diff --git a/Changelog b/Changelog
index 2438d0b..1d8999f 100644
--- a/Changelog
+++ b/Changelog
@@ -63,6 +63,7 @@
Mon, 12 Jun 2006
Tue, 20 Jun 2006
Wed, 26 Jul 2006
+ Wed, 23 Aug 2006
- Added modules:
afs
amavis (Erich Schubert)
diff --git a/policy/mls b/policy/mls
index 3a35bde..f9cd671 100644
--- a/policy/mls
+++ b/policy/mls
@@ -184,19 +184,12 @@ mlsconstrain dir search
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
mlsconstrain dir { add_name remove_name reparent rmdir }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
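Review bot: Moving `dir chr_file blk_file sock_file` into the single-level `( l1 eq l2 )` rule while the `mlsconstrain dir { add_name remove_name reparent rmdir }` constraint at the end of the hunk keeps the ranged `(( l1 dom l2 ) and ( l1 domby h2 ))` test leaves the two directory constraints disagreeing: a process inside a multi-level directory's range can pass add_name yet fail the dir `write` check that the kernel evaluates together with it, so creation in such a directory silently fails unless the subject has mlsfilewrite or the object is mlstrustedobject. If ranged-object writes are meant to go away entirely, the name-operation constraint should change the same way; if directories are meant to keep range semantics, a comment above the merged rule should say why only these permissions lost it. That dir name-operation constraint continues past the hunk.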
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 2780ecb..b2a3c36 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -9,6 +9,7 @@
/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
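Review bot: The new catch-all `/usr/lib(64)?/amanda/.+ -- amanda_exec_t` turns every regular file under that directory into an entry-point type unless a later, more specific line overrides it, which is only correct because file_contexts gives precedence to the last matching specification; that ordering dependency is not obvious from the file. A comment above the line, e.g. `# default for helpers in this directory; more specific entries below win`, would make the intent clear, and it is worth checking that no non-executable data or shared-library files live there, since they would also become amanda_exec_t.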
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index cf3b552..4632176 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.3.4)
+policy_module(amanda,1.3.5)
#######################################
#
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 9ec5e44..69a3c68 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
-policy_module(anaconda,1.0.0)
+policy_module(anaconda,1.0.1)
########################################
#
@@ -7,6 +7,7 @@ policy_module(anaconda,1.0.0)
#
type anaconda_t;
+type anaconda_exec_t;
domain_type(anaconda_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
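Review bot: The new `type anaconda_exec_t;` is never declared as an executable file type in this diff: there is no `domain_entry_file(anaconda_t,anaconda_exec_t)` next to `domain_type(anaconda_t)`, and no anaconda.fc hunk labels a binary with it, even though the next hunk makes it the target of `kernel_domtrans_to(anaconda_t,anaconda_exec_t)`. Unless that lives outside the diff, the type carries no file_type/exec_type attribute and nothing on disk will ever be labelled with it, so the transition is dead. Suggest adding `domain_entry_file(anaconda_t,anaconda_exec_t)` here and the matching file context entry.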
@@ -16,6 +17,10 @@ role system_r types anaconda_t;
# Local policy
#
+allow anaconda_t self:process execmem;
+
+kernel_domtrans_to(anaconda_t,anaconda_exec_t)
+
# Run other rc scripts in the anaconda_t domain.
init_domtrans_script(anaconda_t)
@@ -25,8 +30,12 @@ logging_send_syslog_msg(anaconda_t)
modutils_domtrans_insmod(anaconda_t)
+seutil_domtrans_semanage(anaconda_t)
+
unconfined_domain(anaconda_t)
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
+
ifdef(`distro_redhat',`
bootloader_create_runtime_file(anaconda_t)
')
@@ -41,6 +50,7 @@ optional_policy(`
optional_policy(`
rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
')
optional_policy(`
@@ -50,10 +60,3 @@ optional_policy(`
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')
-
-ifdef(`TODO',`
-optional_policy(`
- role system_r types sysadm_ssh_agent_t;
- domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 529bfe2..a01e35d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.5)
+policy_module(bootloader,1.2.6)
########################################
#
@@ -83,8 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_read_sysfs(bootloader_t)
-# for reading BIOS data
-dev_read_raw_memory(bootloader_t)
+# needed on some hardware
+dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
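Review bot: The replacement comment `# needed on some hardware` says less than the one it removes; it should name the device and the operation, e.g. `# read/write /dev/nvram (BIOS CMOS) on hardware where the boot loader stores settings there`, and note that this is write access, not the read-only /dev/mem access it replaces. Dropping `dev_read_raw_memory` is also a behaviour change for any bootloader that still reads BIOS data through /dev/mem, so please confirm that is intended rather than incidental. Note too that devices.fc in this same diff keeps /dev/nvram at `s15:c0.c255`, so under the MLS policy this rule alone will not let a lower-level bootloader_t write it.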
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 84a5306..e7bd3fa 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
-policy_module(consoletype,1.0.1)
+policy_module(consoletype,1.0.2)
########################################
#
@@ -113,4 +113,5 @@ optional_policy(`
kernel_write_xen_state(consoletype_t)
xen_append_log(consoletype_t)
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+ xen_dontaudit_use_fds(consoletype_t)
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index b875c3f..36f2154 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.1.3)
+policy_module(firstboot,1.1.4)
gen_require(`
class passwd rootok;
@@ -106,7 +106,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- hal_dbus_send(firstboot_t)
+ hal_dbus_chat(firstboot_t)
')
optional_policy(`
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index c53929b..7b5c3f4 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.1.5)
+policy_module(prelink,1.1.6)
########################################
#
@@ -60,6 +60,8 @@ files_read_etc_runtime_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
+selinux_get_enforce_mode(prelink_t)
+
libs_use_ld_so(prelink_t)
libs_exec_ld_so(prelink_t)
libs_manage_ld_so(prelink_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index ee65a1e..49ebcf1 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.8)
+policy_module(usermanage,1.3.9)
########################################
#
@@ -256,7 +256,7 @@ optional_policy(`
')
optional_policy(`
- nscd_exec(groupadd_t)
+ nscd_domtrans(groupadd_t)
')
optional_policy(`
@@ -481,6 +481,7 @@ auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
+auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
corecmd_exec_shell(useradd_t)
@@ -526,7 +527,7 @@ optional_policy(`
')
optional_policy(`
- nscd_exec(useradd_t)
+ nscd_domtrans(useradd_t)
')
optional_policy(`
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
index 918774e..b1e6a5a 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -8,5 +8,12 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 0c6045d..4ba05b8 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java,1.1.2)
+policy_module(java,1.1.3)
########################################
#
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index d4480b2..4d1b332 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -63,6 +63,7 @@ template(`mozilla_per_userdomain_template',`
allow $1_mozilla_t self:unix_stream_socket { listen accept };
# Browse the web, connect to printer
allow $1_mozilla_t self:tcp_socket create_socket_perms;
+ allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
@@ -170,6 +171,7 @@ template(`mozilla_per_userdomain_template',`
logging_send_syslog_msg($1_mozilla_t)
miscfiles_read_fonts($1_mozilla_t)
+ miscfiles_read_localization($1_mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve($1_mozilla_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 5de7b51..fd9428c 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
-policy_module(mozilla,1.0.4)
+policy_module(mozilla,1.0.5)
########################################
#
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 60aa4cf..dca2001 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
-policy_module(wine,1.1.2)
+policy_module(wine,1.1.3)
########################################
#
@@ -18,7 +18,7 @@ domain_entry_file(wine_t,wine_exec_t)
#
ifdef(`targeted_policy',`
- allow wine_t self:process { execstack execmem };
+ allow wine_t self:process { execstack execmem execheap };
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index bcf84b3..e5101fd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 5805cd0..3952087 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.12)
+policy_module(corecommands,1.3.13)
########################################
#
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index f27cc83..6d978b2 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.13)
+policy_module(corenetwork,1.1.14)
########################################
#
@@ -84,7 +84,7 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
@@ -100,6 +100,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
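Review bot: The new `lmtp` declaration also claims `udp,24`, but LMTP (RFC 2033) runs over TCP only, so the UDP label merely widens whatever the generated `corenet_*_lmtp_port` interfaces hand out (cyrus in this diff only asks for tcp bind). Unless a consumer actually needs UDP/24, declare it as `network_port(lmtp, tcp,24,s0)`.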
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index f8735a4..c2737f8 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -36,7 +36,7 @@
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a9b1459..e17a5d5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1821,6 +1821,25 @@ interface(`dev_create_null_dev',`
########################################
##
+## Read and write BIOS non-volatile RAM.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_nvram',`
+ gen_require(`
+ type nvram_device_t;
+ ')
+
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 nvram_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
## Get the attributes of the printer device nodes.
##
##
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 2f5ad4d..c5575ad 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.18)
+policy_module(devices,1.1.19)
########################################
#
@@ -106,6 +106,12 @@ mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)
#
+# Type for /dev/nvram
+#
+type nvram_device_t;
+dev_node(nvram_device_t)
+
+#
# Type for /dev/pmu
#
type power_device_t;
@@ -166,7 +172,7 @@ type vmware_device_t;
dev_node(vmware_device_t)
type watchdog_device_t;
-dev_node(vmware_device_t)
+dev_node(watchdog_device_t)
type xen_device_t;
dev_node(xen_device_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a61282d..4123678 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2934,6 +2934,24 @@ interface(`files_search_tmp',`
########################################
##
+## Do not audit attempts to search the tmp directory (/tmp).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:dir search_dir_perms;
+')
+
+########################################
+##
## Read the tmp directory (/tmp).
##
##
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index cf92894..9901261 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.13)
+policy_module(files,1.2.14)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index fc3c335..6f7d442 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -281,6 +281,42 @@ interface(`kernel_load_module',`
########################################
##
+## Allow search the kernel key ring.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_search_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key search;
+')
+
+########################################
+##
+## Allow link to the kernel key ring.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_link_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key link;
+')
+
+########################################
+##
## Allows caller to read the ring buffer.
##
##
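Review bot: The summaries of the two new interfaces, `Allow search the kernel key ring` and `Allow link to the kernel key ring`, do not read as the imperative one-liners used by the neighbouring interfaces; suggest `Search the kernel's keyring.` and `Link keys into the kernel's keyring.`. It would also help to say that the object is `kernel_t:key`, i.e. keys owned by the kernel, since a caller may otherwise expect these to cover its own keyring.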
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 84e208d..34b4d1b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.14)
+policy_module(kernel,1.3.15)
########################################
#
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 774450e..5e65156 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -278,6 +278,24 @@ interface(`term_create_console_dev',`
########################################
##
+## Get the attributes of a pty filesystem
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_getattr_pty_fs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem getattr;
+')
+
+########################################
+##
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
##
@@ -330,6 +348,7 @@ interface(`term_dontaudit_search_ptys',`
type devpts_t;
')
+ dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search;
')
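Review bot: `dev_dontaudit_list_all_dev_nodes($1)` inside `term_dontaudit_search_ptys` suppresses listing denials on every device directory for any caller, which is far broader than the `devpts_t:dir search` the interface is named for and hides denials an analyst may want to see when a domain probes /dev. If the aim is only to reach /dev/pts quietly, a search-only dontaudit on device_t:dir (if devices.if provides one) would be the narrower choice; at minimum a comment should say why a ptys interface needs to quiet listing of all device nodes.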
@@ -1007,4 +1026,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
dontaudit $1 ttynode:chr_file { read write };
')
-
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index c2f3639..273d72e 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.5)
+policy_module(terminal,1.1.6)
########################################
#
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 3dbd868..1908b92 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
-policy_module(amavis,1.0.6)
+policy_module(amavis,1.0.7)
########################################
#
@@ -62,10 +62,12 @@ allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
# Spool Files
+files_search_spool(amavis_t)
allow amavis_t amavis_spool_t:dir manage_dir_perms;
allow amavis_t amavis_spool_t:file manage_file_perms;
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
# tmp files
allow amavis_t amavis_tmp_t:file create_file_perms;
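Review bot: The new `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` makes every socket amavis creates under its spool directory come out labelled as a runtime file, which sits oddly beside the `allow amavis_t amavis_spool_t:sock_file manage_file_perms` rule kept just above and the `files_spool_filetrans` call for the same directory. If the intent is that amavisd's listening socket lives under /var/spool/amavis, add a comment saying so, e.g. `# amavisd.sock is created under the spool directory but is runtime state`, and confirm that amavis_t and the MTAs that connect to it have `amavis_var_run_t:sock_file` access; otherwise the spool sock_file rule is now effectively dead.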
@@ -116,6 +118,7 @@ corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
@@ -165,6 +168,10 @@ optional_policy(`
')
optional_policy(`
+ postfix_read_config(amavis_t)
+')
+
+optional_policy(`
pyzor_domtrans(amavis_t)
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 2b6db56..c9996e2 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.16)
+policy_module(apache,1.3.17)
#
# NOTES:
@@ -271,7 +271,6 @@ seutil_dontaudit_search_config(httpd_t)
sysnet_read_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
mta_send_mail(httpd_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index d1d378f..b40896a 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.2.4)
+policy_module(avahi,1.2.5)
########################################
#
@@ -64,6 +64,7 @@ domain_use_interactive_fds(avahi_t)
files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
+files_read_usr_files(avahi_t)
init_use_fds(avahi_t)
init_use_script_ptys(avahi_t)
@@ -76,6 +77,7 @@ libs_use_shared_libs(avahi_t)
logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
+miscfiles_read_certs(avahi_t)
sysnet_read_config(avahi_t)
sysnet_use_ldap(avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 2472732..02fdd40 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.1.8)
+policy_module(bind,1.1.9)
########################################
#
@@ -218,6 +218,7 @@ allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file { getattr read };
+allow ndc_t dnssec_t:lnk_file { getattr read };
allow ndc_t named_t:unix_stream_socket connectto;
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index 256df78..3027ed6 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -1,5 +1,5 @@
-policy_module(cpucontrol,1.0.1)
+policy_module(cpucontrol,1.0.2)
########################################
#
@@ -25,7 +25,7 @@ files_pid_file(cpuspeed_var_run_t)
# CPU microcode loader local policy
#
-allow cpucontrol_t self:capability sys_rawio;
+allow cpucontrol_t self:capability { ipc_lock sys_rawio };
dontaudit cpucontrol_t self:capability sys_tty_config;
allow cpucontrol_t self:process signal_perms;
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index e3b1abc..3032a63 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -194,13 +194,14 @@ template(`cron_per_userdomain_template',`
allow crond_t $1_cron_spool_t:file create_file_perms;
# dac_override is to create the file in the directory under /tmp
- allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+ allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
allow $1_crontab_t self:process signal_perms;
# create files in /var/spool/cron
- allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
- type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
+ allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
+ type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
+ files_search_spool($1_crontab_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
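Review bot: The added `fowner` capability on `$1_crontab_t` is unexplained; the comment above it accounts only for `dac_override`, and fowner combined with the existing `chown` lets the domain bypass ownership checks on every file its TE rules reach. Please extend the comment to name the operation that needs it (presumably a chmod/chown of the freshly created spool file, but that is a guess). The switch of the `type_transition` source to `cron_spool_t:file` looks like the right fix, since the previous rule keyed on the result type and could never fire.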
@@ -238,12 +239,16 @@ template(`cron_per_userdomain_template',`
# Read user crontabs
userdom_read_user_home_content_files($1,$1_crontab_t)
- tunable_policy(`fcron_crond', `
+ tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
dontaudit $1_crontab_t crond_t:process signal;
')
+ optional_policy(`
+ nscd_socket_use($1_crontab_t)
+ ')
+
ifdef(`TODO',`
allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 3ee3cf3..05c3cea 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.10)
+policy_module(cron,1.3.11)
gen_require(`
class passwd rootok;
@@ -138,6 +138,8 @@ userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_all_users_home_dirs(crond_t)
+mta_send_mail(crond_t)
+
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
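Review bot: `mta_send_mail(crond_t)` becomes unconditional here, but the final hunk of this file deletes `mta_send_mail(system_crond_t)` from the `targeted_policy` block without re-adding it anywhere visible. If system cron jobs still hand their output to sendmail, that domain needs the call restored (e.g. `mta_send_mail(system_crond_t)` beside `seutil_read_config(system_crond_t)`), unless it is already granted in a part of the file outside this diff.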
@@ -173,8 +175,6 @@ ifdef(`targeted_policy',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-
- mta_send_mail(crond_t)
')
tunable_policy(`fcron_crond', `
@@ -341,8 +341,6 @@ ifdef(`targeted_policy',`
seutil_read_config(system_crond_t)
- mta_send_mail(system_crond_t)
-
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 15fe7ac..e879d56 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.3.11)
+policy_module(cups,1.3.12)
########################################
#
@@ -74,13 +74,14 @@ files_pid_file(ptal_var_run_t)
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
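Review bot: `dac_override` appears twice in the capability set on the rewritten line; since the line is being touched anyway, drop the duplicate so it reads `{ sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown sys_resource sys_tty_config audit_write }`. The new `sys_resource` has no comment saying which limit cupsd needs to raise, and the existing comment covers only sys_admin; a one-line why-comment would help the next reader.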
@@ -152,6 +153,8 @@ dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
dev_read_usbfs(cupsd_t)
+domain_read_all_domains_state(cupsd_t)
+
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
# from old usercanread attrib:
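Review bot: `domain_read_all_domains_state(cupsd_t)` lets the print daemon read the /proc state of every domain on the system, which, by the interface's name, discloses far more than a printing service needs. If this is for identifying the process on the other end of a client connection, say so in a comment and check whether a narrower interface on the specific domains involved is enough.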
@@ -186,6 +189,8 @@ files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
+selinux_compute_access_vector(cupsd_t)
+
init_use_fds(cupsd_t)
init_use_script_ptys(cupsd_t)
init_exec_script_files(cupsd_t)
@@ -201,7 +206,7 @@ miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
-seutil_dontaudit_read_config(cupsd_t)
+seutil_read_config(cupsd_t)
sysnet_read_config(cupsd_t)
@@ -219,7 +224,7 @@ ifdef(`targeted_policy',`
init_stream_connect_script(cupsd_t)
- unconfined_read_pipes(cupsd_t)
+ unconfined_rw_pipes(cupsd_t)
optional_policy(`
init_dbus_chat_script(cupsd_t)
@@ -231,6 +236,10 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ apm_domtrans_client(cupsd_t)
+')
+
+optional_policy(`
cron_system_entry(cupsd_t, cupsd_exec_t)
')
@@ -254,6 +263,10 @@ optional_policy(`
')
optional_policy(`
+ logrotate_domtrans(cupsd_t)
+')
+
+optional_policy(`
nscd_socket_use(cupsd_t)
')
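Review bot: `logrotate_domtrans(cupsd_t)` gives the print daemon a transition into logrotate_t, a domain that by its nature manages logs across the system, so a compromised cupsd inherits that reach; cups is not normally the component that runs logrotate. If cupsd really invokes logrotate for its own access/error logs, add a comment saying so; otherwise drop the rule and leave logrotate to cron.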
@@ -397,7 +410,7 @@ ifdef(`distro_redhat',`
')
')
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cupsd_config_t)
term_dontaudit_use_unallocated_ttys(cupsd_config_t)
@@ -588,6 +601,7 @@ dev_rw_printer(hplip_t)
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
+dev_read_usbfs(hplip_t)
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 6199142..de78a50 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.1.4)
+policy_module(cyrus,1.1.5)
########################################
#
@@ -69,10 +69,12 @@ corenet_tcp_sendrecv_all_ports(cyrus_t)
corenet_udp_sendrecv_all_ports(cyrus_t)
corenet_tcp_bind_all_nodes(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_lmtp_port(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
corenet_tcp_connect_all_ports(cyrus_t)
corenet_sendrecv_mail_server_packets(cyrus_t)
corenet_sendrecv_pop_server_packets(cyrus_t)
+corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_sendrecv_all_client_packets(cyrus_t)
dev_read_rand(cyrus_t)
@@ -140,5 +142,9 @@ optional_policy(`
')
optional_policy(`
+ snmp_read_snmp_var_lib_files(cyrus_t)
+')
+
+optional_policy(`
udev_read_db(cyrus_t)
')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index f134efa..605f253 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -139,6 +139,8 @@ template(`dbus_per_userdomain_template',`
files_read_usr_files($1_dbusd_t)
files_dontaudit_search_var($1_dbusd_t)
+ auth_read_pam_console_data($1_dbusd_t)
+
libs_use_ld_so($1_dbusd_t)
libs_use_shared_libs($1_dbusd_t)
@@ -160,7 +162,7 @@ template(`dbus_per_userdomain_template',`
')
optional_policy(`
- auth_read_pam_console_data($1_dbusd_t)
+ hal_dbus_chat($1_dbusd_t)
')
optional_policy(`
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index a20b9f2..5f47c5f 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.2.7)
+policy_module(dbus,1.2.8)
gen_require(`
class dbus { send_msg acquire_svc };
@@ -38,6 +38,7 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@@ -102,6 +103,7 @@ libs_use_shared_libs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index dca87b9..6b914fb 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.2.5)
+policy_module(dovecot,1.2.6)
########################################
#
@@ -193,6 +193,8 @@ miscfiles_read_localization(dovecot_auth_t)
seutil_dontaudit_search_config(dovecot_auth_t)
+sysnet_dns_name_resolve(dovecot_auth_t)
+
optional_policy(`
kerberos_use(dovecot_auth_t)
')
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index d531219..f27fb24 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn,1.1.3)
+policy_module(inn,1.1.4)
########################################
#
@@ -36,6 +36,7 @@ allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow innd_t self:tcp_socket create_stream_socket_perms;
allow innd_t self:udp_socket create_socket_perms;
+allow innd_t self:netlink_route_socket r_netlink_socket_perms;
allow innd_t innd_etc_t:file r_file_perms;
allow innd_t innd_etc_t:dir r_dir_perms;
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index d19d68b..3bd68bb 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -2,6 +2,8 @@
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d4da5cb..4966081 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.3.8)
+policy_module(mta,1.3.9)
########################################
#
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 512ce2d..dcdafd6 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.0.3)
+policy_module(openvpn,1.0.4)
########################################
#
@@ -33,7 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;
-allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
+allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
allow openvpn_t openvpn_etc_t:file r_file_perms;
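Review bot: Upgrading openvpn_t from `r_netlink_socket_perms` to `rw_netlink_socket_perms` on netlink_route_socket lets the daemon modify the routing table, and that widening deserves a why-comment, e.g. `# openvpn installs routes pushed by the server (nlmsg_write)`. The kernel additionally requires CAP_NET_ADMIN for route changes, so if `net_admin` is not already in openvpn_t's `self:capability` set (that line is outside this hunk) the netlink write permission alone will not make route updates work. Worth confirming against a denial log before treating this as complete.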
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 1d7691e..9f574d2 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.11)
+policy_module(postfix,1.2.12)
########################################
#
@@ -251,6 +251,8 @@ allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+corecmd_exec_bin(postfix_cleanup_t)
+
########################################
#
# Postfix local local policy
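Review bot: `corecmd_exec_bin(postfix_cleanup_t)` carries no comment saying which program cleanup(8) needs to run, unlike the `# for postalias` note used elsewhere in this file, and it grants execution of every bin_t binary in the caller's own domain rather than a transition. If this is for a specific helper (a content filter or a map lookup command; the hunk does not say), document it, `# cleanup executes <program>`, and prefer that program's domtrans interface if a dedicated domain exists. Without that a reviewer cannot tell whether the blanket exec is intentional or an audit2allow artifact.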
@@ -285,6 +287,10 @@ mta_delete_spool(postfix_local_t)
mta_read_config(postfix_local_t)
optional_policy(`
+ clamav_search_lib(postfix_local_t)
+')
+
+optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
')
@@ -520,6 +526,8 @@ allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+corecmd_exec_bin(postfix_qmgr_t)
+
########################################
#
# Postfix showq local policy
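Review bot: Same concern as for cleanup: `corecmd_exec_bin(postfix_qmgr_t)` is added without a why-comment, so it is not clear which bin_t program the queue manager executes or why it must run in qmgr's own domain. Please add one, e.g. `# qmgr executes <program>`, and consider whether a narrower domtrans interface exists for that program. The postfix_qmgr_t rule set continues outside this hunk.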
@@ -578,6 +586,8 @@ allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_p
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+corecmd_exec_bin(postfix_smtpd_t)
+
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
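Review bot: `corecmd_exec_bin(postfix_smtpd_t)` gives the network-facing SMTP listener permission to execute any bin_t binary without a domain transition, which is the broadest of the three exec grants in this commit and the one most in need of justification. A compromised smtpd could then run arbitrary system binaries inside its own domain; if a specific program is required (the hunk does not say which), document it with `# smtpd executes <program>` and prefer that program's own domtrans interface where one exists. If the need is only transient or distro-specific, wrapping it in an `optional_policy` or a tunable would keep the default policy tight.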
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index d37997f..6e8c9bb 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql,1.1.3)
+policy_module(postgresql,1.1.4)
#################################
#
@@ -134,6 +134,7 @@ miscfiles_read_localization(postgresql_t)
seutil_dontaudit_search_config(postgresql_t)
sysnet_read_config(postgresql_t)
+sysnet_use_ldap(postgresql_t)
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index 1def565..43c39d3 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.1.3)
+policy_module(radius,1.1.4)
########################################
#
@@ -31,7 +31,7 @@ files_pid_file(radiusd_var_run_t)
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process setsched;
+allow radiusd_t self:process { setsched signal };
allow radiusd_t self:fifo_file rw_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 510d5f5..9f76d61 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -51,6 +51,8 @@ template(`rpc_domain_template', `
kernel_rw_rpc_sysctls($1_t)
dev_read_sysfs($1_t)
+ dev_read_urand($1_t)
+ dev_read_rand($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
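Review bot: Moving `dev_read_urand`/`dev_read_rand` into `rpc_domain_template` grants both to every domain built from the template, not only rpcd_t and gssd_t which had them before (rpc.te drops them later in this diff); gssd_t also gains `dev_read_rand`, which it did not have. That is reasonable if all RPC daemons share the same RPCSEC_GSS/random code path, but it is an implicit widening for every other template user, so a comment such as `# rpc daemons read /dev/random and /dev/urandom` would make the intent explicit. The template body extends beyond this hunk.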
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 22cb0ad..b052590 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.2.11)
+policy_module(rpc,1.2.12)
########################################
#
@@ -48,9 +48,6 @@ kernel_search_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
-dev_read_urand(rpcd_t)
-dev_read_rand(rpcd_t)
-
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
@@ -129,8 +126,6 @@ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
-dev_read_urand(gssd_t)
-
fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 0a4cca7..961a000 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.2.9)
+policy_module(samba,1.2.10)
#################################
#
@@ -171,7 +171,7 @@ optional_policy(`
#
# smbd Local policy
#
-allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
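Review bot: Adding `fowner` to smbd_t's capability set lets the daemon set attributes (mode, timestamps, ACLs) on files it does not own, and together with the existing `dac_override` and `dac_read_search` this is close to a full DAC bypass; the line carries no comment on why it is needed. If it is for preserving timestamps or ACLs on files owned by other users during SMB writes, say so: `# fowner: setattr on files owned by other users (utime/ACL writes)`. Without that the next reviewer cannot distinguish a required capability from an audit2allow artifact.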
@@ -191,7 +191,7 @@ allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
allow smbd_t samba_etc_t:dir rw_dir_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
+allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };
@@ -359,7 +359,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
+allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t samba_var_t:dir rw_dir_perms;
@@ -638,8 +638,8 @@ allow winbind_t samba_secrets_t:file create_file_perms;
allow winbind_t samba_etc_t:dir rw_dir_perms;
type_transition winbind_t samba_etc_t:file samba_secrets_t;
-allow winbind_t samba_log_t:dir rw_dir_perms;
-allow winbind_t samba_log_t:file create_file_perms;
+allow winbind_t samba_log_t:dir manage_dir_perms;
+allow winbind_t samba_log_t:file manage_file_perms;
allow winbind_t samba_log_t:lnk_file create_lnk_perms;
allow winbind_t samba_var_t:dir rw_dir_perms;
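Review bot: winbind_t now gets `manage_dir_perms`/`manage_file_perms` on samba_log_t, which adds unlink and rename on log directories and files compared with the previous rw/create permissions. Letting a network-facing daemon delete or rename its own logs weakens the audit trail, so if this is only for rotating a specific log a comment such as `# winbindd rotates its own logs` would document the trade-off; otherwise the old `rw_dir_perms` plus `create_file_perms` may still suffice. The winbind_t rule set continues outside this hunk.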
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 31f15ca..5367cd3 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.3.10)
+policy_module(spamassassin,1.3.11)
########################################
#
@@ -170,6 +170,10 @@ optional_policy(`
')
optional_policy(`
+ postfix_read_config(spamd_t)
+')
+
+optional_policy(`
postgresql_stream_connect(spamd_t)
')
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index eb8bd96..5d38434 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid,1.1.5)
+policy_module(squid,1.1.6)
########################################
#
@@ -28,9 +28,9 @@ files_pid_file(squid_var_run_t)
# Local policy
#
-allow squid_t self:capability { setgid setuid dac_override };
+allow squid_t self:capability { setgid setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_file_perms;
allow squid_t self:sock_file r_file_perms;
allow squid_t self:fd use;
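Review bot: This hunk grants `sys_resource` and, by removing `setrlimit` from the negated `self:process` set, also `setrlimit`, so squid_t can now raise its own limits above the hard limit; neither line says why. If this is squid raising its file-descriptor limit at startup, add `# squid raises RLIMIT_NOFILE at startup` above the capability line. If the hard limit on the target distro is already high enough, `setrlimit` alone (without `sys_resource`) may be sufficient and would be the smaller grant.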
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 21ac35a..ae5e8b0 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
-policy_module(sysstat,1.0.0)
+policy_module(sysstat,1.0.1)
########################################
#
@@ -50,6 +50,7 @@ files_read_etc_files(sysstat_t)
fs_getattr_xattr_fs(sysstat_t)
term_use_console(sysstat_t)
+term_use_all_terms(sysstat_t)
init_use_fds(sysstat_t)
init_use_script_ptys(sysstat_t)
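Review bot: `term_use_all_terms(sysstat_t)` grants read/write on every tty and pty type, which is very broad for a cron-driven accounting collector that already has `term_use_console` on the line above. If this is only to keep output visible when an administrator runs `sa1`/`sadc` from an interactive shell, a narrower interface or a dontaudit rule would cover that without letting sysstat write to arbitrary user terminals. At minimum add a why-comment, e.g. `# sadc run manually from a terminal`, so the breadth is recorded as deliberate.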
@@ -57,6 +58,8 @@ init_use_script_ptys(sysstat_t)
libs_use_ld_so(sysstat_t)
libs_use_shared_libs(sysstat_t)
+locallogin_use_fds(sysstat_t)
+
miscfiles_read_localization(sysstat_t)
userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 1f592c6..aefc9e2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -109,7 +109,7 @@ template(`xserver_common_domain_template',`
corenet_sendrecv_xserver_server_packets($1_xserver_t)
corenet_sendrecv_all_client_packets($1_xserver_t)
- dev_read_sysfs($1_xserver_t)
+ dev_rw_sysfs($1_xserver_t)
dev_rw_mouse($1_xserver_t)
dev_rw_mtrr($1_xserver_t)
dev_rw_apm_bios($1_xserver_t)
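Review bot: Changing `dev_read_sysfs` to `dev_rw_sysfs` for every `$1_xserver_t` lets the X server write kernel device attributes under /sys (power states, driver parameters, bind/unbind) rather than only read them, and the hunk gives no reason. Because this is a shared template the widening applies to all X server domains at once; if a specific driver needs a specific sysfs write, document it, `# <driver> writes /sys/... to <purpose>`. If the denial is only noise, keep the read interface and add a dontaudit rule instead of granting write.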
@@ -120,7 +120,7 @@ template(`xserver_common_domain_template',`
dev_setattr_generic_dirs($1_xserver_t)
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t)
- dev_write_raw_memory($1_xserver_t)
+ dev_wx_raw_memory($1_xserver_t)
# for other device nodes such as the NVidia binary-only driver
dev_rw_xserver_misc($1_xserver_t)
# read events - the synaptics touchpad driver reads raw events
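Review bot: `dev_wx_raw_memory` replaces `dev_write_raw_memory`, so the X server may now map /dev/mem executable as well as writable, but the comment above it (`# raw memory access is needed if not using the frame buffer`) was not updated and no longer explains the execute part. If execute is for running the video BIOS through int10/VBE emulation (the usual reason, but inferred here), extend the comment: `# raw memory access is needed if not using the frame buffer; execute is for running the video BIOS (int10/VBE)`. Being explicit matters because executable raw-memory mappings are among the permissions hardened configurations try to remove.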
@@ -160,6 +160,10 @@ template(`xserver_common_domain_template',`
sysnet_read_config($1_xserver_t)
optional_policy(`
+ apm_stream_connect($1_xserver_t)
+ ')
+
+ optional_policy(`
auth_search_pam_console_data($1_xserver_t)
')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index dacc624..5121a2b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.13)
+policy_module(xserver,1.1.14)
########################################
#
@@ -81,15 +81,18 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:netlink_route_socket r_netlink_socket_perms;
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
-allow xdm_t self:key write;
+allow xdm_t self:socket create_socket_perms;
+allow xdm_t self:appletalk_socket create_socket_perms;
+allow xdm_t self:key { search link write };
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
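Review bot: The additions `allow xdm_t self:socket create_socket_perms;` and `allow xdm_t self:appletalk_socket create_socket_perms;` look like audit2allow output rather than a deliberate design, since a display manager has no obvious reason to open AppleTalk or generic unclassified-family sockets. If these come from a library probing socket families at startup, a `dontaudit` for both would silence the log without granting the access; if there is a real consumer, a why-comment naming it should accompany the rules. The `self:key { search link write }` change is reasonable and matches the locallogin change later in this diff.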
@@ -106,6 +109,8 @@ allow xdm_t xdm_rw_etc_t:file create_file_perms;
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
+kernel_read_net_sysctls(xdm_t)
+kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
@@ -154,6 +159,7 @@ domain_use_interactive_fds(xdm_t)
domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
+files_read_var_files(xdm_t)
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
files_list_mnt(xdm_t)
@@ -180,6 +186,8 @@ term_setattr_unallocated_ttys(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
+auth_rw_faillog(xdm_t)
+auth_write_login_records(xdm_t)
init_use_script_ptys(xdm_t)
# Run telinit->init to shutdown.
@@ -257,7 +265,7 @@ ifdef(`strict_policy',`
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
allow xdm_t xdm_xserver_tmp_t:file unlink;
- allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
+ allow xdm_t xserver_log_t:dir manage_dir_perms;
allow xdm_t xserver_log_t:file manage_file_perms;
allow xdm_t xserver_log_t:fifo_file manage_file_perms;
logging_log_filetrans(xdm_t,xserver_log_t,file)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1b0376d..769abdc 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.12)
+policy_module(authlogin,1.3.13)
########################################
#
@@ -215,6 +215,7 @@ libs_use_shared_libs(pam_console_t)
logging_send_syslog_msg(pam_console_t)
miscfiles_read_localization(pam_console_t)
+miscfiles_read_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index dbe028b..8c5271e 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
-policy_module(hostname,1.2.0)
+policy_module(hostname,1.2.1)
########################################
#
@@ -56,6 +56,6 @@ miscfiles_read_localization(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
-
-
-
+optional_policy(`
+ xen_dontaudit_use_fds(hostname_t)
+')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 7c2b112..76cf6f7 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -110,7 +110,6 @@ ifdef(`distro_gentoo',`
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
-/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -122,6 +121,8 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -182,6 +183,7 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/seamonkey.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -213,8 +215,8 @@ ifdef(`distro_redhat',`
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0123603..1206d2c 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.11)
+policy_module(libraries,1.3.12)
########################################
#
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 0b999f4..7a747b4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin,1.2.5)
+policy_module(locallogin,1.2.6)
########################################
#
@@ -47,7 +47,7 @@ allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
-allow local_login_t self:key write;
+allow local_login_t self:key { search write };
allow local_login_t local_login_lock_t:file create_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
@@ -58,6 +58,8 @@ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
+kernel_search_key(local_login_t)
+kernel_link_key(local_login_t)
dev_setattr_mouse_dev(local_login_t)
dev_getattr_mouse_dev(local_login_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 553f6ac..b9d91bf 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -30,6 +30,8 @@ ifdef(`distro_suse', `
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4efe47f..62f6100 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -151,6 +151,27 @@ interface(`logging_run_auditd',`
########################################
##
+## Connect to auditdstored over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_stream_connect_auditd',`
+ gen_require(`
+ type auditd_t, auditd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 auditd_var_run_t:dir search_dir_perms;
+ allow $1 auditd_var_run_t:sock_file rw_file_perms;
+ allow $1 auditd_t:unix_stream_socket connectto;
+')
+
+########################################
+##
## Manage the auditd configuration files.
##
##
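Review bot: The summary of the new `logging_stream_connect_auditd` reads `## Connect to auditdstored over an unix stream socket.`; `auditdstored` is a typo for `auditd` and `an unix` should be `a unix`. Separately, the body grants `auditd_var_run_t:sock_file rw_file_perms`, whereas connecting to a unix socket needs only write (plus getattr) on the socket file, so `allow $1 auditd_var_run_t:sock_file write;` would be the narrower grant, provided the callers do not also need the extra permissions. The `connectto` rule on `auditd_t:unix_stream_socket` is correct.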
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 195a1a1..ee6a7d2 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.10)
+policy_module(logging,1.3.11)
########################################
#
@@ -120,9 +120,10 @@ allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
allow auditd_t var_log_t:dir search;
-allow auditd_t auditd_var_run_t:file create_file_perms;
+allow auditd_t auditd_var_run_t:sock_file manage_file_perms;
+allow auditd_t auditd_var_run_t:file manage_file_perms;
allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(auditd_t,auditd_var_run_t,file)
+files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 0339693..86feb56 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -85,6 +85,6 @@
#
# /var
#
-/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
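Review bot: The new entry `/var/run/multipathd.sock -s gen_context(...)` leaves the `.` unescaped, so the regex also matches names such as `/var/run/multipathdXsock`; every other pid/socket entry in this diff escapes it (`auditd\.pid`, `klogd\.pid`). Change it to `/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)`. The reordering of the lvm lock line is fine.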
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 5c4a37d..114e1d8 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.3.5)
+policy_module(lvm,1.3.6)
########################################
#
@@ -133,6 +133,7 @@ allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
+allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms;
@@ -150,9 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
files_lock_filetrans(lvm_t,lvm_lock_t,file)
-allow lvm_t lvm_var_run_t:file create_file_perms;
-allow lvm_t lvm_var_run_t:dir create_dir_perms;
-files_pid_filetrans(lvm_t,lvm_var_run_t,file)
+allow lvm_t lvm_var_run_t:file manage_file_perms;
+allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
+allow lvm_t lvm_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 7f4bdcd..fb19fce 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -8,6 +8,7 @@ ifdef(`distro_gentoo',`
#
# /etc
#
+/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 7838a10..0c934e1 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -116,6 +116,26 @@ interface(`miscfiles_read_localization',`
########################################
##
+## Allow process to write localization info
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_rw_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ allow $1 locale_t:file rw_file_perms;
+')
+
+########################################
+##
## Allow process to read legacy time localization info
##
##
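Review bot: `miscfiles_rw_localization` hands out write access to every locale_t file, which includes `/etc/localtime` and the `/etc/avahi/etc/localtime` copy labeled earlier in this diff, so any domain granted this interface can change system-wide timezone and locale data read by all other processes. The summary `## Allow process to write localization info` should say that explicitly, e.g. `## Read and write localization info. This allows modifying system-wide locale and timezone data; grant sparingly.`, so callers are not added casually. Also, `files_search_usr($1)` alone does not provide search on /etc for the localtime paths; whether that is expected to come from the caller is not visible here.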
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 7ccd2bc..5ca7951 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
-policy_module(miscfiles,1.0.2)
+policy_module(miscfiles,1.0.3)
########################################
#
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 4966251..03a2156 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.3.9)
+policy_module(mount,1.3.10)
########################################
#
@@ -80,6 +80,7 @@ files_unmount_all_file_type_fs(mount_t)
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
+files_list_mnt(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
@@ -97,6 +98,8 @@ mls_file_write_down(mount_t)
sysnet_use_portmap(mount_t)
+selinux_get_enforce_mode(mount_t)
+
userdom_use_all_users_fds(mount_t)
ifdef(`distro_redhat',`
@@ -166,6 +169,10 @@ optional_policy(`
samba_domtrans_smbmount(mount_t)
')
+optional_policy(`
+ nscd_socket_use(mount_t)
+')
+
########################################
#
# Unconfined mount local policy
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2e89f2b..295ab39 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.12)
+policy_module(selinuxutil,1.2.13)
ifdef(`strict_policy',`
gen_require(`
@@ -463,6 +463,10 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
optional_policy(`
+ rpm_use_script_fds(restorecond_t)
+')
+
+optional_policy(`
# restorecond watches for users logging in,
# so it getspwnam when a user logs in to find his homedir
nis_use_ypbind(restorecond_t)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 1a6c288..b6523d7 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,5 +1,6 @@
# udev
+/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
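Review bot: `/dev/\.udev(/.*)?` labels an entire directory tree as udev_tbl_t, whereas the two existing entries label only regular files (`--`), so directories and any sockets or fifos under /dev/.udev now receive a type that was previously file-only. The udev.te change in this diff is just a version bump, so unless udev_t already has `udev_tbl_t:dir` manage rules and a matching filetrans (outside my view), udev may be denied creating that directory. Worth checking against a denial log, and a comment such as `# udev runtime database directory` would make the new scope clear.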
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 1006bf0..7fadd24 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.3.4)
+policy_module(udev,1.3.5)
########################################
#
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 36d1bf3..26df7d5 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
dev_unconfined($1)
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
+ domain_dontaudit_ptrace_all_domains($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 790aa31..6920aad 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.13)
+policy_module(unconfined,1.3.14)
########################################
#
@@ -195,4 +195,11 @@ ifdef(`targeted_policy',`
ifdef(`targeted_policy',`
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
+
+ optional_policy(`
+ dbus_stub(unconfined_execmem_t)
+
+ init_dbus_chat_script(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+ ')
')
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index bfdc355..fbc62fa 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -23,6 +23,42 @@ interface(`xen_domtrans',`
allow xend_t $1:process sigchld;
')
+########################################
+##
+## Inherit and use xen file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xen_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ allow $1 xend_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit
+## xen file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xen_dontaudit_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:fd use;
+')
########################################
##
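Review bot: The new `xen_use_fds` interface copies its parameter description from the dontaudit variant: it says `## Domain to not audit.` but this interface grants access, so it should read `## Domain allowed access.`. Also, the added block begins immediately after the `')` of `xen_domtrans` with no blank line before its `####` banner, unlike the one-blank-line separation used between the other interfaces in these .if files. Both are documentation/style nits; the allow and dontaudit bodies themselves are correct.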
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 720cfa7..4382e10 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.8)
+policy_module(xen,1.0.9)
########################################
#
@@ -69,7 +69,9 @@ init_daemon_domain(xm_t, xm_exec_t)
#
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
@@ -79,7 +81,7 @@ allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
allow xend_t xen_image_t:dir r_dir_perms;
-allow xend_t xen_image_t:file r_file_perms;
+allow xend_t xen_image_t:file rw_file_perms;
# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
@@ -128,8 +130,10 @@ corenet_tcp_sendrecv_all_ports(xend_t)
corenet_tcp_bind_all_nodes(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
dev_read_urand(xend_t)
dev_manage_xen(xend_t)
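Review bot: `corenet_tcp_bind_generic_port(xend_t)` lets xend bind any port in the generic range, a much wider listen surface than the existing xen_port and soundd_port binds, and the line has no comment. If this is for per-guest VNC consoles or the relocation listener (a guess; the hunk does not say), name it, `# xend binds unreserved ports for guest VNC consoles / relocation`; if the ports are fixed, a dedicated port type would be tighter. The `corenet_rw_tun_tap_dev` addition similarly merits a short note such as `# bridged vif tap devices`.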
@@ -138,19 +142,24 @@ dev_rw_sysfs(xend_t)
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
+domain_dontaudit_ptrace_all_domains(xend_t)
files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
files_read_kernel_img(xend_t)
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
+files_read_usr_files(xend_t)
storage_raw_read_fixed_disk(xend_t)
-term_dontaudit_getattr_all_user_ptys(xend_t)
-term_dontaudit_use_generic_ptys(xend_t)
+term_getattr_all_user_ptys(xend_t)
+term_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_pty_fs(xend_t)
init_use_fds(xend_t)
+init_use_script_ptys(xend_t)
libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)
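Review bot: Several `term_dontaudit_*` rules for xend_t become real grants here (`term_getattr_all_user_ptys`, `term_use_generic_ptys`, plus the new `term_use_ptmx`), so xend can now read and write generic ptys and stat every user's pty instead of merely having the denials silenced, with no comment on why. If this is for `xm console` handing guest consoles to the caller, a why-comment such as `# xm console: xend allocates and passes guest console ptys` would justify it, and `term_getattr_all_user_ptys` in particular looks unrelated to that use and could stay a dontaudit. The xend_t rule set continues outside this hunk.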
@@ -195,11 +204,14 @@ kernel_read_kernel_sysctls(xenconsoled_t)
kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)
+domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+
term_create_pty(xenconsoled_t,xen_devpts_t);
-term_dontaudit_use_generic_ptys(xenconsoled_t)
+term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)
@@ -238,10 +250,11 @@ dev_manage_xen(xenconsoled_t)
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
-term_dontaudit_use_generic_ptys(xenstored_t)
-term_dontaudit_use_console(xenconsoled_t)
+term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)
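Review bot: `term_use_console(xenconsoled_t)` on the changed line sits in the xenstored local-policy block but targets xenconsoled_t, which already receives `term_use_console` in its own section earlier in this diff; the old `term_dontaudit_use_console(xenconsoled_t)` looks like a pre-existing copy-paste and the edit carried the wrong domain forward. If xenstored needs the console, this should be `term_use_console(xenstored_t)`; otherwise the line is redundant and can be dropped. The xenstored_t rule set continues past the hunk.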