diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ac9e806..3a43036 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..7ba0bd8 100644 +index 1d732f1..9647c14 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -2851,7 +2851,7 @@ index 1d732f1..7ba0bd8 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,13 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2860,12 +2860,13 @@ index 1d732f1..7ba0bd8 100644 +optional_policy(` + gnome_exec_keyringd(passwd_t) + gnome_manage_cache_home_dir(passwd_t) ++ gnome_manage_generic_cache_sockets(passwd_t) + gnome_stream_connect_gkeyringd(passwd_t) +') optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +439,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2878,7 +2879,7 @@ index 1d732f1..7ba0bd8 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +455,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -2886,7 +2887,7 @@ index 1d732f1..7ba0bd8 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +464,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -2899,7 +2900,7 @@ index 1d732f1..7ba0bd8 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +481,8 @@ optional_policy(` +@@ -446,7 +482,8 @@ optional_policy(` # Useradd local policy # @@ -2909,7 +2910,7 @@ index 1d732f1..7ba0bd8 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +497,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -2920,7 +2921,7 @@ index 1d732f1..7ba0bd8 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +508,27 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +509,27 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2959,7 +2960,7 @@ index 1d732f1..7ba0bd8 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +536,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +537,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -2967,7 +2968,7 @@ index 1d732f1..7ba0bd8 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +547,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +548,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3012,7 +3013,7 @@ index 1d732f1..7ba0bd8 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -549,10 +587,19 @@ optional_policy(` +@@ -549,10 +588,19 @@ optional_policy(` ') optional_policy(` @@ -3032,7 +3033,7 @@ index 1d732f1..7ba0bd8 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +609,12 @@ optional_policy(` +@@ -562,3 +610,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -8699,7 +8700,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..c47a578 100644 +index cf04cb5..4182845 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8836,7 +8837,7 @@ index cf04cb5..c47a578 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,314 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8933,6 +8934,10 @@ index cf04cb5..c47a578 100644 +') + +optional_policy(` ++ cvs_filetrans_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` + devicekit_filetrans_named_content(named_filetrans_domain) +') + @@ -9152,7 +9157,7 @@ index cf04cb5..c47a578 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..bd5b58c 100644 +index b876c48..27f60c6 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9353,7 +9358,7 @@ index b876c48..bd5b58c 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +245,24 @@ ifndef(`distro_redhat',` +@@ -237,11 +245,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9371,7 +9376,8 @@ index b876c48..bd5b58c 100644 +/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + -+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0) ++/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0) ++/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0) + +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) @@ -9379,7 +9385,7 @@ index b876c48..bd5b58c 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +278,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9394,14 +9400,14 @@ index b876c48..bd5b58c 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +294,5 @@ ifdef(`distro_debian',` +@@ -271,3 +295,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..70fb827 100644 +index f962f76..35cd90c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12032,7 +12038,7 @@ index f962f76..70fb827 100644 ## ## ## -@@ -6519,64 +7762,749 @@ interface(`files_spool_filetrans',` +@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',` ## ## # @@ -12639,6 +12645,24 @@ index f962f76..70fb827 100644 + +######################################## +## ++## Allow domain to delete to all dirs ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_delete_all_non_security_dirs',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ++') ++ ++######################################## ++## +## Transition named content in the var_run_t directory +## +## @@ -21068,10 +21092,10 @@ index fe0c682..c0413e8 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..f2db99e 100644 +index cc877c7..07f129b 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,64 @@ policy_module(ssh, 2.4.2) +@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2) # ## @@ -21128,6 +21152,7 @@ index cc877c7..f2db99e 100644 ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) ++mls_process_write_all_levels(sshd_t) + +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) @@ -21150,7 +21175,7 @@ index cc877c7..f2db99e 100644 type ssh_t; type ssh_exec_t; -@@ -73,9 +94,11 @@ type ssh_home_t; +@@ -73,9 +95,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -21164,7 +21189,7 @@ index cc877c7..f2db99e 100644 ############################## # -@@ -86,6 +109,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -21172,7 +21197,7 @@ index cc877c7..f2db99e 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -93,15 +117,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -21189,7 +21214,7 @@ index cc877c7..f2db99e 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -110,33 +130,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -21237,7 +21262,7 @@ index cc877c7..f2db99e 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,40 +186,46 @@ files_read_var_files(ssh_t) +@@ -157,40 +187,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -21303,7 +21328,7 @@ index cc877c7..f2db99e 100644 ') optional_policy(` -@@ -198,6 +233,7 @@ optional_policy(` +@@ -198,6 +234,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -21311,7 +21336,7 @@ index cc877c7..f2db99e 100644 ############################## # # ssh_keysign_t local policy -@@ -209,6 +245,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -21319,7 +21344,7 @@ index cc877c7..f2db99e 100644 files_read_etc_files(ssh_keysign_t) -@@ -226,39 +263,56 @@ optional_policy(` +@@ -226,39 +264,56 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -21388,7 +21413,7 @@ index cc877c7..f2db99e 100644 ') optional_policy(` -@@ -266,6 +320,15 @@ optional_policy(` +@@ -266,6 +321,15 @@ optional_policy(` ') optional_policy(` @@ -21404,7 +21429,7 @@ index cc877c7..f2db99e 100644 inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') -@@ -275,6 +338,18 @@ optional_policy(` +@@ -275,6 +339,18 @@ optional_policy(` ') optional_policy(` @@ -21423,7 +21448,7 @@ index cc877c7..f2db99e 100644 oddjob_domtrans_mkhomedir(sshd_t) ') -@@ -289,13 +364,93 @@ optional_policy(` +@@ -289,13 +365,93 @@ optional_policy(` ') optional_policy(` @@ -21517,7 +21542,7 @@ index cc877c7..f2db99e 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +459,29 @@ optional_policy(` +@@ -304,19 +460,29 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -21548,7 +21573,7 @@ index cc877c7..f2db99e 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -333,6 +498,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -333,6 +499,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -21561,7 +21586,7 @@ index cc877c7..f2db99e 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +512,140 @@ optional_policy(` +@@ -341,3 +513,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -25994,7 +26019,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..7345117 100644 +index 09b791d..4f331be 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -26191,7 +26216,7 @@ index 09b791d..7345117 100644 miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) -@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) @@ -26199,10 +26224,11 @@ index 09b791d..7345117 100644 + +mls_file_read_all_levels(updpwd_t) +mls_file_write_all_levels(updpwd_t) ++mls_file_downgrade(updpwd_t) term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) @@ -26213,7 +26239,7 @@ index 09b791d..7345117 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -26230,7 +26256,7 @@ index 09b791d..7345117 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -26264,7 +26290,7 @@ index 09b791d..7345117 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -26288,7 +26314,7 @@ index 09b791d..7345117 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +479,7 @@ optional_policy(` +@@ -438,6 +480,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -26296,7 +26322,7 @@ index 09b791d..7345117 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +498,8 @@ optional_policy(` +@@ -456,6 +499,8 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -26305,7 +26331,7 @@ index 09b791d..7345117 100644 ') optional_policy(` -@@ -463,3 +507,134 @@ optional_policy(` +@@ -463,3 +508,134 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -28404,7 +28430,7 @@ index 79a45f6..edf52ea 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..3ac9985 100644 +index 17eda24..7acba2b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28648,11 +28674,12 @@ index 17eda24..3ac9985 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,209 @@ ifdef(`distro_gentoo',` +@@ -186,29 +284,210 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` + fs_manage_tmpfs_files(init_t) ++ fs_manage_tmpfs_symlinks(init_t) + fs_manage_tmpfs_sockets(init_t) + fs_exec_tmpfs_files(init_t) fs_read_tmpfs_symlinks(init_t) @@ -28866,7 +28893,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -216,7 +494,30 @@ optional_policy(` +@@ -216,7 +495,30 @@ optional_policy(` ') optional_policy(` @@ -28897,7 +28924,7 @@ index 17eda24..3ac9985 100644 ') ######################################## -@@ -225,9 +526,9 @@ optional_policy(` +@@ -225,9 +527,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28909,7 +28936,7 @@ index 17eda24..3ac9985 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +559,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28926,7 +28953,7 @@ index 17eda24..3ac9985 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +584,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28969,7 +28996,7 @@ index 17eda24..3ac9985 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +621,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28981,7 +29008,7 @@ index 17eda24..3ac9985 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +633,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +634,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28992,7 +29019,7 @@ index 17eda24..3ac9985 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +644,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +645,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29002,7 +29029,7 @@ index 17eda24..3ac9985 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +653,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +654,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29010,7 +29037,7 @@ index 17eda24..3ac9985 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +660,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -29018,7 +29045,7 @@ index 17eda24..3ac9985 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +668,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +669,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29036,7 +29063,7 @@ index 17eda24..3ac9985 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +686,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +687,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -29050,7 +29077,7 @@ index 17eda24..3ac9985 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +701,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +702,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29064,7 +29091,7 @@ index 17eda24..3ac9985 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,6 +714,7 @@ mls_process_read_up(initrc_t) +@@ -387,6 +715,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29072,7 +29099,7 @@ index 17eda24..3ac9985 100644 selinux_get_enforce_mode(initrc_t) -@@ -398,6 +726,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +727,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29080,7 +29107,7 @@ index 17eda24..3ac9985 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +745,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +746,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29104,7 +29131,7 @@ index 17eda24..3ac9985 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +778,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +779,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29112,7 +29139,7 @@ index 17eda24..3ac9985 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +812,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +813,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -29123,7 +29150,7 @@ index 17eda24..3ac9985 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +836,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +837,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -29132,7 +29159,7 @@ index 17eda24..3ac9985 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +851,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +852,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29140,7 +29167,7 @@ index 17eda24..3ac9985 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +872,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +873,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29148,7 +29175,7 @@ index 17eda24..3ac9985 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +882,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +883,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29193,7 +29220,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -559,14 +927,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +928,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29225,7 +29252,7 @@ index 17eda24..3ac9985 100644 ') ') -@@ -577,6 +962,39 @@ ifdef(`distro_suse',` +@@ -577,6 +963,39 @@ ifdef(`distro_suse',` ') ') @@ -29265,7 +29292,7 @@ index 17eda24..3ac9985 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1007,8 @@ optional_policy(` +@@ -589,6 +1008,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29274,7 +29301,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -610,6 +1030,7 @@ optional_policy(` +@@ -610,6 +1031,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29282,7 +29309,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -626,6 +1047,17 @@ optional_policy(` +@@ -626,6 +1048,17 @@ optional_policy(` ') optional_policy(` @@ -29300,7 +29327,7 @@ index 17eda24..3ac9985 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1074,13 @@ optional_policy(` +@@ -642,9 +1075,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29314,7 +29341,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -657,15 +1093,11 @@ optional_policy(` +@@ -657,15 +1094,11 @@ optional_policy(` ') optional_policy(` @@ -29332,7 +29359,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -686,6 +1118,15 @@ optional_policy(` +@@ -686,6 +1119,15 @@ optional_policy(` ') optional_policy(` @@ -29348,7 +29375,7 @@ index 17eda24..3ac9985 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1167,7 @@ optional_policy(` +@@ -726,6 +1168,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29356,7 +29383,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -743,7 +1185,13 @@ optional_policy(` +@@ -743,7 +1186,13 @@ optional_policy(` ') optional_policy(` @@ -29371,7 +29398,7 @@ index 17eda24..3ac9985 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1214,10 @@ optional_policy(` +@@ -766,6 +1215,10 @@ optional_policy(` ') optional_policy(` @@ -29382,7 +29409,7 @@ index 17eda24..3ac9985 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1227,20 @@ optional_policy(` +@@ -775,10 +1228,20 @@ optional_policy(` ') optional_policy(` @@ -29403,7 +29430,7 @@ index 17eda24..3ac9985 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1249,10 @@ optional_policy(` +@@ -787,6 +1250,10 @@ optional_policy(` ') optional_policy(` @@ -29414,7 +29441,7 @@ index 17eda24..3ac9985 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1274,6 @@ optional_policy(` +@@ -808,8 +1275,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29423,7 +29450,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -818,6 +1282,10 @@ optional_policy(` +@@ -818,6 +1283,10 @@ optional_policy(` ') optional_policy(` @@ -29434,7 +29461,7 @@ index 17eda24..3ac9985 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1295,12 @@ optional_policy(` +@@ -827,10 +1296,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29447,7 +29474,7 @@ index 17eda24..3ac9985 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1327,35 @@ optional_policy(` +@@ -857,12 +1328,35 @@ optional_policy(` ') optional_policy(` @@ -29484,7 +29511,7 @@ index 17eda24..3ac9985 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1365,18 @@ optional_policy(` +@@ -872,6 +1366,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29503,7 +29530,7 @@ index 17eda24..3ac9985 100644 ') optional_policy(` -@@ -887,6 +1392,10 @@ optional_policy(` +@@ -887,6 +1393,10 @@ optional_policy(` ') optional_policy(` @@ -29514,7 +29541,7 @@ index 17eda24..3ac9985 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1406,218 @@ optional_policy(` +@@ -897,3 +1407,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -33153,7 +33180,7 @@ index 9933677..ca14c17 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..6375786 100644 +index 7449974..28cb8a3 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -33210,7 +33237,32 @@ index 7449974..6375786 100644 ## Read the configuration options used when ## loading modules. ## -@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',` + can_exec($1, insmod_exec_t) + ') + ++####################################### ++## ++## Don't audit execute insmod in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`modutils_dontaudit_exec_insmod',` ++ gen_require(` ++ type insmod_exec_t; ++ ') ++ ++ dontaudit $1 insmod_exec_t:file exec_file_perms; ++') ++ + ######################################## + ## + ## Execute depmod in the depmod domain. +@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -33231,7 +33283,7 @@ index 7449974..6375786 100644 ') ######################################## -@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') @@ -35968,7 +36020,7 @@ index 40edc18..7cc0c8a 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..7bb31c4 100644 +index 2cea692..b324c5c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -36002,6 +36054,15 @@ index 2cea692..7bb31c4 100644 ') ######################################## +@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',` + ') + + files_search_etc($1) +- allow $1 dhcp_etc_t:file rw_file_perms; ++ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + ') + + ######################################## @@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',` type dhcpc_state_t; ') @@ -36757,10 +36818,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..35b4178 +index 0000000..1d9bdfd --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1400 @@ +@@ -0,0 +1,1419 @@ +## SELinux policy for systemd components + +###################################### @@ -38039,6 +38100,25 @@ index 0000000..35b4178 + allow $1 power_unit_file_t:service start; +') + ++######################################## ++## ++## Status power unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`systemd_status_power_services',` ++ gen_require(` ++ type power_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 power_unit_file_t:service status; ++') ++ +####################################### +## +## Start power unit files domain. @@ -38163,10 +38243,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c31945a +index 0000000..2109915 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,652 @@ +@@ -0,0 +1,653 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -38466,6 +38546,7 @@ index 0000000..c31945a +files_read_generic_tmp_symlinks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_delete_boot_flag(systemd_tmpfiles_t) ++files_delete_all_non_security_dirs(systemd_tmpfiles_t) +files_delete_all_non_security_files(systemd_tmpfiles_t) +files_delete_all_pid_sockets(systemd_tmpfiles_t) +files_delete_all_pid_pipes(systemd_tmpfiles_t) @@ -38778,7 +38859,7 @@ index 0000000..c31945a +# +# systemd_sysctl domains local policy +# -+allow systemd_sysctl_t self:capability net_admin; ++allow systemd_sysctl_t self:capability { sys_admin net_admin }; +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_sysctl_t) @@ -39117,7 +39198,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..ef4c635 100644 +index 39f185f..d3c9fcc 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -39314,7 +39395,7 @@ index 39f185f..ef4c635 100644 ') optional_policy(` -@@ -249,17 +270,27 @@ optional_policy(` +@@ -249,17 +270,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -39336,6 +39417,10 @@ index 39f185f..ef4c635 100644 + +optional_policy(` + gpsd_domtrans(udev_t) ++') ++ ++optional_policy(` ++ kdump_systemctl(udev_t) ') optional_policy(` @@ -39344,7 +39429,7 @@ index 39f185f..ef4c635 100644 ') optional_policy(` -@@ -289,6 +320,10 @@ optional_policy(` +@@ -289,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -39355,7 +39440,7 @@ index 39f185f..ef4c635 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +338,15 @@ optional_policy(` +@@ -303,6 +342,15 @@ optional_policy(` ') optional_policy(` @@ -39371,7 +39456,7 @@ index 39f185f..ef4c635 100644 unconfined_signal(udev_t) ') -@@ -315,6 +359,7 @@ optional_policy(` +@@ -315,6 +363,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -44699,7 +44784,7 @@ index 9dc60c6..daee32c 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..cf1296e 100644 +index f4ac38d..99c8197 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -44788,7 +44873,7 @@ index f4ac38d..cf1296e 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,370 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -44968,6 +45053,10 @@ index f4ac38d..cf1296e 100644 +') + +optional_policy(` ++ cvs_filetrans_home_content(userdom_filetrans_domain) ++') ++ ++optional_policy(` + gnome_filetrans_home_content(userdom_filetrans_type) +') + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f70931c..6e8596f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2959,10 +2959,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..082e31e 100644 +index 7caefc3..ad4ec67 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,194 @@ +@@ -1,162 +1,195 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3275,6 +3275,7 @@ index 7caefc3..082e31e 100644 +/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -3297,7 +3298,7 @@ index 7caefc3..082e31e 100644 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + diff --git a/apache.if b/apache.if -index f6eb485..fac6fe5 100644 +index f6eb485..51b128e 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3313,16 +3314,14 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -13,118 +13,101 @@ +@@ -13,118 +13,125 @@ # template(`apache_content_template',` gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; -- type httpd_t, httpd_suexec_t; + attribute httpd_exec_scripts, httpd_script_exec_type; -+ type httpd_t, httpd_suexec_t, httpd_log_t; -+ type httpd_sys_content_t; + type httpd_t, httpd_suexec_t; + attribute httpd_script_type, httpd_content_type; ') @@ -3342,75 +3341,48 @@ index f6eb485..fac6fe5 100644 - gen_tunable(allow_httpd_$1_script_anon_write, false) - - type httpd_$1_content_t, httpdcontent; # customizable -+ #This type is for webpages -+ type httpd_$1_content_t; # customizable; -+ typeattribute httpd_$1_content_t httpd_content_type; - typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - files_type(httpd_$1_content_t) - +- typealias httpd_$1_content_t alias httpd_$1_script_ro_t; +- files_type(httpd_$1_content_t) +- - type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; -+ # This type is used for .htaccess files -+ type httpd_$1_htaccess_t, httpd_content_type; # customizable; -+ typeattribute httpd_$1_htaccess_t httpd_content_type; - files_type(httpd_$1_htaccess_t) - +- files_type(httpd_$1_htaccess_t) +- - type httpd_$1_script_t, httpd_script_domains; -+ # Type that CGI scripts run as -+ type httpd_$1_script_t, httpd_script_type; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - -+ kernel_read_system_state(httpd_$1_script_t) -+ -+ # This type is used for executable scripts files - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; +- domain_type(httpd_$1_script_t) +- role system_r types httpd_$1_script_t; +- +- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) -+ typeattribute httpd_$1_script_exec_t httpd_content_type; - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - +- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) +- - type httpd_$1_rw_content_t, httpdcontent; # customizable -+ type httpd_$1_rw_content_t; # customizable -+ typeattribute httpd_$1_rw_content_t httpd_content_type; - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) - +- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; +- files_type(httpd_$1_rw_content_t) +- - type httpd_$1_ra_content_t, httpdcontent; # customizable -+ type httpd_$1_ra_content_t, httpd_content_type; # customizable -+ typeattribute httpd_$1_ra_content_t httpd_content_type; - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) - +- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; +- files_type(httpd_$1_ra_content_t) +- - ######################################## - # - # Policy - # -+ # Allow the script process to search the cgi directory, and users directory -+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - +- +- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) +- - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; -+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - +- - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; -+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- +- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; @@ -3420,39 +3392,98 @@ index f6eb485..fac6fe5 100644 - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - +- ++ #This type is for webpages ++ type $1_content_t; # customizable; ++ typeattribute $1_content_t httpd_content_type; ++ typealias $1_content_t alias httpd_$1_script_ro_t; ++ files_type($1_content_t) ++ ++ # This type is used for .htaccess files ++ type $1_htaccess_t, httpd_content_type; # customizable; ++ typeattribute $1_htaccess_t httpd_content_type; ++ files_type($1_htaccess_t) ++ ++ # Type that CGI scripts run as ++ type $1_script_t, httpd_script_type; ++ domain_type($1_script_t) ++ role system_r types $1_script_t; ++ ++ kernel_read_system_state($1_script_t) ++ ++ # This type is used for executable scripts files ++ type $1_script_exec_t, httpd_script_exec_type; # customizable; ++ typeattribute $1_script_exec_t httpd_content_type; ++ domain_entry_file($1_script_t, $1_script_exec_t) ++ ++ type $1_rw_content_t; # customizable ++ typeattribute $1_rw_content_t httpd_content_type; ++ typealias $1_rw_content_t alias { $1_script_rw_t }; ++ files_type($1_rw_content_t) ++ ++ type $1_ra_content_t, httpd_content_type; # customizable ++ typeattribute $1_ra_content_t httpd_content_type; ++ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t }; ++ files_type($1_ra_content_t) ++ ++ # Allow the script process to search the cgi directory, and users directory ++ allow $1_script_t $1_content_t:dir search_dir_perms; ++ ++ can_exec($1_script_t, $1_script_exec_t) ++ allow $1_script_t $1_script_exec_t:dir list_dir_perms; ++ ++ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ ++ allow $1_script_t $1_content_t:dir list_dir_perms; ++ read_files_pattern($1_script_t, $1_content_t, $1_content_t) ++ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t) ++ ++ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) ++ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) - allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; - ') -+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms }; -+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms }; ++ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) - tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',` - can_exec(httpd_t, httpd_$1_rw_content_t) ') tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; +- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) - ') ++ allow $1_script_t $1_script_exec_t:file entrypoint; - tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` - can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) - ') -+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) ++ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; @@ -3460,26 +3491,51 @@ index f6eb485..fac6fe5 100644 - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; - ') + # privileged users run the script: -+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) -+ -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; ++ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; ++ + # apache runs the script: -+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) -+ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; ++ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) ++ allow httpd_t $1_script_t:unix_dgram_socket sendto; ') ') ######################################## ## -## Role access for apache. ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving new type names. ++## ++## ++## ++## ++## The prefix to be used for deriving old type names. ++## ++## ++# ++template(`apache_content_alias_template',` ++ typealias $1_htaccess_t alias httpd_$2_htaccess_t; ++ typealias $1_script_t alias httpd_$2_script_t; ++ typealias $1_script_exec_t alias httpd_$2_script_exec_t; ++ typealias $1_content_t alias httpd_$2_content_t; ++ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t; ++ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t; ++') ++ ++######################################## ++## +## Role access for apache ## ## ## -@@ -133,47 +116,61 @@ template(`apache_content_template',` +@@ -133,47 +140,61 @@ template(`apache_content_template',` ## ## ## @@ -3570,7 +3626,7 @@ index f6eb485..fac6fe5 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +181,7 @@ interface(`apache_role',` +@@ -184,7 +205,7 @@ interface(`apache_role',` ######################################## ## @@ -3579,7 +3635,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +225,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -3588,7 +3644,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +245,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3597,7 +3653,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -241,27 +238,47 @@ interface(`apache_domtrans',` +@@ -241,27 +262,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3652,7 +3708,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -279,7 +296,7 @@ interface(`apache_signal',` +@@ -279,7 +320,7 @@ interface(`apache_signal',` ######################################## ## @@ -3661,7 +3717,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -297,7 +314,7 @@ interface(`apache_signull',` +@@ -297,7 +338,7 @@ interface(`apache_signull',` ######################################## ## @@ -3670,7 +3726,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -315,8 +332,7 @@ interface(`apache_sigchld',` +@@ -315,8 +356,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3680,7 +3736,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -334,8 +350,8 @@ interface(`apache_use_fds',` +@@ -334,8 +374,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3691,7 +3747,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +388,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3708,7 +3764,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +412,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3719,7 +3775,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +431,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -3729,7 +3785,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +456,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -3739,7 +3795,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +475,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -3749,7 +3805,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -453,7 +470,8 @@ interface(`apache_list_cache',` +@@ -453,7 +494,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -3759,7 +3815,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +513,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -3769,7 +3825,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +532,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -3779,7 +3835,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +551,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -3842,7 +3898,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -570,8 +592,8 @@ interface(`apache_manage_config',` +@@ -570,8 +616,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -3853,7 +3909,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +654,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -3895,7 +3951,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -639,7 +683,8 @@ interface(`apache_read_log',` +@@ -639,7 +707,8 @@ interface(`apache_read_log',` ######################################## ## @@ -3905,7 +3961,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -657,10 +702,29 @@ interface(`apache_append_log',` +@@ -657,10 +726,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3937,138 +3993,173 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +766,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## -## Create, read, write, and delete -## httpd log files. +## Allow the specified domain to manage -+## to apache log files. ++## to apache var lib files. ## ## ## -@@ -698,47 +762,49 @@ interface(`apache_manage_log',` - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) +@@ -687,20 +775,21 @@ interface(`apache_dontaudit_append_log',` + ## + ## + # +-interface(`apache_manage_log',` ++interface(`apache_manage_lib',` + gen_require(` +- type httpd_log_t; ++ type httpd_var_lib_t; + ') + +- logging_search_logs($1) +- manage_dirs_pattern($1, httpd_log_t, httpd_log_t) +- manage_files_pattern($1, httpd_log_t, httpd_log_t) +- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ++ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ++ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ') -####################################### +######################################## ## -## Write apache log files. -+## Do not audit attempts to search Apache -+## module directories. ++## Allow the specified domain to manage ++## to apache log files. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -708,19 +797,21 @@ interface(`apache_manage_log',` ## ## # -interface(`apache_write_log',` -+interface(`apache_dontaudit_search_modules',` ++interface(`apache_manage_log',` gen_require(` -- type httpd_log_t; -+ type httpd_modules_t; + type httpd_log_t; ') -- logging_search_logs($1) + logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) -+ dontaudit $1 httpd_modules_t:dir search_dir_perms; ++ manage_dirs_pattern($1, httpd_log_t, httpd_log_t) ++ manage_files_pattern($1, httpd_log_t, httpd_log_t) ++ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## -## Do not audit attempts to search -## httpd module directories. ++## Do not audit attempts to search Apache ++## module directories. + ## + ## + ## +@@ -738,7 +829,8 @@ interface(`apache_dontaudit_search_modules',` + + ######################################## + ## +-## List httpd module directories. +## Allow the specified domain to read +## the apache module directories. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -746,17 +838,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # --interface(`apache_dontaudit_search_modules',` +-interface(`apache_list_modules',` +interface(`apache_read_modules',` gen_require(` type httpd_modules_t; ') -- dontaudit $1 httpd_modules_t:dir search_dir_perms; +- allow $1 httpd_modules_t:dir list_dir_perms; + read_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## --## List httpd module directories. +-## Execute httpd module files. +## Allow the specified domain to list +## the contents of the apache modules +## directory. ## ## ## -@@ -752,11 +818,13 @@ interface(`apache_list_modules',` +@@ -764,19 +858,19 @@ interface(`apache_list_modules',` + ## + ## + # +-interface(`apache_exec_modules',` ++interface(`apache_list_modules',` + gen_require(` + type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; +- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; +- can_exec($1, httpd_modules_t) + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## --## Execute httpd module files. +-## Read httpd module files. +## Allow the specified domain to execute +## apache modules. ## ## ## -@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` - - ######################################## - ## --## Read httpd module files. -+## Execute a domain transition to run httpd_rotatelogs. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. +@@ -784,19 +878,19 @@ interface(`apache_exec_modules',` ## ## # -interface(`apache_read_module_files',` -+interface(`apache_domtrans_rotatelogs',` ++interface(`apache_exec_modules',` gen_require(` -- type httpd_modules_t; -+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + type httpd_modules_t; ') - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) -+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ allow $1 httpd_modules_t:dir list_dir_perms; ++ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; ++ can_exec($1, httpd_modules_t) ') --######################################## -+####################################### + ######################################## ## -## Execute a domain transition to -## run httpd_rotatelogs. -+## Execute httpd_rotatelogs in the caller domain. ++## Execute a domain transition to run httpd_rotatelogs. ## ## --## --## Domain allowed to transition. --## + ## +@@ -809,13 +903,50 @@ interface(`apache_domtrans_rotatelogs',` + type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ') + ++####################################### ++## ++## Execute httpd_rotatelogs in the caller domain. ++## ++## +## +## Domain allowed to transition. +## - ## - # --interface(`apache_domtrans_rotatelogs',` ++## ++# +interface(`apache_exec_rotatelogs',` + gen_require(` + type httpd_rotatelogs_exec_t; @@ -4088,17 +4179,14 @@ index f6eb485..fac6fe5 100644 +## +# +interface(`apache_exec_sys_script',` - gen_require(` -- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ++ gen_require(` + type httpd_sys_script_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ ') ++ + allow $1 httpd_sys_script_exec_t:dir search_dir_perms; + can_exec($1, httpd_sys_script_exec_t) - ') - ++') ++ ######################################## ## -## List httpd system content directories. @@ -4107,7 +4195,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +960,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4124,7 +4212,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +976,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4132,7 +4220,7 @@ index f6eb485..fac6fe5 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +988,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4239,7 +4327,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1087,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4258,7 +4346,7 @@ index f6eb485..fac6fe5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1107,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4270,7 +4358,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1146,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4279,7 +4367,7 @@ index f6eb485..fac6fe5 100644 ## to the specified role. ## ## -@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1159,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4287,7 +4375,7 @@ index f6eb485..fac6fe5 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1172,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4297,7 +4385,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1186,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4313,7 +4401,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1210,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4322,7 +4410,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1223,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4337,7 +4425,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1248,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4346,7 +4434,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1266,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4356,7 +4444,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1071,18 +1231,21 @@ interface(`apache_search_sys_scripts',` +@@ -1071,18 +1277,21 @@ interface(`apache_search_sys_scripts',` # interface(`apache_manage_all_user_content',` gen_require(` @@ -4384,7 +4472,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1100,7 +1263,8 @@ interface(`apache_search_sys_script_state',` +@@ -1100,7 +1309,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4394,7 +4482,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1117,10 +1281,29 @@ interface(`apache_read_tmp_files',` +@@ -1117,10 +1327,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4426,7 +4514,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1133,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1133,7 +1362,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4435,7 +4523,7 @@ index f6eb485..fac6fe5 100644 ') ######################################## -@@ -1142,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1142,6 +1371,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4445,7 +4533,7 @@ index f6eb485..fac6fe5 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1171,8 +1357,30 @@ interface(`apache_cgi_domain',` +@@ -1171,8 +1403,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4478,7 +4566,7 @@ index f6eb485..fac6fe5 100644 ## ## ## -@@ -1189,18 +1397,19 @@ interface(`apache_cgi_domain',` +@@ -1189,18 +1443,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4507,7 +4595,7 @@ index f6eb485..fac6fe5 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1210,10 +1419,10 @@ interface(`apache_admin',` +@@ -1210,10 +1465,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4521,7 +4609,7 @@ index f6eb485..fac6fe5 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1433,129 @@ interface(`apache_admin',` +@@ -1224,9 +1479,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -4585,7 +4673,19 @@ index f6eb485..fac6fe5 100644 + + + apache_filetrans_home_content($1) ++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2") ++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade") + userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache") +') + @@ -4656,7 +4756,7 @@ index f6eb485..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..0e09bca 100644 +index 6649962..e3e190e 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,317 @@ policy_module(apache, 2.7.2) @@ -5178,10 +5278,11 @@ index 6649962..0e09bca 100644 type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) -+# setup the system domain for system CGI scripts - apache_content_template(sys) +-apache_content_template(sys) -corecmd_shell_entry_type(httpd_sys_script_t) -typealias httpd_sys_content_t alias ntop_http_content_t; ++# setup the system domain for system CGI scripts ++apache_content_template(httpd_sys) + +typeattribute httpd_sys_content_t httpdcontent; # customizable +typeattribute httpd_sys_rw_content_t httpdcontent; # customizable @@ -5196,9 +5297,12 @@ index 6649962..0e09bca 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -326,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -324,14 +389,21 @@ files_tmp_file(httpd_tmp_t) + type httpd_tmpfs_t; + files_tmpfs_file(httpd_tmpfs_t) - apache_content_template(user) +-apache_content_template(user) ++apache_content_template(httpd_user) ubac_constrained(httpd_user_script_t) + +typeattribute httpd_user_content_t httpdcontent; @@ -5715,7 +5819,7 @@ index 6649962..0e09bca 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +813,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,66 +813,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5750,16 +5854,27 @@ index 6649962..0e09bca 100644 -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') -+optional_policy(` -+ cobbler_list_config(httpd_t) -+ cobbler_read_config(httpd_t) - +- -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_fusefs_dirs(httpd_t) - fs_manage_fusefs_files(httpd_t) - fs_read_fusefs_symlinks(httpd_t) -') +- +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) +-') ++optional_policy(` ++ cobbler_list_config(httpd_t) ++ cobbler_read_config(httpd_t) + +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) +-') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) +',` @@ -5767,27 +5882,22 @@ index 6649962..0e09bca 100644 + cobbler_search_lib(httpd_t) + ') --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_nfs_dirs(httpd_t) -- fs_manage_nfs_files(httpd_t) -- fs_manage_nfs_symlinks(httpd_t) -+optional_policy(` + optional_policy(` +- calamaris_read_www_files(httpd_t) + tunable_policy(`httpd_use_sasl',` + sasl_connect(httpd_t) + ') ') --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_t) -+optional_policy(` + optional_policy(` +- ccs_read_config(httpd_t) + # Support for ABRT retrace server + # mod_wsgi + abrt_manage_spool_retrace(httpd_t) @@ -5796,22 +5906,18 @@ index 6649962..0e09bca 100644 ') optional_policy(` -@@ -748,14 +865,6 @@ optional_policy(` - ccs_read_config(httpd_t) +- clamav_domtrans_clamscan(httpd_t) ++ calamaris_read_www_files(httpd_t) ') --optional_policy(` -- clamav_domtrans_clamscan(httpd_t) --') -- --optional_policy(` + optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) --') ++ ccs_read_config(httpd_t) + ') optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -@@ -770,6 +879,23 @@ optional_policy(` +@@ -770,6 +878,23 @@ optional_policy(` ') optional_policy(` @@ -5835,7 +5941,7 @@ index 6649962..0e09bca 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -786,35 +912,48 @@ optional_policy(` +@@ -786,35 +911,53 @@ optional_policy(` ') optional_policy(` @@ -5858,6 +5964,11 @@ index 6649962..0e09bca 100644 - ldap_tcp_connect(httpd_t) - ') +optional_policy(` ++ mirrormanager_read_lib_files(httpd_t) ++ mirrormanager_read_log(httpd_t) ++') ++ ++optional_policy(` + jetty_admin(httpd_t) +') + @@ -5897,7 +6008,7 @@ index 6649962..0e09bca 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +961,18 @@ optional_policy(` +@@ -822,8 +965,18 @@ optional_policy(` ') optional_policy(` @@ -5916,7 +6027,7 @@ index 6649962..0e09bca 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +981,7 @@ optional_policy(` +@@ -832,6 +985,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5924,7 +6035,7 @@ index 6649962..0e09bca 100644 ') optional_policy(` -@@ -842,20 +992,39 @@ optional_policy(` +@@ -842,20 +996,39 @@ optional_policy(` ') optional_policy(` @@ -5970,7 +6081,7 @@ index 6649962..0e09bca 100644 ') optional_policy(` -@@ -863,19 +1032,35 @@ optional_policy(` +@@ -863,19 +1036,35 @@ optional_policy(` ') optional_policy(` @@ -6006,7 +6117,7 @@ index 6649962..0e09bca 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1068,173 @@ optional_policy(` +@@ -883,65 +1072,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6079,11 +6190,10 @@ index 6649962..0e09bca 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache PHP script local policy +# + @@ -6142,10 +6252,11 @@ index 6649962..0e09bca 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache suexec local policy # @@ -6202,7 +6313,7 @@ index 6649962..0e09bca 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1247,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6357,7 +6468,7 @@ index 6649962..0e09bca 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1327,106 @@ optional_policy(` +@@ -1083,172 +1331,106 @@ optional_policy(` ') ') @@ -6379,11 +6490,11 @@ index 6649962..0e09bca 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -+allow httpd_sys_script_t self:process getsched; - +- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6539,8 +6650,7 @@ index 6649962..0e09bca 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) @@ -6556,7 +6666,8 @@ index 6649962..0e09bca 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6594,7 +6705,7 @@ index 6649962..0e09bca 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6691,7 +6802,7 @@ index 6649962..0e09bca 100644 ######################################## # -@@ -1321,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6708,15 +6819,14 @@ index 6649962..0e09bca 100644 ') ######################################## -@@ -1330,49 +1525,38 @@ optional_policy(` +@@ -1330,49 +1529,38 @@ optional_policy(` # User content local policy # -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') -+auth_use_nsswitch(httpd_user_script_t) - +- -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_cifs_files(httpd_user_script_t) @@ -6726,7 +6836,8 @@ index 6649962..0e09bca 100644 -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_user_script_t) -') -- ++auth_use_nsswitch(httpd_user_script_t) + -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_nfs_files(httpd_user_script_t) @@ -6773,7 +6884,7 @@ index 6649962..0e09bca 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1566,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1570,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -6791,8 +6902,7 @@ index 6649962..0e09bca 100644 +systemd_manage_passwd_run(httpd_passwd_t) +systemd_manage_passwd_run(httpd_t) +#systemd_passwd_agent_dev_template(httpd) - --allow httpd_gpg_t self:process setrlimit; ++ +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; + @@ -6826,7 +6936,8 @@ index 6649962..0e09bca 100644 + +miscfiles_read_fonts(httpd_script_type) +miscfiles_read_public_files(httpd_script_type) -+ + +-allow httpd_gpg_t self:process setrlimit; +allow httpd_t httpd_script_type:unix_stream_socket connectto; -allow httpd_gpg_t httpd_t:fd use; @@ -6842,6 +6953,7 @@ index 6649962..0e09bca 100644 +allow httpd_script_type self:process { setsched signal_perms }; +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; +allow httpd_script_type self:unix_dgram_socket create_socket_perms; ++allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms; -files_read_usr_files(httpd_gpg_t) +allow httpd_script_type httpd_t:fd use; @@ -6894,10 +7006,10 @@ index 6649962..0e09bca 100644 + corenet_tcp_connect_osapi_compute_port(httpd_t) ') diff --git a/apcupsd.fc b/apcupsd.fc -index 5ec0e13..1c37fe1 100644 +index 5ec0e13..274704f 100644 --- a/apcupsd.fc +++ b/apcupsd.fc -@@ -1,10 +1,13 @@ +@@ -1,18 +1,21 @@ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) @@ -6911,10 +7023,46 @@ index 5ec0e13..1c37fe1 100644 /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + + /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) + +-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) ++/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) ++/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) ++/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) ++/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) ++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) diff --git a/apcupsd.if b/apcupsd.if -index f3c0aba..b6afc90 100644 +index f3c0aba..9c06313 100644 --- a/apcupsd.if +++ b/apcupsd.if +@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',` + ######################################## + ## + ## Execute a domain transition to +-## run httpd_apcupsd_cgi_script. ++## run apcupsd_cgi_script. + ## + ## + ## +@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',` + # + interface(`apcupsd_cgi_script_domtrans',` + gen_require(` +- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; ++ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t; + ') + + files_search_var($1) +- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) ++ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t) + + optional_policy(` + apache_search_sys_content($1) @@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',` ######################################## @@ -6993,7 +7141,7 @@ index f3c0aba..b6afc90 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..b4c43c7 100644 +index 080bc4d..4b86e25 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -7034,7 +7182,7 @@ index 080bc4d..b4c43c7 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +76,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -7058,20 +7206,59 @@ index 080bc4d..b4c43c7 100644 sysnet_dns_name_resolve(apcupsd_t) -userdom_use_user_ttys(apcupsd_t) -+systemd_start_power_services(apcupsd_t) -+ +userdom_use_inherited_user_ttys(apcupsd_t) optional_policy(` hostname_exec(apcupsd_t) -@@ -112,7 +120,6 @@ optional_policy(` - allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; +@@ -101,6 +107,11 @@ optional_policy(` + shutdown_domtrans(apcupsd_t) + ') + ++optional_policy(` ++ systemd_start_power_services(apcupsd_t) ++ systemd_status_power_services(apcupsd_t) ++') ++ + ######################################## + # + # CGI local policy +@@ -108,20 +119,20 @@ optional_policy(` + optional_policy(` + apache_content_template(apcupsd_cgi) +- +- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; +- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; +- - corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) +- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) +- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) +- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) +- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t) +- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) +- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) +- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) +- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) +- +- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) ++ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi) ++ ++ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; ++ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms; ++ ++ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t) ++ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t) ++ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t) ++ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t) ++ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t) ++ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t) ++ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t) ++ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t) ++ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t) ++ ++ sysnet_dns_name_resolve(apcupsd_cgi_script_t) + ') diff --git a/apm.fc b/apm.fc index ce27d2f..d20377e 100644 --- a/apm.fc @@ -7974,11 +8161,43 @@ index b8355b3..844e45b 100644 userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) +diff --git a/awstats.fc b/awstats.fc +index 11e6d5f..73b4ea4 100644 +--- a/awstats.fc ++++ b/awstats.fc +@@ -1,5 +1,5 @@ + /usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) +-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) +-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) ++/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0) ++/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0) + + /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/awstats.te b/awstats.te -index c1b16c3..c222135 100644 +index c1b16c3..ffbf2cb 100644 --- a/awstats.te +++ b/awstats.te -@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t) +@@ -26,6 +26,7 @@ type awstats_var_lib_t; + files_type(awstats_var_lib_t) + + apache_content_template(awstats) ++apache_content_alias_template(awstats, awstats) + + ######################################## + # +@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) + + manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) + +-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms; ++allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms; + +-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t }) ++can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t }) + + kernel_dontaudit_read_system_state(awstats_t) + +@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t) dev_read_urand(awstats_t) files_dontaudit_search_all_mountpoints(awstats_t) @@ -7987,7 +8206,7 @@ index c1b16c3..c222135 100644 fs_list_inotifyfs(awstats_t) -@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t) +@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t) logging_read_generic_logs(awstats_t) @@ -7996,22 +8215,24 @@ index c1b16c3..c222135 100644 sysnet_dns_name_resolve(awstats_t) tunable_policy(`awstats_purge_apache_log_files',` -@@ -90,9 +86,13 @@ optional_policy(` +@@ -90,9 +87,13 @@ optional_policy(` # CGI local policy # -+apache_read_log(httpd_awstats_script_t) +-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; ++apache_read_log(awstats_script_t) + -+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file }) -+ - allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; ++manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t) ++manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t) ++files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file }) + +-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) +-files_search_var_lib(httpd_awstats_script_t) ++allow awstats_script_t awstats_var_lib_t:dir list_dir_perms; - read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) - files_search_var_lib(httpd_awstats_script_t) -- -apache_read_log(httpd_awstats_script_t) ++read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) ++files_search_var_lib(awstats_script_t) diff --git a/backup.te b/backup.te index 7811450..d8a8bd6 100644 --- a/backup.te @@ -9459,21 +9680,48 @@ index c5a9113..6ad8ccb 100644 xen_append_log(brctl_t) xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/bugzilla.fc b/bugzilla.fc -index fce0b6e..fb6e397 100644 +index fce0b6e..9efceac 100644 --- a/bugzilla.fc +++ b/bugzilla.fc @@ -1,4 +1,4 @@ -/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) ++/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0) ++/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0) - /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) +-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) ++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0) diff --git a/bugzilla.if b/bugzilla.if -index 1b22262..bf0cefa 100644 +index 1b22262..d9ea246 100644 --- a/bugzilla.if +++ b/bugzilla.if -@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` +@@ -12,10 +12,10 @@ + # + interface(`bugzilla_search_content',` + gen_require(` +- type httpd_bugzilla_content_t; ++ type bugzilla_content_t; + ') + +- allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ++ allow $1 bugzilla_content_t:dir search_dir_perms; + ') + + ######################################## +@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',` + # + interface(`bugzilla_dontaudit_rw_stream_sockets',` + gen_require(` +- type httpd_bugzilla_script_t; ++ type bugzilla_script_t; + ') + +- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; ++ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write }; + ') + + ######################################## +@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` ## Domain allowed access. ## ## @@ -9486,32 +9734,44 @@ index 1b22262..bf0cefa 100644 # interface(`bugzilla_admin',` gen_require(` - type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; - type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; +- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; +- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; -+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; ++ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t; ++ type bugzilla_rw_content_t, bugzilla_script_exec_t; ++ type bugzilla_htaccess_t, bugzilla_tmp_t; ++ ') ++ ++ allow $1 bugzilla_script_t:process signal_perms; ++ ps_process_pattern($1, bugzilla_script_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bugzilla_script_t:process ptrace; ') - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; -+ allow $1 httpd_bugzilla_script_t:process signal_perms; - ps_process_pattern($1, httpd_bugzilla_script_t) +- ps_process_pattern($1, httpd_bugzilla_script_t) ++ files_list_tmp($1) ++ admin_pattern($1, bugzilla_tmp_t) - files_search_usr($1) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_bugzilla_script_t:process ptrace; -+ ') -+ -+ files_list_tmp($1) -+ admin_pattern($1, httpd_bugzilla_tmp_t) -+ -+ files_list_var_lib(httpd_bugzilla_script_t) -+ - admin_pattern($1, httpd_bugzilla_script_exec_t) - admin_pattern($1, httpd_bugzilla_script_t) - admin_pattern($1, httpd_bugzilla_content_t) -@@ -76,5 +78,7 @@ interface(`bugzilla_admin',` +- admin_pattern($1, httpd_bugzilla_script_exec_t) +- admin_pattern($1, httpd_bugzilla_script_t) +- admin_pattern($1, httpd_bugzilla_content_t) +- admin_pattern($1, httpd_bugzilla_htaccess_t) +- admin_pattern($1, httpd_bugzilla_ra_content_t) ++ files_list_var_lib(bugzilla_script_t) ++ ++ admin_pattern($1, bugzilla_script_exec_t) ++ admin_pattern($1, bugzilla_script_t) ++ admin_pattern($1, bugzilla_content_t) ++ admin_pattern($1, bugzilla_htaccess_t) ++ admin_pattern($1, bugzilla_ra_content_t) + + files_search_tmp($1) files_search_var_lib($1) - admin_pattern($1, httpd_bugzilla_rw_content_t) +- admin_pattern($1, httpd_bugzilla_rw_content_t) ++ admin_pattern($1, bugzilla_rw_content_t) - apache_list_sys_content($1) + optional_policy(` @@ -9519,49 +9779,83 @@ index 1b22262..bf0cefa 100644 + ') ') diff --git a/bugzilla.te b/bugzilla.te -index 18623e3..d9f3061 100644 +index 18623e3..c62f617 100644 --- a/bugzilla.te +++ b/bugzilla.te -@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0) +@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0) + # apache_content_template(bugzilla) - -+type httpd_bugzilla_tmp_t; -+files_tmp_file(httpd_bugzilla_tmp_t) ++apache_content_alias_template(bugzilla, bugzilla) + ++type bugzilla_tmp_t alias httpd_bugzilla_tmp_t; ++files_tmp_file(bugzilla_tmp_t) + ######################################## # # Local policy -@@ -14,7 +17,6 @@ apache_content_template(bugzilla) + # - allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; +-allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; ++allow bugzilla_script_t self:tcp_socket { accept listen }; ++ ++corenet_all_recvfrom_netlabel(bugzilla_script_t) ++corenet_tcp_sendrecv_generic_if(bugzilla_script_t) ++corenet_tcp_sendrecv_generic_node(bugzilla_script_t) ++ ++corenet_sendrecv_http_client_packets(bugzilla_script_t) ++corenet_tcp_connect_http_port(bugzilla_script_t) ++corenet_tcp_sendrecv_http_port(bugzilla_script_t) ++ ++corenet_sendrecv_smtp_client_packets(bugzilla_script_t) ++corenet_tcp_connect_smtp_port(bugzilla_script_t) ++corenet_tcp_sendrecv_smtp_port(bugzilla_script_t) ++ ++manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t) ++manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t) ++files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir }) -corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) - corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) - corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) - corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) - corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) - corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) +-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) +-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) +-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) ++files_search_var_lib(bugzilla_script_t) -+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) -+ - files_search_var_lib(httpd_bugzilla_script_t) +-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t) +-corenet_tcp_connect_http_port(httpd_bugzilla_script_t) +-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t) ++auth_read_passwd(bugzilla_script_t) + +-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) +-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) +-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) ++dev_read_sysfs(bugzilla_script_t) + +-files_search_var_lib(httpd_bugzilla_script_t) ++sysnet_read_config(bugzilla_script_t) ++sysnet_use_ldap(bugzilla_script_t) -sysnet_dns_name_resolve(httpd_bugzilla_script_t) -+auth_read_passwd(httpd_bugzilla_script_t) -+ -+dev_read_sysfs(httpd_bugzilla_script_t) -+ -+sysnet_read_config(httpd_bugzilla_script_t) - sysnet_use_ldap(httpd_bugzilla_script_t) +-sysnet_use_ldap(httpd_bugzilla_script_t) ++miscfiles_read_certs(bugzilla_script_t) + + optional_policy(` +- mta_send_mail(httpd_bugzilla_script_t) ++ mta_send_mail(bugzilla_script_t) + ') + + optional_policy(` +- mysql_stream_connect(httpd_bugzilla_script_t) +- mysql_tcp_connect(httpd_bugzilla_script_t) ++ mysql_stream_connect(bugzilla_script_t) ++ mysql_tcp_connect(bugzilla_script_t) + ') -+miscfiles_read_certs(httpd_bugzilla_script_t) -+ optional_policy(` - mta_send_mail(httpd_bugzilla_script_t) +- postgresql_stream_connect(httpd_bugzilla_script_t) +- postgresql_tcp_connect(httpd_bugzilla_script_t) ++ postgresql_stream_connect(bugzilla_script_t) ++ postgresql_tcp_connect(bugzilla_script_t) ') diff --git a/bumblebee.fc b/bumblebee.fc new file mode 100644 @@ -9578,10 +9872,10 @@ index 0000000..b5ee23b +/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) diff --git a/bumblebee.if b/bumblebee.if new file mode 100644 -index 0000000..23a4f86 +index 0000000..de66654 --- /dev/null +++ b/bumblebee.if -@@ -0,0 +1,126 @@ +@@ -0,0 +1,121 @@ +## policy for bumblebee + +######################################## @@ -9675,11 +9969,6 @@ index 0000000..23a4f86 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`bumblebee_admin',` @@ -10323,7 +10612,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..6e8a513 100644 +index 550b287..7124d87 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -10390,9 +10679,10 @@ index 550b287..6e8a513 100644 -miscfiles_read_localization(certmonger_t) miscfiles_manage_generic_cert_files(certmonger_t) +-userdom_search_user_home_content(certmonger_t) +systemd_exec_systemctl(certmonger_t) + - userdom_search_user_home_content(certmonger_t) ++userdom_manage_home_certs(certmonger_t) optional_policy(` - apache_initrc_domtrans(certmonger_t) @@ -10425,7 +10715,7 @@ index 550b287..6e8a513 100644 + +optional_policy(` + pki_rw_tomcat_cert(certmonger_t) -+ pki_read_tomcat_lib_files(certmonger_t) ++ pki_read_tomcat_lib_files(certmonger_t) +') + +######################################## @@ -10665,7 +10955,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..1a33de9 100644 +index 80a88a2..f947039 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -10718,13 +11008,15 @@ index 80a88a2..1a33de9 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t) +@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) -files_read_etc_files(cgred_t) - fs_write_cgroup_files(cgred_t) +-fs_write_cgroup_files(cgred_t) ++fs_manage_cgroup_dirs(cgred_t) ++fs_manage_cgroup_files(cgred_t) +fs_list_inotifyfs(cgred_t) -logging_send_syslog_msg(cgred_t) @@ -12406,7 +12698,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..9a5087b 100644 +index 5f306dd..e01156f 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -12455,23 +12747,42 @@ index 5f306dd..9a5087b 100644 ') optional_policy(` -+ apache_domtrans(cobblerd_t) ++ apache_domtrans(cobblerd_t) apache_search_sys_content(cobblerd_t) ') -@@ -188,17 +191,25 @@ optional_policy(` +@@ -170,6 +173,7 @@ optional_policy(` + bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) ++ bind_systemctl(cobblerd_t) ') optional_policy(` -+ libs_exec_ldconfig(cobblerd_t) +@@ -179,12 +183,22 @@ optional_policy(` + optional_policy(` + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) ++ dhcpd_systemctl(cobblerd_t) + ') + + optional_policy(` + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) ++ dnsmasq_systemctl(cobblerd_t) +') + +optional_policy(` -+ mysql_stream_connect(cobblerd_t) ++ libs_exec_ldconfig(cobblerd_t) +') + +optional_policy(` - rpm_exec(cobblerd_t) ++ mysql_stream_connect(cobblerd_t) + ') + + optional_policy(` +@@ -192,13 +206,13 @@ optional_policy(` ') optional_policy(` @@ -12489,10 +12800,10 @@ index 5f306dd..9a5087b 100644 tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') diff --git a/collectd.fc b/collectd.fc -index 79a3abe..2e7d7ed 100644 +index 79a3abe..8d70290 100644 --- a/collectd.fc +++ b/collectd.fc -@@ -1,5 +1,7 @@ +@@ -1,9 +1,11 @@ /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) +/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) @@ -12500,6 +12811,11 @@ index 79a3abe..2e7d7ed 100644 /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) + + /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) + +-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) ++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0) diff --git a/collectd.if b/collectd.if index 954309e..f4db2ca 100644 --- a/collectd.if @@ -12683,10 +12999,10 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..dc0423c 100644 +index 6471fa8..d078b96 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) +@@ -26,7 +26,14 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -12694,14 +13010,14 @@ index 6471fa8..dc0423c 100644 +systemd_unit_file(collectd_unit_file_t) + apache_content_template(collectd) - -+type httpd_collectd_script_tmp_t; -+files_tmp_file(httpd_collectd_script_tmp_t) ++apache_content_alias_template(collectd, collectd) + ++type collectd_script_tmp_t alias httpd_collectd_script_tmp_t; ++files_tmp_file(collectd_script_tmp_t) + ######################################## # - # Local policy -@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +45,9 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; @@ -12711,7 +13027,7 @@ index 6471fa8..dc0423c 100644 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +56,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) @@ -12747,7 +13063,7 @@ index 6471fa8..dc0423c 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +90,26 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -12770,16 +13086,16 @@ index 6471fa8..dc0423c 100644 - miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -') + -+files_search_var_lib(httpd_collectd_script_t) -+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) ++files_search_var_lib(collectd_script_t) ++read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++miscfiles_setattr_fonts_cache_dirs(collectd_script_t) + -+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) -+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) -+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir }) ++manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t) ++manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t) ++files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir }) + -+auth_read_passwd(httpd_collectd_script_t) ++auth_read_passwd(collectd_script_t) diff --git a/colord.fc b/colord.fc index 71639eb..08ab891 100644 --- a/colord.fc @@ -16015,7 +16331,7 @@ index 1303b30..72481a7 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..c4abac0 100644 +index 7de3859..d8264c4 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` @@ -16662,7 +16978,7 @@ index 7de3859..c4abac0 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +531,17 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +531,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -16671,6 +16987,7 @@ index 7de3859..c4abac0 100644 apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) ++ apache_manage_lib(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) +') @@ -16680,7 +16997,7 @@ index 7de3859..c4abac0 100644 ') optional_policy(` -@@ -551,10 +550,6 @@ optional_policy(` +@@ -551,10 +551,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -16691,7 +17008,7 @@ index 7de3859..c4abac0 100644 ') optional_policy(` -@@ -591,6 +586,7 @@ optional_policy(` +@@ -591,6 +587,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -16699,7 +17016,7 @@ index 7de3859..c4abac0 100644 ') optional_policy(` -@@ -598,7 +594,19 @@ optional_policy(` +@@ -598,7 +595,19 @@ optional_policy(` ') optional_policy(` @@ -16719,7 +17036,7 @@ index 7de3859..c4abac0 100644 ') optional_policy(` -@@ -608,6 +616,7 @@ optional_policy(` +@@ -608,6 +617,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16727,7 +17044,7 @@ index 7de3859..c4abac0 100644 ') optional_policy(` -@@ -615,12 +624,24 @@ optional_policy(` +@@ -615,12 +625,24 @@ optional_policy(` ') optional_policy(` @@ -16754,7 +17071,7 @@ index 7de3859..c4abac0 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +649,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +650,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16788,7 +17105,7 @@ index 7de3859..c4abac0 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +682,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +683,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -18258,8 +18575,31 @@ index c91813c..f31fa44 100644 udev_read_db(ptal_t) ') + +diff --git a/cvs.fc b/cvs.fc +index 75c8be9..4c1a965 100644 +--- a/cvs.fc ++++ b/cvs.fc +@@ -1,13 +1,16 @@ ++HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) ++/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) ++ + /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0) + + /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + + /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) + +-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) ++/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) + + /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + + /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0) + +-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) ++/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) diff --git a/cvs.if b/cvs.if -index 64775fd..bff3111 100644 +index 64775fd..91a6056 100644 --- a/cvs.if +++ b/cvs.if @@ -1,5 +1,23 @@ @@ -18286,8 +18626,36 @@ index 64775fd..bff3111 100644 ######################################## ## ## Read CVS data and metadata content. -@@ -62,9 +80,14 @@ interface(`cvs_admin',` +@@ -41,6 +59,24 @@ interface(`cvs_exec',` + + ######################################## + ## ++## Transition to cvs named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cvs_filetrans_home_content',` ++ gen_require(` ++ type cvs_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore") ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an cvs environment + ## +@@ -60,11 +96,17 @@ interface(`cvs_admin',` + gen_require(` + type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; type cvs_data_t, cvs_var_run_t, cvs_keytab_t; ++ type cvs_home_t; ') - allow $1 cvs_t:process { ptrace signal_perms }; @@ -18302,8 +18670,16 @@ index 64775fd..bff3111 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; +@@ -81,4 +123,7 @@ interface(`cvs_admin',` + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) ++ ++ userdom_search_user_home_dirs($1) ++ admin_pattern($1, cvs_home_t) + ') diff --git a/cvs.te b/cvs.te -index 0f77550..f98a932 100644 +index 0f77550..cd608bc 100644 --- a/cvs.te +++ b/cvs.te @@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2) @@ -18315,7 +18691,32 @@ index 0f77550..f98a932 100644 type cvs_t; type cvs_exec_t; -@@ -74,6 +74,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t) +@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t) + type cvs_var_run_t; + files_pid_file(cvs_var_run_t) + ++type cvs_home_t; ++userdom_user_home_content(cvs_home_t) ++ + ######################################## + # + # Local policy + # + +-allow cvs_t self:capability { setuid setgid }; ++allow cvs_t self:capability { dac_override dac_read_search setuid setgid }; + allow cvs_t self:process signal_perms; + allow cvs_t self:fifo_file rw_fifo_file_perms; + allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + allow cvs_t self:tcp_socket { accept listen }; + ++userdom_search_user_home_dirs(cvs_t) ++allow cvs_t cvs_home_t:file read_file_perms; ++ + manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -18331,7 +18732,7 @@ index 0f77550..f98a932 100644 dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -86,18 +95,18 @@ auth_use_nsswitch(cvs_t) +@@ -86,18 +101,16 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -18344,8 +18745,8 @@ index 0f77550..f98a932 100644 - mta_send_mail(cvs_t) - userdom_dontaudit_search_user_home_dirs(cvs_t) - +-userdom_dontaudit_search_user_home_dirs(cvs_t) +- # cjp: typeattribute doesnt work in conditionals yet auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` @@ -18353,11 +18754,19 @@ index 0f77550..f98a932 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -120,4 +129,5 @@ optional_policy(` - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) +@@ -116,8 +129,10 @@ optional_policy(` + + optional_policy(` + apache_content_template(cvs) ++ apache_content_alias_template(cvs, cvs) + +- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) +- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) +- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t) ++ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir }) ') diff --git a/cyphesis.te b/cyphesis.te index 77ffc73..86e11f5 100644 @@ -20871,7 +21280,7 @@ index b3b2188..5f91705 100644 miscfiles_read_localization(dirmngr_t) diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc new file mode 100644 -index 0000000..8c44697 +index 0000000..5e44c5e --- /dev/null +++ b/dirsrv-admin.fc @@ -0,0 +1,15 @@ @@ -20883,8 +21292,8 @@ index 0000000..8c44697 +/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) +/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) + -+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0) ++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0) + +/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) +/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) @@ -20892,7 +21301,7 @@ index 0000000..8c44697 +/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0) diff --git a/dirsrv-admin.if b/dirsrv-admin.if new file mode 100644 -index 0000000..30416f2 +index 0000000..e360d38 --- /dev/null +++ b/dirsrv-admin.if @@ -0,0 +1,133 @@ @@ -20927,13 +21336,13 @@ index 0000000..30416f2 +## +## +# -+interface(`dirsrvadmin_run_httpd_script_exec',` ++interface(`dirsrvadmin_run_script_exec',` + gen_require(` -+ type httpd_dirsrvadmin_script_exec_t; ++ type dirsrvadmin_script_exec_t; + ') + -+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; -+ can_exec($1, httpd_dirsrvadmin_script_exec_t) ++ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms; ++ can_exec($1, dirsrvadmin_script_exec_t) +') + +######################################## @@ -21031,10 +21440,10 @@ index 0000000..30416f2 +') diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 0000000..021c5ae +index 0000000..37afbd4 --- /dev/null +++ b/dirsrv-admin.te -@@ -0,0 +1,157 @@ +@@ -0,0 +1,158 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## @@ -21107,59 +21516,60 @@ index 0000000..021c5ae + +optional_policy(` + apache_content_template(dirsrvadmin) ++ apache_content_alias_template(dirsrvadmin, dirsrvadmin) + -+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; -+ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; -+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; ++ allow dirsrvadmin_script_t self:process { getsched getpgid }; ++ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; ++ allow dirsrvadmin_script_t self:udp_socket create_socket_perms; ++ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; ++ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; ++ allow dirsrvadmin_script_t self:sem create_sem_perms; + + -+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) -+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) ++ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) ++ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) + -+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) ++ kernel_read_kernel_sysctls(dirsrvadmin_script_t) + + -+ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t) -+ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t) -+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) ++ corenet_tcp_bind_generic_node(dirsrvadmin_script_t) ++ corenet_udp_bind_generic_node(dirsrvadmin_script_t) ++ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t) + -+ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_bind_http_port(dirsrvadmin_script_t) ++ corenet_tcp_connect_generic_port(dirsrvadmin_script_t) ++ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t) ++ corenet_tcp_connect_http_port(dirsrvadmin_script_t) + -+ files_search_var_lib(httpd_dirsrvadmin_script_t) ++ files_search_var_lib(dirsrvadmin_script_t) + -+ sysnet_read_config(httpd_dirsrvadmin_script_t) ++ sysnet_read_config(dirsrvadmin_script_t) + -+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) ++ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) + + optional_policy(` -+ apache_read_modules(httpd_dirsrvadmin_script_t) -+ apache_read_config(httpd_dirsrvadmin_script_t) -+ apache_signal(httpd_dirsrvadmin_script_t) -+ apache_signull(httpd_dirsrvadmin_script_t) ++ apache_read_modules(dirsrvadmin_script_t) ++ apache_read_config(dirsrvadmin_script_t) ++ apache_signal(dirsrvadmin_script_t) ++ apache_signull(dirsrvadmin_script_t) + ') + + optional_policy(` + # The CGI scripts must be able to manage dirsrv-admin -+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) -+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) -+ dirsrv_domtrans(httpd_dirsrvadmin_script_t) -+ dirsrv_signal(httpd_dirsrvadmin_script_t) -+ dirsrv_signull(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_log(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) -+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_config(httpd_dirsrvadmin_script_t) -+ dirsrv_read_share(httpd_dirsrvadmin_script_t) ++ dirsrvadmin_run_exec(dirsrvadmin_script_t) ++ dirsrvadmin_manage_config(dirsrvadmin_script_t) ++ dirsrv_domtrans(dirsrvadmin_script_t) ++ dirsrv_signal(dirsrvadmin_script_t) ++ dirsrv_signull(dirsrvadmin_script_t) ++ dirsrv_manage_log(dirsrvadmin_script_t) ++ dirsrv_manage_var_lib(dirsrvadmin_script_t) ++ dirsrv_pid_filetrans(dirsrvadmin_script_t) ++ dirsrv_manage_var_run(dirsrvadmin_script_t) ++ dirsrv_manage_config(dirsrvadmin_script_t) ++ dirsrv_read_share(dirsrvadmin_script_t) + ') +') + @@ -22307,10 +22717,10 @@ index 0000000..484dd44 \ No newline at end of file diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..d856375 +index 0000000..543baf1 --- /dev/null +++ b/docker.if -@@ -0,0 +1,196 @@ +@@ -0,0 +1,250 @@ + +## The open-source application container engine. + @@ -22354,6 +22764,25 @@ index 0000000..d856375 + +######################################## +## ++## Execute docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_exec_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ can_exec($1, docker_var_lib_t) ++') ++ ++######################################## ++## +## Read docker lib files. +## +## @@ -22411,6 +22840,41 @@ index 0000000..d856375 + +######################################## +## ++## Create objects in a docker var lib directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`docker_lib_filetrans',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## +## Read docker PID files. +## +## @@ -23528,11 +23992,15 @@ index f2516cc..8975946 100644 - sysnet_dns_name_resolve(drbd_t) diff --git a/dspam.fc b/dspam.fc -index 5eddac5..3ea0423 100644 +index 5eddac5..b5fcb77 100644 --- a/dspam.fc +++ b/dspam.fc -@@ -5,8 +5,13 @@ - /usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) +@@ -2,11 +2,16 @@ + + /usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0) + +-/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) ++/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0) /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) -/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) @@ -23542,10 +24010,10 @@ index 5eddac5..3ea0423 100644 /var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) + +# web -+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) -+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) ++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0) ++/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0) + -+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) ++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0) diff --git a/dspam.if b/dspam.if index 18f2452..a446210 100644 --- a/dspam.if @@ -23822,7 +24290,7 @@ index 18f2452..a446210 100644 + ') diff --git a/dspam.te b/dspam.te -index ef62363..37c844b 100644 +index ef62363..1ec4d89 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -23848,7 +24316,7 @@ index ef62363..37c844b 100644 files_search_spool(dspam_t) -@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t) +@@ -64,14 +73,30 @@ auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) @@ -23856,36 +24324,35 @@ index ef62363..37c844b 100644 - optional_policy(` apache_content_template(dspam) - -+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) ++ apache_content_alias_template(dspam, dspam) + -+ files_search_var_lib(httpd_dspam_script_t) - list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) -- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) -- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) -+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) ++ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) + -+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) ++ files_search_var_lib(dspam_script_t) + -+ term_dontaudit_search_ptys(httpd_dspam_script_t) -+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) -+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) ++ domain_dontaudit_read_all_domains_state(dspam_script_t) + -+ init_read_utmp(httpd_dspam_script_t) ++ term_dontaudit_search_ptys(dspam_script_t) ++ term_dontaudit_getattr_all_ttys(dspam_script_t) ++ term_dontaudit_getattr_all_ptys(dspam_script_t) + +- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) +- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) +- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) ++ init_read_utmp(dspam_script_t) + -+ logging_send_syslog_msg(httpd_dspam_script_t) ++ logging_send_syslog_msg(dspam_script_t) + -+ mta_send_mail(httpd_dspam_script_t) ++ mta_send_mail(dspam_script_t) + + optional_policy(` -+ mysql_tcp_connect(httpd_dspam_script_t) -+ mysql_stream_connect(httpd_dspam_script_t) ++ mysql_tcp_connect(dspam_script_t) ++ mysql_stream_connect(dspam_script_t) + ') ') optional_policy(` -@@ -87,3 +114,12 @@ optional_policy(` +@@ -87,3 +112,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') @@ -25315,18 +25782,19 @@ index 5010f04..928215f 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..989f63a 100644 +index 92a6479..064f58e 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) +@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) allow fprintd_t self:capability sys_nice; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto }; manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) +@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t) dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) @@ -25340,11 +25808,11 @@ index 92a6479..989f63a 100644 auth_use_nsswitch(fprintd_t) -miscfiles_read_localization(fprintd_t) -- ++logging_send_syslog_msg(fprintd_t) + userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) - -@@ -54,8 +52,13 @@ optional_policy(` +@@ -54,8 +55,13 @@ optional_policy(` ') ') @@ -26185,6 +26653,29 @@ index 8a820fa..996b30c 100644 -') +userdom_use_inherited_user_terminals(giftd_t) +userdom_home_manager(gitd_t) +diff --git a/git.fc b/git.fc +index 24700f8..6561d56 100644 +--- a/git.fc ++++ b/git.fc +@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) + + /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + +-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) +-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) ++/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0) ++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0) + + /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) + +-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0) ++/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0) ++/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0) ++/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0) diff --git a/git.if b/git.if index 1e29af1..6c64f55 100644 --- a/git.if @@ -26232,7 +26723,7 @@ index 1e29af1..6c64f55 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index dc49c71..654dbc5 100644 +index dc49c71..72aa729 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -26250,7 +26741,15 @@ index dc49c71..654dbc5 100644 ## Determine whether Git system daemon ## can search home directories. ##

-@@ -93,10 +85,10 @@ type git_session_t, git_daemon; +@@ -83,6 +75,7 @@ attribute git_daemon; + attribute_role git_session_roles; + + apache_content_template(git) ++apache_content_alias_template(git, git) + + type git_system_t, git_daemon; + type gitd_exec_t; +@@ -93,10 +86,10 @@ type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; @@ -26263,7 +26762,7 @@ index dc49c71..654dbc5 100644 userdom_user_home_content(git_user_content_t) ######################################## -@@ -110,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +@@ -110,6 +103,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) @@ -26272,7 +26771,7 @@ index dc49c71..654dbc5 100644 corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) -@@ -130,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` +@@ -130,9 +125,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_sendrecv_all_ports(git_session_t) ') @@ -26283,7 +26782,7 @@ index dc49c71..654dbc5 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(git_session_t) -@@ -158,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',` +@@ -158,6 +151,9 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) @@ -26293,7 +26792,7 @@ index dc49c71..654dbc5 100644 corenet_all_recvfrom_unlabeled(git_system_t) corenet_all_recvfrom_netlabel(git_system_t) corenet_tcp_sendrecv_generic_if(git_system_t) -@@ -176,6 +171,9 @@ logging_send_syslog_msg(git_system_t) +@@ -176,6 +172,9 @@ logging_send_syslog_msg(git_system_t) tunable_policy(`git_system_enable_homedirs',` userdom_search_user_home_dirs(git_system_t) @@ -26303,7 +26802,78 @@ index dc49c71..654dbc5 100644 ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` -@@ -266,12 +264,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -215,48 +214,48 @@ tunable_policy(`git_system_use_nfs',` + # CGI policy + # + +-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +-files_search_var_lib(httpd_git_script_t) ++list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) ++read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) ++files_search_var_lib(git_script_t) + +-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) ++files_dontaudit_getattr_tmp_dirs(git_script_t) + +-auth_use_nsswitch(httpd_git_script_t) ++auth_use_nsswitch(git_script_t) + + tunable_policy(`git_cgi_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_git_script_t) ++ userdom_search_user_home_dirs(git_script_t) + ') + + tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` +- fs_getattr_nfs(httpd_git_script_t) +- fs_list_nfs(httpd_git_script_t) +- fs_read_nfs_files(httpd_git_script_t) ++ fs_getattr_nfs(git_script_t) ++ fs_list_nfs(git_script_t) ++ fs_read_nfs_files(git_script_t) + ',` +- fs_dontaudit_read_nfs_files(httpd_git_script_t) ++ fs_dontaudit_read_nfs_files(git_script_t) + ') + + tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` +- fs_getattr_cifs(httpd_git_script_t) +- fs_list_cifs(httpd_git_script_t) +- fs_read_cifs_files(httpd_git_script_t) ++ fs_getattr_cifs(git_script_t) ++ fs_list_cifs(git_script_t) ++ fs_read_cifs_files(git_script_t) + ',` +- fs_dontaudit_read_cifs_files(httpd_git_script_t) ++ fs_dontaudit_read_cifs_files(git_script_t) + ') + + tunable_policy(`git_cgi_use_cifs',` +- fs_getattr_cifs(httpd_git_script_t) +- fs_list_cifs(httpd_git_script_t) +- fs_read_cifs_files(httpd_git_script_t) ++ fs_getattr_cifs(git_script_t) ++ fs_list_cifs(git_script_t) ++ fs_read_cifs_files(git_script_t) + ',` +- fs_dontaudit_read_cifs_files(httpd_git_script_t) ++ fs_dontaudit_read_cifs_files(git_script_t) + ') + + tunable_policy(`git_cgi_use_nfs',` +- fs_getattr_nfs(httpd_git_script_t) +- fs_list_nfs(httpd_git_script_t) +- fs_read_nfs_files(httpd_git_script_t) ++ fs_getattr_nfs(git_script_t) ++ fs_list_nfs(git_script_t) ++ fs_read_nfs_files(git_script_t) + ',` +- fs_dontaudit_read_nfs_files(httpd_git_script_t) ++ fs_dontaudit_read_nfs_files(git_script_t) + ') + + ######################################## +@@ -266,12 +265,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -26687,10 +27257,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..7b78047 +index 0000000..4b88195 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,200 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -26782,12 +27352,13 @@ index 0000000..7b78047 + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) + +manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) @@ -30718,10 +31289,10 @@ index 0000000..3ce0ac0 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..5044e7b +index 0000000..bbd5979 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,68 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -30746,6 +31317,7 @@ index 0000000..5044e7b +# +# gssproxy local policy +# ++allow gssproxy_t self:capability { setuid setgid }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -30776,6 +31348,7 @@ index 0000000..5044e7b + +miscfiles_read_localization(gssproxy_t) + ++userdom_read_all_users_keys(gssproxy_t) +userdom_manage_user_tmp_dirs(gssproxy_t) +userdom_manage_user_tmp_files(gssproxy_t) + @@ -31718,7 +32291,7 @@ index ac00fb0..36ef2e5 100644 + userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index 2636503..7e29d1d 100644 +index 2636503..5910c59 100644 --- a/irc.te +++ b/irc.te @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t @@ -31776,23 +32349,27 @@ index 2636503..7e29d1d 100644 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) +@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) -corenet_all_recvfrom_unlabeled(irc_t) ++corecmd_exec_shell(irc_t) ++corecmd_exec_bin(irc_t) ++ corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) -@@ -93,7 +108,6 @@ dev_read_rand(irc_t) +@@ -93,8 +111,6 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) -files_read_usr_files(irc_t) - +- fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) -@@ -106,14 +120,16 @@ auth_use_nsswitch(irc_t) + +@@ -106,14 +122,16 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) @@ -31814,7 +32391,7 @@ index 2636503..7e29d1d 100644 tunable_policy(`irc_use_any_tcp_ports',` allow irc_t self:tcp_socket { accept listen }; -@@ -124,18 +140,69 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -124,18 +142,69 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -31849,7 +32426,7 @@ index 2636503..7e29d1d 100644 + +kernel_read_system_state(irssi_t) + -+corecmd_search_bin(irssi_t) ++corecmd_exec_shell(irssi_t) +corecmd_read_bin_symlinks(irssi_t) + +corenet_tcp_connect_ircd_port(irssi_t) @@ -36427,6 +37004,27 @@ index 4c2b111..8915138 100644 kerberos_use(slapd_t) ') +diff --git a/lightsquid.fc b/lightsquid.fc +index 044390c..63e2058 100644 +--- a/lightsquid.fc ++++ b/lightsquid.fc +@@ -1,11 +1,11 @@ + /etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0) + +-/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) +-/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) ++/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0) ++/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0) + +-/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) ++/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0) + + /var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) + +-/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) +-/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) ++/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0) ++/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0) diff --git a/lightsquid.if b/lightsquid.if index 33a28b9..33ffe24 100644 --- a/lightsquid.if @@ -36441,10 +37039,34 @@ index 33a28b9..33ffe24 100644 + ') ') diff --git a/lightsquid.te b/lightsquid.te -index 09c4f27..75854ed 100644 +index 09c4f27..6c7855e 100644 --- a/lightsquid.te +++ b/lightsquid.te -@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t) +@@ -13,38 +13,34 @@ type lightsquid_exec_t; + application_domain(lightsquid_t, lightsquid_exec_t) + role lightsquid_roles types lightsquid_t; + +-type lightsquid_rw_content_t; +-files_type(lightsquid_rw_content_t) ++type lightsquid_report_content_t; ++files_type(lightsquid_report_content_t) + + ######################################## + # + # Local policy + # + +-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) +-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) +-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) +-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir) ++manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) ++manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) ++manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) ++files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir) + + corecmd_exec_bin(lightsquid_t) + corecmd_exec_shell(lightsquid_t) dev_read_urand(lightsquid_t) @@ -36456,6 +37078,19 @@ index 09c4f27..75854ed 100644 squid_read_config(lightsquid_t) squid_read_log(lightsquid_t) + optional_policy(` + apache_content_template(lightsquid) ++ apache_content_alias_template(lightsquid, lightsquid) + +- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) +- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) +- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) ++ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) ++ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) ++ read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) + ') + + optional_policy(` diff --git a/likewise.if b/likewise.if index bd20e8c..3393a01 100644 --- a/likewise.if @@ -37253,7 +37888,7 @@ index be0ab84..8c532a6 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..52cbb90 100644 +index ab65034..6f52140 100644 --- a/logwatch.te +++ b/logwatch.te @@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2) @@ -37315,7 +37950,7 @@ index ab65034..52cbb90 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -100,23 +115,17 @@ libs_read_lib_files(logwatch_t) +@@ -100,23 +115,14 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -37325,9 +37960,8 @@ index ab65034..52cbb90 100644 sysnet_exec_ifconfig(logwatch_t) - userdom_dontaudit_search_user_home_dirs(logwatch_t) -+userdom_dontaudit_list_admin_dir(logwatch_t) - +-userdom_dontaudit_search_user_home_dirs(logwatch_t) +- mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) @@ -37340,7 +37974,7 @@ index ab65034..52cbb90 100644 corenet_sendrecv_smtp_client_packets(logwatch_t) corenet_tcp_connect_smtp_port(logwatch_t) corenet_tcp_sendrecv_smtp_port(logwatch_t) -@@ -160,6 +169,12 @@ optional_policy(` +@@ -160,6 +166,12 @@ optional_policy(` ') optional_policy(` @@ -37353,7 +37987,7 @@ index ab65034..52cbb90 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -187,6 +202,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -187,6 +199,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -38424,16 +39058,30 @@ index 6b6e2e1..9889cef 100644 + spamassassin_read_home_client(mscan_t) spamassassin_read_lib_files(mscan_t) ') +diff --git a/man2html.fc b/man2html.fc +index 82f6255..3686732 100644 +--- a/man2html.fc ++++ b/man2html.fc +@@ -1,5 +1,5 @@ +-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) +-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) +-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) ++/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0) ++/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0) ++/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0) + +-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) ++/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0) diff --git a/man2html.if b/man2html.if -index 54ec04d..fe43dea 100644 +index 54ec04d..53eaf61 100644 --- a/man2html.if +++ b/man2html.if -@@ -1 +1,127 @@ +@@ -1 +1,137 @@ ## A Unix manpage-to-HTML converter. + +######################################## +## -+## Transition to httpd_man2html_script. ++## Transition to man2html_script. +## +## +## @@ -38441,18 +39089,18 @@ index 54ec04d..fe43dea 100644 +## +## +# -+interface(`httpd_man2html_script_domtrans',` ++interface(`man2html_script_domtrans',` + gen_require(` -+ type httpd_man2html_script_t, httpd_man2html_script_exec_t; ++ type man2html_script_t, man2html_script_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t) ++ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t) +') + +######################################## +## -+## Search httpd_man2html_script cache directories. ++## Search man2html_script content directories. +## +## +## @@ -38460,18 +39108,19 @@ index 54ec04d..fe43dea 100644 +## +## +# -+interface(`httpd_man2html_script_search_cache',` ++interface(`man2html_search_content',` + gen_require(` -+ type httpd_man2html_script_cache_t; ++ type man2html_content_t; ++ type man2html_rw_content_t; + ') + -+ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms; ++ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms; + files_search_var($1) +') + +######################################## +## -+## Read httpd_man2html_script cache files. ++## Read man2html cache files. +## +## +## @@ -38479,19 +39128,22 @@ index 54ec04d..fe43dea 100644 +## +## +# -+interface(`httpd_man2html_script_read_cache_files',` ++interface(`man2html_read_content_files',` + gen_require(` -+ type httpd_man2html_script_cache_t; ++ type man2html_content_t; ++ type man2html_rw_content_t; + ') + + files_search_var($1) -+ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms; ++ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t) ++ read_files_pattern($1, man2html_content_t, man2html_content_t) +') + +######################################## +## +## Create, read, write, and delete -+## httpd_man2html_script cache files. ++## man2html content files. +## +## +## @@ -38499,18 +39151,21 @@ index 54ec04d..fe43dea 100644 +## +## +# -+interface(`httpd_man2html_script_manage_cache_files',` ++interface(`man2html_manage_content_files',` + gen_require(` -+ type httpd_man2html_script_cache_t; ++ type man2html_content_t; ++ type man2html_rw_content_t; + ') + + files_search_var($1) -+ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t) ++ manage_files_pattern($1, man2html_content_t, man2html_content_t) +') + +######################################## +## -+## Manage httpd_man2html_script cache dirs. ++## Create, read, write, and delete ++## man2html content dirs. +## +## +## @@ -38518,20 +39173,21 @@ index 54ec04d..fe43dea 100644 +## +## +# -+interface(`httpd_man2html_script_manage_cache_dirs',` ++interface(`man2html_manage_content_dirs',` + gen_require(` -+ type httpd_man2html_script_cache_t; ++ type man2html_content_t; ++ type man2html_rw_content_t; + ') + + files_search_var($1) -+ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t) ++ manage_dirs_pattern($1, man2html_content_t, man2html_content_t) +') + -+ +######################################## +## +## All of the rules required to administrate -+## an httpd_man2html_script environment ++## an man2html environment +## +## +## @@ -38539,17 +39195,19 @@ index 54ec04d..fe43dea 100644 +## +## +# -+interface(`httpd_man2html_script_admin',` ++interface(`man2html_admin',` + gen_require(` -+ type httpd_man2html_script_t; -+ type httpd_man2html_script_cache_t; ++ type man2html_script_t; ++ type man2html_rw_content_t; ++ type man2html_content_t; + ') + -+ allow $1 httpd_man2html_script_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, httpd_man2html_script_t) ++ allow $1 man2html_script_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, man2html_script_t) + + files_search_var($1) -+ admin_pattern($1, httpd_man2html_script_cache_t) ++ admin_pattern($1, man2html_content_t) ++ admin_pattern($1, man2html_rw_content_t) + + optional_policy(` + systemd_passwd_agent_exec($1) @@ -38557,22 +39215,22 @@ index 54ec04d..fe43dea 100644 + ') +') diff --git a/man2html.te b/man2html.te -index e08c55d..9e634bd 100644 +index e08c55d..24b56e9 100644 --- a/man2html.te +++ b/man2html.te -@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0) +@@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0) # Declarations # -apache_content_template(man2html) - - type httpd_man2html_script_cache_t; - files_type(httpd_man2html_script_cache_t) +- +-type httpd_man2html_script_cache_t; +-files_type(httpd_man2html_script_cache_t) ######################################## # -# Local policy -+# httpd_man2html_script local policy ++# man2html_script local policy # -manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) @@ -38580,19 +39238,16 @@ index e08c55d..9e634bd 100644 -manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir) +optional_policy(` ++ apache_content_template(man2html) ++ apache_content_alias_template(man2html, man2html) -files_read_etc_files(httpd_man2html_script_t) -+ apache_content_template(man2html) ++ allow man2html_script_t self:process fork; -miscfiles_read_localization(httpd_man2html_script_t) -miscfiles_read_man_pages(httpd_man2html_script_t) -+ allow httpd_man2html_script_t self:process { fork }; -+ -+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file }) -+ ++ typealias man2html_rw_content_t alias man2html_script_cache_t; ++ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file }) +') diff --git a/mandb.fc b/mandb.fc index 8ae78b5..16e55cd 100644 @@ -39148,8 +39803,27 @@ index 0000000..a04dd6b + +domain_use_interactive_fds(mcollective_t) + +diff --git a/mediawiki.fc b/mediawiki.fc +index 99f7c41..93ec6db 100644 +--- a/mediawiki.fc ++++ b/mediawiki.fc +@@ -1,8 +1,8 @@ +-/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) +-/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) +-/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) ++/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) ++/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) ++/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) + +-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) ++/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) + +-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) +-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) ++/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) ++/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) diff --git a/mediawiki.if b/mediawiki.if -index 9771b4b..1c1d012 100644 +index 9771b4b..9b183e6 100644 --- a/mediawiki.if +++ b/mediawiki.if @@ -1 +1,40 @@ @@ -39169,12 +39843,12 @@ index 9771b4b..1c1d012 100644 +# +interface(`mediawiki_read_tmp_files',` + gen_require(` -+ type httpd_mediawiki_tmp_t; ++ type mediawiki_tmp_t; + ') + + files_search_tmp($1) -+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) ++ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) +') + +####################################### @@ -39189,23 +39863,22 @@ index 9771b4b..1c1d012 100644 +# +interface(`mediawiki_delete_tmp_files',` + gen_require(` -+ type httpd_mediawiki_tmp_t; ++ type mediawiki_tmp_t; + ') + -+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) +') diff --git a/mediawiki.te b/mediawiki.te -index c528b9f..212712c 100644 +index c528b9f..fcbc191 100644 --- a/mediawiki.te +++ b/mediawiki.te -@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0) +@@ -5,13 +5,26 @@ policy_module(mediawiki, 1.0.0) # Declarations # -apache_content_template(mediawiki) -+optional_policy(` -+ -+ apache_content_template(mediawiki) ++type mediawiki_tmp_t; ++files_tmp_file(mediawiki_tmp_t) ######################################## # @@ -39213,10 +39886,21 @@ index c528b9f..212712c 100644 # -files_search_var_lib(httpd_mediawiki_script_t) -+ files_search_var_lib(httpd_mediawiki_script_t) ++optional_policy(` -miscfiles_read_tetex_data(httpd_mediawiki_script_t) -+ miscfiles_read_tetex_data(httpd_mediawiki_script_t) ++ apache_content_template(mediawiki) ++ apache_content_alias_template(mediawiki, mediawiki) ++ ++ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) ++ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) ++ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) ++ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) ++ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file }) ++ ++ files_search_var_lib(mediawiki_script_t) ++ ++ miscfiles_read_tetex_data(mediawiki_script_t) +') diff --git a/memcached.if b/memcached.if index 1d4eb19..650014e 100644 @@ -39778,10 +40462,10 @@ index 0000000..767bbad +/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0) diff --git a/mip6d.if b/mip6d.if new file mode 100644 -index 0000000..9e2bf1b +index 0000000..8169129 --- /dev/null +++ b/mip6d.if -@@ -0,0 +1,80 @@ +@@ -0,0 +1,79 @@ + +## Mobile IPv6 and NEMO Basic Support implementation + @@ -39820,7 +40504,7 @@ index 0000000..9e2bf1b + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 mip6d_unit_file_t:file read_file_perms; + allow $1 mip6d_unit_file_t:service manage_service_perms; + @@ -39838,22 +40522,21 @@ index 0000000..9e2bf1b +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`mip6d_admin',` + gen_require(` + type mip6d_t; -+ type mip6d_unit_file_t; ++ type mip6d_unit_file_t; + ') + -+ allow $1 mip6d_t:process { ptrace signal_perms }; ++ allow $1 mip6d_t:process { signal_perms }; + ps_process_pattern($1, mip6d_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mip6d_t:process ptrace; ++ ') ++ + mip6d_systemctl($1) + admin_pattern($1, mip6d_unit_file_t) + allow $1 mip6d_unit_file_t:service all_service_perms; @@ -39901,6 +40584,298 @@ index 0000000..1d34063 + +logging_send_syslog_msg(mip6d_t) + +diff --git a/mirrormanager.fc b/mirrormanager.fc +new file mode 100644 +index 0000000..c713b27 +--- /dev/null ++++ b/mirrormanager.fc +@@ -0,0 +1,7 @@ ++/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0) ++ ++/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0) ++ ++/var/log/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_log_t,s0) ++ ++/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) +diff --git a/mirrormanager.if b/mirrormanager.if +new file mode 100644 +index 0000000..dd049c7 +--- /dev/null ++++ b/mirrormanager.if +@@ -0,0 +1,224 @@ ++ ++## policy for mirrormanager ++ ++######################################## ++## ++## Execute mirrormanager in the mirrormanager domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mirrormanager_domtrans',` ++ gen_require(` ++ type mirrormanager_t, mirrormanager_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t) ++') ++ ++######################################## ++## ++## Read mirrormanager's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`mirrormanager_read_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Append to mirrormanager log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_append_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Search mirrormanager lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_search_lib',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ allow $1 mirrormanager_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read mirrormanager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_read_lib_files',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_lib_files',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_lib_dirs',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Read mirrormanager PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_read_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mirrormanager environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`mirrormanager_admin',` ++ gen_require(` ++ type mirrormanager_t; ++ type mirrormanager_log_t; ++ type mirrormanager_var_lib_t; ++ type mirrormanager_var_run_t; ++ ') ++ ++ allow $1 mirrormanager_t:process { signal_perms }; ++ ps_process_pattern($1, mirrormanager_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mirrormanager_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, mirrormanager_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, mirrormanager_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, mirrormanager_var_run_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mirrormanager.te b/mirrormanager.te +new file mode 100644 +index 0000000..841b732 +--- /dev/null ++++ b/mirrormanager.te +@@ -0,0 +1,43 @@ ++policy_module(mirrormanager, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mirrormanager_t; ++type mirrormanager_exec_t; ++cron_system_entry(mirrormanager_t, mirrormanager_exec_t) ++ ++type mirrormanager_log_t; ++logging_log_file(mirrormanager_log_t) ++ ++type mirrormanager_var_lib_t; ++files_type(mirrormanager_var_lib_t) ++ ++type mirrormanager_var_run_t; ++files_pid_file(mirrormanager_var_run_t) ++ ++######################################## ++# ++# mirrormanager local policy ++# ++ ++allow mirrormanager_t self:fifo_file rw_fifo_file_perms; ++allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir }) ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir }) ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir }) ++ diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -40586,7 +41561,7 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..a0dae5e 100644 +index d15eb5b..66a422b 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -40599,12 +41574,15 @@ index d15eb5b..a0dae5e 100644 ######################################## # # Local policy -@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t) +@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; + kernel_read_system_state(modemmanager_t) + dev_read_sysfs(modemmanager_t) ++dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) -files_read_etc_files(modemmanager_t) - +- term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) @@ -40614,6 +41592,19 @@ index d15eb5b..a0dae5e 100644 logging_send_syslog_msg(modemmanager_t) +diff --git a/mojomojo.fc b/mojomojo.fc +index 7b827ca..5ee8a0f 100644 +--- a/mojomojo.fc ++++ b/mojomojo.fc +@@ -1,5 +1,5 @@ +-/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) ++/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0) + +-/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) ++/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0) + +-/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) ++/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0) diff --git a/mojomojo.if b/mojomojo.if index 73952f4..b19a6ee 100644 --- a/mojomojo.if @@ -40627,16 +41618,16 @@ index 73952f4..b19a6ee 100644 interface(`mojomojo_admin',` refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') diff --git a/mojomojo.te b/mojomojo.te -index b94102e..9556487 100644 +index b94102e..25d1d33 100644 --- a/mojomojo.te +++ b/mojomojo.te -@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.1.0) +@@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0) # Declarations # -apache_content_template(mojomojo) -+type httpd_mojomojo_tmp_t; -+files_tmp_file(httpd_mojomojo_tmp_t) ++type mojomojo_tmp_t alias httpd_mojomojo_tmp_t; ++files_tmp_file(mojomojo_tmp_t) ######################################## # @@ -40646,38 +41637,37 @@ index b94102e..9556487 100644 -allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +optional_policy(` + apache_content_template(mojomojo) ++ apache_content_alias_template(mojomojo, mojomojo) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; ++ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t) ++ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t) ++ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir }) -files_search_var_lib(httpd_mojomojo_script_t) -+ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -+ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -+ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) ++ corenet_tcp_connect_postgresql_port(mojomojo_script_t) ++ corenet_tcp_connect_mysqld_port(mojomojo_script_t) ++ corenet_tcp_connect_smtp_port(mojomojo_script_t) ++ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t) ++ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t) ++ corenet_sendrecv_smtp_client_packets(mojomojo_script_t) -sysnet_dns_name_resolve(httpd_mojomojo_script_t) -+ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) -+ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) -+ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -+ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -+ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) ++ files_search_var_lib(mojomojo_script_t) -mta_send_mail(httpd_mojomojo_script_t) -+ files_search_var_lib(httpd_mojomojo_script_t) ++ sysnet_dns_name_resolve(mojomojo_script_t) + -+ sysnet_dns_name_resolve(httpd_mojomojo_script_t) -+ -+ mta_send_mail(httpd_mojomojo_script_t) ++ mta_send_mail(mojomojo_script_t) + + optional_policy(` -+ mysql_stream_connect(httpd_mojomojo_script_t) ++ mysql_stream_connect(mojomojo_script_t) + ') + + optional_policy(` -+ postgresql_stream_connect(httpd_mojomojo_script_t) ++ postgresql_stream_connect(mojomojo_script_t) + ') +') diff --git a/mongodb.te b/mongodb.te @@ -41143,7 +42133,7 @@ index 6ffaba2..cb1e8b0 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..7fbb9e7 100644 +index 6194b80..b8952a1 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -41275,7 +42265,8 @@ index 6194b80..7fbb9e7 100644 - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) -- ++ mozilla_filetrans_home_content($2) + - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) - @@ -41297,8 +42288,7 @@ index 6194b80..7fbb9e7 100644 - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") -+ mozilla_filetrans_home_content($2) - +- - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; @@ -41653,7 +42643,7 @@ index 6194b80..7fbb9e7 100644 ## ## ## -@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -41756,7 +42746,25 @@ index 6194b80..7fbb9e7 100644 + type mozilla_plugin_t; + ') + -+ allow $1 mozilla_plugin_t:sem { unix_read unix_write }; ++ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ++') ++ ++####################################### ++## ++## Allow generict ipc read/write to a mozilla_plugin ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_rw_sem',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ') ######################################## @@ -41809,7 +42817,7 @@ index 6194b80..7fbb9e7 100644 ## ## ## -@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -41834,7 +42842,7 @@ index 6194b80..7fbb9e7 100644 ## ## ## -@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -41916,7 +42924,7 @@ index 6194b80..7fbb9e7 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..5c6fae9 100644 +index 11ac8e4..058f834 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) @@ -42184,12 +43192,12 @@ index 11ac8e4..5c6fae9 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -42438,12 +43446,12 @@ index 11ac8e4..5c6fae9 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -42644,26 +43652,26 @@ index 11ac8e4..5c6fae9 100644 -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) +- +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) +- fs_read_iso9660_files(mozilla_plugin_t) +-') +userdom_home_manager(mozilla_plugin_t) -- fs_read_iso9660_files(mozilla_plugin_t) +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_t self:process execmem; +tunable_policy(`mozilla_plugin_can_network_connect',` + corenet_tcp_connect_all_ports(mozilla_plugin_t) ') --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_t self:process execmem; --') -- -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; +optional_policy(` @@ -42745,16 +43753,20 @@ index 11ac8e4..5c6fae9 100644 ') optional_policy(` -@@ -560,7 +566,7 @@ optional_policy(` +@@ -560,7 +566,11 @@ optional_policy(` ') optional_policy(` - pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) ++ policykit_dbus_chat(mozilla_plugin_t) ++') ++ ++optional_policy(` + rtkit_scheduled(mozilla_plugin_t) ') optional_policy(` -@@ -568,108 +574,130 @@ optional_policy(` +@@ -568,108 +578,130 @@ optional_policy(` ') optional_policy(` @@ -43342,7 +44354,7 @@ index f42896c..cb2791a 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..e3840c1 100644 +index ed81cac..26c97cd 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -43408,7 +44420,7 @@ index ed81cac..e3840c1 100644 + kernel_read_system_state($1_mail_t) + -+ corenet_all_recvfrom_netlabel($1_mail_t) ++ corenet_all_recvfrom_netlabel($1_mail_t) + auth_use_nsswitch($1_mail_t) @@ -44459,7 +45471,7 @@ index ed81cac..e3840c1 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..4bf6d3b 100644 +index ff1d68c..2305a28 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -44496,7 +45508,16 @@ index ff1d68c..4bf6d3b 100644 userdom_user_tmp_file(user_mail_tmp_t) ######################################## -@@ -79,12 +77,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; +@@ -66,8 +64,6 @@ allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; + manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) + manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) + manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir") +-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir") + + read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t }) + +@@ -79,12 +75,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) kernel_read_crypto_sysctls(user_mail_domain) @@ -44509,7 +45530,7 @@ index ff1d68c..4bf6d3b 100644 corenet_tcp_sendrecv_generic_if(user_mail_domain) corenet_tcp_sendrecv_generic_node(user_mail_domain) -@@ -107,10 +103,6 @@ fs_getattr_all_fs(user_mail_domain) +@@ -107,10 +101,6 @@ fs_getattr_all_fs(user_mail_domain) init_dontaudit_rw_utmp(user_mail_domain) @@ -44520,7 +45541,7 @@ index ff1d68c..4bf6d3b 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(user_mail_domain) fs_manage_cifs_files(user_mail_domain) -@@ -124,6 +116,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -124,6 +114,11 @@ tunable_policy(`use_nfs_home_dirs',` ') optional_policy(` @@ -44532,7 +45553,7 @@ index ff1d68c..4bf6d3b 100644 courier_manage_spool_dirs(user_mail_domain) courier_manage_spool_files(user_mail_domain) courier_rw_spool_pipes(user_mail_domain) -@@ -150,6 +147,11 @@ optional_policy(` +@@ -150,6 +145,11 @@ optional_policy(` ') optional_policy(` @@ -44544,7 +45565,15 @@ index ff1d68c..4bf6d3b 100644 procmail_exec(user_mail_domain) ') -@@ -171,52 +173,69 @@ optional_policy(` +@@ -166,57 +166,76 @@ optional_policy(` + uucp_manage_spool(user_mail_domain) + ') + ++mta_filetrans_admin_home_content(user_mail_domain) ++mta_filetrans_home_content(user_mail_domain) ++ + ######################################## + # # System local policy # @@ -44595,7 +45624,6 @@ index ff1d68c..4bf6d3b 100644 +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) + -+ +logging_append_all_logs(system_mail_t) + +logging_send_syslog_msg(system_mail_t) @@ -44680,7 +45708,7 @@ index ff1d68c..4bf6d3b 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +301,15 @@ optional_policy(` +@@ -272,6 +301,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -44689,6 +45717,10 @@ index ff1d68c..4bf6d3b 100644 +') + +optional_policy(` ++ postfix_domtrans_postdrop(system_mail_t) ++') ++ ++optional_policy(` + qmail_domtrans_inject(system_mail_t) + qmail_manage_spool_dirs(system_mail_t) + qmail_manage_spool_files(system_mail_t) @@ -44696,7 +45728,7 @@ index ff1d68c..4bf6d3b 100644 ') optional_policy(` -@@ -287,42 +325,36 @@ optional_policy(` +@@ -287,42 +329,36 @@ optional_policy(` ') optional_policy(` @@ -44749,7 +45781,7 @@ index ff1d68c..4bf6d3b 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,40 +363,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,40 +367,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -44798,7 +45830,7 @@ index ff1d68c..4bf6d3b 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -372,6 +390,13 @@ optional_policy(` +@@ -372,6 +394,13 @@ optional_policy(` ') optional_policy(` @@ -44812,7 +45844,7 @@ index ff1d68c..4bf6d3b 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -381,24 +406,49 @@ optional_policy(` +@@ -381,24 +410,49 @@ optional_policy(` ######################################## # @@ -44870,7 +45902,7 @@ index ff1d68c..4bf6d3b 100644 + + diff --git a/munin.fc b/munin.fc -index eb4b72a..4968324 100644 +index eb4b72a..af28bb5 100644 --- a/munin.fc +++ b/munin.fc @@ -1,77 +1,79 @@ @@ -44991,14 +46023,15 @@ index eb4b72a..4968324 100644 -/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0) - -/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) +/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) - /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0) ++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0) ++/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) ++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) diff --git a/munin.if b/munin.if -index b744fe3..4c1b6a8 100644 +index b744fe3..900d083 100644 --- a/munin.if +++ b/munin.if @@ -1,12 +1,13 @@ @@ -45145,8 +46178,12 @@ index b744fe3..4c1b6a8 100644 ## ## ## -@@ -170,8 +212,12 @@ interface(`munin_admin',` - type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; +@@ -167,11 +209,15 @@ interface(`munin_admin',` + attribute munin_plugin_domain, munin_plugin_tmp_content; + type munin_t, munin_etc_t, munin_tmp_t; + type munin_log_t, munin_var_lib_t, munin_var_run_t; +- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; ++ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; ') - allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; @@ -45160,16 +46197,23 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) +@@ -193,5 +239,5 @@ interface(`munin_admin',` + files_list_pids($1) + admin_pattern($1, munin_var_run_t) + +- admin_pattern($1, httpd_munin_content_t) ++ admin_pattern($1, munin_content_t) + ') diff --git a/munin.te b/munin.te -index b708708..cead88c 100644 +index b708708..16b96d0 100644 --- a/munin.te +++ b/munin.te @@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) munin_plugin_template(system) munin_plugin_template(unconfined) -+type httpd_munin_script_tmp_t; -+files_tmp_file(httpd_munin_script_tmp_t) ++type munin_script_tmp_t alias httpd_munin_script_tmp_t; ++files_tmp_file(munin_script_tmp_t) + ################################ # @@ -45371,7 +46415,7 @@ index b708708..cead88c 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +427,31 @@ optional_policy(` +@@ -421,3 +427,32 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -45383,22 +46427,23 @@ index b708708..cead88c 100644 +# + +apache_content_template(munin) ++apache_content_alias_template(munin, munin) + -+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_dirs_pattern(munin_t, munin_content_t, munin_content_t) ++manage_files_pattern(munin_t, munin_content_t, munin_content_t) + -+manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) -+manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) ++manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t) ++manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t) + -+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) -+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) ++read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t) ++read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t) + -+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) -+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) ++read_files_pattern(munin_script_t, munin_log_t, munin_log_t) ++append_files_pattern(munin_script_t, munin_log_t, munin_log_t) + -+files_search_var_lib(httpd_munin_script_t) ++files_search_var_lib(munin_script_t) + -+auth_read_passwd(httpd_munin_script_t) ++auth_read_passwd(munin_script_t) + +optional_policy(` + apache_search_sys_content(munin_t) @@ -46295,31 +47340,31 @@ index 7584bbe..2d683f1 100644 +userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/mythtv.fc b/mythtv.fc new file mode 100644 -index 0000000..3a1c423 +index 0000000..d62cf88 --- /dev/null +++ b/mythtv.fc @@ -0,0 +1,9 @@ -+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) ++/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0) + +/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0) + +/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0) + -+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) -+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) -+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) ++/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0) ++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0) ++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0) diff --git a/mythtv.if b/mythtv.if new file mode 100644 -index 0000000..171f666 +index 0000000..e2403dd --- /dev/null +++ b/mythtv.if @@ -0,0 +1,152 @@ + -+## policy for httpd_mythtv_script ++## policy for mythtv_script + +######################################## +## -+## Execute TEMPLATE in the httpd_mythtv_script domin. ++## Execute TEMPLATE in the mythtv_script domin. +## +## +## @@ -46327,13 +47372,13 @@ index 0000000..171f666 +## +## +# -+interface(`httpd_mythtv_script_domtrans',` ++interface(`mythtv_script_domtrans',` + gen_require(` -+ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t; ++ type mythtv_script_t, mythtv_script_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t) ++ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t) +') + +####################################### @@ -46449,15 +47494,15 @@ index 0000000..171f666 +# +interface(`mythtv_admin',` + gen_require(` -+ type httpd_mythtv_script_t, mythtv_var_lib_t; ++ type mythtv_script_t, mythtv_var_lib_t; + type mythtv_var_log_t; + ') + -+ allow $1 httpd_mythtv_script_t:process signal_perms; -+ ps_process_pattern($1, httpd_mythtv_script_t) ++ allow $1 mythtv_script_t:process signal_perms; ++ ps_process_pattern($1, mythtv_script_t) + + tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_mythtv_script_t:process ptrace; ++ allow $1 mythtv_script_t:process ptrace; + ') + + logging_list_logs($1) @@ -46468,10 +47513,10 @@ index 0000000..171f666 +') diff --git a/mythtv.te b/mythtv.te new file mode 100644 -index 0000000..90129ac +index 0000000..0e585e3 --- /dev/null +++ b/mythtv.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,47 @@ +policy_module(mythtv, 1.0.0) + +######################################## @@ -46480,6 +47525,7 @@ index 0000000..90129ac +# + +apache_content_template(mythtv) ++apache_content_alias_template(mythtv, mythtv) + +type mythtv_var_lib_t; +files_type(mythtv_var_lib_t) @@ -46489,32 +47535,37 @@ index 0000000..90129ac + +######################################## +# -+# httpd_mythtv_script local policy ++# mythtv_script local policy +# ++#============= httpd_mythtv_script_t ============== ++allow httpd_mythtv_script_t self:process setpgid; ++dev_list_sysfs(httpd_mythtv_script_t) ++ ++manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) ++manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) ++files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file }) + -+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) -+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) -+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file }) ++manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) ++manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) ++logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file ) + -+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) -+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) -+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file ) ++domain_use_interactive_fds(mythtv_script_t) + -+domain_use_interactive_fds(httpd_mythtv_script_t) ++files_read_etc_files(mythtv_script_t) + -+files_read_etc_files(httpd_mythtv_script_t) ++fs_read_nfs_files(mythtv_script_t) + -+fs_read_nfs_files(httpd_mythtv_script_t) ++auth_read_passwd(httpd_mythtv_script_t) + +miscfiles_read_localization(httpd_mythtv_script_t) + +optional_policy(` -+ mysql_read_config(httpd_mythtv_script_t) -+ mysql_stream_connect(httpd_mythtv_script_t) -+ mysql_tcp_connect(httpd_mythtv_script_t) ++ mysql_read_config(mythtv_script_t) ++ mysql_stream_connect(mythtv_script_t) ++ mysql_tcp_connect(mythtv_script_t) +') diff --git a/nagios.fc b/nagios.fc -index d78dfc3..a00cc2d 100644 +index d78dfc3..24a2dec 100644 --- a/nagios.fc +++ b/nagios.fc @@ -1,88 +1,97 @@ @@ -46532,8 +47583,8 @@ index d78dfc3..a00cc2d 100644 -/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) @@ -46552,8 +47603,8 @@ index d78dfc3..a00cc2d 100644 +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') -+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) +# admin plugins /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) @@ -46905,7 +47956,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..f565a0e 100644 +index 7b3e682..1726e88 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -47018,15 +48069,63 @@ index 7b3e682..f565a0e 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,6 +183,7 @@ optional_policy(` +@@ -178,35 +183,37 @@ optional_policy(` # # CGI local policy # + optional_policy(` apache_content_template(nagios) - typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -229,9 +235,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +- typealias httpd_nagios_script_t alias nagios_cgi_t; +- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; ++ apache_content_alias_template(nagios, nagios) ++ typealias nagios_script_t alias nagios_cgi_t; ++ typealias nagios_script_exec_t alias nagios_cgi_exec_t; + +- allow httpd_nagios_script_t self:process signal_perms; ++ allow nagios_script_t self:process signal_perms; + +- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) +- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++ read_files_pattern(nagios_script_t, nagios_t, nagios_t) ++ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t) + +- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms; +- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; ++ allow nagios_script_t nagios_etc_t:dir list_dir_perms; ++ allow nagios_script_t nagios_etc_t:file read_file_perms; ++ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; + +- files_search_spool(httpd_nagios_script_t) +- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) ++ files_search_spool(nagios_script_t) ++ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t) + +- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) ++ allow nagios_script_t nagios_log_t:dir list_dir_perms; ++ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t) ++ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t) + +- kernel_read_system_state(httpd_nagios_script_t) ++ kernel_read_system_state(nagios_script_t) + +- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++ domain_dontaudit_read_all_domains_state(nagios_script_t) + +- files_read_etc_runtime_files(httpd_nagios_script_t) +- files_read_kernel_symbol_table(httpd_nagios_script_t) ++ files_read_etc_runtime_files(nagios_script_t) ++ files_read_kernel_symbol_table(nagios_script_t) + +- logging_send_syslog_msg(httpd_nagios_script_t) ++ logging_send_syslog_msg(nagios_script_t) + ') + + ######################################## +@@ -229,9 +236,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) @@ -47037,7 +48136,7 @@ index 7b3e682..f565a0e 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -252,8 +258,8 @@ dev_read_urand(nrpe_t) +@@ -252,8 +259,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) @@ -47047,7 +48146,7 @@ index 7b3e682..f565a0e 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +268,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +269,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -47056,7 +48155,7 @@ index 7b3e682..f565a0e 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -310,15 +314,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +315,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -47075,7 +48174,7 @@ index 7b3e682..f565a0e 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +349,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +350,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -47085,7 +48184,7 @@ index 7b3e682..f565a0e 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +364,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +365,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -47099,7 +48198,7 @@ index 7b3e682..f565a0e 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +400,11 @@ optional_policy(` +@@ -391,6 +401,11 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) @@ -47111,7 +48210,7 @@ index 7b3e682..f565a0e 100644 ') optional_policy(` -@@ -411,6 +425,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +426,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -47119,7 +48218,7 @@ index 7b3e682..f565a0e 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +436,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -47132,7 +48231,7 @@ index 7b3e682..f565a0e 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,11 +458,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -48679,7 +49778,7 @@ index 46e55c3..6e4e061 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3a6b035..1a181ad 100644 +index 3a6b035..b9887c1 100644 --- a/nis.te +++ b/nis.te @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) @@ -48845,11 +49944,12 @@ index 3a6b035..1a181ad 100644 dev_read_sysfs(yppasswdd_t) fs_getattr_all_fs(yppasswdd_t) -@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t) + selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) ++auth_manage_passwd(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) -+auth_read_passwd(yppasswdd_t) auth_etc_filetrans_shadow(yppasswdd_t) +corecmd_exec_bin(yppasswdd_t) @@ -51694,7 +52794,7 @@ index b0a1be4..239f27a 100644 + virt_ptrace(numad_t) +') diff --git a/nut.fc b/nut.fc -index 379af96..41ff159 100644 +index 379af96..fac7d7b 100644 --- a/nut.fc +++ b/nut.fc @@ -1,23 +1,16 @@ @@ -51725,9 +52825,9 @@ index 379af96..41ff159 100644 -/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if index 57c0161..54bd4d7 100644 --- a/nut.if @@ -51788,7 +52888,7 @@ index 57c0161..54bd4d7 100644 + ps_process_pattern($1, swift_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..1701352 100644 +index 5b2cb0d..249224e 100644 --- a/nut.te +++ b/nut.te @@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain; @@ -51973,7 +53073,7 @@ index 5b2cb0d..1701352 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t) +@@ -139,22 +149,35 @@ dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) term_use_unallocated_ttys(nut_upsdrvctl_t) @@ -51995,22 +53095,24 @@ index 5b2cb0d..1701352 100644 optional_policy(` apache_content_template(nutups_cgi) ++ apache_content_alias_template(nutups_cgi,nutups_cgi) ++ ++ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t) - allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms; - allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms; - allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms; -+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) -+ -+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) -+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) -+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) -+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) -+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) -+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) -+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) -+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) - - sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) ++ corenet_all_recvfrom_netlabel(nutups_cgi_script_t) ++ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t) ++ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t) ++ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t) ++ corenet_tcp_connect_ups_port(nutups_cgi_script_t) ++ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t) ++ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t) ++ corenet_udp_sendrecv_all_ports(nutups_cgi_script_t) + +- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) ++ sysnet_dns_name_resolve(nutups_cgi_script_t) ') diff --git a/nx.if b/nx.if index 251d681..50ae2a9 100644 @@ -52939,7 +54041,7 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..0dc672f +index 0000000..a7905db --- /dev/null +++ b/openshift.fc @@ -0,0 +1,27 @@ @@ -52964,7 +54066,7 @@ index 0000000..0dc672f +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + +/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0) ++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_script_exec_t,s0) +/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -53680,10 +54782,10 @@ index 0000000..cf03270 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..3c4beaf +index 0000000..e40e9d5 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,558 @@ +@@ -0,0 +1,559 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -53982,13 +55084,14 @@ index 0000000..3c4beaf + # openshift cgi script policy + # + apache_content_template(openshift) -+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t) ++ apache_content_alias_template(openshift, openshift) ++ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t) + + optional_policy(` -+ dbus_system_bus_client(httpd_openshift_script_t) ++ dbus_system_bus_client(openshift_script_t) + + optional_policy(` -+ oddjob_dbus_chat(httpd_openshift_script_t) ++ oddjob_dbus_chat(openshift_script_t) + oddjob_dontaudit_rw_fifo_file(openshift_domain) + ') + ') @@ -57639,10 +58742,10 @@ index 0000000..726d992 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..b975b85 +index 0000000..798efb6 --- /dev/null +++ b/pki.if -@@ -0,0 +1,294 @@ +@@ -0,0 +1,287 @@ + +## policy for pki + @@ -57779,13 +58882,6 @@ index 0000000..b975b85 + + # need to resolve addresses? + auth_use_nsswitch($1_t) -+ -+ #pki_apache_domain_signal(httpd_t) -+ #pki_apache_domain_signal(httpd_t) -+ #pki_manage_apache_run(httpd_t) -+ #pki_manage_apache_config_files(httpd_t) -+ #pki_manage_apache_log_files(httpd_t) -+ #pki_manage_apache_lib(httpd_t) +') + +####################################### @@ -57939,10 +59035,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..17f5d18 +index 0000000..d656f71 --- /dev/null +++ b/pki.te -@@ -0,0 +1,284 @@ +@@ -0,0 +1,271 @@ +policy_module(pki,10.0.11) + +######################################## @@ -57988,7 +59084,6 @@ index 0000000..17f5d18 +typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t }; +typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; +typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; -+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; + + +# pki policy types @@ -58071,10 +59166,6 @@ index 0000000..17f5d18 +userdom_manage_user_tmp_dirs(pki_tomcat_t) +userdom_manage_user_tmp_files(pki_tomcat_t) + -+# forward proxy -+# need to define ports to fix this -+#corenet_tcp_connect_pki_tomcat_port(httpd_t) -+ +# for crl publishing +allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; + @@ -58111,9 +59202,6 @@ index 0000000..17f5d18 + +files_exec_usr_files(pki_tps_t) + -+# why do I need to add this? -+#allow httpd_t httpd_config_t:file execute; -+ +###################################### +# +# ra local policy @@ -58213,13 +59301,8 @@ index 0000000..17f5d18 + apache_list_modules(pki_apache_domain) + apache_read_config(pki_apache_domain) + apache_exec(pki_apache_domain) -+ apache_exec_suexec(pki_apache_domain) ++ apache_exec_suexec(pki_apache_domain) + apache_entrypoint(pki_apache_domain) -+ -+ # should be started using a script which will execute httpd -+ # start up httpd in pki_apache_domain mode -+ #can_exec(pki_apache_domain, httpd_config_t) -+ #can_exec(pki_apache_domain, httpd_suexec_exec_t) +') + +# allow rpm -q in init scripts @@ -59594,7 +60677,7 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 9764bfe..2d8d495 100644 +index 9764bfe..96dadf3 100644 --- a/polipo.te +++ b/polipo.te @@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1) @@ -59664,7 +60747,7 @@ index 9764bfe..2d8d495 100644 type polipo_cache_t; files_type(polipo_cache_t) -@@ -56,116 +63,102 @@ files_type(polipo_cache_t) +@@ -56,116 +63,103 @@ files_type(polipo_cache_t) type polipo_log_t; logging_log_file(polipo_log_t) @@ -59717,6 +60800,7 @@ index 9764bfe..2d8d495 100644 +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) ++corenet_tcp_connect_http_cache_port(polipo_daemon) +corenet_tcp_connect_tor_port(polipo_daemon) +corenet_tcp_connect_flash_port(polipo_daemon) @@ -63305,6 +64389,19 @@ index 8e26216..d59dc50 100644 + dbus_read_config(prelink_t) + ') +') +diff --git a/prelude.fc b/prelude.fc +index 8dbc763..b580f85 100644 +--- a/prelude.fc ++++ b/prelude.fc +@@ -12,7 +12,7 @@ + + /usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + +-/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) ++/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0) + + /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) + diff --git a/prelude.if b/prelude.if index c83a838..f41a4f7 100644 --- a/prelude.if @@ -63467,7 +64564,7 @@ index c83a838..f41a4f7 100644 admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index 8f44609..509fd0a 100644 +index 8f44609..e1f4f70 100644 --- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -63569,6 +64666,46 @@ index 8f44609..509fd0a 100644 userdom_read_all_users_state(prelude_lml_t) optional_policy(` +@@ -278,27 +265,28 @@ optional_policy(` + + optional_policy(` + apache_content_template(prewikka) ++ apache_content_alias_template(prewikka, prewikka) + +- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) ++ can_exec(prewikka_script_t, prewikka_script_exec_t) + +- files_search_tmp(httpd_prewikka_script_t) ++ files_search_tmp(prewikka_script_t) + +- kernel_read_sysctl(httpd_prewikka_script_t) +- kernel_search_network_sysctl(httpd_prewikka_script_t) ++ kernel_read_sysctl(prewikka_script_t) ++ kernel_search_network_sysctl(prewikka_script_t) + +- auth_use_nsswitch(httpd_prewikka_script_t) ++ auth_use_nsswitch(prewikka_script_t) + +- logging_send_syslog_msg(httpd_prewikka_script_t) ++ logging_send_syslog_msg(prewikka_script_t) + +- apache_search_sys_content(httpd_prewikka_script_t) ++ apache_search_sys_content(prewikka_script_t) + + optional_policy(` +- mysql_stream_connect(httpd_prewikka_script_t) +- mysql_tcp_connect(httpd_prewikka_script_t) ++ mysql_stream_connect(prewikka_script_t) ++ mysql_tcp_connect(prewikka_script_t) + ') + + optional_policy(` +- postgresql_stream_connect(httpd_prewikka_script_t) +- postgresql_tcp_connect(httpd_prewikka_script_t) ++ postgresql_stream_connect(prewikka_script_t) ++ postgresql_tcp_connect(prewikka_script_t) + ') + ') diff --git a/privoxy.if b/privoxy.if index bdcee30..34f3143 100644 --- a/privoxy.if @@ -68718,7 +69855,7 @@ index 8644d8b..b744b5d 100644 + sudo_exec(neutron_t) ') diff --git a/quota.fc b/quota.fc -index cadabe3..0ee2489 100644 +index cadabe3..54ba01d 100644 --- a/quota.fc +++ b/quota.fc @@ -1,6 +1,5 @@ @@ -68729,7 +69866,7 @@ index cadabe3..0ee2489 100644 /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) @@ -68745,6 +69882,7 @@ index cadabe3..0ee2489 100644 /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) ++/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) @@ -70044,10 +71182,10 @@ index 0000000..a073efd +') diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..8651ca4 +index 0000000..7b1fa9e --- /dev/null +++ b/rasdaemon.te -@@ -0,0 +1,35 @@ +@@ -0,0 +1,45 @@ +policy_module(rasdaemon, 1.0.0) + +######################################## @@ -70079,10 +71217,20 @@ index 0000000..8651ca4 +kernel_read_system_state(rasdaemon_t) +kernel_manage_debugfs(rasdaemon_t) + ++auth_use_nsswitch(rasdaemon_t) ++ ++dev_read_raw_memory(rasdaemon_t) +dev_read_sysfs(rasdaemon_t) ++dev_read_urand(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) + ++modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 ++ ++optional_policy(` ++ dmidecode_exec(rasdaemon_t) ++') ++ diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 --- a/razor.fc @@ -72213,7 +73361,7 @@ index 47de2d6..98a4280 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..2e4d698 100644 +index c8bdea2..f1ee87e 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -72462,8 +73610,10 @@ index c8bdea2..2e4d698 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + -+######################################## -+## + ######################################## + ## +-## Read and write all cluster domains +-## shared memory. +## Read and write to group shared memory. +## +## @@ -72483,10 +73633,8 @@ index c8bdea2..2e4d698 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + - ######################################## - ## --## Read and write all cluster domains --## shared memory. ++######################################## ++## +## Read and write to group shared memory. ## ## @@ -72514,7 +73662,7 @@ index c8bdea2..2e4d698 100644 ## ## ## -@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # @@ -72526,49 +73674,65 @@ index c8bdea2..2e4d698 100644 ') - allow $1 groupd_t:sem { rw_sem_perms destroy }; -- -- fs_search_tmpfs($1) -- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) - ') ++') --######################################## +- fs_search_tmpfs($1) +- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +##################################### - ## --## Read and write groupd shared memory. ++## +## Connect to cluster domains over a unix domain +## stream socket. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## Domain allowed access. +## +## ++# ++interface(`rhcs_stream_connect_cluster_to',` ++ gen_require(` ++ attribute cluster_domain; ++ attribute cluster_pid; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) + ') + + ######################################## + ## +-## Read and write groupd shared memory. ++## Send a null signal to cluster. + ## + ## + ## +@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',` + ## + ## # -interface(`rhcs_rw_groupd_shm',` -+interface(`rhcs_stream_connect_cluster_to',` ++interface(`rhcs_signull_cluster',` gen_require(` - type groupd_t, groupd_tmpfs_t; -+ attribute cluster_domain; -+ attribute cluster_pid; ++ type cluster_t; ') - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+ files_search_pids($1) -+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) ++ allow $1 cluster_t:process signull; ') ###################################### -@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -72619,7 +73783,11 @@ index c8bdea2..2e4d698 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +##################################### +## +## Allow domain to manage cluster lib files @@ -72635,16 +73803,14 @@ index c8bdea2..2e4d698 100644 + type cluster_var_lib_t; + ') -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +#################################### +## +## Allow domain to relabel cluster lib files @@ -72665,8 +73831,8 @@ index c8bdea2..2e4d698 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -72682,14 +73848,14 @@ index c8bdea2..2e4d698 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +####################################### +## +## Execute cluster init scripts in @@ -72705,9 +73871,7 @@ index c8bdea2..2e4d698 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + @@ -77525,7 +78689,7 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..382a1bf 100644 +index abeb302..61b21d2 100644 --- a/rsync.te +++ b/rsync.te @@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) @@ -77646,7 +78810,7 @@ index abeb302..382a1bf 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -77712,9 +78876,7 @@ index abeb302..382a1bf 100644 + +tunable_policy(`rsync_full_access',` + allow rsync_t self:capability { dac_override dac_read_search }; -+ files_manage_non_security_dirs(rsync_t) -+ files_manage_non_security_files(rsync_t) -+ #files_relabel_non_security_files(rsync_t) ++ files_manage_non_auth_files(rsync_t) ') tunable_policy(`rsync_export_all_ro',` @@ -79029,7 +80191,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..1912f75 100644 +index 2b7c441..a96f064 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -79335,10 +80497,10 @@ index 2b7c441..1912f75 100644 +allow smbd_t self:udp_socket create_socket_perms; +allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+allow smbd_t nmbd_t:process { signal signull }; -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; ++allow smbd_t nmbd_t:process { signal signull }; ++ +allow smbd_t nmbd_var_run_t:file rw_file_perms; +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) @@ -79582,7 +80744,18 @@ index 2b7c441..1912f75 100644 lpd_exec_lpr(smbd_t) ') -@@ -499,9 +491,33 @@ optional_policy(` +@@ -488,6 +480,10 @@ optional_policy(` + ') + + optional_policy(` ++ rhcs_signull_cluster(smbd_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(smbd_t) + ') + +@@ -499,9 +495,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -79617,7 +80790,7 @@ index 2b7c441..1912f75 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +528,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +532,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -79632,7 +80805,7 @@ index 2b7c441..1912f75 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +544,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +548,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -79656,7 +80829,7 @@ index 2b7c441..1912f75 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +561,41 @@ kernel_read_network_state(nmbd_t) +@@ -548,52 +565,41 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -79705,14 +80878,14 @@ index 2b7c441..1912f75 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -79722,7 +80895,7 @@ index 2b7c441..1912f75 100644 ') optional_policy(` -@@ -606,16 +608,22 @@ optional_policy(` +@@ -606,16 +612,22 @@ optional_policy(` ######################################## # @@ -79749,7 +80922,7 @@ index 2b7c441..1912f75 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +635,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +639,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -79767,7 +80940,7 @@ index 2b7c441..1912f75 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +647,23 @@ optional_policy(` +@@ -644,22 +651,23 @@ optional_policy(` ######################################## # @@ -79799,7 +80972,7 @@ index 2b7c441..1912f75 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +676,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -79835,7 +81008,7 @@ index 2b7c441..1912f75 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +699,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +703,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -79927,7 +81100,7 @@ index 2b7c441..1912f75 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +782,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -79951,7 +81124,7 @@ index 2b7c441..1912f75 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +792,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +796,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -79994,7 +81167,7 @@ index 2b7c441..1912f75 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +822,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +826,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -80008,7 +81181,7 @@ index 2b7c441..1912f75 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +845,20 @@ optional_policy(` +@@ -840,17 +849,20 @@ optional_policy(` # Winbind local policy # @@ -80034,7 +81207,7 @@ index 2b7c441..1912f75 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +872,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -80045,7 +81218,7 @@ index 2b7c441..1912f75 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +883,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -80075,7 +81248,7 @@ index 2b7c441..1912f75 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +902,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +906,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -80096,7 +81269,7 @@ index 2b7c441..1912f75 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,10 +924,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -80107,7 +81280,7 @@ index 2b7c441..1912f75 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +932,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -80149,7 +81322,7 @@ index 2b7c441..1912f75 100644 ') optional_policy(` -@@ -959,31 +976,29 @@ optional_policy(` +@@ -959,31 +980,29 @@ optional_policy(` # Winbind helper local policy # @@ -80187,7 +81360,7 @@ index 2b7c441..1912f75 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1012,38 @@ optional_policy(` +@@ -997,25 +1016,38 @@ optional_policy(` ######################################## # @@ -80450,10 +81623,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..5da5bff +index 0000000..e45c73a --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,392 @@ +@@ -0,0 +1,393 @@ + +## policy for sandboxX + @@ -80577,6 +81750,7 @@ index 0000000..5da5bff + + domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) + domain_entry_file($1_client_t, sandbox_exec_t) ++ allow $1_client_t $1_t:shm { unix_read unix_write }; + + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) @@ -80848,10 +82022,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..710df6b +index 0000000..9ba5803 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,483 @@ +@@ -0,0 +1,488 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -80976,7 +82150,7 @@ index 0000000..710df6b +# +# sandbox_x_domain local policy +# -+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap }; +tunable_policy(`deny_execmem',`',` + allow sandbox_x_domain self:process execmem; +') @@ -81277,6 +82451,14 @@ index 0000000..710df6b +') + +optional_policy(` ++ mozilla_plugin_rw_sem(sandbox_web_type) ++') ++ ++optional_policy(` ++ networkmanager_dontaudit_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` + nsplugin_manage_rw(sandbox_web_type) + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) @@ -81298,10 +82480,6 @@ index 0000000..710df6b +') + +optional_policy(` -+ networkmanager_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` + udev_read_state(sandbox_web_type) +') + @@ -81331,10 +82509,11 @@ index 0000000..710df6b + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) -+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) ++ mozilla_plugin_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') +userdom_dontaudit_open_user_ptys(sandbox_x_domain) ++ diff --git a/sanlock.fc b/sanlock.fc index 3df2a0f..9059165 100644 --- a/sanlock.fc @@ -82960,20 +84139,24 @@ index 12700b4..fde3c8d 100644 + unconfined_domain(unconfined_sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -index 8185d5a..719ac47 100644 +index 8185d5a..97926d2 100644 --- a/sensord.fc +++ b/sensord.fc -@@ -1,3 +1,5 @@ +@@ -1,5 +1,9 @@ +/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) + ++/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++ + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if -index d204752..5eba5fd 100644 +index d204752..31cc6e6 100644 --- a/sensord.if +++ b/sensord.if -@@ -1,35 +1,75 @@ +@@ -1,35 +1,80 @@ -## Sensor information logging daemon. + +## Sensor information logging daemon @@ -83041,7 +84224,9 @@ index d204752..5eba5fd 100644 gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; + type sensord_t; -+ type sensord_unit_file_t; ++ type sensord_unit_file_t; ++ type sensord_log_t; ++ type sensord_var_run_t; ') allow $1 sensord_t:process { ptrace signal_perms }; @@ -83056,17 +84241,19 @@ index d204752..5eba5fd 100644 + allow $1 sensord_unit_file_t:service all_service_perms; - files_search_pids($1) -- admin_pattern($1, sensord_var_run_t) ++ admin_pattern($1, sensord_log_t) + admin_pattern($1, sensord_var_run_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..fa352d8 100644 +index 5e82fd6..f3e5808 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,6 +9,9 @@ type sensord_t; +@@ -9,12 +9,18 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) @@ -83076,7 +84263,24 @@ index 5e82fd6..fa352d8 100644 type sensord_initrc_exec_t; init_script_file(sensord_initrc_exec_t) -@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) + type sensord_var_run_t; + files_pid_file(sensord_var_run_t) + ++type sensord_log_t; ++logging_log_file(sensord_log_t) ++ + ######################################## + # + # Local policy +@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t) + allow sensord_t self:fifo_file rw_fifo_file_perms; + allow sensord_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t) ++logging_log_filetrans(sensord_t, sensord_log_t, file) ++ + manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) + files_pid_filetrans(sensord_t, sensord_var_run_t, file) dev_read_sysfs(sensord_t) @@ -83854,10 +85058,18 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index 7710b9f..76a2c97 100644 +index 7710b9f..6195392 100644 --- a/shorewall.te +++ b/shorewall.te -@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) +@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t) + + allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; + dontaudit shorewall_t self:capability sys_tty_config; ++allow shorewall_t self:process signal_perms; + allow shorewall_t self:fifo_file rw_fifo_file_perms; + allow shorewall_t self:netlink_socket create_socket_perms; + +@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) files_lock_filetrans(shorewall_t, shorewall_lock_t, file) manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) @@ -83868,7 +85080,7 @@ index 7710b9f..76a2c97 100644 logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) @@ -83878,7 +85090,7 @@ index 7710b9f..76a2c97 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t) +@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t) domain_read_all_domains_state(shorewall_t) files_getattr_kernel_modules(shorewall_t) @@ -83886,7 +85098,7 @@ index 7710b9f..76a2c97 100644 files_search_kernel_modules(shorewall_t) fs_getattr_all_fs(shorewall_t) -@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t) +@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t) logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) @@ -84324,6 +85536,19 @@ index 9cf6582..bc33dd7 100644 - udev_read_db(fsdaemon_t) + virt_read_images(fsdaemon_t) ') +diff --git a/smokeping.fc b/smokeping.fc +index 3359819..a231ecb 100644 +--- a/smokeping.fc ++++ b/smokeping.fc +@@ -2,7 +2,7 @@ + + /usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) + +-/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) ++/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0) + + /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) + diff --git a/smokeping.if b/smokeping.if index 1fa51c1..82e111c 100644 --- a/smokeping.if @@ -84342,7 +85567,7 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index ec031a0..ebf575f 100644 +index ec031a0..26b6da1 100644 --- a/smokeping.te +++ b/smokeping.te @@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) @@ -84370,15 +85595,35 @@ index ec031a0..ebf575f 100644 mta_send_mail(smokeping_t) netutils_domtrans_ping(smokeping_t) -@@ -70,6 +68,8 @@ optional_policy(` - files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) +@@ -60,17 +58,20 @@ netutils_domtrans_ping(smokeping_t) -+ auth_read_passwd(httpd_smokeping_cgi_script_t) + optional_policy(` + apache_content_template(smokeping_cgi) ++ apache_content_alias_template(smokeping_cgi, smokeping_cgi) + - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) ++ manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) ++ manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + +- manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) +- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) ++ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) + +- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) ++ files_read_etc_files(smokeping_cgi_script_t) ++ files_search_tmp(smokeping_cgi_script_t) ++ files_search_var_lib(smokeping_cgi_script_t) + +- files_read_etc_files(httpd_smokeping_cgi_script_t) +- files_search_tmp(httpd_smokeping_cgi_script_t) +- files_search_var_lib(httpd_smokeping_cgi_script_t) ++ auth_read_passwd(smokeping_cgi_script_t) - netutils_domtrans_ping(httpd_smokeping_cgi_script_t) +- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) ++ sysnet_dns_name_resolve(smokeping_cgi_script_t) + +- netutils_domtrans_ping(httpd_smokeping_cgi_script_t) ++ netutils_domtrans_ping(smokeping_cgi_script_t) + ') diff --git a/smoltclient.te b/smoltclient.te index b3f2c6f..dccac2a 100644 --- a/smoltclient.te @@ -85258,7 +86503,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..de22c9c 100644 +index f2f507d..10b5705 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -85419,13 +86664,17 @@ index f2f507d..de22c9c 100644 ') optional_policy(` -@@ -151,9 +198,21 @@ optional_policy(` +@@ -151,9 +198,25 @@ optional_policy(` ') optional_policy(` - rpm_exec(sosreport_t) - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) ++ rhsmcertd_manage_lib_files(sosreport_t) ++') ++ ++optional_policy(` + rpm_dontaudit_manage_db(sosreport_t) + rpm_manage_cache(sosreport_t) + rpm_manage_log(sosreport_t) @@ -86775,6 +88024,221 @@ index cc58e35..ecd30f3 100644 + gpg_manage_home_content(spamd_update_t) ') + +diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc +new file mode 100644 +index 0000000..545f682 +--- /dev/null ++++ b/speech-dispatcher.fc +@@ -0,0 +1,5 @@ ++/usr/bin/speech-dispatcher -- gen_context(system_u:object_r:speech-dispatcher_exec_t,s0) ++ ++/usr/lib/systemd/system/speech-dispatcherd.service -- gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0) ++ ++/var/log/speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_log_t,s0) +diff --git a/speech-dispatcher.if b/speech-dispatcher.if +new file mode 100644 +index 0000000..ddfed09 +--- /dev/null ++++ b/speech-dispatcher.if +@@ -0,0 +1,142 @@ ++ ++## speech-dispatcher - server process managing speech requests in Speech Dispatcher ++ ++######################################## ++## ++## Execute speech-dispatcher in the speech-dispatcher domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`speech-dispatcher_domtrans',` ++ gen_require(` ++ type speech-dispatcher_t, speech-dispatcher_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t) ++') ++######################################## ++## ++## Read speech-dispatcher's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`speech-dispatcher_read_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++ ++######################################## ++## ++## Append to speech-dispatcher log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`speech-dispatcher_append_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++ ++######################################## ++## ++## Manage speech-dispatcher log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`speech-dispatcher_manage_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++ manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++ manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++######################################## ++## ++## Execute speech-dispatcher server in the speech-dispatcher domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`speech-dispatcher_systemctl',` ++ gen_require(` ++ type speech-dispatcher_t; ++ type speech-dispatcher_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 speech-dispatcher_unit_file_t:file read_file_perms; ++ allow $1 speech-dispatcher_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, speech-dispatcher_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an speech-dispatcher environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`speech-dispatcher_admin',` ++ gen_require(` ++ type speech-dispatcher_t; ++ type speech-dispatcher_log_t; ++ type speech-dispatcher_unit_file_t; ++ ') ++ ++ allow $1 speech-dispatcher_t:process { signal_perms }; ++ ps_process_pattern($1, speech-dispatcher_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 speech-dispatcher_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, speech-dispatcher_log_t) ++ ++ speech-dispatcher_systemctl($1) ++ admin_pattern($1, speech-dispatcher_unit_file_t) ++ allow $1 speech-dispatcher_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/speech-dispatcher.te b/speech-dispatcher.te +new file mode 100644 +index 0000000..57372d0 +--- /dev/null ++++ b/speech-dispatcher.te +@@ -0,0 +1,50 @@ ++policy_module(speech-dispatcher, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type speech-dispatcher_t; ++type speech-dispatcher_exec_t; ++init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t) ++ ++type speech-dispatcher_log_t; ++logging_log_file(speech-dispatcher_log_t) ++ ++type speech-dispatcher_unit_file_t; ++systemd_unit_file(speech-dispatcher_unit_file_t) ++ ++type speech-dispatcher_tmp_t; ++files_tmp_file(speech-dispatcher_tmp_t) ++ ++type speech-dispatcher_tmpfs_t; ++files_tmpfs_file(speech-dispatcher_tmpfs_t) ++ ++######################################## ++# ++# speech-dispatcher local policy ++# ++allow speech-dispatcher_t self:process { fork signal_perms }; ++allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms; ++allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms; ++allow speech-dispatcher_t self:tcp_socket create_socket_perms; ++ ++manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t) ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t) ++logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir }) ++ ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t) ++files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file }) ++ ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t) ++fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file }) ++ ++kernel_read_system_state(speech-dispatcher_t) ++ ++auth_read_passwd(speech-dispatcher_t) ++ ++corenet_tcp_connect_pdps_port(speech-dispatcher_t) ++ ++dev_read_urand(speech-dispatcher_t) ++ diff --git a/speedtouch.te b/speedtouch.te index b38b8b1..eb36653 100644 --- a/speedtouch.te @@ -86797,25 +88261,25 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..ebbec17 100644 +index 0a8b0f7..5b066d3 100644 --- a/squid.fc +++ b/squid.fc @@ -1,12 +1,15 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -- --/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) ++/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) +-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) -+ + /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) ++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0) /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) @@ -86866,7 +88330,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..7cb8bec 100644 +index 03472ed..4ade5f1 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -86952,30 +88416,41 @@ index 03472ed..7cb8bec 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -198,6 +202,8 @@ tunable_policy(`squid_use_tproxy',` +@@ -197,28 +201,31 @@ tunable_policy(`squid_use_tproxy',` + optional_policy(` apache_content_template(squid) - -+ allow httpd_squid_script_t self:tcp_socket create_socket_perms; -+ - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) - corenet_all_recvfrom_netlabel(httpd_squid_script_t) - corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -207,18 +213,18 @@ optional_policy(` - corenet_tcp_connect_http_cache_port(httpd_squid_script_t) - corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) ++ apache_content_alias_template(squid, squid) + +- corenet_all_recvfrom_unlabeled(httpd_squid_script_t) +- corenet_all_recvfrom_netlabel(httpd_squid_script_t) +- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) +- corenet_tcp_sendrecv_generic_node(httpd_squid_script_t) ++ allow squid_script_t self:tcp_socket create_socket_perms; + +- corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t) +- corenet_tcp_connect_http_cache_port(httpd_squid_script_t) +- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) ++ corenet_all_recvfrom_unlabeled(squid_script_t) ++ corenet_all_recvfrom_netlabel(squid_script_t) ++ corenet_tcp_sendrecv_generic_if(squid_script_t) ++ corenet_tcp_sendrecv_generic_node(squid_script_t) - sysnet_dns_name_resolve(httpd_squid_script_t) -+ corenet_tcp_connect_squid_port(httpd_squid_script_t) ++ corenet_sendrecv_http_cache_client_packets(squid_script_t) ++ corenet_tcp_connect_http_cache_port(squid_script_t) ++ corenet_tcp_sendrecv_http_cache_port(squid_script_t) - squid_read_config(httpd_squid_script_t) -') -+ sysnet_dns_name_resolve(httpd_squid_script_t) ++ corenet_tcp_connect_squid_port(squid_script_t) -optional_policy(` - cron_system_entry(squid_t, squid_exec_t) ++ sysnet_dns_name_resolve(squid_script_t) ++ + optional_policy(` -+ squid_read_config(httpd_squid_script_t) ++ squid_read_config(squid_script_t) + ') ') @@ -86987,7 +88462,7 @@ index 03472ed..7cb8bec 100644 ') optional_policy(` -@@ -236,3 +242,24 @@ optional_policy(` +@@ -236,3 +243,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -87416,7 +88891,7 @@ index a240455..16a04bf 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..290807b 100644 +index 2d8db1f..fb9841f 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) @@ -87501,7 +88976,7 @@ index 2d8db1f..290807b 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -87512,6 +88987,7 @@ index 2d8db1f..290807b 100644 +userdom_manage_tmp_role(system_r, sssd_t) +userdom_manage_all_users_keys(sssd_t) ++userdom_home_reader(sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) @@ -87528,15 +89004,16 @@ index 2d8db1f..290807b 100644 + +optional_policy(` + dirsrv_stream_connect(sssd_t) - ') ++') + +optional_policy(` + ldap_stream_connect(sssd_t) -+ ldap_read_certs(sssd_t) ++ ldap_read_certs(sssd_t) +') + -+userdom_home_reader(sssd_t) -+ ++optional_policy(` ++ systemd_login_read_pid_files(sssd_t) + ') diff --git a/stapserver.fc b/stapserver.fc new file mode 100644 index 0000000..0ccce59 @@ -95206,10 +96683,10 @@ index facdee8..43128c6 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..6771aec 100644 +index f03dcf5..eeb0c89 100644 --- a/virt.te +++ b/virt.te -@@ -1,150 +1,190 @@ +@@ -1,150 +1,197 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -95347,6 +96824,8 @@ index f03dcf5..6771aec 100644 -attribute virt_image_type; -attribute virt_tmp_type; -attribute virt_tmpfs_type; +- +-attribute svirt_lxc_domain; +## +##

+## Allow confined virtual guests to use usb devices @@ -95354,14 +96833,6 @@ index f03dcf5..6771aec 100644 +## +gen_tunable(virt_use_usb, true) --attribute svirt_lxc_domain; -+## -+##

-+## Allow sandbox containers to use netlink system calls -+##

-+## -+gen_tunable(virt_sandbox_use_netlink, false) - -attribute_role virt_domain_roles; -roleattribute system_r virt_domain_roles; +## @@ -95373,20 +96844,33 @@ index f03dcf5..6771aec 100644 -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; -+virt_domain_template(svirt) -+role system_r types svirt_t; -+typealias svirt_t alias qemu_t; ++## ++##

++## Allow sandbox containers to use netlink system calls ++##

++## ++gen_tunable(virt_sandbox_use_netlink, false) -attribute_role svirt_lxc_domain_roles; -roleattribute system_r svirt_lxc_domain_roles; -+virt_domain_template(svirt_tcg) -+role system_r types svirt_tcg_t; ++## ++##

++## Allow sandbox containers to use sys_admin system calls, for example mount ++##

++## ++gen_tunable(virt_sandbox_use_sys_admin, false) --virt_domain_template(svirt) + virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) -+type qemu_exec_t, virt_file_type; ++role system_r types svirt_t; ++typealias svirt_t alias qemu_t; ++ ++virt_domain_template(svirt_tcg) ++role system_r types svirt_tcg_t; -type virt_cache_t alias svirt_cache_t; ++type qemu_exec_t, virt_file_type; ++ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -95471,7 +96955,7 @@ index f03dcf5..6771aec 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -153,299 +193,144 @@ ifdef(`enable_mls',` +@@ -153,299 +200,132 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -95665,27 +97149,18 @@ index f03dcf5..6771aec 100644 - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -+type virtd_lxc_t, virt_system_domain; -+type virtd_lxc_exec_t, virt_file_type; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - +- -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -+type virt_lxc_var_run_t, virt_file_type; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - +- -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') -+# virt lxc container files -+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; -+files_mountpoint(svirt_sandbox_file_t) - +- -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) @@ -95693,53 +97168,42 @@ index f03dcf5..6771aec 100644 - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -+######################################## -+# -+# svirt local policy -+# - +- -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -optional_policy(` - dbus_read_lib_files(virt_domain) -') -+corenet_udp_sendrecv_generic_if(svirt_t) -+corenet_udp_sendrecv_generic_node(svirt_t) -+corenet_udp_sendrecv_all_ports(svirt_t) -+corenet_udp_bind_generic_node(svirt_t) -+corenet_udp_bind_all_ports(svirt_t) -+corenet_tcp_bind_all_ports(svirt_t) -+corenet_tcp_connect_all_ports(svirt_t) - +- -optional_policy(` - nscd_use(virt_domain) -') -+miscfiles_read_generic_certs(svirt_t) ++type virtd_lxc_t, virt_system_domain; ++type virtd_lxc_exec_t, virt_file_type; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - optional_policy(` +-optional_policy(` - samba_domtrans_smbd(virt_domain) -+ nscd_dontaudit_write_sock_file(svirt_t) - ') +-') ++type virt_lxc_var_run_t, virt_file_type; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - optional_policy(` +-optional_policy(` - xen_rw_image_files(virt_domain) -+ sssd_dontaudit_stream_connect(svirt_t) -+ sssd_dontaudit_read_lib(svirt_t) -+ sssd_dontaudit_read_public_files(svirt_t) - ') +-') ++# virt lxc container files ++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; ++files_mountpoint(svirt_sandbox_file_t) --######################################## -+####################################### + ######################################## # --# svirt local policy -+# svirt_prot_exec local policy + # svirt local policy # -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) @@ -95761,26 +97225,35 @@ index f03dcf5..6771aec 100644 -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) --corenet_udp_bind_generic_node(svirt_t) + corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) --corenet_udp_bind_all_ports(svirt_t) --corenet_tcp_bind_all_ports(svirt_t) + corenet_udp_bind_all_ports(svirt_t) + corenet_tcp_bind_all_ports(svirt_t) +- +-corenet_sendrecv_all_client_packets(svirt_t) + corenet_tcp_connect_all_ports(svirt_t) + ++####################################### ++# ++# svirt_prot_exec local policy ++# ++ +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - --corenet_sendrecv_all_client_packets(svirt_t) --corenet_tcp_connect_all_ports(svirt_t) ++ +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) @@ -95788,7 +97261,7 @@ index f03dcf5..6771aec 100644 +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) - ++ ######################################## # # virtd local policy @@ -95857,7 +97330,7 @@ index f03dcf5..6771aec 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +340,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +335,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -95904,29 +97377,29 @@ index f03dcf5..6771aec 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,16 +375,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,16 +370,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -520,6 +388,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -520,6 +383,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -95934,7 +97407,7 @@ index f03dcf5..6771aec 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +396,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +391,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -95962,7 +97435,7 @@ index f03dcf5..6771aec 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,22 +416,27 @@ dev_rw_vhost(virtd_t) +@@ -555,22 +411,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -95995,7 +97468,7 @@ index f03dcf5..6771aec 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -601,15 +467,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +462,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -96015,7 +97488,7 @@ index f03dcf5..6771aec 100644 selinux_validate_context(virtd_t) -@@ -620,18 +489,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +484,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -96052,7 +97525,7 @@ index f03dcf5..6771aec 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +517,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +512,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -96061,7 +97534,7 @@ index f03dcf5..6771aec 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +542,12 @@ optional_policy(` +@@ -665,20 +537,12 @@ optional_policy(` ') optional_policy(` @@ -96082,7 +97555,7 @@ index f03dcf5..6771aec 100644 ') optional_policy(` -@@ -691,20 +560,26 @@ optional_policy(` +@@ -691,20 +555,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -96113,7 +97586,7 @@ index f03dcf5..6771aec 100644 ') optional_policy(` -@@ -712,11 +587,13 @@ optional_policy(` +@@ -712,11 +582,13 @@ optional_policy(` ') optional_policy(` @@ -96127,7 +97600,7 @@ index f03dcf5..6771aec 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +604,18 @@ optional_policy(` +@@ -727,10 +599,18 @@ optional_policy(` ') optional_policy(` @@ -96146,7 +97619,7 @@ index f03dcf5..6771aec 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +631,264 @@ optional_policy(` +@@ -746,44 +626,276 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -96246,7 +97719,7 @@ index f03dcf5..6771aec 100644 -can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - ++ +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -96290,6 +97763,8 @@ index f03dcf5..6771aec 100644 + +# I think we need these for now. +miscfiles_read_public_files(virt_domain) ++miscfiles_read_generic_certs(virt_domain) ++ +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) @@ -96308,6 +97783,10 @@ index f03dcf5..6771aec 100644 +') + +optional_policy(` ++ nscd_dontaudit_write_sock_file(virt_domain) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + @@ -96316,6 +97795,12 @@ index f03dcf5..6771aec 100644 +') + +optional_policy(` ++ sssd_dontaudit_stream_connect(virt_domain) ++ sssd_dontaudit_read_lib(virt_domain) ++ sssd_dontaudit_read_public_files(virt_domain) ++') ++ ++optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) @@ -96332,7 +97817,7 @@ index f03dcf5..6771aec 100644 + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') -+ + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) @@ -96433,7 +97918,7 @@ index f03dcf5..6771aec 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +899,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +906,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -96460,7 +97945,7 @@ index f03dcf5..6771aec 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +926,23 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -96493,7 +97978,7 @@ index f03dcf5..6771aec 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +954,20 @@ optional_policy(` +@@ -856,14 +961,20 @@ optional_policy(` ') optional_policy(` @@ -96515,7 +98000,7 @@ index f03dcf5..6771aec 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +992,65 @@ optional_policy(` +@@ -888,49 +999,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -96555,7 +98040,7 @@ index f03dcf5..6771aec 100644 manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) -+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill }; ++allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; -manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) @@ -96599,7 +98084,7 @@ index f03dcf5..6771aec 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1062,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1069,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -96619,7 +98104,7 @@ index f03dcf5..6771aec 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1090,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -96643,7 +98128,7 @@ index f03dcf5..6771aec 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1108,256 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1115,271 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -96670,14 +98155,18 @@ index f03dcf5..6771aec 100644 -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ docker_exec_lib(virtd_lxc_t) ++') ++ ++optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -96770,6 +98259,11 @@ index f03dcf5..6771aec 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) ++ ++optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -96854,22 +98348,22 @@ index f03dcf5..6771aec 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) ++ docker_read_lib_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) -+') -+ -+optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + @@ -96886,7 +98380,7 @@ index f03dcf5..6771aec 100644 +typeattribute svirt_lxc_net_t sandbox_net_domain; -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; @@ -96901,6 +98395,10 @@ index f03dcf5..6771aec 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; ++ ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -96916,6 +98414,8 @@ index f03dcf5..6771aec 100644 + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++', ` ++ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) @@ -96991,7 +98491,8 @@ index f03dcf5..6771aec 100644 +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + @@ -97003,8 +98504,7 @@ index f03dcf5..6771aec 100644 +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(svirt_sandbox_file_t) @@ -97038,7 +98538,7 @@ index f03dcf5..6771aec 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1370,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1392,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -97053,7 +98553,7 @@ index f03dcf5..6771aec 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1388,8 @@ optional_policy(` +@@ -1192,9 +1410,8 @@ optional_policy(` ######################################## # @@ -97064,7 +98564,7 @@ index f03dcf5..6771aec 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1402,198 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1424,198 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -97806,6 +99306,68 @@ index 95b26d1..55557cb 100644 -optional_policy(` - seutil_use_newrole_fds(vpnc_t) -') +diff --git a/w3c.fc b/w3c.fc +index 463c799..227feaf 100644 +--- a/w3c.fc ++++ b/w3c.fc +@@ -1,4 +1,4 @@ +-/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) ++/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) + +-/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) +-/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) ++/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0) ++/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) +diff --git a/w3c.te b/w3c.te +index b14d6a9..ac1944e 100644 +--- a/w3c.te ++++ b/w3c.te +@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0) + # + + apache_content_template(w3c_validator) ++apache_content_alias_template(w3c_validator, w3c_validator) + + ######################################## + # + # Local policy + # + +-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) +-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) +-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t) +-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t) ++corenet_all_recvfrom_unlabeled(w3c_validator_script_t) ++corenet_all_recvfrom_netlabel(w3c_validator_script_t) ++corenet_tcp_sendrecv_generic_if(w3c_validator_script_t) ++corenet_tcp_sendrecv_generic_node(w3c_validator_script_t) + +-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t) +-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) +-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) ++corenet_sendrecv_ftp_client_packets(w3c_validator_script_t) ++corenet_tcp_connect_ftp_port(w3c_validator_script_t) ++corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t) + +-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t) +-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) +-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) ++corenet_sendrecv_http_client_packets(w3c_validator_script_t) ++corenet_tcp_connect_http_port(w3c_validator_script_t) ++corenet_tcp_sendrecv_http_port(w3c_validator_script_t) + +-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t) +-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) +-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) ++corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t) ++corenet_tcp_connect_http_cache_port(w3c_validator_script_t) ++corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t) + +-miscfiles_read_generic_certs(httpd_w3c_validator_script_t) ++miscfiles_read_generic_certs(w3c_validator_script_t) + +-sysnet_dns_name_resolve(httpd_w3c_validator_script_t) ++sysnet_dns_name_resolve(w3c_validator_script_t) diff --git a/watchdog.fc b/watchdog.fc index eecd0e0..8df2e8c 100644 --- a/watchdog.fc @@ -98153,11 +99715,21 @@ index 2a6cae7..6d0a2a1 100644 tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) +diff --git a/webalizer.fc b/webalizer.fc +index 64baf67..76c753b 100644 +--- a/webalizer.fc ++++ b/webalizer.fc +@@ -6,4 +6,4 @@ + + /var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) + +-/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) ++/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0) diff --git a/webalizer.te b/webalizer.te -index ae919b9..e0b1983 100644 +index ae919b9..32cbf8c 100644 --- a/webalizer.te +++ b/webalizer.te -@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t) +@@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) @@ -98193,10 +99765,13 @@ index ae919b9..e0b1983 100644 optional_policy(` apache_read_log(webalizer_t) apache_content_template(webalizer) +- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) +- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) ++ apache_content_alias_template(webalizer, webalizer) + apache_manage_sys_content(webalizer_t) - manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) - manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) ') + + optional_policy(` diff --git a/wine.if b/wine.if index fd2b6cc..938c4a7 100644 --- a/wine.if @@ -100156,10 +101731,10 @@ index 2695db2..123c042 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index c3b5a81..7d8b570 100644 +index c3b5a81..52c1586 100644 --- a/zabbix.fc +++ b/zabbix.fc -@@ -4,11 +4,15 @@ +@@ -4,12 +4,17 @@ /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) @@ -100174,8 +101749,10 @@ index c3b5a81..7d8b570 100644 +/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if index dd63de0..38ce620 100644 --- a/zabbix.if @@ -100339,10 +101916,10 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..922b7e0 100644 +index 7f496c6..f24bf4b 100644 --- a/zabbix.te +++ b/zabbix.te -@@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0) +@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) # ## @@ -100369,7 +101946,24 @@ index 7f496c6..922b7e0 100644 type zabbix_agent_exec_t; init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) -@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t) + type zabbix_agent_initrc_exec_t; + init_script_file(zabbix_agent_initrc_exec_t) + ++type zabbixd_var_lib_t; ++files_type(zabbixd_var_lib_t) ++ + type zabbix_log_t; + logging_log_file(zabbix_log_t) + +@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t) + type zabbix_tmpfs_t; + files_tmpfs_file(zabbix_tmpfs_t) + ++type zabbix_var_lib_t; ++files_type(zabbix_var_lib_t) ++ + type zabbix_var_run_t; + files_pid_file(zabbix_var_run_t) ######################################## # @@ -100409,6 +102003,11 @@ index 7f496c6..922b7e0 100644 -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; +allow zabbix_t self:capability { dac_read_search dac_override }; ++ ++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) @@ -100422,7 +102021,7 @@ index 7f496c6..922b7e0 100644 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) kernel_read_system_state(zabbix_t) @@ -100436,7 +102035,13 @@ index 7f496c6..922b7e0 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) +@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) + corenet_sendrecv_http_client_packets(zabbix_t) + corenet_tcp_connect_http_port(zabbix_t) + corenet_tcp_sendrecv_http_port(zabbix_t) ++corenet_tcp_connect_smtp_port(zabbix_t) + + corenet_sendrecv_zabbix_server_packets(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) corenet_tcp_sendrecv_zabbix_port(zabbix_t) @@ -100454,7 +102059,7 @@ index 7f496c6..922b7e0 100644 zabbix_agent_tcp_connect(zabbix_t) tunable_policy(`zabbix_can_network',` -@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',` +@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -100469,7 +102074,7 @@ index 7f496c6..922b7e0 100644 ') optional_policy(` -@@ -125,6 +131,7 @@ optional_policy(` +@@ -125,6 +143,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -100477,7 +102082,7 @@ index 7f496c6..922b7e0 100644 ') ######################################## -@@ -132,18 +139,7 @@ optional_policy(` +@@ -132,18 +151,7 @@ optional_policy(` # Agent local policy # @@ -100497,7 +102102,7 @@ index 7f496c6..922b7e0 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -100516,7 +102121,7 @@ index 7f496c6..922b7e0 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,12 +169,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) @@ -100530,7 +102135,7 @@ index 7f496c6..922b7e0 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +181,14 @@ init_read_utmp(zabbix_agent_t) +@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) @@ -101340,7 +102945,7 @@ index 2e80d04..3a76167 100644 +') diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..8c61505 +index 0000000..ceaa219 --- /dev/null +++ b/zoneminder.fc @@ -0,0 +1,13 @@ @@ -101350,7 +102955,7 @@ index 0000000..8c61505 + +/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0) + -+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0) ++/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:zoneminder_script_exec_t,s0) + +/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) + @@ -101739,7 +103344,7 @@ index 0000000..d02a6f4 + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..add28f7 +index 0000000..b66e76d --- /dev/null +++ b/zoneminder.te @@ -0,0 +1,187 @@ @@ -101909,26 +103514,26 @@ index 0000000..add28f7 + +optional_policy(` + apache_content_template(zoneminder) ++ apache_content_alias_template(zoneminder, zoneminder) + + # need more testing -+ #allow httpd_zoneminder_script_t self:shm create_shm_perms; ++ #allow zoneminder_script_t self:shm create_shm_perms; + -+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++ manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) + -+ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++ rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) + -+ zoneminder_stream_connect(httpd_zoneminder_script_t) ++ zoneminder_stream_connect(zoneminder_script_t) + -+ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t) ++ can_exec(zoneminder_t, zoneminder_script_exec_t) + -+ files_search_var_lib(httpd_zoneminder_script_t) ++ files_search_var_lib(zoneminder_script_t) + -+ logging_send_syslog_msg(httpd_zoneminder_script_t) ++ logging_send_syslog_msg(zoneminder_script_t) + + optional_policy(` -+ mysql_stream_connect(httpd_zoneminder_script_t) ++ mysql_stream_connect(zoneminder_script_t) + ') -+ +') diff --git a/zosremote.if b/zosremote.if index b14698c..16e1581 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index 61c0aa9..cc10110 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -576,6 +576,62 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 6 2014 Miroslav Grepl 3.13.1-11 +- passwd to create gnome-keyring passwd socket +- systemd_systemctl needs sys_admin capability +- Allow cobbler to search dhcp_etc_t directory +- Allow sytemd_tmpfiles_t to delete all directories +- allow sshd to write to all process levels in order to change passwd when running at a level +- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range +- Allow apcuspd_t to status and start the power unit file +- Allow udev to manage kdump unit file +- Added new interface modutils_dontaudit_exec_insmod +- Add labeling for /var/lib/servicelog/servicelog.db-journal +- Allow init_t to create tmpfs_t lnk_file +- Add label for ~/.cvsignore +- Allow fprintd_t to send syslog messages +- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port +- Allow mozilla plugin to chat with policykit, needed for spice +- Allow gssprozy to change user and gid, as well as read user keyrings +- Allow sandbox apps to attempt to set and get capabilties +- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly +- allow modemmanger to read /dev/urand +- Allow polipo to connect to http_cache_ports +- Allow cron jobs to manage apache var lib content +- Allow yppassword to manage the passwd_file_t +- Allow showall_t to send itself signals +- Allow cobbler to restart dhcpc, dnsmasq and bind services +- Allow rsync_t to manage all non auth files +- Allow certmonger to manage home cert files +- Allow user_mail_domains to write certain files to the /root and ~/ directories +- Allow apcuspd_t to status and start the power unit file +- Allow cgroupdrulesengd to create content in cgoups directories +- Add new access for mythtv +- Allow irc_t to execute shell and bin-t files: +- Allow smbd_t to signull cluster +- Allow sssd to read systemd_login_var_run_t +- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t +- Add label for /var/spool/cron.aquota.user +- Allow sandbox_x domains to use work with the mozilla plugin semaphore +- Added new policy for speech-dispatcher +- Added dontaudit rule for insmod_exec_t in rasdaemon policy +- Updated rasdaemon policy +- Allow virt_domains to read cert files +- Allow system_mail_t to transition to postfix_postdrop_t +- Clean up mirrormanager policy +- Allow subscription-manager running as sosreport_t to manage rhsmcertd +- Remove ability to do mount/sys_admin by default in virt_sandbox domains +- New rules required to run docker images within libivrt +- Fixed bumblebee_admin() and mip6d_admin() +- Add log support for sensord +- Add label for ~/.cvsignore +- Change mirrormanager to be run by cron +- Add mirrormanager policy +- Additional fixes for docker.te +- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot +- Add tftp_write_rw_content/tftp_read_rw_content interfaces +- Allow amanda to do backups over UDP + * Thu Dec 13 2013 Miroslav Grepl 3.13.1-10 - Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template()