dd 100644 ## Unconfined access to domains. ## ## -@@ -1530,4 +1561,27 @@ interface(`domain_unconfined',` +@@ -1530,4 +1561,45 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -8442,9 +8442,27 @@ index 6a1e4d1..1e738dd 100644 + ') + + dontaudit $1 domain:socket_class_set { read write }; ++') ++ ++######################################## ++## ++## Allow caller to transition to any domain ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`domain_transition_all',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:process transition; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..ff7c2ff 100644 +index cf04cb5..bcaf613 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8551,16 +8569,17 @@ index cf04cb5..ff7c2ff 100644 ') optional_policy(` -@@ -133,6 +189,8 @@ optional_policy(` +@@ -133,6 +189,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) + xserver_dontaudit_write_log(domain) ++ xserver_dontaudit_xdm_rw_stream_sockets(domain) ') ######################################## -@@ -147,12 +205,18 @@ optional_policy(` +@@ -147,12 +206,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -8580,7 +8599,7 @@ index cf04cb5..ff7c2ff 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -18362,10 +18381,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..9de7a1f +index 0000000..3c3b9b3 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,330 @@ +@@ -0,0 +1,331 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18445,6 +18464,7 @@ index 0000000..9de7a1f + +unconfined_domain_noaudit(unconfined_t) +domain_named_filetrans(unconfined_t) ++domain_transition_all(unconfined_t) + +usermanage_run_passwd(unconfined_t, unconfined_r) + @@ -20187,7 +20207,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..994eec2 100644 +index 5fc0391..3448145 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20297,11 +20317,13 @@ index 5fc0391..994eec2 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) ++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file) ++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh") +userdom_read_all_users_keys(ssh_t) +userdom_stream_connect(ssh_t) +userdom_search_admin_dir(sshd_t) @@ -20342,7 +20364,7 @@ index 5fc0391..994eec2 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t) +@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) @@ -20404,7 +20426,7 @@ index 5fc0391..994eec2 100644 ') optional_policy(` -@@ -195,6 +218,7 @@ optional_policy(` +@@ -195,6 +220,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20412,7 +20434,7 @@ index 5fc0391..994eec2 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20420,7 +20442,7 @@ index 5fc0391..994eec2 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +248,53 @@ optional_policy(` +@@ -223,33 +250,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20447,6 +20469,7 @@ index 5fc0391..994eec2 100644 # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) ++corenet_tcp_bind_vnc_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +auth_exec_login_program(sshd_t) @@ -20483,7 +20506,7 @@ index 5fc0391..994eec2 100644 ') optional_policy(` -@@ -257,11 +302,24 @@ optional_policy(` +@@ -257,11 +305,24 @@ optional_policy(` ') optional_policy(` @@ -20509,7 +20532,7 @@ index 5fc0391..994eec2 100644 ') optional_policy(` -@@ -269,6 +327,10 @@ optional_policy(` +@@ -269,6 +330,10 @@ optional_policy(` ') optional_policy(` @@ -20520,7 +20543,7 @@ index 5fc0391..994eec2 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +341,69 @@ optional_policy(` +@@ -279,13 +344,69 @@ optional_policy(` ') optional_policy(` @@ -20590,7 +20613,7 @@ index 5fc0391..994eec2 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +412,26 @@ optional_policy(` +@@ -294,19 +415,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20618,7 +20641,7 @@ index 5fc0391..994eec2 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20631,7 +20654,7 @@ index 5fc0391..994eec2 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +462,138 @@ optional_policy(` +@@ -331,3 +465,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -29942,7 +29965,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..799d194 100644 +index c04ac46..ed59137 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -30066,7 +30089,7 @@ index c04ac46..799d194 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -30088,6 +30111,7 @@ index c04ac46..799d194 100644 +auth_use_nsswitch(sulogin_t) init_getpgid_script(sulogin_t) ++init_getpgid(sulogin_t) logging_send_syslog_msg(sulogin_t) @@ -30124,7 +30148,7 @@ index c04ac46..799d194 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -31490,7 +31514,7 @@ index e8c59a5..d2df072 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..a70c055 100644 +index 9fe8e01..83acb32 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` @@ -31509,7 +31533,7 @@ index 9fe8e01..a70c055 100644 ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,14 +39,10 @@ ifdef(`distro_redhat',` +@@ -37,24 +39,20 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -31521,19 +31545,25 @@ index 9fe8e01..a70c055 100644 /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +-/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -53,6 +51,7 @@ ifdef(`distro_redhat',` - /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) - /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) - -+/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +-/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) +- ++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) ++/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) ++/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) + + /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -77,7 +76,7 @@ ifdef(`distro_redhat',` +@@ -77,7 +75,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) @@ -31542,7 +31572,7 @@ index 9fe8e01..a70c055 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +89,7 @@ ifdef(`distro_debian',` +@@ -90,6 +88,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -31777,10 +31807,10 @@ index d6293de..8f8d80d 100644 # # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc -index 9933677..b155a0d 100644 +index 9933677..ca14c17 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc -@@ -23,3 +23,13 @@ ifdef(`distro_gentoo',` +@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',` /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) @@ -31794,6 +31824,8 @@ index 9933677..b155a0d 100644 +/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) + +/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) ++ ++/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 7449974..6375786 100644 --- a/policy/modules/system/modutils.if @@ -31900,7 +31932,7 @@ index 7449974..6375786 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a49e28..de1dcdd 100644 +index 7a49e28..82004c9 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) @@ -31912,13 +31944,16 @@ index 7a49e28..de1dcdd 100644 type depmod_t; type depmod_exec_t; -@@ -16,11 +16,12 @@ type insmod_t; +@@ -16,11 +16,15 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) role system_r types insmod_t; ++type insmod_var_run_t; ++files_pid_file(insmod_var_run_t) ++ # module loading config type modules_conf_t; -files_type(modules_conf_t) @@ -31926,7 +31961,7 @@ index 7a49e28..de1dcdd 100644 # module dependencies type modules_dep_t; -@@ -29,12 +30,16 @@ files_type(modules_dep_t) +@@ -29,12 +33,16 @@ files_type(modules_dep_t) type update_modules_t; type update_modules_exec_t; init_system_domain(update_modules_t, update_modules_exec_t) @@ -31945,7 +31980,7 @@ index 7a49e28..de1dcdd 100644 ######################################## # # depmod local policy -@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t) +@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -31961,7 +31996,7 @@ index 7a49e28..de1dcdd 100644 fs_getattr_xattr_fs(depmod_t) -@@ -69,10 +77,12 @@ init_use_fds(depmod_t) +@@ -69,10 +80,12 @@ init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) @@ -31975,7 +32010,7 @@ index 7a49e28..de1dcdd 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',` +@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',` ') ') @@ -31990,7 +32025,7 @@ index 7a49e28..de1dcdd 100644 ') optional_policy(` -@@ -94,7 +100,6 @@ optional_policy(` +@@ -94,7 +103,6 @@ optional_policy(` ') optional_policy(` @@ -31998,7 +32033,7 @@ index 7a49e28..de1dcdd 100644 unconfined_domain(depmod_t) ') -@@ -103,11 +108,12 @@ optional_policy(` +@@ -103,11 +111,12 @@ optional_policy(` # insmod local policy # @@ -32012,8 +32047,14 @@ index 7a49e28..de1dcdd 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -117,14 +123,18 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) + list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) + read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) ++manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) ++manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) ++files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file }) ++ can_exec(insmod_t, insmod_exec_t) +manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) @@ -32032,7 +32073,7 @@ index 7a49e28..de1dcdd 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -32040,7 +32081,7 @@ index 7a49e28..de1dcdd 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t) +@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) @@ -32083,7 +32124,7 @@ index 7a49e28..de1dcdd 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +203,33 @@ optional_policy(` +@@ -184,28 +210,33 @@ optional_policy(` ') optional_policy(` @@ -32107,24 +32148,24 @@ index 7a49e28..de1dcdd 100644 optional_policy(` - mount_domtrans(insmod_t) + hal_write_log(insmod_t) ++') ++ ++optional_policy(` ++ hotplug_search_config(insmod_t) ') optional_policy(` - nis_use_ypbind(insmod_t) -+ hotplug_search_config(insmod_t) ++ kdump_manage_kdumpctl_tmp_files(insmod_t) ') optional_policy(` - nscd_use(insmod_t) -+ kdump_manage_kdumpctl_tmp_files(insmod_t) -+') -+ -+optional_policy(` + mount_domtrans(insmod_t) ') optional_policy(` -@@ -225,6 +249,7 @@ optional_policy(` +@@ -225,6 +256,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -32132,7 +32173,7 @@ index 7a49e28..de1dcdd 100644 ') optional_policy(` -@@ -233,6 +258,10 @@ optional_policy(` +@@ -233,6 +265,10 @@ optional_policy(` ') optional_policy(` @@ -32143,7 +32184,7 @@ index 7a49e28..de1dcdd 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -36528,7 +36569,7 @@ index 0000000..1a254f8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..13712f9 +index 0000000..6379489 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,661 @@ @@ -36821,8 +36862,8 @@ index 0000000..13712f9 +dev_relabel_all_sysfs(systemd_tmpfiles_t) +dev_relabel_cpu_online(systemd_tmpfiles_t) +dev_read_cpu_online(systemd_tmpfiles_t) -+dev_manage_printer(systemd_tmpfiles_t) -+dev_relabel_printer(systemd_tmpfiles_t) ++dev_manage_all_dev_nodes(systemd_tmpfiles_t) ++dev_relabel_all_dev_nodes(systemd_tmpfiles_t) + +domain_obj_id_change_exemption(systemd_tmpfiles_t) + @@ -38573,7 +38614,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..33a39dc 100644 +index 3c5dba7..89012c2 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -41257,7 +41298,7 @@ index 3c5dba7..33a39dc 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4214,1455 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4214,1454 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42618,9 +42659,8 @@ index 3c5dba7..33a39dc 100644 + gen_require(` + attribute userdom_home_manager_type; + ') -+ typeattribute $1 userdom_home_manager_type; + -+ userdom_filetrans_home_content($1) ++ typeattribute $1 userdom_home_manager_type; +') + +######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9800f7e..1ab902e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2577,10 +2577,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..badbc17 +index 0000000..0c9dc73 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,256 @@ +@@ -0,0 +1,257 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2757,7 +2757,8 @@ index 0000000..badbc17 + +tunable_policy(`antivirus_can_scan_system',` + files_read_non_security_files(antivirus_domain) -+ files_dontaudit_read_all_non_security_files(antivirus_domain) ++ #files_dontaudit_read_all_non_security_files(antivirus_domain) ++ files_dontaudit_read_security_files(antivirus_domain) + files_getattr_all_pipes(antivirus_domain) + files_getattr_all_sockets(antivirus_domain) + dev_getattr_all_blk_files(antivirus_domain) @@ -9351,7 +9352,7 @@ index 1b22262..bf0cefa 100644 + ') ') diff --git a/bugzilla.te b/bugzilla.te -index 41f8251..464107b 100644 +index 41f8251..57f094e 100644 --- a/bugzilla.te +++ b/bugzilla.te @@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4) @@ -9372,7 +9373,7 @@ index 41f8251..464107b 100644 corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -@@ -27,11 +29,19 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) +@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) @@ -9385,6 +9386,8 @@ index 41f8251..464107b 100644 -sysnet_dns_name_resolve(httpd_bugzilla_script_t) +auth_read_passwd(httpd_bugzilla_script_t) + ++dev_read_sysfs(httpd_bugzilla_script_t) ++ +sysnet_read_config(httpd_bugzilla_script_t) sysnet_use_ldap(httpd_bugzilla_script_t) @@ -13077,7 +13080,7 @@ index 3fe3cb8..b8e08c6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..c0501e0 100644 +index 3f2b672..8dee63d 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -13090,7 +13093,7 @@ index 3f2b672..c0501e0 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -57,10 +60,14 @@ condor_domain_template(startd) +@@ -57,10 +60,15 @@ condor_domain_template(startd) # Global local policy # @@ -13104,15 +13107,11 @@ index 3f2b672..c0501e0 100644 +allow condor_domain self:tcp_socket create_stream_socket_perms; +allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms; ++allow condor_domain self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; - - kernel_read_kernel_sysctls(condor_domain) - kernel_read_network_state(condor_domain) --kernel_read_system_state(condor_domain) - +@@ -91,8 +99,6 @@ kernel_read_system_state(condor_domain) corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) @@ -13121,7 +13120,7 @@ index 3f2b672..c0501e0 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +110,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +112,7 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13132,7 +13131,7 @@ index 3f2b672..c0501e0 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +127,7 @@ optional_policy(` +@@ -125,7 +129,7 @@ optional_policy(` # Master local policy # @@ -13141,7 +13140,7 @@ index 3f2b672..c0501e0 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +137,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -13152,7 +13151,7 @@ index 3f2b672..c0501e0 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -150,7 +158,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) domain_read_all_domains_state(condor_master_t) @@ -13161,7 +13160,7 @@ index 3f2b672..c0501e0 100644 optional_policy(` mta_send_mail(condor_master_t) -@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +177,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13170,7 +13169,7 @@ index 3f2b672..c0501e0 100644 ##################################### # # Negotiator local policy -@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +188,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13179,7 +13178,7 @@ index 3f2b672..c0501e0 100644 ###################################### # # Procd local policy -@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +213,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13188,7 +13187,7 @@ index 3f2b672..c0501e0 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +223,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13197,7 +13196,7 @@ index 3f2b672..c0501e0 100644 ##################################### # # Startd local policy -@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +249,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13210,7 +13209,7 @@ index 3f2b672..c0501e0 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +262,7 @@ optional_policy(` +@@ -249,3 +264,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -15273,7 +15272,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..0c0f4f2 100644 +index 28e1b86..bf91ba9 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -15888,7 +15887,7 @@ index 28e1b86..0c0f4f2 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -15896,6 +15895,9 @@ index 28e1b86..0c0f4f2 100644 - seutil_read_config(system_cronjob_t) ++userdom_manage_tmpfs_files(system_cronjob_t, file) ++userdom_tmpfs_filetrans(system_cronjob_t, file) ++ ifdef(`distro_redhat',` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + allow crond_t system_cron_spool_t:file manage_file_perms; @@ -15915,7 +15917,7 @@ index 28e1b86..0c0f4f2 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -15933,7 +15935,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -546,10 +534,6 @@ optional_policy(` +@@ -546,10 +537,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -15944,7 +15946,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -581,6 +565,7 @@ optional_policy(` +@@ -581,6 +568,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -15952,7 +15954,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -588,15 +573,19 @@ optional_policy(` +@@ -588,15 +576,19 @@ optional_policy(` ') optional_policy(` @@ -15974,7 +15976,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -606,6 +595,7 @@ optional_policy(` +@@ -606,6 +598,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15982,7 +15984,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -613,12 +603,24 @@ optional_policy(` +@@ -613,12 +606,24 @@ optional_policy(` ') optional_policy(` @@ -16009,7 +16011,7 @@ index 28e1b86..0c0f4f2 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16043,7 +16045,7 @@ index 28e1b86..0c0f4f2 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +661,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -21640,7 +21642,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..fe94a6c 100644 +index a7bfaf0..4ebb0ad 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -21893,7 +21895,7 @@ index a7bfaf0..fe94a6c 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +213,61 @@ optional_policy(` +@@ -221,46 +213,63 @@ optional_policy(` ######################################## # @@ -21942,14 +21944,16 @@ index a7bfaf0..fe94a6c 100644 +files_read_usr_symlinks(dovecot_auth_t) +files_read_var_lib_files(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) -+ -+fs_getattr_xattr_fs(dovecot_auth_t) -seutil_dontaudit_search_config(dovecot_auth_t) ++fs_getattr_xattr_fs(dovecot_auth_t) ++ +init_rw_utmp(dovecot_auth_t) sysnet_use_ldap(dovecot_auth_t) ++userdom_getattr_user_home_dirs(dovecot_auth_t) ++ optional_policy(` + kerberos_use(dovecot_auth_t) + @@ -21964,7 +21968,7 @@ index a7bfaf0..fe94a6c 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -271,15 +278,30 @@ optional_policy(` +@@ -271,15 +280,30 @@ optional_policy(` ') optional_policy(` @@ -21996,7 +22000,7 @@ index a7bfaf0..fe94a6c 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +311,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -22056,7 +22060,7 @@ index a7bfaf0..fe94a6c 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +355,6 @@ optional_policy(` +@@ -326,5 +357,6 @@ optional_policy(` ') optional_policy(` @@ -25467,10 +25471,10 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..26023f7 100644 +index d03fd43..567f963 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,123 +1,154 @@ +@@ -1,123 +1,155 @@ -## GNU network object model environment. +## GNU network object model environment (GNOME) @@ -25661,6 +25665,7 @@ index d03fd43..26023f7 100644 + + optional_policy(` + telepathy_mission_control_read_state($1_gkeyringd_t) ++ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) + ') + ') +') @@ -25702,7 +25707,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -125,18 +156,18 @@ template(`gnome_role_template',` +@@ -125,18 +157,18 @@ template(`gnome_role_template',` ## ## # @@ -25726,7 +25731,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -144,119 +175,114 @@ interface(`gnome_exec_gconf',` +@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -25883,7 +25888,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -264,15 +290,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -25910,7 +25915,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -280,57 +312,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -26018,7 +26023,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -338,15 +402,18 @@ interface(`gnome_read_generic_home_content',` +@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -26042,7 +26047,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -354,22 +421,18 @@ interface(`gnome_manage_config',` +@@ -354,22 +422,18 @@ interface(`gnome_manage_config',` ## ## # @@ -26070,7 +26075,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -377,53 +440,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -26132,7 +26137,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -431,17 +478,18 @@ interface(`gnome_home_filetrans',` +@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -26155,7 +26160,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -26183,7 +26188,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -26289,7 +26294,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',` +@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',` ## ## # @@ -26387,7 +26392,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',` +@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -26548,7 +26553,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -36792,14 +36797,15 @@ index 4926208..293e577 100644 -miscfiles_read_localization(memcached_t) diff --git a/milter.fc b/milter.fc -index 89409eb..64ac6f0 100644 +index 89409eb..67e42f6 100644 --- a/milter.fc +++ b/milter.fc -@@ -1,18 +1,26 @@ +@@ -1,18 +1,29 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) +/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) ++/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) @@ -36817,6 +36823,7 @@ index 89409eb..64ac6f0 100644 -/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) @@ -36832,6 +36839,7 @@ index 89409eb..64ac6f0 100644 +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if index cba62db..562833a 100644 --- a/milter.if @@ -38109,7 +38117,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..97e35b2 100644 +index 6194b80..35b2b47 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -38276,10 +38284,10 @@ index 6194b80..97e35b2 100644 - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- -- can_exec($2, mozilla_plugin_rw_t) + mozilla_filetrans_home_content($2) +- can_exec($2, mozilla_plugin_rw_t) +- - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') @@ -38425,7 +38433,7 @@ index 6194b80..97e35b2 100644 ') ######################################## -@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',` +@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',` type mozilla_t, mozilla_exec_t; ') @@ -38513,8 +38521,8 @@ index 6194b80..97e35b2 100644 mozilla_domtrans_plugin($1) roleattribute $2 mozilla_plugin_roles; +-') + roleattribute $2 mozilla_plugin_config_roles; - ') -######################################## -## @@ -38530,12 +38538,14 @@ index 6194b80..97e35b2 100644 -interface(`mozilla_domtrans_plugin_config',` - gen_require(` - type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; -- ') ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mozilla_plugin_t:process ptrace; + ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) --') -- + ') + -######################################## +####################################### ## @@ -38576,7 +38586,7 @@ index 6194b80..97e35b2 100644 ') ######################################## -@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -38586,7 +38596,7 @@ index 6194b80..97e35b2 100644 ## ## ## -@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -38724,7 +38734,7 @@ index 6194b80..97e35b2 100644 ## ## ## -@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -38749,7 +38759,7 @@ index 6194b80..97e35b2 100644 ## ## ## -@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -44895,7 +44905,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..c71f8e5 100644 +index 0b48a30..2de59df 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -44926,7 +44936,7 @@ index 0b48a30..c71f8e5 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -44971,14 +44981,16 @@ index 0b48a30..c71f8e5 100644 +can_exec(NetworkManager_t, NetworkManager_exec_t) +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) -+ + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) - ++ ++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ + filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) +@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -44986,7 +44998,7 @@ index 0b48a30..c71f8e5 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -44996,7 +45008,7 @@ index 0b48a30..c71f8e5 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t) +@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) @@ -45004,7 +45016,7 @@ index 0b48a30..c71f8e5 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -45030,7 +45042,7 @@ index 0b48a30..c71f8e5 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -45044,7 +45056,7 @@ index 0b48a30..c71f8e5 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -45062,7 +45074,7 @@ index 0b48a30..c71f8e5 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -45075,7 +45087,7 @@ index 0b48a30..c71f8e5 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -45112,7 +45124,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -196,10 +223,6 @@ optional_policy(` +@@ -196,10 +224,6 @@ optional_policy(` ') optional_policy(` @@ -45123,7 +45135,7 @@ index 0b48a30..c71f8e5 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +233,11 @@ optional_policy(` +@@ -210,16 +234,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -45142,7 +45154,7 @@ index 0b48a30..c71f8e5 100644 ') ') -@@ -231,18 +249,19 @@ optional_policy(` +@@ -231,18 +250,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -45165,7 +45177,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -250,6 +269,10 @@ optional_policy(` +@@ -250,6 +270,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -45176,7 +45188,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -257,11 +280,10 @@ optional_policy(` +@@ -257,11 +281,10 @@ optional_policy(` ') optional_policy(` @@ -45192,7 +45204,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -274,10 +296,17 @@ optional_policy(` +@@ -274,10 +297,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -45210,7 +45222,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -289,6 +318,7 @@ optional_policy(` +@@ -289,6 +319,7 @@ optional_policy(` ') optional_policy(` @@ -45218,7 +45230,7 @@ index 0b48a30..c71f8e5 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +326,7 @@ optional_policy(` +@@ -296,7 +327,7 @@ optional_policy(` ') optional_policy(` @@ -45227,7 +45239,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -307,6 +337,7 @@ optional_policy(` +@@ -307,6 +338,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -45235,7 +45247,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -320,13 +351,19 @@ optional_policy(` +@@ -320,13 +352,19 @@ optional_policy(` ') optional_policy(` @@ -45259,7 +45271,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -52534,35 +52546,42 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..2f407d6 100644 +index dfd46e4..0aaa891 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,16 @@ +@@ -1,15 +1,24 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) --/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) -- ++ ++/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) + -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) ++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++ ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) ++ ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++ ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++ ++#openlmi agents ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0) ++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) ++ -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) - /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -+ -+#openlmi agents -+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) +-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52664,7 +52683,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..04b62f4 100644 +index 7bcf327..193d6c3 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52688,13 +52707,19 @@ index 7bcf327..04b62f4 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,115 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,176 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers +pegasus_openlmi_domain_template(account) +pegasus_openlmi_domain_template(logicalfile) ++pegasus_openlmi_domain_template(networking) ++ ++pegasus_openlmi_domain_template(storage) ++type pegasus_openlmi_storage_tmp_t; ++files_tmp_file(pegasus_openlmi_storage_tmp_t) ++ +pegasus_openlmi_domain_template(unconfined) + +####################################### @@ -52702,12 +52727,19 @@ index 7bcf327..04b62f4 100644 +# pegasus openlmi providers local policy +# + ++allow pegasus_openlmi_domain self:capability { setuid setgid }; ++ +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; + +list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++ ++kernel_read_system_state(pegasus_openlmi_domain) + +corecmd_exec_bin(pegasus_openlmi_domain) ++corecmd_exec_shell(pegasus_openlmi_domain) ++ ++auth_read_passwd(pegasus_openlmi_domain) + +sysnet_read_config(pegasus_openlmi_domain) + @@ -52720,7 +52752,7 @@ index 7bcf327..04b62f4 100644 +# pegasus openlmi account local policy +# + -+allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override }; ++allow pegasus_openlmi_account_t self:capability { chown dac_override }; +allow pegasus_openlmi_account_t self:process setfscreate; + +auth_manage_passwd(pegasus_openlmi_account_t) @@ -52751,7 +52783,7 @@ index 7bcf327..04b62f4 100644 +# pegasus openlmi logicalfile local policy +# + -+allow pegasus_openlmi_logicalfile_t self:capability { setuid setgid dac_override }; ++allow pegasus_openlmi_logicalfile_t self:capability { dac_override }; +files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t) +files_manage_non_security_files(pegasus_openlmi_logicalfile_t) + @@ -52779,6 +52811,54 @@ index 7bcf327..04b62f4 100644 + +###################################### +# ++# pegasus openlmi networking local policy ++# ++ ++allow pegasus_openlmi_networking_t self:capability { net_admin }; ++ ++allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;; ++allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms; ++ ++dev_rw_sysfs(pegasus_openlmi_networking_t) ++dev_read_urand(pegasus_openlmi_networking_t) ++ ++optional_policy(` ++ dbus_system_bus_client(pegasus_openlmi_networking_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_openlmi_networking_t) ++ ') ++') ++ ++###################################### ++# ++# pegasus openlmi storage local policy ++# ++ ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) ++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) ++files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) ++ ++storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t) ++ ++modutils_domtrans_insmod(pegasus_openlmi_storage_t) ++ ++udev_domtrans(pegasus_openlmi_storage_t) ++ ++optional_policy(` ++ lvm_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ mount_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ raid_domtrans_mdadm(pegasus_openlmi_storage_t) ++') ++ ++###################################### ++# +# pegasus openlmi unconfined local policy +# + @@ -52809,7 +52889,7 @@ index 7bcf327..04b62f4 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +148,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +209,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -52840,7 +52920,7 @@ index 7bcf327..04b62f4 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +174,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +235,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -52873,7 +52953,7 @@ index 7bcf327..04b62f4 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +202,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +263,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -52881,7 +52961,7 @@ index 7bcf327..04b62f4 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +217,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +278,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -52899,21 +52979,21 @@ index 7bcf327..04b62f4 100644 - dbus_connect_system_bus(pegasus_t) + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_t) -+ ') -+') - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_t) ++ ') ++') ++ +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +247,24 @@ optional_policy(` +@@ -151,16 +308,24 @@ optional_policy(` ') optional_policy(` @@ -52934,7 +53014,7 @@ index 7bcf327..04b62f4 100644 +') + +optional_policy(` -+ rpm_exec(pegasus_t) ++ rpm_domtrans(pegasus_t) +') + +optional_policy(` @@ -52942,7 +53022,7 @@ index 7bcf327..04b62f4 100644 ') optional_policy(` -@@ -168,7 +272,7 @@ optional_policy(` +@@ -168,7 +333,7 @@ optional_policy(` ') optional_policy(` @@ -57411,7 +57491,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..5acf87c 100644 +index 191a66f..cddce7d 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -57500,7 +57580,7 @@ index 191a66f..5acf87c 100644 type postfix_data_t; files_type(postfix_data_t) -@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t) ######################################## # @@ -57664,19 +57744,19 @@ index 191a66f..5acf87c 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) - delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") - -can_exec(postfix_master_t, postfix_exec_t) ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) @@ -57686,7 +57766,7 @@ index 191a66f..5acf87c 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -57755,7 +57835,7 @@ index 191a66f..5acf87c 100644 optional_policy(` cyrus_stream_connect(postfix_master_t) ') -@@ -316,14 +214,11 @@ optional_policy(` +@@ -316,14 +211,11 @@ optional_policy(` ') optional_policy(` @@ -57771,7 +57851,7 @@ index 191a66f..5acf87c 100644 postgrey_search_spool(postfix_master_t) ') -@@ -333,12 +228,14 @@ optional_policy(` +@@ -333,12 +225,14 @@ optional_policy(` ######################################## # @@ -57788,7 +57868,7 @@ index 191a66f..5acf87c 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,37 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -57835,7 +57915,7 @@ index 191a66f..5acf87c 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -393,36 +287,50 @@ optional_policy(` +@@ -393,36 +284,50 @@ optional_policy(` ######################################## # @@ -57895,7 +57975,7 @@ index 191a66f..5acf87c 100644 ') optional_policy(` -@@ -434,6 +342,7 @@ optional_policy(` +@@ -434,6 +339,7 @@ optional_policy(` ') optional_policy(` @@ -57903,7 +57983,7 @@ index 191a66f..5acf87c 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +353,10 @@ optional_policy(` +@@ -444,6 +350,10 @@ optional_policy(` ') optional_policy(` @@ -57914,7 +57994,7 @@ index 191a66f..5acf87c 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +371,17 @@ optional_policy(` +@@ -458,15 +368,17 @@ optional_policy(` ######################################## # @@ -57938,7 +58018,7 @@ index 191a66f..5acf87c 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +391,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -57958,7 +58038,7 @@ index 191a66f..5acf87c 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +408,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -57966,7 +58046,7 @@ index 191a66f..5acf87c 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +415,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -57992,7 +58072,7 @@ index 191a66f..5acf87c 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +440,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -58012,7 +58092,7 @@ index 191a66f..5acf87c 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +491,26 @@ optional_policy(` +@@ -576,19 +488,26 @@ optional_policy(` ######################################## # @@ -58044,7 +58124,7 @@ index 191a66f..5acf87c 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +525,7 @@ optional_policy(` +@@ -603,10 +522,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -58056,7 +58136,7 @@ index 191a66f..5acf87c 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +540,24 @@ optional_policy(` +@@ -621,17 +537,24 @@ optional_policy(` ####################################### # @@ -58084,7 +58164,7 @@ index 191a66f..5acf87c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +573,77 @@ optional_policy(` +@@ -647,67 +570,77 @@ optional_policy(` ######################################## # @@ -58180,7 +58260,7 @@ index 191a66f..5acf87c 100644 ') optional_policy(` -@@ -720,29 +656,30 @@ optional_policy(` +@@ -720,29 +653,30 @@ optional_policy(` ######################################## # @@ -58219,7 +58299,7 @@ index 191a66f..5acf87c 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +691,7 @@ optional_policy(` +@@ -754,6 +688,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -58227,7 +58307,7 @@ index 191a66f..5acf87c 100644 ') optional_policy(` -@@ -764,31 +702,99 @@ optional_policy(` +@@ -764,31 +699,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -71473,10 +71553,10 @@ index c49828c..a323332 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..1609333 100644 +index ebe91fc..6392cad 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,71 @@ +@@ -1,61 +1,72 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) @@ -71505,6 +71585,7 @@ index ebe91fc..1609333 100644 /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -79463,13 +79544,15 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 66ac42a..f28fadc 100644 +index 66ac42a..1a4c952 100644 --- a/slpd.te +++ b/slpd.te -@@ -50,6 +50,8 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) +@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) corenet_tcp_bind_svrloc_port(slpd_t) corenet_udp_bind_svrloc_port(slpd_t) ++corenet_udp_bind_dhcpc_port(slpd_t) ++ +dev_read_urand(slpd_t) + auth_use_nsswitch(slpd_t) @@ -83790,7 +83873,7 @@ index c7de0cf..9813503 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..95a9aa3 100644 +index 42946bc..3d30062 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ @@ -83870,7 +83953,7 @@ index 42946bc..95a9aa3 100644 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; -@@ -63,91 +62,61 @@ template(`telepathy_role_template',` +@@ -63,91 +62,79 @@ template(`telepathy_role_template',` type telepathy_mission_control_exec_t, telepathy_salut_exec_t; type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; @@ -83884,11 +83967,14 @@ index 42946bc..95a9aa3 100644 - - allow $3 telepathy_domain:process { ptrace signal_perms }; - ps_process_pattern($3, telepathy_domain) -- ++ role $1 types telepathy_domain; + - telepathy_gabble_stream_connect($3) - telepathy_msn_stream_connect($3) - telepathy_salut_stream_connect($3) -- ++ allow $2 telepathy_domain:process signal_perms; ++ ps_process_pattern($2, telepathy_domain) + - dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t) - dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) - dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t) @@ -83898,30 +83984,13 @@ index 42946bc..95a9aa3 100644 - dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) - dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) - dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) -- -- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- -- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; -+ role $1 types telepathy_domain; - -- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") -- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") -+ allow $2 telepathy_domain:process signal_perms; -+ ps_process_pattern($2, telepathy_domain) - -- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") -- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) -- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") -- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") -- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; + dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) + dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) + dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) @@ -83932,6 +84001,20 @@ index 42946bc..95a9aa3 100644 + dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) + dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; +- +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") +- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") +- +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") +- +- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") +- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") +- - userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") - - # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") @@ -83971,8 +84054,7 @@ index 42946bc..95a9aa3 100644 ## -## Send dbus messages to and from -## gabble. -+## Send DBus messages to and from -+## Telepathy Gabble. ++## Allow Telepathy Gabble to stream connect to a domain. ## ## -## @@ -83982,11 +84064,30 @@ index 42946bc..95a9aa3 100644 ## # -interface(`telepathy_gabble_dbus_chat',` ++interface(`telepathy_gabble_stream_connect_to', ` ++ gen_require(` ++ type telepathy_gabble_t; ++ ') ++ ++ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1) ++') ++ ++######################################## ++## ++## Send DBus messages to and from ++## Telepathy Gabble. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`telepathy_gabble_dbus_chat', ` gen_require(` type telepathy_gabble_t; class dbus send_msg; -@@ -159,10 +128,10 @@ interface(`telepathy_gabble_dbus_chat',` +@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',` ######################################## ## @@ -83999,7 +84100,7 @@ index 42946bc..95a9aa3 100644 ## Domain allowed access. ## ## -@@ -173,15 +142,12 @@ interface(`telepathy_mission_control_read_state',` +@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',` ') kernel_search_proc($1) @@ -84017,7 +84118,7 @@ index 42946bc..95a9aa3 100644 ## ## ## -@@ -189,19 +155,18 @@ interface(`telepathy_mission_control_read_state',` +@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',` ## ## # @@ -84040,7 +84141,7 @@ index 42946bc..95a9aa3 100644 ## ## ## -@@ -209,11 +174,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',` ## ## # @@ -90131,10 +90232,10 @@ index 9dec06c..378880d 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..6b715d6 100644 +index 1f22fba..4493e63 100644 --- a/virt.te +++ b/virt.te -@@ -1,94 +1,97 @@ +@@ -1,94 +1,104 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) @@ -90177,6 +90278,13 @@ index 1f22fba..6b715d6 100644 -## their stack executable. -##

+##

++## Allow virtual processes to run as userdomains ++##

++## ++gen_tunable(virt_transition_userdomain, false) ++ ++## ++##

+## Allow confined virtual guests to use executable memory and executable stack +##

##
@@ -90284,7 +90392,7 @@ index 1f22fba..6b715d6 100644 type virt_cache_t alias svirt_cache_t; files_type(virt_cache_t) -@@ -105,27 +108,25 @@ userdom_user_home_content(virt_home_t) +@@ -105,27 +115,25 @@ userdom_user_home_content(virt_home_t) type svirt_home_t; userdom_user_home_content(svirt_home_t) @@ -90318,7 +90426,7 @@ index 1f22fba..6b715d6 100644 type virt_var_run_t; files_pid_file(virt_var_run_t) -@@ -139,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) +@@ -139,9 +147,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) @@ -90336,7 +90444,7 @@ index 1f22fba..6b715d6 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +164,134 @@ type virt_qmf_exec_t; +@@ -155,290 +171,134 @@ type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) type virt_bridgehelper_t; @@ -90600,16 +90708,16 @@ index 1f22fba..6b715d6 100644 - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) - -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) @@ -90707,7 +90815,7 @@ index 1f22fba..6b715d6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +301,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -90753,7 +90861,7 @@ index 1f22fba..6b715d6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +335,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -90774,7 +90882,7 @@ index 1f22fba..6b715d6 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +347,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -90782,7 +90890,7 @@ index 1f22fba..6b715d6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +355,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -90810,7 +90918,7 @@ index 1f22fba..6b715d6 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +375,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -90839,7 +90947,7 @@ index 1f22fba..6b715d6 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +422,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -90859,20 +90967,20 @@ index 1f22fba..6b715d6 100644 selinux_validate_context(virtd_t) -@@ -613,18 +444,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +451,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -+systemd_dbus_chat_logind(virtd_t) -+systemd_write_inhibit_pipes(virtd_t) - +- -ifdef(`hide_broken_symptoms',` - dontaudit virtd_t self:capability { sys_module sys_ptrace }; -') -- ++systemd_dbus_chat_logind(virtd_t) ++systemd_write_inhibit_pipes(virtd_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -90894,7 +91002,7 @@ index 1f22fba..6b715d6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +470,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +477,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -90903,17 +91011,19 @@ index 1f22fba..6b715d6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +495,325 @@ optional_policy(` +@@ -658,95 +502,325 @@ optional_policy(` ') optional_policy(` - firewalld_dbus_chat(virtd_t) -+ hal_dbus_chat(virtd_t) +- ') +- +- optional_policy(` + hal_dbus_chat(virtd_t) ') optional_policy(` -- hal_dbus_chat(virtd_t) -+ networkmanager_dbus_chat(virtd_t) + networkmanager_dbus_chat(virtd_t) ') +') + @@ -91113,10 +91223,7 @@ index 1f22fba..6b715d6 100644 +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - -- optional_policy(` -- networkmanager_dbus_chat(virtd_t) -- ') ++ +sysnet_read_config(virt_domain) - optional_policy(` @@ -91275,7 +91382,7 @@ index 1f22fba..6b715d6 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +825,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +832,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91286,27 +91393,27 @@ index 1f22fba..6b715d6 100644 -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") - -dontaudit virsh_t virt_var_lib_t:file read_file_perms; -- --allow virsh_t svirt_lxc_domain:process transition; +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +-allow virsh_t svirt_lxc_domain:process transition; ++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + -can_exec(virsh_t, virsh_exec_t) - -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) -virt_stream_connect(virsh_t) -+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; - +- -kernel_read_crypto_sysctls(virsh_t) +kernel_write_proc_files(virsh_t) kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +852,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -91333,7 +91440,7 @@ index 1f22fba..6b715d6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +872,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -91365,7 +91472,7 @@ index 1f22fba..6b715d6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +898,20 @@ optional_policy(` +@@ -847,14 +905,20 @@ optional_policy(` ') optional_policy(` @@ -91387,7 +91494,7 @@ index 1f22fba..6b715d6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +936,45 @@ optional_policy(` +@@ -879,34 +943,45 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -91442,7 +91549,7 @@ index 1f22fba..6b715d6 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +984,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +991,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -91460,7 +91567,7 @@ index 1f22fba..6b715d6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1006,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1013,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -91471,7 +91578,7 @@ index 1f22fba..6b715d6 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1015,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1022,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -91479,7 +91586,7 @@ index 1f22fba..6b715d6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1027,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1034,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -91498,7 +91605,7 @@ index 1f22fba..6b715d6 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1048,39 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -91546,7 +91653,7 @@ index 1f22fba..6b715d6 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1088,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -91573,7 +91680,7 @@ index 1f22fba..6b715d6 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1106,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91593,7 +91700,7 @@ index 1f22fba..6b715d6 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1125,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -91620,7 +91727,7 @@ index 1f22fba..6b715d6 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1150,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -91639,12 +91746,12 @@ index 1f22fba..6b715d6 100644 + apache_exec_modules(svirt_lxc_domain) + apache_read_sys_content(svirt_lxc_domain) +') - --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +') -+ + +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + ssh_use_ptys(svirt_lxc_net_t) +') @@ -91760,7 +91867,7 @@ index 1f22fba..6b715d6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1242,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1249,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -91775,7 +91882,7 @@ index 1f22fba..6b715d6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1260,8 @@ optional_policy(` +@@ -1183,9 +1267,8 @@ optional_policy(` ######################################## # @@ -91786,7 +91893,7 @@ index 1f22fba..6b715d6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1274,115 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1281,121 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -91904,6 +92011,12 @@ index 1f22fba..6b715d6 100644 +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++tunable_policy(`virt_transition_userdomain',` ++ userdom_transition(virt_t) ++ userdom_transition(virt_lxc_t) ++') ++ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -95236,7 +95349,7 @@ index 3416401..ef64e73 100644 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zebra.te b/zebra.te -index b0803c2..13da3cf 100644 +index b0803c2..f1fa5f7 100644 --- a/zebra.te +++ b/zebra.te @@ -1,4 +1,4 @@ @@ -95311,7 +95424,7 @@ index b0803c2..13da3cf 100644 corenet_all_recvfrom_netlabel(zebra_t) corenet_tcp_sendrecv_generic_if(zebra_t) corenet_udp_sendrecv_generic_if(zebra_t) -@@ -79,48 +78,42 @@ corenet_raw_sendrecv_generic_if(zebra_t) +@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t) corenet_tcp_sendrecv_generic_node(zebra_t) corenet_udp_sendrecv_generic_node(zebra_t) corenet_raw_sendrecv_generic_node(zebra_t) @@ -95338,6 +95451,8 @@ index b0803c2..13da3cf 100644 dev_associate_usbfs(zebra_var_run_t) dev_list_all_dev_nodes(zebra_t) ++dev_read_rand(zebra_t) ++dev_read_urand(zebra_t) dev_read_sysfs(zebra_t) dev_rw_zero(zebra_t) @@ -95372,7 +95487,7 @@ index b0803c2..13da3cf 100644 manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ') -@@ -139,3 +132,7 @@ optional_policy(` +@@ -139,3 +134,7 @@ optional_policy(` optional_policy(` udev_read_db(zebra_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b950318..9b084d6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 66%{?dist} +Release: 67%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -538,6 +538,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 26 2013 Miroslav Grepl 3.12.1-67 +- Add support for cmpiLMI_Service-cimprovagt +- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t +- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t +- Add support for pycmpiLMI_Storage-cimprovagt +- Add support for cmpiLMI_Networking-cimprovagt +- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working +- Allow virtual machines and containers to run as user doains, needed for virt-sandbox +- Allow buglist.cgi to read cpu info + * Mon Jul 22 2013 Miroslav Grepl 3.12.1-66 - Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages