diff --git a/.gitignore b/.gitignore index 0dd8fdf..5c00acd 100644 --- a/.gitignore +++ b/.gitignore @@ -225,3 +225,4 @@ serefpolicy* /serefpolicy-3.9.2.tgz /serefpolicy-3.9.3.tgz /serefpolicy-3.9.4.tgz +/serefpolicy-3.9.5.tgz diff --git a/policy-F14.patch b/policy-F14.patch index 21ebcd0..be8c885 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -280,7 +280,7 @@ index 5b43db5..fdb453c 100644 + role $2 types brctl_t; +') diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te -index e0fa983..86644f0 100644 +index a2e9cb5..cec5c56 100644 --- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te @@ -35,7 +35,7 @@ miscfiles_read_generic_certs(certwatch_t) @@ -292,14 +292,6 @@ index e0fa983..86644f0 100644 optional_policy(` apache_exec_modules(certwatch_t) -@@ -47,6 +47,7 @@ optional_policy(` - ') - - optional_policy(` -+ pcscd_domtrans(certwatch_t) - pcscd_stream_connect(certwatch_t) - pcscd_read_pub_files(certwatch_t) - ') diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 2b12a37..a370656 100644 --- a/policy/modules/admin/consoletype.te @@ -334,21 +326,10 @@ index 72bc6d8..5421065 100644 ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te -index db780c2..fd55ce2 100644 +index 66e486e..bfda8e9 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te -@@ -91,6 +91,10 @@ userdom_home_filetrans_user_home_dir(firstboot_t) - userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) - - optional_policy(` -+ consoletype_domtrans(firstboot_t) -+') -+ -+optional_policy(` - dbus_system_bus_client(firstboot_t) - - optional_policy(` -@@ -99,6 +103,10 @@ optional_policy(` +@@ -103,6 +103,10 @@ optional_policy(` ') optional_policy(` @@ -359,7 +340,7 @@ index db780c2..fd55ce2 100644 nis_use_ypbind(firstboot_t) ') -@@ -121,6 +129,7 @@ optional_policy(` +@@ -125,6 +129,7 @@ optional_policy(` ') optional_policy(` @@ -368,7 +349,7 @@ index db780c2..fd55ce2 100644 ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 0b6123e..23ef05f 100644 +index 0b6123e..dd4cd30 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t) @@ -379,6 +360,15 @@ index 0b6123e..23ef05f 100644 cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) +@@ -126,7 +127,7 @@ cron_search_spool(logrotate_t) + mta_send_mail(logrotate_t) + + ifdef(`distro_debian', ` +- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; ++ allow logrotate_t logrotate_tmp_t:file relabel_file_perms; + # for savelog + can_exec(logrotate_t, logrotate_exec_t) + diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc index 3c7b1e8..1e155f5 100644 --- a/policy/modules/admin/logwatch.fc @@ -726,10 +716,10 @@ index b687b5d..4f38995 100644 + term_dontaudit_use_all_ptys(traceroute_t) +') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index aa0dcc6..cdbadda 100644 +index aa0dcc6..0faba2a 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te -@@ -59,6 +59,7 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) @@ -737,6 +727,11 @@ index aa0dcc6..cdbadda 100644 # prelink misc objects that are not system # libraries or entrypoints +-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; ++allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; + + kernel_read_system_state(prelink_t) + kernel_read_kernel_sysctls(prelink_t) @@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) @@ -1413,18 +1408,6 @@ index 51f7c3a..707fb3d 100644 +optional_policy(` xserver_dontaudit_write_log(shutdown_t) ') -diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te -index 254c59d..35f2bb0 100644 ---- a/policy/modules/admin/smoltclient.te -+++ b/policy/modules/admin/smoltclient.te -@@ -42,6 +42,7 @@ dev_read_sysfs(smoltclient_t) - - fs_getattr_all_fs(smoltclient_t) - fs_getattr_all_dirs(smoltclient_t) -+fs_list_auto_mountpoints(smoltclient_t) - - files_getattr_generic_locks(smoltclient_t) - files_read_etc_files(smoltclient_t) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index a0aa8c5..1b60ad8 100644 --- a/policy/modules/admin/su.if @@ -1673,18 +1656,6 @@ index a870982..6542902 100644 optional_policy(` dbus_system_bus_client(vpnc_t) -diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te -index 051b979..31397a3 100644 ---- a/policy/modules/apps/awstats.te -+++ b/policy/modules/apps/awstats.te -@@ -47,6 +47,7 @@ dev_read_urand(awstats_t) - files_read_etc_files(awstats_t) - # e.g. /usr/share/awstats/lang/awstats-en.txt - files_read_usr_files(awstats_t) -+files_dontaudit_search_all_mountpoints(awstats_t) - - fs_list_inotifyfs(awstats_t) - diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc new file mode 100644 index 0000000..432fb25 @@ -1792,10 +1763,10 @@ index 0000000..5ef90cd + diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..b09816f +index 0000000..4e92e87 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,92 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -1878,14 +1849,15 @@ index 0000000..b09816f +') + +tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_append_nfs_files(chrome_sandbox_t) -+ fs_dontaudit_read_nfs_files(chrome_sandbox_t) -+ fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t) ++ fs_search_nfs(chrome_sandbox_t) ++ fs_read_inherited_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_symlinks(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(chrome_sandbox_t) ++ fs_read_inherited_cifs_files(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) -+ fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index 7fd0900..899e234 100644 @@ -4860,9 +4832,18 @@ index 690589e..815d35d 100644 optional_policy(` diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index 2ba7787..15fef11 100644 +index 2ba7787..9f12b51 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if +@@ -17,7 +17,7 @@ + # + interface(`pulseaudio_role',` + gen_require(` +- type pulseaudio_t, pulseaudio_exec_t, print_spool_t; ++ type pulseaudio_t, pulseaudio_exec_t; + class dbus { acquire_svc send_msg }; + ') + @@ -35,6 +35,10 @@ interface(`pulseaudio_role',` allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; @@ -6695,7 +6676,7 @@ index 5872ea2..028c994 100644 /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te -index 1f803bb..8a97303 100644 +index 1f803bb..4bdcbe3 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t) @@ -6706,9 +6687,34 @@ index 1f803bb..8a97303 100644 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) -@@ -159,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t) +@@ -133,6 +134,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) + files_list_tmp(vmware_host_t) + files_read_etc_files(vmware_host_t) + files_read_etc_runtime_files(vmware_host_t) ++files_read_usr_files(vmware_host_t) + + fs_getattr_all_fs(vmware_host_t) + fs_search_auto_mountpoints(vmware_host_t) +@@ -151,6 +153,7 @@ logging_send_syslog_msg(vmware_host_t) + miscfiles_read_localization(vmware_host_t) + + sysnet_dns_name_resolve(vmware_host_t) ++sysnet_domtrans_ifconfig(vmware_host_t) + + userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) + userdom_dontaudit_search_user_home_dirs(vmware_host_t) +@@ -158,8 +161,19 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) + netutils_domtrans_ping(vmware_host_t) optional_policy(` ++ hostname_exec(vmware_host_t) ++') ++ ++optional_policy(` ++ modutils_domtrans_insmod(vmware_host_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(vmware_host_t) +') @@ -8587,7 +8593,7 @@ index 59bae6a..16f0f9e 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..4eecefb 100644 +index 437a42a..51d47a0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',` @@ -8654,7 +8660,32 @@ index 437a42a..4eecefb 100644 dev_search_sysfs($1) ') -@@ -1241,7 +1249,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1227,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',` + + ######################################## + ## ++## Read inherited files on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_inherited_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read or + ## write files on a CIFS or SMB filesystem. + ## +@@ -1241,7 +1267,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -8663,7 +8694,7 @@ index 437a42a..4eecefb 100644 ') ######################################## -@@ -1504,6 +1512,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1530,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -8689,7 +8720,7 @@ index 437a42a..4eecefb 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1931,7 +1958,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +1976,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -8717,7 +8748,7 @@ index 437a42a..4eecefb 100644 ## ## ## -@@ -1946,6 +1992,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2010,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -8759,7 +8790,7 @@ index 437a42a..4eecefb 100644 ######################################## ## -@@ -1999,6 +2080,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2098,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -8767,7 +8798,7 @@ index 437a42a..4eecefb 100644 ') ######################################## -@@ -2395,6 +2477,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2495,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -8793,7 +8824,32 @@ index 437a42a..4eecefb 100644 ## Append files ## on a NFS filesystem. ## -@@ -2449,7 +2550,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2435,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',` + + ######################################## + ## ++## Read inherited files on a NFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_inherited_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read or + ## write files on a NFS filesystem. + ## +@@ -2449,7 +2586,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -8802,7 +8858,7 @@ index 437a42a..4eecefb 100644 ') ######################################## -@@ -2637,6 +2738,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2774,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -8827,7 +8883,7 @@ index 437a42a..4eecefb 100644 ## Read removable storage symbolic links. ## ## -@@ -2845,7 +2964,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3000,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -8836,7 +8892,7 @@ index 437a42a..4eecefb 100644 ## ## ## -@@ -3970,6 +4089,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3970,6 +4125,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -8861,7 +8917,7 @@ index 437a42a..4eecefb 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4662,3 +4799,24 @@ interface(`fs_unconfined',` +@@ -4662,3 +4835,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -9273,7 +9329,7 @@ index 3723150..bde6daa 100644 dev_add_entry_generic_dirs($1) ') diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 492bf76..f9930a3 100644 +index 492bf76..87a6942 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -292,9 +292,11 @@ interface(`term_use_console',` @@ -9289,6 +9345,15 @@ index 492bf76..f9930a3 100644 ') ######################################## +@@ -334,7 +336,7 @@ interface(`term_relabel_console',` + ') + + dev_list_all_dev_nodes($1) +- allow $1 console_device_t:chr_file { relabelfrom relabelto }; ++ allow $1 console_device_t:chr_file relabel_chr_file_perms; + ') + + ######################################## @@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -9298,6 +9363,15 @@ index 492bf76..f9930a3 100644 ') ######################################## +@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',` + ') + + dev_list_all_dev_nodes($1) +- allow $1 tty_device_t:chr_file { relabelfrom relabelto }; ++ allow $1 tty_device_t:chr_file relabel_chr_file_perms; + ') + + ######################################## @@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -9334,6 +9408,15 @@ index 492bf76..f9930a3 100644 ') ######################################## +@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',` + ') + + dev_list_all_dev_nodes($1) +- allow $1 ttynode:chr_file { relabelfrom relabelto }; ++ allow $1 ttynode:chr_file relabel_chr_file_perms; + ') + + ######################################## @@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -9374,10 +9457,18 @@ index 252913b..a1bbe8f 100644 consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te -index 1875064..20d9333 100644 +index 1875064..e9c9277 100644 --- a/policy/modules/roles/dbadm.te +++ b/policy/modules/roles/dbadm.te -@@ -58,3 +58,7 @@ optional_policy(` +@@ -37,6 +37,7 @@ files_list_var(dbadm_t) + selinux_get_enforce_mode(dbadm_t) + + logging_send_syslog_msg(dbadm_t) ++logging_send_audit_msgs(dbadm_t) + + userdom_dontaudit_search_user_home_dirs(dbadm_t) + +@@ -58,3 +59,7 @@ optional_policy(` optional_policy(` postgresql_admin(dbadm_t, dbadm_r) ') @@ -9413,10 +9504,10 @@ index ebe6a9c..e3a1987 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0c9876c..06b7974 100644 +index 1854002..b0d95d4 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,17 +8,55 @@ policy_module(staff, 2.1.1) +@@ -8,12 +8,46 @@ policy_module(staff, 2.1.2) role staff_r; userdom_unpriv_user_template(staff) @@ -9463,129 +9554,95 @@ index 0c9876c..06b7974 100644 optional_policy(` apache_role(staff_r, staff_t) ') - - optional_policy(` -+ mozilla_run_plugin(staff_t, staff_r) -+') -+ -+optional_policy(` - auditadm_role_change(staff_r) - ') - -@@ -27,6 +65,23 @@ optional_policy(` +@@ -27,6 +61,35 @@ optional_policy(` ') optional_policy(` -+ logadm_role_change(staff_r) ++ accountsd_dbus_chat(staff_t) ++ accountsd_read_lib_files(staff_t) +') + +optional_policy(` -+ webadm_role_change(staff_r) ++ gnomeclock_dbus_chat(staff_t) +') + +optional_policy(` -+ kerneloops_manage_tmp_files(staff_t) ++ firewallgui_dbus_chat(staff_t) +') + +optional_policy(` -+ oident_manage_user_content(staff_t) -+ oident_relabel_user_content(staff_t) ++ lpd_list_spool(staff_t) +') + +optional_policy(` - postgresql_role(staff_r, staff_t) - ') - -@@ -35,6 +90,18 @@ optional_policy(` - ') - - optional_policy(` -+ unconfined_role_change(staff_r) ++ kerneloops_dbus_chat(staff_t) +') + +optional_policy(` -+ rtkit_scheduled(staff_t) ++ logadm_role_change(staff_r) +') + +optional_policy(` -+ screen_role_template(staff, staff_r, staff_t) ++ mozilla_run_plugin(staff_t, staff_r) +') + +optional_policy(` - ssh_role_template(staff, staff_r, staff_t) + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) ') - -@@ -48,6 +115,10 @@ optional_policy(` +@@ -36,21 +99,62 @@ optional_policy(` ') optional_policy(` -+ telepathy_dbus_session_role(staff_r, staff_t) ++ rtkit_scheduled(staff_t) +') + +optional_policy(` - xserver_role(staff_r, staff_t) ++ rpm_dbus_chat(staff_usertype) ++') ++ ++optional_policy(` + secadm_role_change(staff_r) ') -@@ -121,10 +192,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) -- ') -- optional_policy(` - pyzor_role(staff_r, staff_t) - ') - -@@ -137,10 +204,6 @@ ifndef(`distro_redhat',` - ') + optional_policy(` +- ssh_role_template(staff, staff_r, staff_t) ++ sandbox_transition(staff_t, staff_r) + ') - optional_policy(` -- screen_role_template(staff, staff_r, staff_t) -- ') -- -- optional_policy(` - spamassassin_role(staff_r, staff_t) - ') + optional_policy(` +- sudo_role_template(staff, staff_r, staff_t) ++ screen_role_template(staff, staff_r, staff_t) + ') -@@ -172,3 +235,46 @@ ifndef(`distro_redhat',` - wireshark_role(staff_r, staff_t) - ') + optional_policy(` + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) ') -+ -+optional_policy(` -+ accountsd_dbus_chat(staff_t) -+ accountsd_read_lib_files(staff_t) -+') -+ +optional_policy(` -+ gnomeclock_dbus_chat(staff_t) ++ setroubleshoot_stream_connect(staff_t) ++ setroubleshoot_dbus_chat(staff_t) ++ setroubleshoot_dbus_chat_fixit(staff_t) +') + +optional_policy(` -+ firewallgui_dbus_chat(staff_t) ++ ssh_role_template(staff, staff_r, staff_t) +') + +optional_policy(` -+ lpd_list_spool(staff_t) ++ sudo_role_template(staff, staff_r, staff_t) +') + +optional_policy(` -+ kerneloops_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ rpm_dbus_chat(staff_usertype) ++ telepathy_dbus_session_role(staff_r, staff_t) +') + +optional_policy(` -+ sandbox_transition(staff_t, staff_r) ++ userhelper_console_role_template(staff, staff_r, staff_usertype) +') + +optional_policy(` -+ setroubleshoot_stream_connect(staff_t) -+ setroubleshoot_dbus_chat(staff_t) -+ setroubleshoot_dbus_chat_fixit(staff_t) ++ unconfined_role_change(staff_r) +') + +optional_policy(` @@ -9593,8 +9650,22 @@ index 0c9876c..06b7974 100644 +') + +optional_policy(` -+ userhelper_console_role_template(staff, staff_r, staff_usertype) ++ webadm_role_change(staff_r) +') + + optional_policy(` + xserver_role(staff_r, staff_t) +@@ -138,10 +242,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- screen_role_template(staff, staff_r, staff_t) +- ') +- +- optional_policy(` + spamassassin_role(staff_r, staff_t) + ') + diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 2a19751..1a95085 100644 --- a/policy/modules/roles/sysadm.te @@ -11106,10 +11177,10 @@ index 0000000..799db36 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e8a507d..aac3fe1 100644 +index 9b55b00..2932c13 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,22 +12,48 @@ role user_r; +@@ -12,6 +12,8 @@ role user_r; userdom_unpriv_user_template(user) @@ -11118,6 +11189,8 @@ index e8a507d..aac3fe1 100644 optional_policy(` apache_role(user_r, user_t) ') +@@ -22,10 +24,34 @@ optional_policy(` + ') optional_policy(` + mozilla_run_plugin(user_t, user_r) @@ -11140,43 +11213,17 @@ index e8a507d..aac3fe1 100644 ') optional_policy(` -+ telepathy_dbus_session_role(user_r, user_t) ++ setroubleshoot_dontaudit_stream_connect(user_t) +') + +optional_policy(` -+ setroubleshoot_dontaudit_stream_connect(user_t) ++ telepathy_dbus_session_role(user_r, user_t) +') + +optional_policy(` xserver_role(user_r, user_t) ') - ifndef(`distro_redhat',` - optional_policy(` - auth_role(user_r, user_t) -- ') -+ ') - - optional_policy(` - bluetooth_role(user_r, user_t) -@@ -44,7 +70,7 @@ ifndef(`distro_redhat',` - optional_policy(` - dbus_role_template(user, user_r, user_t) - ') -- -+ - optional_policy(` - evolution_role(user_r, user_t) - ') -@@ -97,7 +123,7 @@ ifndef(`distro_redhat',` - oident_manage_user_content(user_t) - oident_relabel_user_content(user_t) - ') -- -+ - optional_policy(` - postgresql_role(user_r, user_t) - ') @@ -115,7 +141,7 @@ ifndef(`distro_redhat',` ') @@ -11186,6 +11233,18 @@ index e8a507d..aac3fe1 100644 ') optional_policy(` +diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te +index 0ecc786..dbf2710 100644 +--- a/policy/modules/roles/webadm.te ++++ b/policy/modules/roles/webadm.te +@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t) + seutil_domtrans_setfiles(webadm_t) + + logging_send_syslog_msg(webadm_t) ++logging_send_audit_msgs(webadm_t) + + userdom_dontaudit_search_user_home_dirs(webadm_t) + diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te index e88b95f..e76f7a7 100644 --- a/policy/modules/roles/xguest.te @@ -11357,10 +11416,18 @@ index 1bd5812..3b3ba64 100644 /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..8a5d6a4 100644 +index 0b827c5..022c079 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if -@@ -130,6 +130,10 @@ interface(`abrt_domtrans_helper',` +@@ -71,6 +71,7 @@ interface(`abrt_read_state',` + type abrt_t; + ') + ++ kernel_search_proc($1) + ps_process_pattern($1, abrt_t) + ') + +@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',` ') domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) @@ -11371,7 +11438,7 @@ index 0b827c5..8a5d6a4 100644 ') ######################################## -@@ -160,8 +164,25 @@ interface(`abrt_run_helper',` +@@ -160,8 +165,25 @@ interface(`abrt_run_helper',` ######################################## ## @@ -11399,7 +11466,7 @@ index 0b827c5..8a5d6a4 100644 ## ## ## -@@ -253,6 +274,24 @@ interface(`abrt_manage_pid_files',` +@@ -253,6 +275,24 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -11565,6 +11632,19 @@ index 98646c4..2bd70ae 100644 + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') +diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if +index c0f858d..b46f76f 100644 +--- a/policy/modules/services/accountsd.if ++++ b/policy/modules/services/accountsd.if +@@ -138,7 +138,7 @@ interface(`accountsd_admin',` + type accountsd_t; + ') + +- allow $1 accountsd_t:process { ptrace signal_perms getattr }; ++ allow $1 accountsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, accountsd_t) + + accountsd_manage_lib_files($1) diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te index 1632f10..2724c11 100644 --- a/policy/modules/services/accountsd.te @@ -11587,6 +11667,21 @@ index 1632f10..2724c11 100644 + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) +') +diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if +index 8559cdc..49c0cc8 100644 +--- a/policy/modules/services/afs.if ++++ b/policy/modules/services/afs.if +@@ -97,8 +97,8 @@ interface(`afs_admin',` + type afs_t, afs_initrc_exec_t; + ') + +- allow $1 afs_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, afs_t, afs_t) ++ allow $1 afs_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, afs_t) + + # Allow afs_admin to restart the afs service + afs_initrc_domtrans($1) diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te index de8b791..9ec36b9 100644 --- a/policy/modules/services/afs.te @@ -11740,7 +11835,7 @@ index 0000000..420c856 +') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te new file mode 100644 -index 0000000..d21aa69 +index 0000000..416c49e --- /dev/null +++ b/policy/modules/services/aiccu.te @@ -0,0 +1,71 @@ @@ -11769,7 +11864,7 @@ index 0000000..d21aa69 +# aiccu local policy +# + -+allow aiccu_t self:capability { kill net_admin }; ++allow aiccu_t self:capability { kill net_admin net_raw }; +dontaudit aiccu_t self:capability sys_tty_config; +allow aiccu_t self:process signal; +allow aiccu_t self:fifo_file rw_fifo_file_perms; @@ -11990,35 +12085,6 @@ index 0000000..3441758 +miscfiles_read_localization(ajaxterm_t) + +sysnet_dns_name_resolve(ajaxterm_t) -diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if -index adb3d5f..de26af5 100644 ---- a/policy/modules/services/amavis.if -+++ b/policy/modules/services/amavis.if -@@ -56,7 +56,7 @@ interface(`amavis_read_spool_files',` - ') - - files_search_spool($1) -- allow $1 amavis_spool_t:file read_file_perms; -+ read_files_pattern($1, amavis_spool_t, amavis_spool_t) - ') - - ######################################## -diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index 3e8002a..31f4612 100644 ---- a/policy/modules/services/amavis.te -+++ b/policy/modules/services/amavis.te -@@ -92,9 +92,10 @@ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) - logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) - - # pid file -+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) - manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) - manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) --files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file }) -+files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir }) - - kernel_read_kernel_sysctls(amavis_t) - # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc index 9e39aa5..8603d4d 100644 --- a/policy/modules/services/apache.fc @@ -13254,26 +13320,32 @@ index 1c8c27e..c7cba00 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te -index 0160ba4..f31b5c9 100644 ---- a/policy/modules/services/arpwatch.te -+++ b/policy/modules/services/arpwatch.te -@@ -50,6 +50,7 @@ kernel_read_network_state(arpwatch_t) - kernel_read_kernel_sysctls(arpwatch_t) - kernel_list_proc(arpwatch_t) - kernel_read_proc_symlinks(arpwatch_t) -+kernel_request_load_module(arpwatch_t) - - corenet_all_recvfrom_unlabeled(arpwatch_t) - corenet_all_recvfrom_netlabel(arpwatch_t) -@@ -63,6 +64,7 @@ corenet_tcp_sendrecv_all_ports(arpwatch_t) - corenet_udp_sendrecv_all_ports(arpwatch_t) - - dev_read_sysfs(arpwatch_t) -+dev_read_usbmon_dev(arpwatch_t) - dev_rw_generic_usb_dev(arpwatch_t) - - fs_getattr_all_fs(arpwatch_t) +diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if +index c804110..bdefbe1 100644 +--- a/policy/modules/services/arpwatch.if ++++ b/policy/modules/services/arpwatch.if +@@ -137,7 +137,7 @@ interface(`arpwatch_admin',` + type arpwatch_initrc_exec_t; + ') + +- allow $1 arpwatch_t:process { ptrace signal_perms getattr }; ++ allow $1 arpwatch_t:process { ptrace signal_perms }; + ps_process_pattern($1, arpwatch_t) + + arpwatch_initrc_domtrans($1) +diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if +index 8b8143e..c1a2b96 100644 +--- a/policy/modules/services/asterisk.if ++++ b/policy/modules/services/asterisk.if +@@ -64,7 +64,7 @@ interface(`asterisk_admin',` + type asterisk_initrc_exec_t; + ') + +- allow $1 asterisk_t:process { ptrace signal_perms getattr }; ++ allow $1 asterisk_t:process { ptrace signal_perms }; + ps_process_pattern($1, asterisk_t) + + init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index b9e94c4..608e3a1 100644 --- a/policy/modules/services/asterisk.te @@ -13305,6 +13377,29 @@ index b9e94c4..608e3a1 100644 postgresql_stream_connect(asterisk_t) ') +diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if +index d80a16b..f384848 100644 +--- a/policy/modules/services/automount.if ++++ b/policy/modules/services/automount.if +@@ -68,7 +68,8 @@ interface(`automount_read_state',` + type automount_t; + ') + +- read_files_pattern($1, automount_t, automount_t) ++ kernel_search_proc($1) ++ ps_process_pattern($1, automount_t) + ') + + ######################################## +@@ -149,7 +150,7 @@ interface(`automount_admin',` + type automount_var_run_t, automount_initrc_exec_t; + ') + +- allow $1 automount_t:process { ptrace signal_perms getattr }; ++ allow $1 automount_t:process { ptrace signal_perms }; + ps_process_pattern($1, automount_t) + + init_labeled_script_domtrans($1, automount_initrc_exec_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 39799db..6189565 100644 --- a/policy/modules/services/automount.te @@ -13506,7 +13601,7 @@ index 0000000..c095160 +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if new file mode 100644 -index 0000000..9f4885c +index 0000000..272bf74 --- /dev/null +++ b/policy/modules/services/boinc.if @@ -0,0 +1,151 @@ @@ -13650,8 +13745,8 @@ index 0000000..9f4885c + type boinc_var_lib_t; + ') + -+ allow $1 boinc_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, boinc_t, boinc_t) ++ allow $1 boinc_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, boinc_t) + + boinc_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -14213,22 +14308,6 @@ index 0000000..e67f987 +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) -diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te -index 358b757..b819a47 100644 ---- a/policy/modules/services/canna.te -+++ b/policy/modules/services/canna.te -@@ -42,9 +42,10 @@ manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) - manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) - files_var_lib_filetrans(canna_t, canna_var_lib_t, file) - -+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) - manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) - manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) --files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file }) -+files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) - - kernel_read_kernel_sysctls(canna_t) - kernel_read_system_state(canna_t) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 4c90b57..bffe6b6 100644 --- a/policy/modules/services/ccs.te @@ -14244,38 +14323,8 @@ index 4c90b57..bffe6b6 100644 +optional_policy(` unconfined_use_fds(ccs_t) ') -diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if -index 9629d3d..f9335fb 100644 ---- a/policy/modules/services/certmaster.if -+++ b/policy/modules/services/certmaster.if -@@ -18,6 +18,25 @@ interface(`certmaster_domtrans',` - domtrans_pattern($1, certmaster_exec_t, certmaster_t) - ') - -+#################################### -+## -+## Execute certmaster. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_exec',` -+ gen_require(` -+ type certmaster_exec_t; -+ ') -+ -+ can_exec($1, certmaster_exec_t) -+ corecmd_search_bin($1) -+') -+ - ####################################### - ## - ## read certmaster logs. diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te -index d8b8639..da60c93 100644 +index 73f03ff..4aef864 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te @@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t) @@ -14286,32 +14335,6 @@ index d8b8639..da60c93 100644 files_list_var(certmaster_t) files_search_var_lib(certmaster_t) -diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if -index a3728d4..7a6e5ba 100644 ---- a/policy/modules/services/certmonger.if -+++ b/policy/modules/services/certmonger.if -@@ -167,8 +167,8 @@ interface(`certmonger_admin',` - allow $2 system_r; - - files_search_var_lib($1) -- admin_pattern($1, cermonger_var_lib_t) -+ admin_pattern($1, certmonger_var_lib_t) - - files_search_pids($1) -- admin_pattern($1, cermonger_var_run_t) -+ admin_pattern($1, certmonger_var_run_t) - ') -diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te -index 7106981..261a37c 100644 ---- a/policy/modules/services/certmonger.te -+++ b/policy/modules/services/certmonger.te -@@ -68,5 +68,5 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_dbus_send(certmonger_t) -+ pcscd_stream_connect(certmonger_t) - ') diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te index 8ca2333..63a18fc 100644 --- a/policy/modules/services/cgroup.te @@ -14694,10 +14717,10 @@ index 0000000..d5b410f +') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te new file mode 100644 -index 0000000..1e4adfa +index 0000000..bb7d429 --- /dev/null +++ b/policy/modules/services/cmirrord.te -@@ -0,0 +1,56 @@ +@@ -0,0 +1,55 @@ +policy_module(cmirrord,1.0.0) + +######################################## @@ -14709,8 +14732,6 @@ index 0000000..1e4adfa +type cmirrord_exec_t; +init_daemon_domain(cmirrord_t, cmirrord_exec_t) + -+permissive cmirrord_t; -+ +type cmirrord_initrc_exec_t; +init_script_file(cmirrord_initrc_exec_t) + @@ -14726,6 +14747,7 @@ index 0000000..1e4adfa +# + +allow cmirrord_t self:capability { net_admin kill }; ++dontaudit cmirrord_t self:capability sys_tty_config; +allow cmirrord_t self:process signal; + +allow cmirrord_t self:fifo_file rw_fifo_file_perms; @@ -14797,7 +14819,7 @@ index 1cf6c4e..90c60df 100644 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if -index 293e08d..1bdfe84 100644 +index 293e08d..b2198bb 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if @@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',` @@ -14907,7 +14929,7 @@ index 293e08d..1bdfe84 100644 ## All of the rules required to administrate ## an cobblerd environment ## -@@ -162,6 +186,9 @@ interface(`cobblerd_admin',` +@@ -162,10 +186,13 @@ interface(`cobblerd_admin',` gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; type cobbler_etc_t, cobblerd_initrc_exec_t; @@ -14916,7 +14938,13 @@ index 293e08d..1bdfe84 100644 + type httpd_cobbler_content_rw_t; ') - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; +- allow $1 cobblerd_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, cobblerd_t, cobblerd_t) ++ allow $1 cobblerd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cobblerd_t) + + files_search_etc($1) + admin_pattern($1, cobbler_etc_t) @@ -176,10 +203,18 @@ interface(`cobblerd_admin',` logging_search_logs($1) admin_pattern($1, cobbler_var_log_t) @@ -15254,8 +15282,38 @@ index 3a6d7eb..2098ee9 100644 /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) +diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if +index 5220c9d..05f7296 100644 +--- a/policy/modules/services/corosync.if ++++ b/policy/modules/services/corosync.if +@@ -18,6 +18,25 @@ interface(`corosync_domtrans',` + domtrans_pattern($1, corosync_exec_t, corosync_t) + ') + ++###################################### ++## ++## Execute corosync in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`corosync_exec',` ++ gen_require(` ++ type corosync_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, corosync_exec_t) ++') ++ + ####################################### + ## + ## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 7d2cf85..fdb0dcb 100644 +index 7d2cf85..ed9dd2f 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) @@ -15297,7 +15355,7 @@ index 7d2cf85..fdb0dcb 100644 auth_use_nsswitch(corosync_t) -@@ -83,19 +88,35 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +88,36 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -15334,38 +15392,10 @@ index 7d2cf85..fdb0dcb 100644 + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) ++ rhcs_read_cluster_lib_files(corosync_t) ') optional_policy(` -diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if -index 37b03f6..9971337 100644 ---- a/policy/modules/services/courier.if -+++ b/policy/modules/services/courier.if -@@ -38,10 +38,12 @@ template(`courier_domain_template',` - read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) - allow courier_$1_t courier_etc_t:dir list_dir_perms; - -+ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - files_search_pids(courier_$1_t) -+ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) - - kernel_read_system_state(courier_$1_t) - kernel_read_kernel_sysctls(courier_$1_t) -diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te -index b96c242..72901d8 100644 ---- a/policy/modules/services/courier.te -+++ b/policy/modules/services/courier.te -@@ -48,6 +48,7 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; - allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; - allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; - allow courier_authdaemon_t courier_tcpd_t:process sigchld; -+allow courier_authdaemon_t courier_tcpd_t:fd use; - allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; - allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; - diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index 2eefc08..3e8ad69 100644 --- a/policy/modules/services/cron.fc @@ -15388,21 +15418,22 @@ index 2eefc08..3e8ad69 100644 + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..cbd01be 100644 +index 35241ed..9822074 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if -@@ -12,6 +12,10 @@ +@@ -12,6 +12,11 @@ ## # template(`cron_common_crontab_template',` + gen_require(` -+ type crond_t, crond_var_run_t; ++ type crond_t, crond_var_run_t, crontab_exec_t; ++ type cron_spool_t, user_cron_spool_t; + ') + ############################## # # Declarations -@@ -34,8 +38,12 @@ template(`cron_common_crontab_template',` +@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',` allow $1_t self:process { setsched signal_perms }; allow $1_t self:fifo_file rw_fifo_file_perms; @@ -15417,7 +15448,7 @@ index 35241ed..cbd01be 100644 # create files in /var/spool/cron manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -@@ -62,6 +70,7 @@ template(`cron_common_crontab_template',` +@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',` logging_send_syslog_msg($1_t) logging_send_audit_msgs($1_t) @@ -15425,7 +15456,7 @@ index 35241ed..cbd01be 100644 init_dontaudit_write_utmp($1_t) init_read_utmp($1_t) -@@ -76,6 +85,7 @@ template(`cron_common_crontab_template',` +@@ -76,6 +86,7 @@ template(`cron_common_crontab_template',` userdom_use_user_terminals($1_t) # Read user crontabs userdom_read_user_home_content_files($1_t) @@ -15433,7 +15464,7 @@ index 35241ed..cbd01be 100644 tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -106,6 +116,8 @@ template(`cron_common_crontab_template',` +@@ -106,6 +117,8 @@ template(`cron_common_crontab_template',` interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; @@ -15442,7 +15473,7 @@ index 35241ed..cbd01be 100644 ') role $1 types { cronjob_t crontab_t }; -@@ -116,6 +128,13 @@ interface(`cron_role',` +@@ -116,6 +129,13 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -15456,7 +15487,7 @@ index 35241ed..cbd01be 100644 # crontab shows up in user ps ps_process_pattern($2, crontab_t) allow $2 crontab_t:process signal; -@@ -154,27 +173,14 @@ interface(`cron_role',` +@@ -154,27 +174,14 @@ interface(`cron_role',` # interface(`cron_unconfined_role',` gen_require(` @@ -15486,7 +15517,7 @@ index 35241ed..cbd01be 100644 optional_policy(` gen_require(` class dbus send_msg; -@@ -408,7 +414,43 @@ interface(`cron_rw_pipes',` +@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -15531,7 +15562,7 @@ index 35241ed..cbd01be 100644 ') ######################################## -@@ -554,7 +596,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -554,7 +597,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -15540,7 +15571,7 @@ index 35241ed..cbd01be 100644 ') ######################################## -@@ -587,11 +629,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -587,11 +630,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -15556,12 +15587,11 @@ index 35241ed..cbd01be 100644 ') ######################################## -@@ -627,7 +672,48 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +673,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; + type cron_var_run_t; -+ type system_cronjob_var_run_t; ') dontaudit $1 system_cronjob_tmp_t:file write_file_perms; @@ -15606,7 +15636,7 @@ index 35241ed..cbd01be 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..c72dd92 100644 +index f35b243..ff1a1c9 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t) @@ -15884,17 +15914,21 @@ index f35b243..c72dd92 100644 ') optional_policy(` -@@ -497,6 +579,9 @@ optional_policy(` +@@ -497,7 +579,13 @@ optional_policy(` ') optional_policy(` -+ unconfined_dbus_send(crond_t) -+ unconfined_shell_domtrans(crond_t) + unconfined_domain(crond_t) unconfined_domain(system_cronjob_t) ++') ++ ++optional_policy(` ++ unconfined_shell_domtrans(crond_t) ++ unconfined_dbus_send(crond_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,7 +675,10 @@ userdom_manage_user_home_content_sockets(cronjob_t) + +@@ -590,7 +678,10 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -16292,21 +16326,6 @@ index b354128..c725cae 100644 + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') -diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te -index f02cfe4..0cb9ac9 100644 ---- a/policy/modules/services/dcc.te -+++ b/policy/modules/services/dcc.te -@@ -231,8 +231,9 @@ manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) - manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) - files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) - -+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) - manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) --files_pid_filetrans(dccd_t, dccd_var_run_t, file) -+files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir }) - - kernel_read_system_state(dccd_t) - kernel_read_kernel_sysctls(dccd_t) diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te index 8ba9425..d53ee7e 100644 --- a/policy/modules/services/denyhosts.te @@ -16350,6 +16369,27 @@ index 8ba9425..d53ee7e 100644 +optional_policy(` + gnome_dontaudit_search_config(denyhosts_t) +') +diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if +index f706b99..70cf018 100644 +--- a/policy/modules/services/devicekit.if ++++ b/policy/modules/services/devicekit.if +@@ -165,13 +165,13 @@ interface(`devicekit_admin',` + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + ') + +- allow $1 devicekit_t:process { ptrace signal_perms getattr }; ++ allow $1 devicekit_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_t) + +- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; ++ allow $1 devicekit_disk_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_disk_t) + +- allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; ++ allow $1 devicekit_power_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_power_t) + + admin_pattern($1, devicekit_tmp_t) diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index f231f17..6cee08f 100644 --- a/policy/modules/services/devicekit.te @@ -16457,6 +16497,19 @@ index f231f17..6cee08f 100644 vbetool_domtrans(devicekit_power_t) ') + +diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if +index 5e2cea8..aa4da1d 100644 +--- a/policy/modules/services/dhcp.if ++++ b/policy/modules/services/dhcp.if +@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',` + # + interface(`dhcpd_admin',` + gen_require(` +- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; ++ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; + type dhcpd_var_run_t, dhcpd_initrc_exec_t; + ') + diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te index d4424ad..a307b51 100644 --- a/policy/modules/services/dhcp.te @@ -16473,10 +16526,10 @@ index d4424ad..a307b51 100644 dbus_connect_system_bus(dhcpd_t) ') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te -index 22221ad..bd97d09 100644 +index 0c6a473..e723266 100644 --- a/policy/modules/services/djbdns.te +++ b/policy/modules/services/djbdns.te -@@ -22,6 +22,8 @@ djbdns_daemontools_domain_template(tinydns) +@@ -23,6 +23,8 @@ djbdns_daemontools_domain_template(tinydns) # Local policy for axfrdns component # @@ -16685,7 +16738,7 @@ index 298f066..c2570df 100644 /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if -index 6bef7f8..0217906 100644 +index 6bef7f8..1685c5d 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if @@ -20,6 +20,24 @@ interface(`exim_domtrans',` @@ -16740,8 +16793,8 @@ index 6bef7f8..0217906 100644 + type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + -+ allow $1 exim_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, exim_t, exim_t) ++ allow $1 exim_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, exim_t) + + exim_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -16838,21 +16891,18 @@ index 2a69e5e..fd30b02 100644 +optional_policy(` iptables_domtrans(fail2ban_t) ') -diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te -index dc2c044..5f5b57b 100644 ---- a/policy/modules/services/fetchmail.te -+++ b/policy/modules/services/fetchmail.te -@@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms; - allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; - mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) - -+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) - manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) --files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file) -+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) - - kernel_read_kernel_sysctls(fetchmail_t) - kernel_list_proc(fetchmail_t) +diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if +index 6537214..7d64c0a 100644 +--- a/policy/modules/services/fetchmail.if ++++ b/policy/modules/services/fetchmail.if +@@ -18,6 +18,7 @@ interface(`fetchmail_admin',` + type fetchmail_var_run_t; + ') + ++ allow $1 fetchmail_t:process { ptrace signal_perms }; + ps_process_pattern($1, fetchmail_t) + + files_list_etc($1) diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te index 7df52c7..899feaf 100644 --- a/policy/modules/services/fprintd.te @@ -17827,10 +17877,18 @@ index 03742d8..7b9c543 100644 ') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if -index 7cf6763..5b9771e 100644 +index 7cf6763..0d50d0d 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if -@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',` +@@ -51,6 +51,7 @@ interface(`hal_read_state',` + type hald_t; + ') + ++ kernel_search_proc($1) + ps_process_pattern($1, hald_t) + ') + +@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',` ######################################## ## @@ -17839,7 +17897,7 @@ index 7cf6763..5b9771e 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -17856,7 +17914,7 @@ index 7cf6763..5b9771e 100644 ## Read/Write hald PID files. ## ## -@@ -431,3 +450,27 @@ interface(`hal_manage_pid_files',` +@@ -431,3 +451,27 @@ interface(`hal_manage_pid_files',` files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') @@ -17867,7 +17925,7 @@ index 7cf6763..5b9771e 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -17988,11 +18046,36 @@ index 24c6253..e72b063 100644 ######################################## # # Local hald dccm policy +diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if +index 87b4531..777b036 100644 +--- a/policy/modules/services/hddtemp.if ++++ b/policy/modules/services/hddtemp.if +@@ -70,8 +70,4 @@ interface(`hddtemp_admin',` + + admin_pattern($1, hddtemp_etc_t) + files_search_etc($1) +- +- allow $1 hddtemp_t:dir list_dir_perms; +- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) +- kernel_search_proc($1) + ') +diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if +index ecab47a..3aa86f3 100644 +--- a/policy/modules/services/icecast.if ++++ b/policy/modules/services/icecast.if +@@ -173,6 +173,7 @@ interface(`icecast_admin',` + type icecast_t, icecast_initrc_exec_t; + ') + ++ allow $1 icecast_t:process { ptrace signal_perms }; + ps_process_pattern($1, icecast_t) + + # Allow icecast_t to restart the apache service diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te -index a57ffc0..4992511 100644 +index f368bf3..80befb0 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te -@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0) +@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.1) # Declarations # @@ -18007,12 +18090,9 @@ index a57ffc0..4992511 100644 type icecast_t; type icecast_exec_t; init_daemon_domain(icecast_t, icecast_exec_t) -@@ -37,7 +45,16 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) - manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) - files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) + kernel_read_system_state(icecast_t) -+kernel_read_system_state(icecast_t) -+ corenet_tcp_bind_soundd_port(icecast_t) +corenet_tcp_connect_soundd_port(icecast_t) + @@ -18024,16 +18104,6 @@ index a57ffc0..4992511 100644 # Init script handling domain_use_interactive_fds(icecast_t) -@@ -51,5 +68,9 @@ miscfiles_read_localization(icecast_t) - sysnet_dns_name_resolve(icecast_t) - - optional_policy(` -+ apache_read_sys_content(icecast_t) -+') -+ -+optional_policy(` - rtkit_scheduled(icecast_t) - ') diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index 9fab1dc..05119f7 100644 --- a/policy/modules/services/inn.te @@ -18075,7 +18145,7 @@ index 4c9acec..908eb91 100644 /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if -index 9878499..2873e8f 100644 +index 9878499..f17e629 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if @@ -1,17 +1,96 @@ @@ -18149,7 +18219,7 @@ index 9878499..2873e8f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -18491,7 +18561,7 @@ index c62f23e..335fda1 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..e5684f4 100644 +index 3aa8fa7..d15f94d 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -1,5 +1,43 @@ @@ -18564,13 +18634,16 @@ index 3aa8fa7..e5684f4 100644 ## Read the OpenLDAP configuration files. ## ## -@@ -71,6 +128,30 @@ interface(`ldap_stream_connect',` +@@ -69,8 +126,30 @@ interface(`ldap_stream_connect',` + ') + files_search_pids($1) - allow $1 slapd_var_run_t:sock_file write; - allow $1 slapd_t:unix_stream_socket connectto; +- allow $1 slapd_var_run_t:sock_file write; +- allow $1 slapd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) + + optional_policy(` -+ ldap_stream_connect_dirsrv($1) ++ ldap_stream_connect_dirsrv($1) + ') +') + @@ -18590,8 +18663,7 @@ index 3aa8fa7..e5684f4 100644 + ') + + files_search_pids($1) -+ allow $1 dirsrv_var_run_t:sock_file write; -+ allow $1 dirsrv_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ') ######################################## @@ -18677,6 +18749,19 @@ index 6a78de1..02f6985 100644 dev_read_mouse(lircd_t) dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) +diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if +index a4f32f5..d801ec0 100644 +--- a/policy/modules/services/lpd.if ++++ b/policy/modules/services/lpd.if +@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',` + ') + + files_search_spool($1) +- allow $1 print_spool_t:file { relabelto relabelfrom }; ++ allow $1 print_spool_t:file relabel_file_perms; + ') + + ######################################## diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 93c14ca..4d31118 100644 --- a/policy/modules/services/lpd.te @@ -18744,7 +18829,7 @@ index af4d572..ac97ed9 100644 \ No newline at end of file +') diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if -index db4fd6f..c28a876 100644 +index db4fd6f..ee60e59 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if @@ -59,6 +59,7 @@ interface(`memcached_admin',` @@ -18755,6 +18840,13 @@ index db4fd6f..c28a876 100644 ') allow $1 memcached_t:process { ptrace signal_perms }; +@@ -69,5 +70,6 @@ interface(`memcached_admin',` + role_transition $2 memcached_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_pids($1) + admin_pattern($1, memcached_var_run_t) + ') diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc index 55a3e2f..613c69d 100644 --- a/policy/modules/services/milter.fc @@ -19334,10 +19426,10 @@ index 0000000..564b22d +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if new file mode 100644 -index 0000000..07dac12 +index 0000000..5599d14 --- /dev/null +++ b/policy/modules/services/mpd.if -@@ -0,0 +1,274 @@ +@@ -0,0 +1,273 @@ + +## policy for daemon for playing music + @@ -19393,7 +19485,6 @@ index 0000000..07dac12 + type mpd_data_t; + ') + -+ files_search_var_lib($1) + mpd_search_lib($1) + read_files_pattern($1, mpd_data_t, mpd_data_t) +') @@ -19413,8 +19504,7 @@ index 0000000..07dac12 + type mpd_tmpfs_t; + ') + -+ files_search_var_lib($1) -+ mpd_search_lib($1) ++ fs_search_tmpfs($1) + read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + @@ -19433,8 +19523,7 @@ index 0000000..07dac12 + type mpd_tmpfs_t; + ') + -+ files_search_var_lib($1) -+ mpd_search_lib($1) ++ fs_search_tmpfs($1) + manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) + manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') @@ -19454,7 +19543,6 @@ index 0000000..07dac12 + type mpd_data_t; + ') + -+ files_search_var_lib($1) + mpd_search_lib($1) + manage_files_pattern($1, mpd_data_t, mpd_data_t) +') @@ -19590,6 +19678,7 @@ index 0000000..07dac12 + type mpd_data_t; + type mpd_log_t; + type mpd_var_lib_t; ++ type mpd_tmpfs_t; + ') + + allow $1 mpd_t:process { ptrace signal_perms }; @@ -19611,6 +19700,8 @@ index 0000000..07dac12 + + admin_pattern($1, mpd_log_t) + ++ fs_search_tmpfs($1) ++ admin_pattern($1, mpd_tmpfs_t) +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 @@ -20133,7 +20224,7 @@ index fd71d69..bad9920 100644 /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if -index c358d8f..5046738 100644 +index c358d8f..dda8ca9 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -13,10 +13,11 @@ @@ -20169,7 +20260,18 @@ index c358d8f..5046738 100644 ') ######################################## -@@ -92,6 +84,24 @@ interface(`munin_read_config',` +@@ -65,9 +57,8 @@ interface(`munin_stream_connect',` + type munin_var_run_t, munin_t; + ') + +- allow $1 munin_t:unix_stream_socket connectto; +- allow $1 munin_var_run_t:sock_file { getattr write }; + files_search_pids($1) ++ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) + ') + + ####################################### +@@ -92,6 +83,24 @@ interface(`munin_read_config',` files_search_etc($1) ') @@ -20375,6 +20477,18 @@ index f17583b..13d365d 100644 +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) +diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if +index e9c0982..b81e257 100644 +--- a/policy/modules/services/mysql.if ++++ b/policy/modules/services/mysql.if +@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',` + type mysqld_t, mysqld_var_run_t, mysqld_db_t; + ') + ++ files_search_pids($1) + stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) + stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) + ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 0a0d63c..b370d53 100644 --- a/policy/modules/services/mysql.te @@ -20842,19 +20956,37 @@ index 7936e09..6a174f5 100644 +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') -diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te -index 21360e8..b314c0d 100644 ---- a/policy/modules/services/nslcd.te -+++ b/policy/modules/services/nslcd.te -@@ -34,6 +34,8 @@ manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) - manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) - files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if +index 23c769c..b94add1 100644 +--- a/policy/modules/services/nslcd.if ++++ b/policy/modules/services/nslcd.if +@@ -106,9 +106,9 @@ interface(`nslcd_admin',` + role_transition $2 nslcd_initrc_exec_t system_r; + allow $2 system_r; -+kernel_read_system_state(nslcd_t) -+ - files_read_etc_files(nslcd_t) +- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) ++ files_search_etc($1) ++ admin_pattern($1, nslcd_conf_t) + +- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) +- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) +- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ++ files_search_pids($1) ++ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) + ') +diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if +index e80f8c0..6b240d9 100644 +--- a/policy/modules/services/ntp.if ++++ b/policy/modules/services/ntp.if +@@ -144,7 +144,7 @@ interface(`ntp_admin',` + type ntpd_initrc_exec_t; + ') - auth_use_nsswitch(nslcd_t) +- allow $1 ntpd_t:process { ptrace signal_perms getattr }; ++ allow $1 ntpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ntpd_t) + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index c61adc8..b5b5992 100644 --- a/policy/modules/services/ntp.te @@ -20872,38 +21004,6 @@ index c61adc8..b5b5992 100644 term_use_ptmx(ntpd_t) -diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te -index 181bd88..35b9bfa 100644 ---- a/policy/modules/services/nut.te -+++ b/policy/modules/services/nut.te -@@ -41,7 +41,7 @@ read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) - manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) - manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) --files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file }) -+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file dir }) - - kernel_read_kernel_sysctls(nut_upsd_t) - -@@ -65,6 +65,7 @@ miscfiles_read_localization(nut_upsd_t) - allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; - allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; - allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; - allow nut_upsmon_t self:tcp_socket create_socket_perms; - - read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) -@@ -103,6 +104,10 @@ miscfiles_read_localization(nut_upsmon_t) - - mta_send_mail(nut_upsmon_t) - -+optional_policy(` -+ shutdown_domtrans(nut_upsmon_t) -+') -+ - ######################################## - # - # Local policy for upsdrvctl diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if index 79a225c..b1384ad 100644 --- a/policy/modules/services/nx.if @@ -20951,7 +21051,7 @@ index bdf8c89..5ee1598 100644 /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if -index bd76ec2..85f6ada 100644 +index bd76ec2..ca33ae3 100644 --- a/policy/modules/services/oddjob.if +++ b/policy/modules/services/oddjob.if @@ -22,6 +22,25 @@ interface(`oddjob_domtrans',` @@ -20965,7 +21065,7 @@ index bd76ec2..85f6ada 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -21040,22 +21140,6 @@ index 0a244b1..9097656 100644 logging_send_syslog_msg(oidentd_t) -diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te -index 4996f62..975deca 100644 ---- a/policy/modules/services/openct.te -+++ b/policy/modules/services/openct.te -@@ -20,9 +20,10 @@ files_pid_file(openct_var_run_t) - dontaudit openct_t self:capability sys_tty_config; - allow openct_t self:process signal_perms; - -+manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) - manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) - manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) --files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file }) -+files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file dir }) - - kernel_read_kernel_sysctls(openct_t) - kernel_list_proc(openct_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 8b550f4..ba7c06b 100644 --- a/policy/modules/services/openvpn.te @@ -21132,6 +21216,20 @@ index 8b550f4..ba7c06b 100644 +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') +diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if +index 8ac407e..4452d3b 100644 +--- a/policy/modules/services/pads.if ++++ b/policy/modules/services/pads.if +@@ -39,6 +39,9 @@ interface(`pads_admin', ` + role_transition $2 pads_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_pids($1) + admin_pattern($1, pads_var_run_t) ++ ++ files_search_etc($1) + admin_pattern($1, pads_config_t) + ') diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc new file mode 100644 index 0000000..8d00972 @@ -21293,20 +21391,6 @@ index 0000000..9cb0d1c + apache_append_log(passenger_t) + apache_read_sys_content(passenger_t) +') -diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te -index b881672..da06e9f 100644 ---- a/policy/modules/services/pcscd.te -+++ b/policy/modules/services/pcscd.te -@@ -44,7 +44,8 @@ corenet_tcp_connect_http_port(pcscd_t) - dev_rw_generic_usb_dev(pcscd_t) - dev_rw_smartcard(pcscd_t) - dev_rw_usbfs(pcscd_t) --dev_search_sysfs(pcscd_t) -+dev_list_sysfs(pcscd_t) -+dev_read_sysfs(pcscd_t) - - files_read_etc_files(pcscd_t) - files_read_etc_runtime_files(pcscd_t) diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index 3185114..e2e2f67 100644 --- a/policy/modules/services/pegasus.te @@ -21831,6 +21915,27 @@ index 0000000..0a5f27d +miscfiles_read_localization(piranha_domain) + +sysnet_read_config(piranha_domain) +diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if +index 9759ed8..fecc0dc 100644 +--- a/policy/modules/services/plymouthd.if ++++ b/policy/modules/services/plymouthd.if +@@ -249,12 +249,14 @@ interface(`plymouthd_admin', ` + type plymouthd_var_run_t; + ') + +- allow $1 plymouthd_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, plymouthd_t, plymouthd_t) ++ allow $1 plymouthd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, plymouthd_t) + ++ files_search_var_lib($1) + admin_pattern($1, plymouthd_spool_t) + + admin_pattern($1, plymouthd_var_lib_t) + ++ files_search_pids($1) + admin_pattern($1, plymouthd_var_run_t) + ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te index fb8dc84..c30505a 100644 --- a/policy/modules/services/plymouthd.te @@ -22183,7 +22288,7 @@ index c69d047..1d9fa76 100644 /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if -index 10300a0..4af4422 100644 +index 10300a0..d91c1f5 100644 --- a/policy/modules/services/portreserve.if +++ b/policy/modules/services/portreserve.if @@ -18,6 +18,24 @@ interface(`portreserve_domtrans',` @@ -22238,8 +22343,8 @@ index 10300a0..4af4422 100644 + type portreserve_initrc_exec_t, portreserve_var_run_t; + ') + -+ allow $1 portreserve_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, portreserve_t, portreserve_t) ++ allow $1 portreserve_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, portreserve_t) + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -22305,7 +22410,7 @@ index 55e62d2..c114a40 100644 /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..b6d763d 100644 +index 46bee12..cfcbac7 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -77,6 +77,7 @@ template(`postfix_domain_template',` @@ -22457,26 +22562,26 @@ index 46bee12..b6d763d 100644 + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + ') + -+ allow $1 postfix_bounce_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_bounce_t, postfix_bounce_t) ++ allow $1 postfix_bounce_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_bounce_t) + -+ allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t) ++ allow $1 postfix_cleanup_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_cleanup_t) + -+ allow $1 postfix_local_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_local_t, postfix_local_t) ++ allow $1 postfix_local_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_local_t) + -+ allow $1 postfix_master_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_master_t, postfix_master_t) ++ allow $1 postfix_master_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_master_t) + -+ allow $1 postfix_pickup_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_pickup_t, postfix_pickup_t) ++ allow $1 postfix_pickup_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_pickup_t) + -+ allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t) ++ allow $1 postfix_qmgr_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_qmgr_t) + -+ allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t) ++ allow $1 postfix_smtpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_smtpd_t) + + postfix_run_map($1,$2) + postfix_run_postdrop($1,$2) @@ -22696,23 +22801,42 @@ index 06e37d4..87043e1 100644 +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) +diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if +index 539a7c9..2c6b723 100644 +--- a/policy/modules/services/postgresql.if ++++ b/policy/modules/services/postgresql.if +@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',` + ') + + files_search_pids($1) +- allow $1 postgresql_t:unix_stream_socket connectto; +- allow $1 postgresql_var_run_t:sock_file write; +- # Some versions of postgresql put the sock file in /tmp +- allow $1 postgresql_tmp_t:sock_file write; ++ files_search_tmp($1) ++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) + ') + + ######################################## +@@ -441,10 +439,13 @@ interface(`postgresql_admin',` + + admin_pattern($1, postgresql_var_run_t) + ++ files_search_var_lib($1) + admin_pattern($1, postgresql_db_t) + ++ files_search_etc($1) + admin_pattern($1, postgresql_etc_t) + ++ logging_search_logs($1) + admin_pattern($1, postgresql_log_t) + + admin_pattern($1, postgresql_tmp_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index c0652ec..0ed1671 100644 +index 39abf57..4a85c12 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te -@@ -202,9 +202,10 @@ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) - files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) - fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) - -+manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) - manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) - manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) --files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) -+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(postgresql_t) - kernel_read_system_state(postgresql_t) -@@ -250,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -22722,22 +22846,28 @@ index c0652ec..0ed1671 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te -index 2c066b0..afaf453 100644 ---- a/policy/modules/services/postgrey.te -+++ b/policy/modules/services/postgrey.te -@@ -47,9 +47,10 @@ manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) - manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) - files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) - -+manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) - manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) - manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) --files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file }) -+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file dir }) - - kernel_read_system_state(postgrey_t) - kernel_read_kernel_sysctls(postgrey_t) +diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if +index b524673..f916c76 100644 +--- a/policy/modules/services/ppp.if ++++ b/policy/modules/services/ppp.if +@@ -360,7 +360,7 @@ interface(`ppp_admin',` + type pppd_initrc_exec_t; + ') + +- allow $1 pppd_t:process { ptrace signal_perms getattr }; ++ allow $1 pppd_t:process { ptrace signal_perms }; + ps_process_pattern($1, pppd_t) + + ppp_initrc_domtrans($1) +@@ -386,7 +386,7 @@ interface(`ppp_admin',` + files_list_pids($1) + admin_pattern($1, pppd_var_run_t) + +- allow $1 pptp_t:process { ptrace signal_perms getattr }; ++ allow $1 pptp_t:process { ptrace signal_perms }; + ps_process_pattern($1, pptp_t) + + admin_pattern($1, pptp_log_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index 2af42e7..74f07f8 100644 --- a/policy/modules/services/ppp.te @@ -22783,22 +22913,40 @@ index 2af42e7..74f07f8 100644 kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) -diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te -index 4d66b76..3a12d03 100644 ---- a/policy/modules/services/prelude.te -+++ b/policy/modules/services/prelude.te -@@ -72,9 +72,10 @@ manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) - manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) - files_search_var_lib(prelude_t) - -+manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) - manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) - manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) --files_pid_filetrans(prelude_t, prelude_var_run_t, file) -+files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) - - kernel_read_system_state(prelude_t) - kernel_read_sysctl(prelude_t) +diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if +index 2316653..e4d8797 100644 +--- a/policy/modules/services/prelude.if ++++ b/policy/modules/services/prelude.if +@@ -136,9 +136,16 @@ interface(`prelude_admin',` + allow $2 system_r; + + admin_pattern($1, prelude_spool_t) ++ ++ files_search_var_lib($1) + admin_pattern($1, prelude_var_lib_t) ++ ++ files_search_pids($1) + admin_pattern($1, prelude_var_run_t) + admin_pattern($1, prelude_audisp_var_run_t) ++ ++ files_search_tmp($1) + admin_pattern($1, prelude_lml_tmp_t) ++ + admin_pattern($1, prelude_lml_var_run_t) + ') +diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if +index 1da26dc..c8f6cb5 100644 +--- a/policy/modules/services/privoxy.if ++++ b/policy/modules/services/privoxy.if +@@ -24,7 +24,7 @@ interface(`privoxy_admin',` + type privoxy_initrc_exec_t; + ') + +- allow $1 privoxy_t:process { ptrace signal_perms getattr }; ++ allow $1 privoxy_t:process { ptrace signal_perms }; + ps_process_pattern($1, privoxy_t) + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te index 0d295a8..19138e1 100644 --- a/policy/modules/services/privoxy.te @@ -22971,7 +23119,7 @@ index d4000e0..c23cd14 100644 fs_getattr_all_fs(psad_t) diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..3588ebb 100644 +index 64c5f95..9587224 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) @@ -22987,21 +23135,21 @@ index 64c5f95..3588ebb 100644 allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) -+allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto }; ++allow puppetmaster_t puppet_log_t:file relabel_file_perms; manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -+allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto }; ++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) -+allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto }; ++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) -+allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto }; ++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_system_state(puppetmaster_t) @@ -23200,7 +23348,7 @@ index 0000000..f3b89e4 +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if new file mode 100644 -index 0000000..039bd27 +index 0000000..5dbca44 --- /dev/null +++ b/policy/modules/services/qpidd.if @@ -0,0 +1,236 @@ @@ -23385,8 +23533,8 @@ index 0000000..039bd27 + type qpidd_t; + ') + -+ allow $1 qpidd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, qpidd_t, qpidd_t) ++ allow $1 qpidd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, qpidd_t) + + + gen_require(` @@ -23505,6 +23653,19 @@ index 0000000..cf9a327 +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) +diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if +index 9a78598..8f132e7 100644 +--- a/policy/modules/services/radius.if ++++ b/policy/modules/services/radius.if +@@ -38,7 +38,7 @@ interface(`radius_admin',` + type radiusd_initrc_exec_t; + ') + +- allow $1 radiusd_t:process { ptrace signal_perms getattr }; ++ allow $1 radiusd_t:process { ptrace signal_perms }; + ps_process_pattern($1, radiusd_t) + + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index db6296a..b3f1fd3 100644 --- a/policy/modules/services/radius.te @@ -23537,21 +23698,6 @@ index db6296a..b3f1fd3 100644 samba_read_var_files(radiusd_t) ') -diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te -index 87fdb1c..2943342 100644 ---- a/policy/modules/services/radvd.te -+++ b/policy/modules/services/radvd.te -@@ -33,8 +33,9 @@ allow radvd_t self:fifo_file rw_file_perms; - - allow radvd_t radvd_etc_t:file read_file_perms; - -+manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) - manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) --files_pid_filetrans(radvd_t, radvd_var_run_t, file) -+files_pid_filetrans(radvd_t, radvd_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(radvd_t) - kernel_rw_net_sysctls(radvd_t) diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc index 1efba0c..71d657c 100644 --- a/policy/modules/services/razor.fc @@ -23562,10 +23708,10 @@ index 1efba0c..71d657c 100644 /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if -index f04a595..9011506 100644 +index f04a595..13ad2fe 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if -@@ -157,3 +157,45 @@ interface(`razor_domtrans',` +@@ -157,3 +157,44 @@ interface(`razor_domtrans',` domtrans_pattern($1, razor_exec_t, razor_t) ') @@ -23586,7 +23732,6 @@ index f04a595..9011506 100644 + type razor_home_t; + ') + -+ files_search_home($1) + userdom_search_user_home_dirs($1) + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) @@ -23686,6 +23831,19 @@ index 0a76027..cdd0542 100644 unconfined_shell_domtrans(remote_login_t) ') +diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if +index d457736..eabdd78 100644 +--- a/policy/modules/services/resmgr.if ++++ b/policy/modules/services/resmgr.if +@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',` + type resmgrd_var_run_t, resmgrd_t; + ') + +- allow $1 resmgrd_t:unix_stream_socket connectto; +- allow $1 resmgrd_var_run_t:sock_file { getattr write }; + files_search_pids($1) ++ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) + ') diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc index 3c97ef0..c025d59 100644 --- a/policy/modules/services/rgmanager.fc @@ -23697,7 +23855,7 @@ index 3c97ef0..c025d59 100644 /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if -index 7dc38d1..91dbe71 100644 +index 7dc38d1..aaf7c85 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',` @@ -23747,7 +23905,7 @@ index 7dc38d1..91dbe71 100644 + ') + + allow $1 rgmanager_t:process { ptrace signal_perms }; -+ read_files_pattern($1, rgmanager_t, rgmanager_t) ++ ps_process_pattern($1, rgmanager_t) + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) @@ -23829,7 +23987,7 @@ index 00fa514..9ab1d80 100644 mysql_stream_connect(rgmanager_t) ') diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc -index c2ba53b..b19961e 100644 +index c2ba53b..a8676c7 100644 --- a/policy/modules/services/rhcs.fc +++ b/policy/modules/services/rhcs.fc @@ -1,6 +1,7 @@ @@ -23840,8 +23998,16 @@ index c2ba53b..b19961e 100644 /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) +@@ -9,6 +10,7 @@ + + /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) + ++/var/log/cluster/.*\.*log <> + /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) + /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) + /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if -index de37806..6928301 100644 +index de37806..d8b97c2 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -14,6 +14,8 @@ @@ -23937,7 +24103,7 @@ index de37806..6928301 100644 ###################################### ## ## Execute a domain transition to run qdiskd. -@@ -353,3 +416,21 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -353,3 +416,40 @@ interface(`rhcs_domtrans_qdiskd',` corecmd_search_bin($1) domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) ') @@ -23959,8 +24125,27 @@ index de37806..6928301 100644 + + allow $1 qdiskd_tmpfs_t:file read_file_perms; +') ++ ++###################################### ++## ++## Allow domain to read cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_read_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te -index 93c896a..68f2b99 100644 +index 93c896a..1ebc84d 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -13,6 +13,8 @@ policy_module(rhcs, 1.1.0) @@ -23972,7 +24157,18 @@ index 93c896a..68f2b99 100644 rhcs_domain_template(dlm_controld) -@@ -55,17 +57,13 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -33,6 +35,10 @@ rhcs_domain_template(qdiskd) + type qdiskd_var_lib_t; + files_type(qdiskd_var_lib_t) + ++# type for cluster lib files ++type cluster_var_lib_t; ++files_type(cluster_var_lib_t) ++ + ##################################### + # + # dlm_controld local policy +@@ -55,17 +61,13 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -23991,7 +24187,7 @@ index 93c896a..68f2b99 100644 allow fenced_t self:tcp_socket create_stream_socket_perms; allow fenced_t self:udp_socket create_socket_perms; -@@ -82,7 +80,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -82,7 +84,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -24002,15 +24198,22 @@ index 93c896a..68f2b99 100644 corenet_tcp_connect_http_port(fenced_t) -@@ -106,7 +107,6 @@ tunable_policy(`fenced_can_network_connect',` +@@ -104,9 +109,13 @@ tunable_policy(`fenced_can_network_connect',` + corenet_tcp_connect_all_ports(fenced_t) + ') ++# needed by fence_scsi ++optional_policy(` ++ corosync_exec(fenced_t) ++') ++ optional_policy(` ccs_read_config(fenced_t) - ccs_stream_connect(fenced_t) ') optional_policy(` -@@ -139,10 +139,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -24021,7 +24224,7 @@ index 93c896a..68f2b99 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -168,7 +164,7 @@ init_rw_script_tmp_files(groupd_t) +@@ -168,7 +173,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # @@ -24030,7 +24233,7 @@ index 93c896a..68f2b99 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -207,10 +203,6 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -24041,7 +24244,15 @@ index 93c896a..68f2b99 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -236,5 +228,9 @@ logging_send_syslog_msg(cluster_domain) +@@ -231,10 +232,17 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms; + allow cluster_domain self:unix_stream_socket create_stream_socket_perms; + allow cluster_domain self:unix_dgram_socket create_socket_perms; + ++manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) ++manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) ++ + logging_send_syslog_msg(cluster_domain) + miscfiles_read_localization(cluster_domain) optional_policy(` @@ -24063,7 +24274,7 @@ index 5b08327..ed5dc05 100644 /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if -index f7826f9..f326085 100644 +index f7826f9..ecc341c 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -18,6 +18,24 @@ interface(`ricci_domtrans',` @@ -24091,10 +24302,17 @@ index f7826f9..f326085 100644 ######################################## ## ## Execute a domain transition to run ricci_modcluster. -@@ -96,6 +114,24 @@ interface(`ricci_stream_connect_modclusterd',` +@@ -90,8 +108,25 @@ interface(`ricci_stream_connect_modclusterd',` + ') - ######################################## - ## + files_search_pids($1) +- allow $1 ricci_modcluster_var_run_t:sock_file write; +- allow $1 ricci_modclusterd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) ++') ++ ++######################################## ++## +## Read and write to ricci_modcluserd temporary file system. +## +## @@ -24109,14 +24327,10 @@ index f7826f9..f326085 100644 + ') + + allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms; -+') -+ -+######################################## -+## - ## Execute a domain transition to run ricci_modlog. - ## - ## -@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',` + ') + + ######################################## +@@ -165,3 +200,67 @@ interface(`ricci_domtrans_modstorage',` domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') @@ -24312,7 +24526,7 @@ index 779fa44..29a5d0d 100644 remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if -index cda37bb..b0eac5b 100644 +index cda37bb..b65be0c 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -246,6 +246,26 @@ interface(`rpc_domtrans_rpcd',` @@ -24346,7 +24560,7 @@ index cda37bb..b0eac5b 100644 files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ++ allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 8e1ab72..9ae080e 100644 @@ -24428,10 +24642,20 @@ index f5c47d6..5a965e9 100644 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if -index a96249c..ca97ead 100644 +index a96249c..5a4d69d 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if -@@ -141,7 +141,7 @@ interface(`rpcbind_admin',` +@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',` + ') + + files_search_pids($1) +- allow $1 rpcbind_var_run_t:sock_file write; +- allow $1 rpcbind_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) + ') + + ######################################## +@@ -141,8 +140,14 @@ interface(`rpcbind_admin',` allow $1 rpcbind_t:process { ptrace signal_perms }; ps_process_pattern($1, rpcbind_t) @@ -24440,6 +24664,13 @@ index a96249c..ca97ead 100644 domain_system_change_exemption($1) role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, rpcbind_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, rpcbind_var_run_t) + ') diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te index d6d76e1..9cb5e25 100644 --- a/policy/modules/services/rpcbind.te @@ -24671,7 +24902,7 @@ index 69a6074..73db5ba 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..89935be 100644 +index 82cb169..84732e5 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -79,6 +79,25 @@ interface(`samba_domtrans_net',` @@ -24700,7 +24931,7 @@ index 82cb169..89935be 100644 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -103,6 +122,50 @@ interface(`samba_run_net',` +@@ -103,6 +122,51 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') @@ -24713,6 +24944,7 @@ index 82cb169..89935be 100644 +## The role to be allowed the samba_net domain. +## +## ++## +# +template(`samba_role_notrans',` + gen_require(` @@ -24751,7 +24983,7 @@ index 82cb169..89935be 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -412,6 +475,7 @@ interface(`samba_manage_var_files',` +@@ -412,6 +476,7 @@ interface(`samba_manage_var_files',` files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) @@ -24759,6 +24991,25 @@ index 82cb169..89935be 100644 ') ######################################## +@@ -419,15 +484,14 @@ interface(`samba_manage_var_files',` + ## Execute a domain transition to run smbcontrol. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`samba_domtrans_smbcontrol',` + gen_require(` +- type smbcontrol_t; +- type smbcontrol_exec_t; ++ type smbcontrol_t, smbcontrol_exec_t; + ') + + domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) @@ -564,6 +628,7 @@ interface(`samba_domtrans_winbind_helper',` ') @@ -24767,7 +25018,7 @@ index 82cb169..89935be 100644 ') ######################################## -@@ -644,6 +709,36 @@ interface(`samba_stream_connect_winbind',` +@@ -644,6 +709,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -24783,7 +25034,9 @@ index 82cb169..89935be 100644 +template(`samba_helper_template',` + gen_require(` + type smbd_t; ++ role system_r; + ') ++ + #This type is for samba helper scripts + type samba_$1_script_t; + domain_type(samba_$1_script_t) @@ -24796,7 +25049,6 @@ index 82cb169..89935be 100644 + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; -+ +') + +######################################## @@ -24804,35 +25056,44 @@ index 82cb169..89935be 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -664,7 +759,7 @@ interface(`samba_admin',` - type nmbd_t, nmbd_var_run_t; - type smbd_t, smbd_tmp_t; - type smbd_var_run_t; +@@ -661,21 +757,13 @@ interface(`samba_stream_connect_winbind',` + # + interface(`samba_admin',` + gen_require(` +- type nmbd_t, nmbd_var_run_t; +- type smbd_t, smbd_tmp_t; +- type smbd_var_run_t; - type smbd_spool_t; -+ type samba_initrc_exec_t; - - type samba_log_t, samba_var_t; - type samba_etc_t, samba_share_t; -@@ -675,7 +770,7 @@ interface(`samba_admin',` +- +- type samba_log_t, samba_var_t; +- type samba_etc_t, samba_share_t; +- type samba_secrets_t; +- ++ type nmbd_t, nmbd_var_run_t, smbd_var_run_t; ++ type smbd_t, smbd_tmp_t, samba_secrets_t; ++ type samba_initrc_exec_t, samba_log_t, samba_var_t; ++ type samba_etc_t, samba_share_t, winbind_log_t; + type swat_var_run_t, swat_tmp_t; +- type winbind_var_run_t, winbind_tmp_t; - type winbind_log_t; - +- type winbind_log_t; +- - type samba_initrc_exec_t; + type samba_unconfined_script_t, samba_unconfined_script_exec_t; ') allow $1 smbd_t:process { ptrace signal_perms }; -@@ -684,6 +779,9 @@ interface(`samba_admin',` +@@ -684,6 +772,9 @@ interface(`samba_admin',` allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) -+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) -+ ++ allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, samba_unconfined_script_t) ++ samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -709,9 +807,6 @@ interface(`samba_admin',` +@@ -709,9 +800,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) @@ -24842,7 +25103,7 @@ index 82cb169..89935be 100644 admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +822,5 @@ interface(`samba_admin',` +@@ -727,4 +815,5 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -25051,6 +25312,19 @@ index e30bb63..2a5981d 100644 +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') +diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if +index f1aea88..c3ffa9d 100644 +--- a/policy/modules/services/sasl.if ++++ b/policy/modules/services/sasl.if +@@ -42,7 +42,7 @@ interface(`sasl_admin',` + type saslauthd_initrc_exec_t; + ') + +- allow $1 saslauthd_t:process { ptrace signal_perms getattr }; ++ allow $1 saslauthd_t:process { ptrace signal_perms }; + ps_process_pattern($1, saslauthd_t) + + init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 22184ad..87810ec 100644 --- a/policy/modules/services/sasl.te @@ -25086,35 +25360,56 @@ index a86ec50..ef4199b 100644 /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if -index 7e94c7c..4f7eb51 100644 +index 7e94c7c..cf9fdcd 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if -@@ -57,6 +57,24 @@ interface(`sendmail_domtrans',` - allow sendmail_t $1:process sigchld; - ') +@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',` + ') + mta_sendmail_domtrans($1, sendmail_t) ++') ++ +####################################### +## +## Execute sendmail in the sendmail domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`sendmail_initrc_domtrans', ` -+ gen_require(` -+ type sendmail_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t) -+') -+ ++interface(`sendmail_initrc_domtrans',` ++ gen_require(` ++ type sendmail_initrc_exec_t; ++ ') + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_file_perms; +- allow sendmail_t $1:process sigchld; ++ init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + ') + ######################################## - ## - ## Execute the sendmail program in the sendmail domain. -@@ -295,3 +313,50 @@ interface(`sendmail_run_unconfined',` +@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',` + type sendmail_t; + ') + +- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; ++ allow $1 sendmail_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` + type sendmail_t; + ') + +- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; ++ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -295,3 +309,50 @@ interface(`sendmail_run_unconfined',` sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') @@ -25143,11 +25438,11 @@ index 7e94c7c..4f7eb51 100644 + type mail_spool_t; + ') + -+ allow $1 sendmail_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, sendmail_t, sendmail_t) ++ allow $1 sendmail_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sendmail_t) + -+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t) ++ allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, unconfined_sendmail_t) + + sendmail_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -25232,7 +25527,7 @@ index 22dac1f..b6781d5 100644 + unconfined_domain_noaudit(unconfined_sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if -index 22dfeb4..9dc4091 100644 +index 22dfeb4..a7fbedc 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if @@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',` @@ -25243,7 +25538,7 @@ index 22dfeb4..9dc4091 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -25344,6 +25639,27 @@ index 086cd5f..679558c 100644 optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) +diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if +index adea9f9..d5b2d93 100644 +--- a/policy/modules/services/smartmon.if ++++ b/policy/modules/services/smartmon.if +@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',` + type fsdaemon_tmp_t; + ') + ++ files_search_tmp($1) + allow $1 fsdaemon_tmp_t:file read_file_perms; + ') + +@@ -41,7 +42,7 @@ interface(`smartmon_admin',` + type fsdaemon_initrc_exec_t; + ') + +- allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; ++ allow $1 fsdaemon_t:process { ptrace signal_perms }; + ps_process_pattern($1, fsdaemon_t) + + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 4804f14..894f62d 100644 --- a/policy/modules/services/smartmon.te @@ -25357,6 +25673,22 @@ index 4804f14..894f62d 100644 term_dontaudit_search_ptys(fsdaemon_t) +diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if +index 824d206..8265278 100644 +--- a/policy/modules/services/smokeping.if ++++ b/policy/modules/services/smokeping.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run smokeping. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`smokeping_domtrans',` diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te index 4ca5449..058bfc9 100644 --- a/policy/modules/services/smokeping.te @@ -25390,6 +25722,56 @@ index 623c8fa..ac10740 100644 /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) +diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if +index 275f9fb..6aa68d8 100644 +--- a/policy/modules/services/snmp.if ++++ b/policy/modules/services/snmp.if +@@ -11,12 +11,12 @@ + ## + # + interface(`snmp_stream_connect',` +- gen_require(` ++ gen_require(` + type snmpd_t, snmpd_var_lib_t; +- ') ++ ') + +- files_search_var_lib($1) +- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) ++ files_search_var_lib($1) ++ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) + ') + + ######################################## +@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',` + type snmpd_var_lib_t; + ') + ++ files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; + read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') ++ + dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; + dontaudit $1 snmpd_var_lib_t:file read_file_perms; +- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; ++ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -128,7 +130,7 @@ interface(`snmp_admin',` + type snmpd_initrc_exec_t; + ') + +- allow $1 snmpd_t:process { ptrace signal_perms getattr }; ++ allow $1 snmpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, snmpd_t) + + init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 3d8d1b3..b5cd366 100644 --- a/policy/modules/services/snmp.te @@ -25422,26 +25804,22 @@ index 3d8d1b3..b5cd366 100644 auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) -diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te -index bf59f60..814a47a 100644 ---- a/policy/modules/services/snort.te -+++ b/policy/modules/services/snort.te -@@ -61,6 +61,7 @@ kernel_list_proc(snort_t) - kernel_read_proc_symlinks(snort_t) - kernel_request_load_module(snort_t) - kernel_dontaudit_read_system_state(snort_t) -+kernel_read_network_state(snort_t) - - corenet_all_recvfrom_unlabeled(snort_t) - corenet_all_recvfrom_netlabel(snort_t) -@@ -77,6 +78,7 @@ corenet_tcp_connect_prelude_port(snort_t) - dev_read_sysfs(snort_t) - dev_read_rand(snort_t) - dev_read_urand(snort_t) -+dev_read_usbmon_dev(snort_t) - # Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon - # Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? - dev_rw_generic_usb_dev(snort_t) +diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if +index c117e8b..215f425 100644 +--- a/policy/modules/services/snort.if ++++ b/policy/modules/services/snort.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run snort. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`snort_domtrans',` diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc index 6b3abf9..540981f 100644 --- a/policy/modules/services/spamassassin.fc @@ -25476,10 +25854,40 @@ index 6b3abf9..540981f 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..76cfada 100644 +index c954f31..7f57f22 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if -@@ -111,6 +111,45 @@ interface(`spamassassin_domtrans_client',` +@@ -14,6 +14,7 @@ + ## User domain for the role + ## + ## ++## + # + interface(`spamassassin_role',` + gen_require(` +@@ -25,9 +26,13 @@ interface(`spamassassin_role',` + role $1 types { spamc_t spamassassin_t }; + + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) ++ ++ allow $2 spamassassin_t:process { ptrace signal_perms }; + ps_process_pattern($2, spamassassin_t) + + domtrans_pattern($2, spamc_exec_t, spamc_t) ++ ++ allow $2 spamc_t:process { ptrace signal_perms }; + ps_process_pattern($2, spamc_t) + + manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) +@@ -55,7 +60,6 @@ interface(`spamassassin_exec',` + ') + + can_exec($1, spamassassin_exec_t) +- + ') + + ######################################## +@@ -111,6 +115,46 @@ interface(`spamassassin_domtrans_client',` ') domtrans_pattern($1, spamc_exec_t, spamc_t) @@ -25519,13 +25927,14 @@ index c954f31..76cfada 100644 + type spamc_home_t; + ') + ++ userdom_search_user_home_dirs($1) + manage_dirs_pattern($1, spamc_home_t, spamc_home_t) + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') ######################################## -@@ -166,7 +205,9 @@ interface(`spamassassin_read_lib_files',` +@@ -166,7 +210,9 @@ interface(`spamassassin_read_lib_files',` ') files_search_var_lib($1) @@ -25535,10 +25944,21 @@ index c954f31..76cfada 100644 ') ######################################## -@@ -225,3 +266,69 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +@@ -204,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',` + type spamd_tmp_t; + ') - dontaudit $1 spamd_tmp_t:sock_file getattr; ++ files_search_tmp($1) + allow $1 spamd_tmp_t:file read_file_perms; ') + +@@ -223,5 +270,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` + type spamd_tmp_t; + ') + +- dontaudit $1 spamd_tmp_t:sock_file getattr; ++ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; ++') + +######################################## +## @@ -25552,9 +25972,10 @@ index c954f31..76cfada 100644 +# +interface(`spamd_stream_connect',` + gen_require(` -+ type spamd_t, spamd_var_run_t, spamd_spool_t; ++ type spamd_t, spamd_var_run_t; + ') + ++ files_search_pids($1) + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + @@ -25584,7 +26005,7 @@ index c954f31..76cfada 100644 + + allow $1 spamd_t:process { ptrace signal_perms }; + ps_process_pattern($1, spamd_t) -+ ++ + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 spamd_initrc_exec_t system_r; @@ -25604,7 +26025,7 @@ index c954f31..76cfada 100644 + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) -+') + ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 9d40380..9ad4eff 100644 --- a/policy/modules/services/spamassassin.te @@ -25908,6 +26329,27 @@ index 9d40380..9ad4eff 100644 ') optional_policy(` +diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if +index d2496bd..dc4f590 100644 +--- a/policy/modules/services/squid.if ++++ b/policy/modules/services/squid.if +@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',` + type squid_t; + ') + +- allow $1 squid_t:unix_stream_socket { getattr read write }; ++ allow $1 squid_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',` + ## Domain to not audit. + ## + ## +-## + # + interface(`squid_dontaudit_search_cache',` + gen_require(` diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 078bcd7..dd706b0 100644 --- a/policy/modules/services/ssh.fc @@ -25931,10 +26373,14 @@ index 078bcd7..dd706b0 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..3061e83 100644 +index 22adaca..784c363 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if -@@ -36,6 +36,7 @@ template(`ssh_basic_client_template',` +@@ -32,10 +32,10 @@ + ## + # + template(`ssh_basic_client_template',` +- gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; @@ -25942,7 +26388,7 @@ index 22adaca..3061e83 100644 ') ############################## -@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` +@@ -47,10 +47,6 @@ template(`ssh_basic_client_template',` application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; @@ -25953,7 +26399,7 @@ index 22adaca..3061e83 100644 ############################## # # Client local policy -@@ -93,18 +90,18 @@ template(`ssh_basic_client_template',` +@@ -93,18 +89,18 @@ template(`ssh_basic_client_template',` ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config @@ -25980,7 +26426,7 @@ index 22adaca..3061e83 100644 kernel_read_kernel_sysctls($1_ssh_t) kernel_read_system_state($1_ssh_t) -@@ -116,6 +113,8 @@ template(`ssh_basic_client_template',` +@@ -116,6 +112,8 @@ template(`ssh_basic_client_template',` corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) @@ -25989,7 +26435,16 @@ index 22adaca..3061e83 100644 dev_read_urand($1_ssh_t) -@@ -181,9 +180,9 @@ template(`ssh_server_template', ` +@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',` + ## + ## + # +-template(`ssh_server_template', ` ++template(`ssh_server_template',` + type $1_t, ssh_server; + auth_login_pgm_domain($1_t) + +@@ -181,16 +179,16 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) @@ -26001,7 +26456,15 @@ index 22adaca..3061e83 100644 allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: -@@ -206,6 +205,7 @@ template(`ssh_server_template', ` + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; + +- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; + term_create_pty($1_t, $1_devpts_t) + + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +@@ -206,6 +204,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -26009,7 +26472,7 @@ index 22adaca..3061e83 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +220,11 @@ template(`ssh_server_template', ` +@@ -220,8 +219,11 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) @@ -26022,7 +26485,7 @@ index 22adaca..3061e83 100644 fs_dontaudit_getattr_all_fs($1_t) -@@ -234,6 +237,7 @@ template(`ssh_server_template', ` +@@ -234,6 +236,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -26030,18 +26493,18 @@ index 22adaca..3061e83 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,9 +247,9 @@ template(`ssh_server_template', ` +@@ -243,9 +246,8 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) - userdom_create_all_users_keys($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) +- userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) # Allow checking users mail at login mta_getattr_spool($1_t) -@@ -268,6 +272,14 @@ template(`ssh_server_template', ` +@@ -268,6 +270,14 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') @@ -26056,7 +26519,29 @@ index 22adaca..3061e83 100644 ') ######################################## -@@ -338,6 +350,7 @@ template(`ssh_role_template',` +@@ -290,11 +300,11 @@ template(`ssh_server_template', ` + ## User domain for the role + ## + ## ++## + # + template(`ssh_role_template',` + gen_require(` + attribute ssh_server, ssh_agent_type; +- + type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; + type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; + type ssh_agent_tmp_t; +@@ -327,7 +337,7 @@ template(`ssh_role_template',` + + # allow ps to show ssh + ps_process_pattern($3, ssh_t) +- allow $3 ssh_t:process signal; ++ allow $3 ssh_t:process { ptrace signal_perms }; + + # for rsync + allow ssh_t $3:unix_stream_socket rw_socket_perms; +@@ -338,6 +348,7 @@ template(`ssh_role_template',` manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) @@ -26064,13 +26549,57 @@ index 22adaca..3061e83 100644 ############################## # -@@ -584,6 +597,25 @@ interface(`ssh_domtrans',` - domtrans_pattern($1, sshd_exec_t, sshd_t) - ') +@@ -359,7 +370,7 @@ template(`ssh_role_template',` + stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + + # Allow the user shell to signal the ssh program. +- allow $3 $1_ssh_agent_t:process signal; ++ allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; + + # allow ps to show ssh + ps_process_pattern($3, $1_ssh_agent_t) +@@ -381,7 +392,6 @@ template(`ssh_role_template',` + + files_read_etc_files($1_ssh_agent_t) + files_read_etc_runtime_files($1_ssh_agent_t) +- files_search_home($1_ssh_agent_t) + + libs_read_lib_files($1_ssh_agent_t) + +@@ -398,9 +408,6 @@ template(`ssh_role_template',` + # for the transition back to normal privs upon exec + userdom_search_user_home_content($1_ssh_agent_t) + userdom_user_home_domtrans($1_ssh_agent_t, $3) +- allow $3 $1_ssh_agent_t:fd use; +- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; +- allow $3 $1_ssh_agent_t:process sigchld; + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_ssh_agent_t) +@@ -477,8 +484,9 @@ interface(`ssh_read_pipes',` + type sshd_t; + ') +- allow $1 sshd_t:fifo_file { getattr read }; ++ allow $1 sshd_t:fifo_file read_fifo_file_perms; + ') + -+######################################## -+## + ######################################## + ## + ## Read and write a ssh server unnamed pipe. +@@ -494,7 +502,7 @@ interface(`ssh_rw_pipes',` + type sshd_t; + ') + +- allow $1 sshd_t:fifo_file { write read getattr ioctl }; ++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -586,6 +594,24 @@ interface(`ssh_domtrans',` + + ######################################## + ## +## Execute sshd server in the sshd domain. +## +## @@ -26087,10 +26616,30 @@ index 22adaca..3061e83 100644 + init_labeled_script_domtrans($1, sshd_initrc_exec_t) +') + - ######################################## - ## ++######################################## ++## ## Execute the ssh client in the caller domain. -@@ -735,3 +767,22 @@ interface(`ssh_delete_tmp',` + ## + ## +@@ -618,7 +644,7 @@ interface(`ssh_setattr_key_files',` + type sshd_key_t; + ') + +- allow $1 sshd_key_t:file setattr; ++ allow $1 sshd_key_t:file setattr_file_perms; + files_search_pids($1) + ') + +@@ -695,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',` + type sshd_key_t; + ') + +- dontaudit $1 sshd_key_t:file { getattr read }; ++ dontaudit $1 sshd_key_t:file read_file_perms; + ') + + ###################################### +@@ -735,3 +761,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -26112,7 +26661,6 @@ index 22adaca..3061e83 100644 + + allow $1 sshd_t:process signull; +') -+ diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 2dad3c8..68c3057 100644 --- a/policy/modules/services/ssh.te @@ -26356,6 +26904,63 @@ index 2dad3c8..68c3057 100644 seutil_sigchld_newrole(ssh_keygen_t) ') +diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if +index 941380a..6dbfc01 100644 +--- a/policy/modules/services/sssd.if ++++ b/policy/modules/services/sssd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run sssd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`sssd_domtrans',` +@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',` + type sssd_var_run_t; + ') + ++ files_search_pids($1) + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) + ') +@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',` + ') + + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; +- files_search_var_lib($1) + ') + + ######################################## +@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',` + ## The role to be allowed to manage the sssd domain. + ## + ## +-## +-## +-## The type of the user terminal. +-## +-## + ## + # + interface(`sssd_admin',` + gen_require(` +- type sssd_t, sssd_public_t; +- type sssd_initrc_exec_t; ++ type sssd_t, sssd_public_t, sssd_initrc_exec_t; + ') + +- allow $1 sssd_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, sssd_t, sssd_t) ++ allow $1 sssd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sssd_t) + + # Allow sssd_t to restart the apache service + sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te index 8ffa257..07d6748 100644 --- a/policy/modules/services/sssd.te @@ -26389,21 +26994,18 @@ index 8ffa257..07d6748 100644 optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te -index 02e751d..733250d 100644 ---- a/policy/modules/services/stunnel.te -+++ b/policy/modules/services/stunnel.te -@@ -46,8 +46,9 @@ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) - manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) - files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) - -+manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) - manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) --files_pid_filetrans(stunnel_t, stunnel_var_run_t, file) -+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(stunnel_t) - kernel_read_system_state(stunnel_t) +diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if +index 6073656..eaf49b2 100644 +--- a/policy/modules/services/stunnel.if ++++ b/policy/modules/services/stunnel.if +@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',` + type stunnel_t; + ') + +- domtrans_pattern(stunnel_t,$2,$1) ++ domtrans_pattern(stunnel_t, $2, $1) + allow $1 stunnel_t:tcp_socket rw_socket_perms; + ') diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te index 52f0d6c..111b041 100644 --- a/policy/modules/services/sysstat.te @@ -26449,7 +27051,7 @@ index f40e67b..a0eeea9 100644 optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if -index 38bb312..4d10dda 100644 +index 38bb312..1427b54 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -16,6 +16,26 @@ interface(`tftp_read_content',` @@ -26487,19 +27089,19 @@ index 38bb312..4d10dda 100644 +## with specified types. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +## -+## ++## +## Private file type. -+## ++## +## +## -+## ++## +## Class of the object being created. -+## ++## +## +# +interface(`tftp_filetrans_tftpdir',` @@ -26516,6 +27118,18 @@ index 38bb312..4d10dda 100644 ## All of the rules required to administrate ## an tftp environment ## +@@ -55,9 +105,10 @@ interface(`tftp_admin',` + type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; + ') + +- allow $1 tftpd_t:process { ptrace signal_perms getattr }; ++ allow $1 tftpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, tftpd_t) + ++ files_list_var_lib($1) + admin_pattern($1, tftpdir_rw_t) + + admin_pattern($1, tftpdir_t) diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index d50c10d..66bfd1c 100644 --- a/policy/modules/services/tftp.te @@ -26531,12 +27145,65 @@ index d50c10d..66bfd1c 100644 inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') +diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if +index b113b41..c2ed23a 100644 +--- a/policy/modules/services/tgtd.if ++++ b/policy/modules/services/tgtd.if +@@ -11,18 +11,36 @@ + + ##################################### + ## +-## Allow read and write access to tgtd semaphores. ++## Allow read and write access to tgtd semaphores. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`tgtd_rw_semaphores',` +- gen_require(` +- type tgtd_t; +- ') ++ gen_require(` ++ type tgtd_t; ++ ') + +- allow $1 tgtd_t:sem rw_sem_perms; ++ allow $1 tgtd_t:sem rw_sem_perms; ++') ++ ++###################################### ++## ++## Manage tgtd sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tgtd_manage_semaphores',` ++ gen_require(` ++ type tgtd_t; ++ ') ++ ++ allow $1 tgtd_t:sem create_sem_perms; + ') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te -index aa0cc45..debff69 100644 +index aa0cc45..678ab90 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te -@@ -59,8 +59,12 @@ corenet_sendrecv_iscsi_server_packets(tgtd_t) +@@ -57,10 +57,18 @@ corenet_tcp_bind_generic_node(tgtd_t) + corenet_tcp_bind_iscsi_port(tgtd_t) + corenet_sendrecv_iscsi_server_packets(tgtd_t) ++dev_search_sysfs(tgtd_t) ++ files_read_etc_files(tgtd_t) +fs_read_anon_inodefs_files(tgtd_t) @@ -26547,7 +27214,22 @@ index aa0cc45..debff69 100644 miscfiles_read_localization(tgtd_t) + -+iscsi_manage_semaphores(tgtd_t) ++optional_policy(` ++ iscsi_manage_semaphores(tgtd_t) ++') +diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if +index 904f13e..464347f 100644 +--- a/policy/modules/services/tor.if ++++ b/policy/modules/services/tor.if +@@ -42,7 +42,7 @@ interface(`tor_admin',` + type tor_initrc_exec_t; + ') + +- allow $1 tor_t:process { ptrace signal_perms getattr }; ++ allow $1 tor_t:process { ptrace signal_perms }; + ps_process_pattern($1, tor_t) + + init_labeled_script_domtrans($1, tor_initrc_exec_t) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index 9fa94e4..0a0074c 100644 --- a/policy/modules/services/tor.te @@ -26590,6 +27272,32 @@ index 9fa94e4..0a0074c 100644 miscfiles_read_localization(tor_t) tunable_policy(`tor_bind_all_unreserved_ports', ` +diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if +index 54b8605..329f139 100644 +--- a/policy/modules/services/tuned.if ++++ b/policy/modules/services/tuned.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run tuned. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`tuned_domtrans',` +@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',` + # + interface(`tuned_admin',` + gen_require(` +- type tuned_t, tuned_var_run_t; +- type tuned_initrc_exec_t; ++ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; + ') + + allow $1 tuned_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te index db9d2a5..b3983a9 100644 --- a/policy/modules/services/tuned.te @@ -26613,6 +27321,29 @@ index db9d2a5..b3983a9 100644 # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) +diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if +index c1feba4..1f6f55b 100644 +--- a/policy/modules/services/ucspitcp.if ++++ b/policy/modules/services/ucspitcp.if +@@ -20,7 +20,7 @@ + ## + ## + # +-interface(`ucspitcp_service_domain', ` ++interface(`ucspitcp_service_domain',` + gen_require(` + type ucspitcp_t; + role system_r; +@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', ` + + role system_r types $1; + +- domain_auto_trans(ucspitcp_t, $2, $1) +- allow $1 ucspitcp_t:fd use; +- allow $1 ucspitcp_t:process sigchld; +- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms; ++ domtrans_pattern(ucspitcp_t, $2, $1) + ') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te index a0794bf..dd23a9c 100644 --- a/policy/modules/services/ucspitcp.te @@ -26626,6 +27357,45 @@ index a0794bf..dd23a9c 100644 + daemontools_sigchld_run(ucspitcp_t) +') + +diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if +index b078bf7..e3c66d8 100644 +--- a/policy/modules/services/ulogd.if ++++ b/policy/modules/services/ulogd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run ulogd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ulogd_domtrans',` +@@ -65,9 +65,9 @@ interface(`ulogd_read_log',` + ## Allow the specified domain to search ulogd's log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`ulogd_search_log',` +@@ -119,9 +119,8 @@ interface(`ulogd_append_log',` + # + interface(`ulogd_admin',` + gen_require(` +- type ulogd_t, ulogd_etc_t; ++ type ulogd_t, ulogd_etc_t, ulogd_modules_t; + type ulogd_var_log_t, ulogd_initrc_exec_t; +- type ulogd_modules_t; + ') + + allow $1 ulogd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te index eeaa641..eb4d8d5 100644 --- a/policy/modules/services/ulogd.te @@ -26669,8 +27439,24 @@ index fa54aee..40b8b8d 100644 -/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if +index 5015043..53792d3 100644 +--- a/policy/modules/services/usbmuxd.if ++++ b/policy/modules/services/usbmuxd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run usbmuxd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`usbmuxd_domtrans',` diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if -index a4fbe31..0e4774c 100644 +index a4fbe31..a717e2d 100644 --- a/policy/modules/services/uucp.if +++ b/policy/modules/services/uucp.if @@ -2,6 +2,25 @@ @@ -26699,6 +27485,15 @@ index a4fbe31..0e4774c 100644 ## Allow the specified domain to append ## to uucp log files. ## +@@ -80,7 +99,7 @@ interface(`uucp_admin',` + type uucpd_var_run_t; + ') + +- allow $1 uucpd_t:process { ptrace signal_perms getattr }; ++ allow $1 uucpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, uucpd_t) + + logging_list_logs($1) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index b775aaf..ec1562b 100644 --- a/policy/modules/services/uucp.te @@ -26723,9 +27518,18 @@ index b775aaf..ec1562b 100644 # # UUX Local policy diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if -index b4d90ac..9214237 100644 +index b4d90ac..e0f819e 100644 --- a/policy/modules/services/varnishd.if +++ b/policy/modules/services/varnishd.if +@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',` + + ####################################### + ## +-## Execute varnishd ++## Execute varnishd + ## + ## + ## @@ -56,6 +56,25 @@ interface(`varnishd_read_config',` read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) ') @@ -26735,23 +27539,62 @@ index b4d90ac..9214237 100644 +## Read varnish lib files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`varnishd_read_lib_files',` -+ gen_require(` -+ type varnishd_var_lib_t; -+ ') ++ gen_require(` ++ type varnishd_var_lib_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) +') + ####################################### ## ## Read varnish logs. +@@ -132,9 +151,8 @@ interface(`varnishd_manage_log',` + # + interface(`varnishd_admin_varnishlog',` + gen_require(` +- type varnishlog_t; ++ type varnishlog_t, varnishlog_initrc_exec_t; + type varnishlog_var_run_t, varnishlog_log_t; +- type varnishlog_initrc_exec_t; + ') + + allow $1 varnishlog_t:process { ptrace signal_perms }; +@@ -146,11 +164,10 @@ interface(`varnishd_admin_varnishlog',` + allow $2 system_r; + + files_search_pids($1) +- admin_pattern($1, varnishlog_var_run_t) ++ admin_pattern($1, varnishlog_var_run_t) + + logging_list_logs($1) + admin_pattern($1, varnishlog_log_t) +- + ') + + ####################################### +@@ -173,7 +190,7 @@ interface(`varnishd_admin_varnishlog',` + interface(`varnishd_admin',` + gen_require(` + type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; +- type varnishd_var_run_t, varnishd_tmp_t; ++ type varnishd_var_run_t, varnishd_tmp_t; + type varnishd_initrc_exec_t; + ') + +@@ -196,5 +213,4 @@ interface(`varnishd_admin',` + + files_search_tmp($1) + admin_pattern($1, varnishd_tmp_t) +- + ') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index 1cc80e8..95c6dc3 100644 --- a/policy/modules/services/varnishd.te @@ -26767,10 +27610,59 @@ index 1cc80e8..95c6dc3 100644 allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if -index 1f872b5..dadae8e 100644 +index 1f872b5..da605ba 100644 --- a/policy/modules/services/vhostmd.if +++ b/policy/modules/services/vhostmd.if -@@ -209,7 +209,7 @@ interface(`vhostmd_admin',` +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run vhostmd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`vhostmd_domtrans',` +@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',` + ') + + allow $1 vhostmd_tmpfs_t:file read_file_perms; +- files_search_tmp($1) ++ fs_search_tmpfs($1) + ') + + ######################################## +@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',` + ') + + rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +- files_search_tmp($1) ++ fs_search_tmpfs($1) + ') + + ######################################## +@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',` + ') + + manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +- files_search_tmp($1) ++ fs_search_tmpfs($1) + ') + + ######################################## +@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',` + type vhostmd_var_run_t; + ') + +- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ++ files_search_pids($1) ++ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) + ') + + ######################################## +@@ -209,7 +210,7 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') @@ -26779,6 +27671,12 @@ index 1f872b5..dadae8e 100644 ps_process_pattern($1, vhostmd_t) vhostmd_initrc_domtrans($1) +@@ -220,5 +221,4 @@ interface(`vhostmd_admin',` + vhostmd_manage_tmpfs_files($1) + + vhostmd_manage_pid_files($1) +- + ') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te index 32a3c13..f56f51f 100644 --- a/policy/modules/services/vhostmd.te @@ -26833,10 +27731,18 @@ index 2124b6a..be4b00f 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..1a0701b 100644 +index 7c5d8d8..e584e21 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -21,6 +21,7 @@ template(`virt_domain_template',` +@@ -14,13 +14,13 @@ + template(`virt_domain_template',` + gen_require(` + type virtd_t; +- attribute virt_image_type; +- attribute virt_domain; ++ attribute virt_image_type, virt_domain; + ') + type $1_t, virt_domain; domain_type($1_t) domain_user_exemption_target($1_t) @@ -26844,16 +27750,17 @@ index 7c5d8d8..1a0701b 100644 role system_r types $1_t; type $1_devpts_t; -@@ -35,17 +36,18 @@ template(`virt_domain_template',` +@@ -35,17 +35,18 @@ template(`virt_domain_template',` type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) -- -- type $1_var_run_t; -- files_pid_file($1_var_run_t) + dev_associate_sysfs($1_image_t) - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; +- type $1_var_run_t; +- files_pid_file($1_var_run_t) +- +- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) manage_dirs_pattern($1_t, $1_image_t, $1_image_t) @@ -26866,7 +27773,7 @@ index 7c5d8d8..1a0701b 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +59,6 @@ template(`virt_domain_template',` +@@ -57,18 +58,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -26885,7 +27792,27 @@ index 7c5d8d8..1a0701b 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -171,6 +161,7 @@ interface(`virt_read_config',` +@@ -101,9 +90,9 @@ interface(`virt_image',` + ## Execute a domain transition to run virt. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`virt_domtrans',` +@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',` + # + interface(`virt_read_config',` + gen_require(` +- type virt_etc_t; +- type virt_etc_rw_t; ++ type virt_etc_t, virt_etc_rw_t; + ') + files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -26893,7 +27820,15 @@ index 7c5d8d8..1a0701b 100644 ') ######################################## -@@ -192,6 +183,7 @@ interface(`virt_manage_config',` +@@ -185,13 +174,13 @@ interface(`virt_read_config',` + # + interface(`virt_manage_config',` + gen_require(` +- type virt_etc_t; +- type virt_etc_rw_t; ++ type virt_etc_t, virt_etc_rw_t; + ') + files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -26901,7 +27836,7 @@ index 7c5d8d8..1a0701b 100644 ') ######################################## -@@ -231,6 +223,24 @@ interface(`virt_read_content',` +@@ -231,6 +220,24 @@ interface(`virt_read_content',` ######################################## ## @@ -26909,7 +27844,7 @@ index 7c5d8d8..1a0701b 100644 +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# @@ -26926,7 +27861,7 @@ index 7c5d8d8..1a0701b 100644 ## Read virt PID files. ## ## -@@ -308,6 +318,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +315,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -26951,7 +27886,19 @@ index 7c5d8d8..1a0701b 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -424,6 +452,24 @@ interface(`virt_read_images',` +@@ -352,9 +377,9 @@ interface(`virt_read_log',` + ## virt log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`virt_append_log',` +@@ -424,6 +449,24 @@ interface(`virt_read_images',` ######################################## ## @@ -26976,7 +27923,7 @@ index 7c5d8d8..1a0701b 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +479,15 @@ interface(`virt_read_images',` +@@ -433,15 +476,15 @@ interface(`virt_read_images',` ## ## # @@ -26997,7 +27944,7 @@ index 7c5d8d8..1a0701b 100644 ') ######################################## -@@ -516,3 +562,51 @@ interface(`virt_admin',` +@@ -516,3 +559,51 @@ interface(`virt_admin',` virt_manage_log($1) ') @@ -27017,6 +27964,7 @@ index 7c5d8d8..1a0701b 100644 +## The role to be allowed the sandbox domain. +## +## ++## +# +interface(`virt_transition_svirt',` + gen_require(` @@ -27048,9 +27996,8 @@ index 7c5d8d8..1a0701b 100644 + + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') -+ diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..91a1d0a 100644 +index 3eca020..fec701f 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0) @@ -27219,22 +28166,23 @@ index 3eca020..91a1d0a 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,9 +237,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +-allow virtd_t virt_image_type:file { relabelfrom relabelto }; +-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) - allow virtd_t virt_image_type:file { relabelfrom relabelto }; - allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; - ++allow virtd_t virt_image_type:file relabel_file_perms; ++allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; ++ +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) -+ + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) - logging_log_filetrans(virtd_t, virt_log_t, { file dir }) @@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -27529,6 +28477,16 @@ index 1174ad8..f4c4c1b 100644 sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) +diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if +index aa6e5a8..42a0efb 100644 +--- a/policy/modules/services/xfs.if ++++ b/policy/modules/services/xfs.if +@@ -1,4 +1,4 @@ +-## X Windows Font Server ++## X Windows Font Server + + ######################################## + ## diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 6f1e3c7..39c2bb3 100644 --- a/policy/modules/services/xserver.fc @@ -27655,7 +28613,7 @@ index 6f1e3c7..39c2bb3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..4bc9fff 100644 +index da2601a..f34a53f 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -27693,40 +28651,37 @@ index da2601a..4bc9fff 100644 files_search_tmp($2) # Communicate via System V shared memory. -@@ -56,6 +59,10 @@ interface(`xserver_restricted_role',` - - domtrans_pattern($2, iceauth_exec_t, iceauth_t) - -+ifdef(`hide_broken_symptoms', ` -+ dontaudit iceauth_t $2:socket_class_set { read write }; -+') -+ - allow $2 iceauth_home_t:file read_file_perms; +@@ -70,17 +73,21 @@ interface(`xserver_restricted_role',` - domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +78,13 @@ interface(`xserver_restricted_role',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; +- allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; +- allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; dontaudit $2 xdm_t:tcp_socket { read write }; -+ dontaudit $2 xdm_tmp_t:dir setattr; ++ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms; + + allow $2 xdm_t:dbus send_msg; + allow xdm_t $2:dbus send_msg; # Client read xserver shm allow $2 xserver_t:fd use; -@@ -89,14 +100,17 @@ interface(`xserver_restricted_role',` + allow $2 xserver_tmpfs_t:file read_file_perms; + + # Read /tmp/.X0-lock +- allow $2 xserver_tmp_t:file { getattr read }; ++ allow $2 xserver_tmp_t:file read_inherited_file_perms; + + dev_rw_xserver_misc($2) + dev_rw_power_management($2) +@@ -89,14 +96,14 @@ interface(`xserver_restricted_role',` dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) -+ tunable_policy(`user_direct_dri',` -+ dev_rw_dri($2) -+ ') + # GNOME checks for usb and other devices: dev_rw_usbfs($2) @@ -27739,9 +28694,36 @@ index da2601a..4bc9fff 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -148,8 +162,10 @@ interface(`xserver_role',` +@@ -107,11 +114,19 @@ interface(`xserver_restricted_role',` + # Needed for escd, remove if we get escd policy + xserver_manage_xdm_tmp_files($2) + ++ ifdef(`hide_broken_symptoms',` ++ dontaudit iceauth_t $2:socket_class_set { read write }; ++ ') ++ + # Client write xserver shm + tunable_policy(`allow_write_xshm',` + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') ++ ++ tunable_policy(`user_direct_dri',` ++ dev_rw_dri($2) ++ ') + ') + + ######################################## +@@ -143,13 +158,15 @@ interface(`xserver_role',` + allow $2 xserver_tmpfs_t:file rw_file_perms; + + allow $2 iceauth_home_t:file manage_file_perms; +- allow $2 iceauth_home_t:file { relabelfrom relabelto }; ++ allow $2 iceauth_home_t:file relabel_file_perms; + allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; +- allow $2 xauth_home_t:file { relabelfrom relabelto }; ++ allow $2 xauth_home_t:file relabel_file_perms; + mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) @@ -27750,6 +28732,14 @@ index da2601a..4bc9fff 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) +@@ -162,7 +179,6 @@ interface(`xserver_role',` + manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) +- + ') + + ####################################### @@ -197,7 +213,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; @@ -27775,7 +28765,16 @@ index da2601a..4bc9fff 100644 allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',` +@@ -347,14 +363,19 @@ template(`xserver_common_x_domain_template',` + type xevent_t, client_xevent_t; + type input_xevent_t, $1_input_xevent_t; + +- attribute x_domain; ++ attribute x_domain, input_xevent_type; + attribute xdrawable_type, xcolormap_type; +- attribute input_xevent_type; + + class x_drawable all_x_drawable_perms; class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -27788,7 +28787,7 @@ index da2601a..4bc9fff 100644 ') ############################## -@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +407,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -27804,7 +28803,24 @@ index da2601a..4bc9fff 100644 ') ####################################### -@@ -476,11 +507,16 @@ template(`xserver_user_x_domain_template',` +@@ -458,9 +488,9 @@ template(`xserver_user_x_domain_template',` + + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; +- allow $2 xdm_t:fifo_file { getattr read write ioctl }; ++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; +- allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; + dontaudit $2 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. +@@ -472,20 +502,25 @@ template(`xserver_user_x_domain_template',` + # for .xsession-errors + userdom_dontaudit_write_user_home_content_files($2) + +- xserver_ro_session($2,$3) ++ xserver_ro_session($2, $3) xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -27812,16 +28828,22 @@ index da2601a..4bc9fff 100644 # X object manager xserver_object_types_template($1) - xserver_common_x_domain_template($1,$2) +- xserver_common_x_domain_template($1,$2) ++ xserver_common_x_domain_template($1, $2) -+ tunable_policy(`user_direct_dri',` -+ dev_rw_dri($2) -+ ') -+ # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; -@@ -517,6 +553,7 @@ interface(`xserver_use_user_fonts',` + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') ++ ++ tunable_policy(`user_direct_dri',` ++ dev_rw_dri($2) ++ ') + ') + + ######################################## +@@ -517,6 +552,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -27829,11 +28851,12 @@ index da2601a..4bc9fff 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -545,6 +582,27 @@ interface(`xserver_domtrans_xauth',` +@@ -545,6 +581,28 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) -+ ifdef(`hide_broken_symptoms', ` ++ ++ ifdef(`hide_broken_symptoms',` + dontaudit xauth_t $1:socket_class_set { read write }; + ') +') @@ -27865,20 +28888,81 @@ index da2601a..4bc9fff 100644 ') ######################################## -@@ -725,10 +784,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -615,7 +674,7 @@ interface(`xserver_setattr_console_pipes',` + type xconsole_device_t; + ') + +- allow $1 xconsole_device_t:fifo_file setattr; ++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; + ') + + ######################################## +@@ -651,7 +710,7 @@ interface(`xserver_use_xdm_fds',` + type xdm_t; + ') + +- allow $1 xdm_t:fd use; ++ allow $1 xdm_t:fd use; + ') + + ######################################## +@@ -670,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` + type xdm_t; + ') + +- dontaudit $1 xdm_t:fd use; ++ dontaudit $1 xdm_t:fd use; + ') + + ######################################## +@@ -688,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',` + type xdm_t; + ') + +- allow $1 xdm_t:fifo_file { getattr read write }; ++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -703,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',` + ## + # + interface(`xserver_dontaudit_rw_xdm_pipes',` +- + gen_require(` + type xdm_t; + ') + +- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## +@@ -724,11 +782,13 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` + # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xdm_tmp_t; -+ type xdm_var_run_t; +- type xdm_t, xdm_tmp_t; ++ type xdm_t, xdm_tmp_t, xdm_var_run_t; ') files_search_tmp($1) ++ files_search_pids($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ') ######################################## -@@ -805,7 +866,7 @@ interface(`xserver_read_xdm_pid',` +@@ -765,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` + type xdm_tmp_t; + ') + +- allow $1 xdm_tmp_t:dir setattr; ++ allow $1 xdm_tmp_t:dir setattr_dir_perms; + ') + + ######################################## +@@ -805,7 +865,7 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -27887,7 +28971,16 @@ index da2601a..4bc9fff 100644 ') ######################################## -@@ -916,7 +977,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -897,7 +957,7 @@ interface(`xserver_getattr_log',` + ') + + logging_search_logs($1) +- allow $1 xserver_log_t:file getattr; ++ allow $1 xserver_log_t:file getattr_file_perms; + ') + + ######################################## +@@ -916,7 +976,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -27896,7 +28989,7 @@ index da2601a..4bc9fff 100644 ') ######################################## -@@ -963,6 +1024,44 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1023,44 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -27913,7 +29006,7 @@ index da2601a..4bc9fff 100644 + type xdm_etc_t; + ') + -+ files_search_etc($1) ++ files_search_etc($1) + read_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + @@ -27932,7 +29025,7 @@ index da2601a..4bc9fff 100644 + type xdm_etc_t; + ') + -+ files_search_etc($1) ++ files_search_etc($1) + manage_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + @@ -27941,16 +29034,37 @@ index da2601a..4bc9fff 100644 ## Read xdm temporary files. ## ## -@@ -1072,6 +1171,8 @@ interface(`xserver_domtrans',` +@@ -976,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',` + type xdm_tmp_t; + ') + +- files_search_tmp($1) ++ files_search_tmp($1) + read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + ') - allow $1 xserver_t:process siginh; +@@ -1052,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + type xdm_tmp_t; + ') + +- dontaudit $1 xdm_tmp_t:sock_file getattr; ++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; + ') + + ######################################## +@@ -1070,8 +1168,10 @@ interface(`xserver_domtrans',` + type xserver_t, xserver_exec_t; + ') + +- allow $1 xserver_t:process siginh; ++ allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) + + allow xserver_t $1:process getpgid; ') ######################################## -@@ -1185,6 +1286,7 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1285,7 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -27958,13 +29072,26 @@ index da2601a..4bc9fff 100644 ') ######################################## -@@ -1224,9 +1326,20 @@ interface(`xserver_manage_core_devices',` +@@ -1210,7 +1311,7 @@ interface(`xserver_read_tmp_files',` + ## + ## Interface to provide X object permissions on a given X server to + ## an X client domain. Gives the domain permission to read the +-## virtual core keyboard and virtual core pointer devices. ++## virtual core keyboard and virtual core pointer devices. + ## + ## + ## +@@ -1220,13 +1321,23 @@ interface(`xserver_read_tmp_files',` + # + interface(`xserver_manage_core_devices',` + gen_require(` +- type xserver_t; ++ type xserver_t, root_xdrawable_t; class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; -+ type root_xdrawable_t; + attribute x_domain; + class x_drawable { read manage setattr show }; + class x_resource { write read }; @@ -27979,7 +29106,15 @@ index da2601a..4bc9fff 100644 ') ######################################## -@@ -1250,3 +1363,329 @@ interface(`xserver_unconfined',` +@@ -1243,10 +1354,331 @@ interface(`xserver_manage_core_devices',` + # + interface(`xserver_unconfined',` + gen_require(` +- attribute x_domain; +- attribute xserver_unconfined_type; ++ attribute x_domain, xserver_unconfined_type; + ') + typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -27996,8 +29131,7 @@ index da2601a..4bc9fff 100644 +# +interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` -+ type xdm_home_t; -+ type xserver_tmp_t; ++ type xdm_home_t, xserver_tmp_t; + ') + + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; @@ -28024,8 +29158,7 @@ index da2601a..4bc9fff 100644 +# +interface(`xserver_append_xdm_home_files',` + gen_require(` -+ type xdm_home_t; -+ type xserver_tmp_t; ++ type xdm_home_t, xserver_tmp_t; + ') + + allow $1 xdm_home_t:file append_file_perms; @@ -28186,12 +29319,10 @@ index da2601a..4bc9fff 100644 +## Domain allowed access. +## +## -+## +# +interface(`xserver_rw_inherited_user_fonts',` + gen_require(` -+ type user_fonts_t; -+ type user_fonts_config_t; ++ type user_fonts_t, user_fonts_config_t; + ') + + allow $1 user_fonts_t:file rw_inherited_file_perms; @@ -28218,7 +29349,6 @@ index da2601a..4bc9fff 100644 + allow $1 xdm_var_lib_t:dir search_dir_perms; +') + -+ +######################################## +## +## Make an X executable an entrypoint for the specified domain. @@ -28252,6 +29382,7 @@ index da2601a..4bc9fff 100644 +## The role to be allowed the xserver domain. +## +## ++## +# +interface(`xserver_run',` + gen_require(` @@ -28277,6 +29408,7 @@ index da2601a..4bc9fff 100644 +## The role to be allowed the xserver domain. +## +## ++## +# +interface(`xserver_run_xauth',` + gen_require(` @@ -28299,8 +29431,7 @@ index da2601a..4bc9fff 100644 +# +interface(`xserver_manage_home_fonts',` + gen_require(` -+ type user_fonts_t; -+ type user_fonts_config_t; ++ type user_fonts_t, user_fonts_config_t; + ') + + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) @@ -29233,21 +30364,34 @@ index e226da4..5fbf38f 100644 +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') -diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 2e0f6f6..2ae7a3d 100644 ---- a/policy/modules/services/zabbix.te -+++ b/policy/modules/services/zabbix.te -@@ -35,8 +35,9 @@ manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) - logging_log_filetrans(zabbix_t, zabbix_log_t, file) - - # pid file -+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) - manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) --files_pid_filetrans(zabbix_t, zabbix_var_run_t, file) -+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { file dir }) - - files_read_etc_files(zabbix_t) - +diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if +index d77e631..4776863 100644 +--- a/policy/modules/services/zabbix.if ++++ b/policy/modules/services/zabbix.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run zabbix. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`zabbix_domtrans',` +@@ -44,9 +44,9 @@ interface(`zabbix_read_log',` + ## zabbix log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`zabbix_append_log',` diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 index 0000000..56cb5af @@ -29283,37 +30427,35 @@ index 0000000..56cb5af +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 -index 0000000..bba3124 +index 0000000..78fc104 --- /dev/null +++ b/policy/modules/services/zarafa.if -@@ -0,0 +1,105 @@ -+ +@@ -0,0 +1,102 @@ +## policy for zarafa services + +###################################### +## -+## Creates types and rules for a basic -+## zararfa init daemon domain. ++## Creates types and rules for a basic ++## zararfa init daemon domain. +## +## -+## -+## Prefix for the domain. -+## ++## ++## Prefix for the domain. ++## +## +# +template(`zarafa_domain_template',` -+ + gen_require(` + attribute zarafa_domain; + ') + + ############################## -+ # -+ # $1_t declarations -+ # ++ # ++ # $1_t declarations ++ # + + type zarafa_$1_t, zarafa_domain; -+ type zarafa_$1_exec_t; ++ type zarafa_$1_exec_t; + init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) + + type zarafa_$1_log_t; @@ -29323,28 +30465,28 @@ index 0000000..bba3124 + files_pid_file(zarafa_$1_var_run_t) + + ############################## -+ # ++ # + # $1_t local policy -+ # ++ # + + manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) -+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) -+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) ++ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) ++ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t) + + manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) + #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) + logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) -+') -+ ++') ++ +######################################## +## +## Execute a domain transition to run zarafa_server. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`zarafa_server_domtrans',` @@ -29355,15 +30497,14 @@ index 0000000..bba3124 + domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) +') + -+ +######################################## +## +## Execute a domain transition to run zarafa_deliver. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`zarafa_deliver_domtrans',` @@ -29376,21 +30517,21 @@ index 0000000..bba3124 + +####################################### +## -+## Connect to zarafa-server unix domain stream socket. ++## Connect to zarafa-server unix domain stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+## +# +interface(`zarafa_stream_connect_server',` -+ gen_require(` -+ type zarafa_server_t, zarafa_server_var_run_t; -+ ') ++ gen_require(` ++ type zarafa_server_t, zarafa_server_var_run_t; ++ ') + -+ stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) ++ files_search_var_lib($1) ++ stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 @@ -29531,22 +30672,36 @@ index 0000000..3509088 +optional_policy(` + apache_content_template(zarafa) +') -diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te -index 086cbef..9939bff 100644 ---- a/policy/modules/services/zebra.te -+++ b/policy/modules/services/zebra.te -@@ -61,9 +61,10 @@ logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) - allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; - files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) - -+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) - manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) - manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) --files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) -+files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file dir }) - - kernel_read_system_state(zebra_t) - kernel_read_network_state(zebra_t) +diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if +index 6b87605..5860687 100644 +--- a/policy/modules/services/zebra.if ++++ b/policy/modules/services/zebra.if +@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',` + ') + + files_search_pids($1) +- allow $1 zebra_var_run_t:sock_file write; +- allow $1 zebra_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) + ') + + ######################################## +diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if +index 702e768..1d24e1e 100644 +--- a/policy/modules/services/zosremote.if ++++ b/policy/modules/services/zosremote.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run audispd-zos-remote. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`zosremote_domtrans',` diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if index ac50333..108595b 100644 --- a/policy/modules/system/application.if @@ -29621,7 +30776,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..bd3185e 100644 +index bea0ade..5819211 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -29751,6 +30906,15 @@ index bea0ade..bd3185e 100644 ') ######################################## +@@ -694,7 +741,7 @@ interface(`auth_relabel_shadow',` + ') + + files_search_etc($1) +- allow $1 shadow_t:file { relabelfrom relabelto }; ++ allow $1 shadow_t:file relabel_file_perms; + typeattribute $1 can_relabelto_shadow_passwords; + ') + @@ -874,6 +921,26 @@ interface(`auth_exec_pam',` ######################################## @@ -31666,7 +32830,7 @@ index 663a47b..ad0b864 100644 + allow $1 iscsid_t:sem create_sem_perms; +') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te -index 1d1c399..0787687 100644 +index 1d1c399..3ab3a47 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te @@ -76,6 +76,8 @@ corenet_tcp_connect_isns_port(iscsid_t) @@ -31678,6 +32842,13 @@ index 1d1c399..0787687 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) +@@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t) + miscfiles_read_localization(iscsid_t) + + optional_policy(` +- tgtd_rw_semaphores(iscsid_t) ++ tgtd_manage_semaphores(iscsid_t) + ') diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te index 57c645b..7682697 100644 --- a/policy/modules/system/kdump.te @@ -32157,7 +33328,7 @@ index 362614c..a76d2fc 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index c7cfb62..aa09d1c 100644 +index c7cfb62..453377e 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -545,6 +545,25 @@ interface(`logging_send_syslog_msg',` @@ -32226,8 +33397,8 @@ index c7cfb62..aa09d1c 100644 manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) -+ allow $1 logfile:dir { relabelfrom relabelto }; -+ allow $1 logfile:file { relabelfrom relabelto }; ++ allow $1 logfile:dir relabel_dir_perms; ++ allow $1 logfile:file relabel_file_perms; init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) @@ -34884,7 +36055,7 @@ index 0291685..44fe366 100644 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 025348a..59bc26b 100644 +index 025348a..5b277ea 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` @@ -34895,6 +36066,16 @@ index 025348a..59bc26b 100644 ') ######################################## +@@ -88,8 +89,7 @@ interface(`udev_read_state',` + ') + + kernel_search_proc($1) +- allow $1 udev_t:file read_file_perms; +- allow $1 udev_t:lnk_file read_lnk_file_perms; ++ ps_process_pattern($1, udev_t) + ') + + ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index a054cf5..4867243 100644 --- a/policy/modules/system/udev.te @@ -35758,7 +36939,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 2aa8928..c67c8e8 100644 +index 2aa8928..b4d758b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -35772,7 +36953,7 @@ index 2aa8928..c67c8e8 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,95 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,98 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -35903,6 +37084,9 @@ index 2aa8928..c67c8e8 100644 - libs_exec_ld_so($1_t) + init_stream_connect($1_usertype) ++ # The library functions always try to open read-write first, ++ # then fall back to read-only if it fails. ++ init_dontaudit_rw_utmp($1_usertype) + + libs_exec_ld_so($1_usertype) @@ -35917,7 +37101,7 @@ index 2aa8928..c67c8e8 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +143,16 @@ template(`userdom_base_user_template',` +@@ -116,6 +146,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -35934,7 +37118,7 @@ index 2aa8928..c67c8e8 100644 ') ####################################### -@@ -149,6 +186,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +189,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -35943,7 +37127,7 @@ index 2aa8928..c67c8e8 100644 ############################## # # Domain access to home dir -@@ -166,27 +205,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +208,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -35971,7 +37155,7 @@ index 2aa8928..c67c8e8 100644 ') ####################################### -@@ -218,8 +236,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +239,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -35983,7 +37167,7 @@ index 2aa8928..c67c8e8 100644 ############################## # # Domain access to home dir -@@ -228,17 +249,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +252,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -36015,7 +37199,7 @@ index 2aa8928..c67c8e8 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +271,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +274,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -36045,7 +37229,7 @@ index 2aa8928..c67c8e8 100644 ') ') -@@ -289,6 +312,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +315,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -36054,7 +37238,7 @@ index 2aa8928..c67c8e8 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +322,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +325,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -36100,7 +37284,7 @@ index 2aa8928..c67c8e8 100644 ') ####################################### -@@ -316,6 +380,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +383,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -36108,7 +37292,7 @@ index 2aa8928..c67c8e8 100644 files_search_tmp($1) ') -@@ -350,6 +415,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +418,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -36117,7 +37301,7 @@ index 2aa8928..c67c8e8 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +427,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +430,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## @@ -36186,7 +37370,7 @@ index 2aa8928..c67c8e8 100644 ') ####################################### -@@ -430,6 +492,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +495,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -36194,7 +37378,7 @@ index 2aa8928..c67c8e8 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +553,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +556,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -36203,7 +37387,7 @@ index 2aa8928..c67c8e8 100644 ############################## # -@@ -500,73 +563,78 @@ template(`userdom_common_user_template',` +@@ -500,73 +566,78 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -36321,7 +37505,7 @@ index 2aa8928..c67c8e8 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,65 +642,108 @@ template(`userdom_common_user_template',` +@@ -574,65 +645,108 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -36372,47 +37556,47 @@ index 2aa8928..c67c8e8 100644 + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ hal_dbus_chat($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) - ') -+ -+ optional_policy(` + vpn_dbus_chat($1_usertype) -+ ') -+ ') -+ -+ optional_policy(` -+ git_session_role($1_r, $1_usertype) + ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) ++ git_session_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') @@ -36435,20 +37619,20 @@ index 2aa8928..c67c8e8 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -643,41 +754,50 @@ template(`userdom_common_user_template',` +@@ -643,41 +757,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -36480,53 +37664,51 @@ index 2aa8928..c67c8e8 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ seunshare_role_template($1, $1_r, $1_t) - ') -+ -+ optional_policy(` + slrnpull_search_spool($1_usertype) -+ ') + ') + ') ####################################### -@@ -705,13 +825,26 @@ template(`userdom_login_user_template', ` +@@ -705,13 +828,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -36534,7 +37716,9 @@ index 2aa8928..c67c8e8 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -36542,7 +37726,7 @@ index 2aa8928..c67c8e8 100644 userdom_change_password_template($1) -@@ -729,72 +862,74 @@ template(`userdom_login_user_template', ` +@@ -729,72 +865,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -36584,14 +37768,13 @@ index 2aa8928..c67c8e8 100644 + fs_rw_anon_inodefs_files($1_usertype) auth_dontaudit_write_login_records($1_t) -- -- application_exec_all($1_t) + auth_rw_cache($1_t) - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. +- application_exec_all($1_t) +- +- # The library functions always try to open read-write first, +- # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_t) -+ init_dontaudit_rw_utmp($1_usertype) # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) @@ -37049,7 +38232,7 @@ index 2aa8928..c67c8e8 100644 + type user_home_t; + ') + -+ allow $1 user_home_t:file { relabelto relabelfrom }; ++ allow $1 user_home_t:file relabel_file_perms; +') + ######################################## @@ -37079,33 +38262,69 @@ index 2aa8928..c67c8e8 100644 ') ######################################## -@@ -1638,6 +1922,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1638,34 +1922,53 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## +-## Do not audit attempts to set the +-## attributes of user home files. +## Set the attributes of user home files. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`userdom_dontaudit_setattr_user_home_content_files',` +interface(`userdom_setattr_user_home_content_files',` + gen_require(` + type user_home_t; + ') + +- dontaudit $1 user_home_t:file setattr_file_perms; ++ allow $1 user_home_t:file setattr; + ') + + ######################################## + ## +-## Mmap user home files. ++## Do not audit attempts to set the ++## attributes of user home files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_mmap_user_home_content_files',` ++interface(`userdom_dontaudit_setattr_user_home_content_files',` + gen_require(` + type user_home_t; + ') + -+ allow $1 user_home_t:file setattr; ++ dontaudit $1 user_home_t:file setattr_file_perms; +') + +######################################## +## - ## Do not audit attempts to set the - ## attributes of user home files. - ## -@@ -1689,13 +1992,33 @@ interface(`userdom_read_user_home_content_files',` ++## Mmap user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_mmap_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') +@@ -1689,12 +1992,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -37116,7 +38335,6 @@ index 2aa8928..c67c8e8 100644 ######################################## ## --## Do not audit attempts to read user home files. +## Do not audit attempts to getattr user home files. +## +## @@ -37136,10 +38354,9 @@ index 2aa8928..c67c8e8 100644 + +######################################## +## -+## Do not audit attempts to read user home files. + ## Do not audit attempts to read user home files. ## ## - ## @@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` @@ -37168,7 +38385,7 @@ index 2aa8928..c67c8e8 100644 ') ######################################## -@@ -1816,21 +2141,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1816,20 +2141,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -37182,18 +38399,17 @@ index 2aa8928..c67c8e8 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. @@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -38286,7 +39502,7 @@ index 8c827f8..744fa64 100644 ifdef(`distro_debian',` diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if -index 77d41b6..4af4e6b 100644 +index 77d41b6..4aa96c6 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -87,6 +87,26 @@ interface(`xen_read_image_files',` @@ -38327,6 +39543,15 @@ index 77d41b6..4af4e6b 100644 domtrans_pattern($1, xm_exec_t, xm_t) ') +@@ -230,7 +251,7 @@ interface(`xen_domtrans_xm',` + # + interface(`xen_stream_connect_xm',` + gen_require(` +- type xm_t; ++ type xm_t, xenstored_var_run_t; + ') + + files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index f661f5a..600d43f 100644 --- a/policy/modules/system/xen.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 62be418..e2f8051 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.9.4 -Release: 2%{?dist} +Version: 3.9.5 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,15 @@ exit 0 %endif %changelog +* Thu Sep 16 2010 Dan Walsh 3.9.5-1 +- Update to upstream + +* Wed Sep 15 2010 Dan Walsh 3.9.4-3 +- Add the ability to send audit messages to confined admin policies +- Remove permissive domain from cmirrord and dontaudit sys_tty_config +- Split out unconfined_domain() calls from other unconfined_ calls so we can d +- virt needs to be able to read processes to clearance for MLS + * Tue Sep 14 2010 Dan Walsh 3.9.4-2 - Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages diff --git a/sources b/sources index 11bf11d..1e6d985 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c610a100e8448f4fdc2559d1e509494c serefpolicy-3.9.4.tgz +92b67fbf7e35e89cd46d04881966d2ae serefpolicy-3.9.5.tgz