diff --git a/policy-F16.patch b/policy-F16.patch index 9083cd5..b066667 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1937,10 +1937,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..c66d190 +index 0000000..0bd2028 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,343 @@ +@@ -0,0 +1,349 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -2283,7 +2283,13 @@ index 0000000..c66d190 + permissive chrome_sandbox_nacl_t; +') + ++optional_policy(` ++ gen_require(` ++ type matahari_sysconfigd_t; ++ ') + ++ permissive matahari_sysconfigd_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -3859,10 +3865,10 @@ index 975af1a..634c47a 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index 2731fa1..22beabf 100644 +index 2731fa1..11212f2 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,110 @@ attribute sudodomain; +@@ -7,3 +7,111 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -3919,7 +3925,7 @@ index 2731fa1..22beabf 100644 +files_list_tmp(sudodomain) + +fs_search_auto_mountpoints(sudodomain) -+fs_getattr_xattr_fs(sudodomain) ++fs_getattr_all_fs(sudodomain) + +selinux_validate_context(sudodomain) +selinux_compute_relabel_context(sudodomain) @@ -3940,6 +3946,7 @@ index 2731fa1..22beabf 100644 + +logging_send_audit_msgs(sudodomain) +logging_send_syslog_msg(sudodomain) ++logging_set_audit_parameters(sudodomain) + +miscfiles_read_localization(sudodomain) + @@ -4664,10 +4671,10 @@ index 0000000..5901e21 +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) 
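Review bot: The new `permissive matahari_sysconfigd_t;` block carries no comment saying why the domain is permissive or when it is expected to be removed, and a permissive domain means every denial for that process is logged but not enforced. That is an enforcement gap for what, by its name, is a system-configuration agent, so it should be tracked rather than silently accumulated in permissivedomains.te. I would add a comment above the `optional_policy` such as `# matahari-sysconfigd policy is incomplete; permissive until the tracking bug is resolved, then drop`, with the bug reference filled in. The enclosing module is only partially visible here.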
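Review bot: `logging_set_audit_parameters(sudodomain)` is a much stronger grant than the `logging_send_audit_msgs(sudodomain)` two lines above: in reference policy that interface gives the caller the audit_control capability and netlink audit write, which is what is needed to change or disable audit rules, so every sudo domain could now tamper with the audit trail. If the AVC that motivated this was only sudo relaying a user-command or account message, `logging_send_audit_msgs` already covers it and this line should be dropped. If sudo genuinely needs to set the login uid or audit parameters, say so in a comment, e.g. `# sudo sets audit parameters for the new session (needs audit_control)`, so the next reviewer does not remove it. The sudodomain block continues outside this hunk.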
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..7cbe3a7 +index 0000000..1553356 --- /dev/null +++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,131 @@ +@@ -0,0 +1,133 @@ + +## policy for chrome + @@ -4755,6 +4762,8 @@ index 0000000..7cbe3a7 + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; + allow chrome_sandbox_t $2:unix_stream_socket { getattr read write }; ++ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; ++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; + + allow $2 chrome_sandbox_t:shm rw_shm_perms; @@ -4801,10 +4810,10 @@ index 0000000..7cbe3a7 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..0eb3c23 +index 0000000..859eb9f --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,177 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4889,6 +4898,7 @@ index 0000000..0eb3c23 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) ++userdom_search_user_home_content(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) 
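Review bot: The two added rules reference `chrome_sandbox_nacl_t` from inside an interface, but the interface's `gen_require` block is above the hunk and nothing here shows that type being required; unless it already lists it, any module that calls this interface will fail to build with an undeclared type. Add `type chrome_sandbox_nacl_t;` to that `gen_require` (the interface name itself is not visible in this hunk). It is also worth a one-line comment that `$2`, the user domain running the browser, is intentionally allowed to read and write the NaCl helper's inherited stream sockets, since that is the boundary the sandbox exists to narrow.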
@@ -4950,6 +4960,8 @@ index 0000000..0eb3c23 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_nacl_t self:shm create_shm_perms; +allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read }; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read }; + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; @@ -4963,6 +4975,7 @@ index 0000000..0eb3c23 +dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero; + +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) ++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) + +kernel_read_system_state(chrome_sandbox_nacl_t) + @@ -7174,7 +7187,7 @@ index 40e0a2a..93d212c 100644 ## ## Send generic signals to user gpg processes. diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..b5d4ca3 100644 +index 9050e8c..401a4ec 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -7249,7 +7262,7 @@ index 9050e8c..b5d4ca3 100644 mta_write_config(gpg_t) -@@ -142,6 +161,15 @@ tunable_policy(`use_samba_home_dirs',` +@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` 
@@ -7265,22 +7278,29 @@ index 9050e8c..b5d4ca3 100644 mozilla_read_user_home_files(gpg_t) mozilla_write_user_home_files(gpg_t) ') -@@ -151,10 +179,10 @@ optional_policy(` - xserver_rw_xdm_pipes(gpg_t) + + optional_policy(` +- xserver_use_xdm_fds(gpg_t) +- xserver_rw_xdm_pipes(gpg_t) ++ spamassassin_read_spamd_tmp_files(gpg_t) ') --optional_policy(` + optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) --') ++ xserver_use_xdm_fds(gpg_t) ++ xserver_rw_xdm_pipes(gpg_t) + ') + +#optional_policy(` +# cron_system_entry(gpg_t, gpg_exec_t) +# cron_read_system_job_tmp_files(gpg_t) +#') - ++ ######################################## # -@@ -191,7 +219,7 @@ files_read_etc_files(gpg_helper_t) + # GPG helper local policy +@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) @@ -7289,7 +7309,7 @@ index 9050e8c..b5d4ca3 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -7303,7 +7323,7 @@ index 9050e8c..b5d4ca3 100644 allow gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -@@ -239,19 +268,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -7326,7 +7346,7 @@ index 9050e8c..b5d4ca3 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) ') -@@ -332,6 +362,10 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) 
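Review bot: `spamassassin_read_spamd_tmp_files(gpg_t)` is added with no comment explaining why a signing tool needs to read spamd's temporary files, and the four `#optional_policy`/`# cron_system_entry` lines are left behind as commented-out code rather than removed. If the driver is sa-update invoking gpg to verify signed rule updates, record that: `# sa-update runs gpg on rule files staged in spamd's tmp directory`; if it is something else, the comment should say what. The cron block is preserved in history already, so delete it instead of keeping dead text in the .te file.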
@@ -7337,7 +7357,7 @@ index 9050e8c..b5d4ca3 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -342,11 +376,21 @@ tunable_policy(`use_samba_home_dirs',` +@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -7359,7 +7379,7 @@ index 9050e8c..b5d4ca3 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +400,28 @@ optional_policy(` +@@ -356,4 +404,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -8010,7 +8030,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..6c95832 100644 +index fbb5c5a..8fe4551 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -8048,7 +8068,14 @@ index fbb5c5a..6c95832 100644 ') ######################################## -@@ -203,6 +213,15 @@ interface(`mozilla_domtrans_plugin',` +@@ -197,12 +207,21 @@ interface(`mozilla_domtrans',` + # + interface(`mozilla_domtrans_plugin',` + gen_require(` +- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; ++ type mozilla_plugin_t, mozilla_plugin_exec_t; + class dbus send_msg; + ') domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) allow mozilla_plugin_t $1:process signull; @@ -14318,7 +14345,7 @@ index 6cf8784..12bd6fc 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..60394ec 100644 +index f820f3b..c2a334f 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -14610,7 +14637,34 @@ index f820f3b..60394ec 100644 ## Delete all block device files. ## ## -@@ -2358,7 +2504,97 @@ interface(`dev_filetrans_lirc',` +@@ -1648,6 +1794,26 @@ interface(`dev_filetrans_cardmgr',` + + ######################################## + ## ++## Automatic type transition to the type ++## for xserver misc device nodes when ++## created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_xserver_misc',` ++ gen_require(` ++ type device_t, xserver_misc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file ) ++') ++ ++######################################## ++## + ## Get the attributes of the CPU + ## microcode and id interfaces. + ## +@@ -2358,7 +2524,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -14709,7 +14763,7 @@ index f820f3b..60394ec 100644 ## ## ## -@@ -2681,7 +2917,7 @@ interface(`dev_write_misc',` +@@ -2681,7 +2937,7 @@ interface(`dev_write_misc',` ## ## ## @@ -14718,7 +14772,7 @@ index f820f3b..60394ec 100644 ## ## # -@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2931,8 +3187,8 @@ interface(`dev_dontaudit_write_mtrr',` type mtrr_device_t; ') @@ -14729,7 +14783,7 @@ index f820f3b..60394ec 100644 ') ######################################## -@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',` +@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -14754,7 +14808,7 @@ index f820f3b..60394ec 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3811,6 +4029,42 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
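Review bot: `filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )` is an unnamed transition, so every character device node the caller creates directly in a `device_t` directory that is not matched by a named rule becomes `xserver_misc_device_t`, which the summary "when created in /dev" does not make obvious. Nothing on this page calls `dev_filetrans_xserver_misc` (the `dev_manage_xserver_misc` interface added later uses the named variant), so either scope this to the specific node names or make the catch-all explicit: `## Automatic type transition of any otherwise-unmatched character device node the domain creates in /dev to xserver_misc_device_t.` The stray space in `chr_file )` should also go.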
@@ -14797,7 +14851,7 @@ index f820f3b..60394ec 100644 ## Search the sysfs directories. ## ## -@@ -3902,25 +4156,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -14823,7 +14877,7 @@ index f820f3b..60394ec 100644 ## Read hardware state information. ## ## -@@ -3972,6 +4207,42 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -14866,7 +14920,7 @@ index f820f3b..60394ec 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4340,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -14892,7 +14946,7 @@ index f820f3b..60394ec 100644 ## Getattr generic the USB devices. ## ## -@@ -4495,6 +4785,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4805,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -14917,7 +14971,34 @@ index f820f3b..60394ec 100644 ## Read and write VMWare devices. ## ## -@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',` +@@ -4695,6 +5023,26 @@ interface(`dev_rw_xserver_misc',` + + ######################################## + ## ++## Read and write X server miscellaneous devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_xserver_misc',` ++ gen_require(` ++ type device_t, xserver_misc_device_t; ++ ') ++ ++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t) ++ ++ dev_filetrans_xserver_named_dev($1) ++') ++ ++######################################## ++## + ## Read and write to the zero device (/dev/zero). + ## + ## +@@ -4784,3 +5132,812 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -14956,7 +15037,6 @@ index f820f3b..60394ec 100644 +gen_require(` + type device_t; + type usb_device_t; -+ type xserver_misc_device_t; + type sound_device_t; + type apm_bios_t; + type mouse_device_t; @@ -15000,7 +15080,6 @@ index f820f3b..60394ec 100644 + type mtrr_device_t; +') + -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") @@ -15075,7 +15154,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep") + filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") + filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1") @@ -15172,8 +15250,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") 
@@ -15291,16 +15367,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0") 
@@ -15359,20 +15425,8 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9") + filetrans_pattern($1, device_t, null_device_t, chr_file, "null") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") + filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") 
@@ -15520,17 +15574,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1") 
@@ -15587,16 +15630,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9") + filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt") + filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2") 
@@ -15711,6 +15744,72 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") ++ dev_filetrans_xserver_named_dev($1) ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_xserver_named_dev',` ++ ++ gen_require(` ++ type xserver_misc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") ++ 
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") ++ filetrans_pattern($1, device_t, 
xserver_misc_device_t, chr_file, "card6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 08f01e7..1c2562c 100644 @@ -15840,7 +15939,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..b949cfb 100644 +index fae1ab1..a60d2f8 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) 
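Review bot: `dev_filetrans_xserver_named_dev` requires only `type xserver_misc_device_t;` but every `filetrans_pattern` line in it also uses `device_t`; the sibling `dev_filetrans_all_named_dev` requires `type device_t;` explicitly, and a loadable module that calls the new interface directly, without another rule that already requires `device_t`, may fail to build. Change the block to `type device_t, xserver_misc_device_t;`. The summary "Create all named devices with the correct label" was copied from the all-devices interface and should name what this one covers, e.g. `## Named type transitions to xserver_misc_device_t for the X server device nodes (3dfx, controlD64, nvidia*, vbox*, card*, ...) created in /dev.` The blank line between `interface(` and `gen_require(` does not match the rest of the file.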
@@ -15933,11 +16032,104 @@ index fae1ab1..b949cfb 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *; +@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + # act on all domains keys + allow unconfined_domain_type domain:key *; ++dev_filetrans_all_named_dev(unconfined_domain_type) ++ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + ++storage_filetrans_all_named_dev(unconfined_domain_type) ++ ++term_filetrans_all_named_dev(unconfined_domain_type) ++ ++optional_policy(` ++ authlogin_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ alsa_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ apache_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ bootloader_filetrans_config(unconfined_domain_type) ++') ++ ++optional_policy(` ++ gnome_filetrans_admin_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ devicekit_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ dnsmasq_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ kerberos_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ libs_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ miscfiles_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ mta_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ modules_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ networkmanager_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ nx_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ 
postfix_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ pulseaudio_filetrans_home_content(unconfined_domain_type) ++ pulseaudio_filetrans_admin_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ quota_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ sysnet_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) ++') ++ ++optional_policy(` ++ virt_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ ssh_filetrans_admin_home_content(unconfined_domain_type) ++') ++ +selinux_getattr_fs(domain) +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) @@ -21006,7 +21198,7 @@ index 2be17d2..b172ab4 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..2d6db89 100644 +index e14b961..c6aa0bc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,52 @@ ifndef(`enable_mls',` @@ -21150,14 +21342,14 @@ index e14b961..2d6db89 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` -+ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) ++ kudzu_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') 
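Review bot: The new `optional_policy` blocks in domain.te do not follow the file's alphabetical-by-module convention: `gnome` sits between `bootloader` and `devicekit`, and `ssh` is placed after `virt` instead of before `sysnet`. The three kernel-layer calls are also scattered, with `dev_filetrans_all_named_dev` under the "act on all domains keys" comment and `storage_`/`term_filetrans_all_named_dev` after the recvfrom rule; group them under their own comment, e.g. `# name-based transitions so device nodes created by unconfined domains get their proper labels`. Since these rules now apply to every `unconfined_domain_type` rather than only `unconfined_t` (the matching removals are in unconfineduser.te), the labels of nodes created by any system-level unconfined domain change too, which is presumably intended but deserves a sentence in the commit message.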
@@ -21239,43 +21431,47 @@ index e14b961..2d6db89 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,19 +334,19 @@ optional_policy(` +@@ -253,31 +334,32 @@ optional_policy(` ') optional_policy(` - pyzor_role(sysadm_r, sysadm_t) -+ prelink_run(sysadm_t, sysadm_r) ++ postfix_filetrans_named_content(sysadm_t) ') optional_policy(` - quota_run(sysadm_t, sysadm_r) -+ puppet_run_puppetca(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) -+ quota_run(sysadm_t, sysadm_r) ++ puppet_run_puppetca(sysadm_t, sysadm_r) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) ++ quota_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- rpc_domtrans_nfsd(sysadm_t) + raid_domtrans_mdadm(sysadm_t) ') optional_policy(` -@@ -274,10 +355,7 @@ optional_policy(` +- rpm_run(sysadm_t, sysadm_r) ++ rpc_domtrans_nfsd(sysadm_t) + ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) --') -- --optional_policy(` - rssh_role(sysadm_r, sysadm_t) ++ rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') optional_policy(` -@@ -302,12 +380,18 @@ optional_policy(` +@@ -302,12 +384,18 @@ optional_policy(` ') optional_policy(` @@ -21295,7 +21491,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -332,7 +416,10 @@ optional_policy(` +@@ -332,7 +420,10 @@ optional_policy(` ') optional_policy(` @@ -21307,7 +21503,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -343,19 +430,15 @@ optional_policy(` +@@ -343,19 +434,15 @@ optional_policy(` ') optional_policy(` @@ -21329,7 +21525,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -367,45 +450,45 @@ optional_policy(` +@@ -367,45 +454,45 @@ optional_policy(` ') optional_policy(` @@ -21386,7 +21582,7 @@ index e14b961..2d6db89 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +501,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +505,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -21397,7 +21593,7 @@ index e14b961..2d6db89 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +518,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +522,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -21405,7 +21601,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -446,11 +526,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +530,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22184,10 +22380,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..b1e60db +index 0000000..4163dc5 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,499 @@ +@@ -0,0 +1,442 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -22271,20 +22467,6 @@ index 0000000..b1e60db +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) + -+dev_filetrans_all_named_dev(unconfined_t) -+storage_filetrans_all_named_dev(unconfined_t) -+term_filetrans_all_named_dev(unconfined_t) -+ -+authlogin_filetrans_named_content(unconfined_t) -+ -+miscfiles_filetrans_named_content(unconfined_t) -+ -+sysnet_filetrans_named_content(unconfined_t) -+ -+optional_policy(` -+ ssh_filetrans_admin_home_content(unconfined_t) -+') -+ +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) +mls_file_write_all_levels(unconfined_t) @@ -22293,8 +22475,6 @@ index 0000000..b1e60db +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) + -+lib_filetrans_named_content(unconfined_t) -+ +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + @@ -22307,8 +22487,6 @@ index 0000000..b1e60db + +unconfined_domain_noaudit(unconfined_t) + -+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) -+ +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + 
@@ -22361,7 +22539,6 @@ index 0000000..b1e60db + devicekit_dbus_chat(unconfined_usertype) + devicekit_dbus_chat_disk(unconfined_usertype) + devicekit_dbus_chat_power(unconfined_usertype) -+ devicekit_filetrans_named_content(unconfined_usertype) + ') + + optional_policy(` @@ -22370,7 +22547,6 @@ index 0000000..b1e60db + + optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) -+ networkmanager_filetrans_named_content(unconfined_usertype) + ') + + optional_policy(` @@ -22415,12 +22591,7 @@ index 0000000..b1e60db +') + +optional_policy(` -+ alsa_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + apache_run_helper(unconfined_t, unconfined_r) -+ apache_filetrans_home_content(unconfined_t) +') + +optional_policy(` @@ -22428,10 +22599,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ bootloader_filetrans_config(unconfined_t) -+') -+ -+optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_usertype) + + tunable_policy(`unconfined_chrome_sandbox_transition',` @@ -22475,7 +22642,6 @@ index 0000000..b1e60db + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) -+ gnome_filetrans_admin_home_content(unconfined_usertype) + gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + @@ -22505,10 +22671,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ dnsmasq_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + @@ -22525,10 +22687,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ kerberos_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + @@ -22542,7 +22700,6 @@ index 0000000..b1e60db + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) -+ modules_filetrans_named_content(unconfined_t) +') + +optional_policy(` 
@@ -22561,18 +22718,10 @@ index 0000000..b1e60db +') + +optional_policy(` -+ mta_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + ncftool_run(unconfined_t, unconfined_r) +') + +optional_policy(` -+ nx_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + @@ -22585,15 +22734,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ pulseaudio_filetrans_admin_home_content(unconfined_usertype) -+ pulseaudio_filetrans_home_content(unconfined_usertype) -+') -+ -+optional_policy(` -+ quota_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) @@ -22622,7 +22762,6 @@ index 0000000..b1e60db + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_filetrans_home_content(unconfined_t) +') + +optional_policy(` @@ -23069,7 +23208,7 @@ index 1bd5812..0d7d8d1 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..6b739e6 100644 +index 0b827c5..b2d6129 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -23090,7 +23229,7 @@ index 0b827c5..6b739e6 100644 ## ## ## -@@ -169,12 +169,51 @@ interface(`abrt_run_helper',` +@@ -169,12 +169,52 @@ interface(`abrt_run_helper',` ## ## # 
@@ -23139,11 +23278,12 @@ index 0b827c5..6b739e6 100644 ') manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ') #################################### -@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',` +@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -23168,7 +23308,7 @@ index 0b827c5..6b739e6 100644 ##################################### ## ## All of the rules required to administrate -@@ -286,18 +343,116 @@ interface(`abrt_admin',` +@@ -286,18 +344,116 @@ interface(`abrt_admin',` role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; @@ -24127,7 +24267,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..8002a1f 100644 +index 9e39aa5..a9959fa 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ @@ -24139,8 +24279,8 @@ index 9e39aa5..8002a1f 100644 /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) 
@@ -24191,8 +24331,8 @@ index 9e39aa5..8002a1f 100644 -/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -24217,7 +24357,7 @@ index 9e39aa5..8002a1f 100644 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -29165,10 +29305,10 @@ index 6077339..d10acd2 100644 dev_manage_generic_blk_files(clogd_t) diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc new file mode 100644 -index 0000000..2c745ea +index 0000000..b5058ac --- /dev/null +++ b/policy/modules/services/cloudform.fc -@@ -0,0 +1,16 @@ +@@ -0,0 +1,23 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + 
@@ -29177,6 +29317,8 @@ index 0000000..2c745ea +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) + ++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) ++ +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) +/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) @@ -29185,6 +29327,11 @@ index 0000000..2c745ea +/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) +/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) + ++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) ++ ++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) ++ ++ diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if new file mode 100644 index 0000000..917f8d4 @@ -29216,10 +29363,10 @@ index 0000000..917f8d4 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..1852397 +index 0000000..c7ee7dd --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,201 @@ +@@ -0,0 +1,207 @@ +policy_module(cloudform, 1.0) + +######################################## @@ -29355,14 +29502,11 @@ index 0000000..1852397 +# mongod local policy +# + -+#WHY? -+allow mongod_t self:process execmem; -+ -+allow mongod_t self:process setsched; -+ -+allow mongod_t self:process { fork signal }; ++allow mongod_t self:process { setsched signal }; + ++allow mongod_t self:netlink_route_socket r_netlink_socket_perms; +allow mongod_t self:unix_stream_socket create_stream_socket_perms; ++allow mongod_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) 
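Review bot: Labeling `/usr/share/aeolus-conductor/dbomatic/dbomatic` as mongod_exec_t runs a different program in mongod_t instead of a domain of its own, so dbomatic inherits every rule written for the database server, and every rule added for dbomatic widens mongod in turn (the cloudform.te hunk further down this line adds udp_socket and netlink_route_socket permissions to mongod_t, and its pid file is mapped to mongod_var_run_t). If the two need different permission sets, a separate domain keeps them from growing together; if sharing the domain is deliberate, a comment such as `# dbomatic intentionally runs in mongod_t, see cloudform.te` next to the new fc entries records that decision. The two trailing empty `++` lines at the end of the second fc hunk look like stray whitespace.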
@@ -29377,12 +29521,21 @@ index 0000000..1852397 + +manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) +manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++#needed by dbomatic ++files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) + +corenet_tcp_bind_generic_node(mongod_t) -+#temporary +corenet_tcp_bind_generic_port(mongod_t) + -+domain_use_interactive_fds(mongod_t) ++files_read_usr_files(mongod_t) ++ ++optional_policy(` ++ mysql_stream_connect(mongod_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(mongod_t) ++') + +optional_policy(` + sysnet_dns_name_resolve(mongod_t) @@ -33521,7 +33674,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..afb61c9 100644 +index f706b99..5001351 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -33645,7 +33798,7 @@ index f706b99..afb61c9 100644 + type devicekit_var_log_t; + ') + -+ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms; ++ dontaudit $1 devicekit_var_log_t:file rw_file_perms; +') + +######################################## @@ -35304,7 +35457,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..87949e8 100644 +index acf6d4f..2fbb869 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
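Review bot: Dropping the `#temporary` marker above `corenet_tcp_bind_generic_port(mongod_t)` makes binding to any generic port a permanent part of the mongod policy without stating why, whereas a daemon with a fixed listening port is normally given a dedicated port type declared in corenetwork and a matching bind interface. If the generic bind has to stay because dbomatic or thin pick ports dynamically, a one-line comment saying so would preserve the reason the old marker carried. The `#needed by dbomatic` comment on the new `files_pid_filetrans` would likewise be more useful if it named the pid file it is for.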
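Review bot: Changing the devicekit.if dontaudit to `dontaudit $1 devicekit_var_log_t:file rw_file_perms;` widens it from operations on an already-inherited descriptor to `open` as well, so a domain that tries to open the devicekit log on its own now fails silently instead of leaving an AVC record to investigate. `rw_inherited_file_perms` is the narrower set and the one normally used for a leaked-fd dontaudit; if the wider set is intended, the interface description should say that callers are expected to open the log file themselves.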
@@ -35395,15 +35548,17 @@ index acf6d4f..87949e8 100644 postgresql_stream_connect(dovecot_t) ') -@@ -180,7 +196,7 @@ optional_policy(` +@@ -180,8 +196,8 @@ optional_policy(` # dovecot auth local policy # -allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; -+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid }; - allow dovecot_auth_t self:process { signal_perms getcap setcap }; +-allow dovecot_auth_t self:process { signal_perms getcap setcap }; ++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; ++allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; + allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -38642,10 +38797,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..86ba356 100644 +index 4fde46b..4978f18 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; 
@@ -38653,14 +38808,17 @@ index 4fde46b..86ba356 100644 +allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; - -+kernel_read_system_state(gnomeclock_t) ++allow gnomeclock_t self:unix_dgram_socket create_socket_perms; + ++kernel_read_system_state(gnomeclock_t) + corecmd_exec_bin(gnomeclock_t) +corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) ++ ++dev_read_sysfs(gnomeclock_t) - files_read_etc_files(gnomeclock_t) +-files_read_etc_files(gnomeclock_t) +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) @@ -38672,7 +38830,7 @@ index 4fde46b..86ba356 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -41059,7 +41217,7 @@ index 3aa8fa7..40b10fa 100644 + ldap_systemctl($1) ') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te -index 64fd1ff..211180e 100644 +index 64fd1ff..0f5d0b7 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; @@ -41119,6 +41277,14 @@ index 64fd1ff..211180e 100644 kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) +@@ -106,6 +123,7 @@ files_read_usr_files(slapd_t) + files_list_var_lib(slapd_t) + + auth_use_nsswitch(slapd_t) ++auth_rw_cache(slapd_t) + + logging_send_syslog_msg(slapd_t) + diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if index 771e04b..81d98b3 100644 --- a/policy/modules/services/likewise.if @@ -41984,13 +42150,14 @@ index 0000000..5b84980 +') 
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 -index 0000000..ac84e59 +index 0000000..7f36870 --- /dev/null +++ b/policy/modules/services/matahari.fc -@@ -0,0 +1,27 @@ +@@ -0,0 +1,30 @@ +/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0) + +/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) + @@ -41998,6 +42165,8 @@ index 0000000..ac84e59 + +/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) + ++/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0) ++ +/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) + +/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) @@ -42017,10 +42186,10 @@ index 0000000..ac84e59 +/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if new file mode 100644 -index 0000000..0432f2e +index 0000000..0d771fd --- /dev/null +++ b/policy/modules/services/matahari.if -@@ -0,0 +1,247 @@ +@@ -0,0 +1,250 @@ +## policy for matahari + +###################################### @@ -42039,10 +42208,10 @@ index 0000000..0432f2e + attribute matahari_domain; + ') + -+ ############################## -+ # -+ # Declarations -+ # ++ ############################## ++ # ++ # Declarations ++ # + + type matahari_$1_t, matahari_domain; + type matahari_$1_exec_t; 
@@ -42261,6 +42430,9 @@ index 0000000..0432f2e + allow $1 matahari_serviced_t:process { ptrace signal_perms }; + ps_process_pattern($1, matahari_serviced_t) + ++ allow $1 matahari_sysconfigd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, matahari_sysconfigd_t) ++ + files_search_var_lib($1) + admin_pattern($1, matahari_var_lib_t) + @@ -42270,10 +42442,10 @@ index 0000000..0432f2e +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..19d82c3 +index 0000000..215407c --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,100 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -42286,6 +42458,7 @@ index 0000000..19d82c3 +matahari_domain_template(hostd) +matahari_domain_template(netd) +matahari_domain_template(serviced) ++matahari_domain_template(sysconfigd) + +type matahari_initrc_exec_t; +init_script_file(matahari_initrc_exec_t) @@ -42330,9 +42503,25 @@ index 0000000..19d82c3 +# +# matahari_serviced local policy +# ++allow matahari_serviced_t self:process setpgid; ++ ++kernel_read_network_state(matahari_serviced_t) ++ ++dev_read_sysfs(matahari_serviced_t) + +domain_use_interactive_fds(matahari_serviced_t) -+init_spec_domtrans_script(matahari_serviced_t) ++ ++files_read_etc_runtime_files(matahari_serviced_t) ++ ++init_domtrans_script(matahari_serviced_t) ++ ++systemd_config_all_services(matahari_serviced_t) ++ ++######################################## ++# ++# matahari_sysconfigd local policy ++# ++dev_read_sysfs(matahari_sysconfigd_t) + +####################################### +# @@ -48079,7 +48268,7 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..4f9a575 100644 +index 06e217d..ab25c8c 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te 
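Review bot: The new `init_domtrans_script(matahari_serviced_t)` and `systemd_config_all_services(matahari_serviced_t)` let the service agent start, stop and reconfigure every service on the host, which for a remotely driven management agent is the purpose of the domain but also its entire exposure, and nothing in the block records that the breadth is intentional. A comment such as `# serviced starts, stops and configures arbitrary services on behalf of the broker` above the two calls would tell the next reader not to trim them. The new `matahari_sysconfigd local policy` section holds only `dev_read_sysfs(matahari_sysconfigd_t)`; if the remaining rules are still being collected, a comment saying so would explain the near-empty block.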
@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1) @@ -48116,7 +48305,7 @@ index 06e217d..4f9a575 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t) +@@ -60,10 +68,26 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -48135,6 +48324,7 @@ index 06e217d..4f9a575 100644 + +optional_policy(` + xserver_xdm_manage_spool(plymouthd_t) ++ xserver_read_state_xdm(plymouthd_t) +') + +term_use_unallocated_ttys(plymouthd_t) @@ -48142,7 +48332,7 @@ index 06e217d..4f9a575 100644 ######################################## # # Plymouth private policy -@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +98,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -48150,7 +48340,7 @@ index 06e217d..4f9a575 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +112,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -49046,7 +49236,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..c22af86 100644 +index 46bee12..ca32d30 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` 
@@ -49095,6 +49285,15 @@ index 46bee12..c22af86 100644 ') ######################################## +@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',` + ') + + files_search_etc($1) +- filetrans_pattern($1, postfix_etc_t, $2, $3) ++ filetrans_pattern($1, postfix_etc_t, $2, $3, $4) + ') + + ######################################## @@ -272,7 +276,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -49282,7 +49481,7 @@ index 46bee12..c22af86 100644 ') ######################################## -@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -49359,6 +49558,8 @@ index 46bee12..c22af86 100644 + admin_pattern($1, postfix_prng_t) + + admin_pattern($1, postfix_public_t) ++ ++ postfix_filetrans_named_content($1) +') + +######################################## @@ -49386,6 +49587,26 @@ index 46bee12..c22af86 100644 + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; +') ++ ++######################################## ++## ++## Transition to postfix named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_filetrans_named_content',` ++ gen_require(` ++ type postfix_exec_t; ++ type postfix_prng_t; ++ ') ++ ++ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script") ++ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ++') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index a32c4b3..3a59bac 100644 --- a/policy/modules/services/postfix.te @@ -50251,7 +50472,7 @@ index b524673..921a60f 100644 + ppp_systemctl($1) ') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..399a452 100644 +index 2af42e7..20f5d6b 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) 
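Review bot: `postfix_config_filetrans` gains a fourth argument with `filetrans_pattern($1, postfix_etc_t, $2, $3, $4)`, but its parameter documentation, which sits above the hunk and is not shown, is not extended, so callers reading the interface will not learn that a file name may be supplied. Add a `<param name="filename" optional="true">` entry describing it and noting that existing three-argument callers keep their unnamed transition. The new `postfix_filetrans_named_content` further down this line, which passes `"postfix-script"` and `"prng_exch"`, is the first caller to rely on it and is worth citing in that description.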
@@ -50378,7 +50599,7 @@ index 2af42e7..399a452 100644 ') optional_policy(` -@@ -243,14 +252,17 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -50391,13 +50612,14 @@ index 2af42e7..399a452 100644 kernel_list_proc(pptp_t) +kernel_signal(pptp_t) kernel_read_kernel_sysctls(pptp_t) ++kernel_read_network_state(pptp_t) kernel_read_proc_symlinks(pptp_t) kernel_read_system_state(pptp_t) +kernel_signal(pptp_t) dev_read_sysfs(pptp_t) -@@ -265,9 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) +@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) corenet_raw_sendrecv_generic_node(pptp_t) corenet_tcp_sendrecv_all_ports(pptp_t) corenet_tcp_bind_generic_node(pptp_t) @@ -55588,7 +55810,7 @@ index 82cb169..0a29f68 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..f0f6907 100644 +index e30bb63..9010ac2 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) @@ -55632,7 +55854,7 @@ index e30bb63..f0f6907 100644 # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -59626,7 +59848,7 @@ index 904f13e..464347f 100644 init_labeled_script_domtrans($1, tor_initrc_exec_t) 
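Review bot: `kernel_signal(pptp_t)` appears twice on the new side of the ppp.te hunk, once before `kernel_read_kernel_sysctls(pptp_t)` and again after `kernel_read_system_state(pptp_t)`; the duplication seems to predate this change, which only inserts `kernel_read_network_state(pptp_t)` between them, but since the hunk is being touched anyway one of the two should go. Duplicate rules are harmless to the compiled policy and only cost readability.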
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index c842cad..fe5deee 100644 +index c842cad..1136b10 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t) @@ -59637,7 +59859,7 @@ index c842cad..fe5deee 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -95,6 +96,7 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -59645,6 +59867,10 @@ index c842cad..fe5deee 100644 # tor uses crypto and needs random dev_read_urand(tor_t) ++dev_read_sysfs(tor_t) + + domain_use_interactive_fds(tor_t) + diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if index 54b8605..752697f 100644 --- a/policy/modules/services/tuned.if @@ -60476,7 +60702,7 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..b944b61 100644 +index 2124b6a..49c15d1 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,5 +1,6 @@ @@ -60488,7 +60714,7 @@ index 2124b6a..b944b61 100644 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +13,37 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) 
@@ -60521,8 +60747,10 @@ index 2124b6a..b944b61 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for AEOLUS project ++/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) ++/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) @@ -61075,7 +61303,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..d2d599b 100644 +index 3eca020..f6d46db 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) @@ -61301,7 +61529,7 @@ index 3eca020..d2d599b 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +224,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +224,24 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -61323,14 +61551,10 @@ index 3eca020..d2d599b 100644 +') + +optional_policy(` -+ xen_rw_image_files(svirt_t) -+') -+ -+optional_policy(` xen_rw_image_files(svirt_t) ') -@@ -174,21 +255,36 @@ optional_policy(` +@@ -174,21 +251,36 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
@@ -61373,9 +61597,11 @@ index 3eca020..d2d599b 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +296,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -199,9 +291,17 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) ++manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:file { relabelfrom relabelto }; -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; @@ -61391,7 +61617,7 @@ index 3eca020..d2d599b 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +320,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +317,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -61407,7 +61633,7 @@ index 3eca020..d2d599b 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +345,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -61440,7 +61666,7 @@ index 3eca020..d2d599b 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +377,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
@@ -61459,14 +61685,14 @@ index 3eca020..d2d599b 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +415,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +412,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -61485,11 +61711,12 @@ index 3eca020..d2d599b 100644 +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) -+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) ++#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) ++virt_filetrans_home_content(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +456,10 @@ optional_policy(` +@@ -313,6 +454,10 @@ optional_policy(` ') optional_policy(` @@ -61500,7 +61727,7 @@ index 3eca020..d2d599b 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,16 +476,23 @@ optional_policy(` +@@ -329,16 +474,23 @@ optional_policy(` ') optional_policy(` @@ -61524,7 +61751,7 @@ index 3eca020..d2d599b 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +514,12 @@ optional_policy(` +@@ -360,11 +512,12 @@ optional_policy(` ') optional_policy(` @@ -61542,7 +61769,7 @@ index 3eca020..d2d599b 100644 ') optional_policy(` -@@ -394,20 +549,36 @@ optional_policy(` +@@ -394,20 +547,36 @@ optional_policy(` # virtual domains common policy # 
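Review bot: The commented-out `#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` is kept beside its replacement `virt_filetrans_home_content(virtd_t)`; since the replacement is what takes effect, the dead line should be removed rather than left as a comment, or given a one-line reason if it is being kept for a later revert. In the same hunk the blank line now separates `selinux_validate_context(virtd_t)` from the seutil calls it was previously grouped with, which looks accidental.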
@@ -61582,7 +61809,7 @@ index 3eca020..d2d599b 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +587,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -61595,7 +61822,7 @@ index 3eca020..d2d599b 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +601,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +599,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -61608,7 +61835,7 @@ index 3eca020..d2d599b 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +614,359 @@ files_search_all(virt_domain) +@@ -440,25 +612,362 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -61772,6 +61999,7 @@ index 3eca020..d2d599b 100644 +allow virtd_lxc_t self:packet_socket create_socket_perms; + +allow virtd_lxc_t virt_image_type:dir mounton; ++manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { signal signull sigkill }; @@ -61790,6 +62018,8 @@ index 3eca020..d2d599b 100644 +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; + ++storage_manage_fixed_disk(virtd_lxc_t) ++ +kernel_read_network_state(virtd_lxc_t) +kernel_search_network_sysctl(virtd_lxc_t) +kernel_read_sysctl(virtd_lxc_t) @@ -63574,7 +63804,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') 
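Review bot: `storage_manage_fixed_disk(virtd_lxc_t)` gives the container driver create, delete and read/write access on fixed-disk device nodes, which is more than attaching an existing block device to a container requires; if only raw access to existing nodes is needed, `storage_raw_rw_fixed_disk(virtd_lxc_t)` is the narrower interface. Nothing in the hunk says why node creation is required, so a comment should state the use case either way. The `manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)` that the preceding hunk on this line appears to add has the same gap: virtd_lxc_t already holds `mounton` on virt_image_type, and a note on why full file management of images is needed would help a later reader judge it.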
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..c3e4d56 100644 +index 143c893..40e56f1 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -64438,7 +64668,7 @@ index 143c893..c3e4d56 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -64446,8 +64676,13 @@ index 143c893..c3e4d56 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t) - dev_rw_xserver_misc(xserver_t) + dev_read_raw_memory(xserver_t) + dev_wx_raw_memory(xserver_t) + # for other device nodes such as the NVidia binary-only driver +-dev_rw_xserver_misc(xserver_t) ++dev_manage_xserver_misc(xserver_t) ++dev_filetrans_xserver_misc(xserver_t) ++ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) +dev_read_raw_memory(xserver_t) @@ -64464,7 +64699,7 @@ index 143c893..c3e4d56 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -64478,7 +64713,7 @@ index 143c893..c3e4d56 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1067,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1069,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
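Review bot: Replacing `dev_rw_xserver_misc(xserver_t)` with `dev_manage_xserver_misc(xserver_t)` and `dev_filetrans_xserver_misc(xserver_t)` moves the X server from using existing misc device nodes to creating and removing them, yet the comment kept above it, `# for other device nodes such as the NVidia binary-only driver`, still describes the old read/write need. Update it to say which driver has to create its own nodes and why the filetrans is needed, so the extra permission is not trimmed back on a later cleanup. The enclosing xserver_t block continues outside the hunk.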
@@ -64487,7 +64722,7 @@ index 143c893..c3e4d56 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -64502,7 +64737,7 @@ index 143c893..c3e4d56 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1133,40 @@ optional_policy(` +@@ -778,16 +1135,40 @@ optional_policy(` ') optional_policy(` @@ -64544,7 +64779,7 @@ index 143c893..c3e4d56 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1175,10 @@ optional_policy(` +@@ -796,6 +1177,10 @@ optional_policy(` ') optional_policy(` @@ -64555,7 +64790,7 @@ index 143c893..c3e4d56 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1194,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -64569,7 +64804,7 @@ index 143c893..c3e4d56 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1205,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -64578,7 +64813,7 @@ index 143c893..c3e4d56 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1218,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1220,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -64588,7 +64823,7 @@ index 143c893..c3e4d56 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1228,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -64600,7 +64835,7 @@ index 143c893..c3e4d56 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1241,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -64617,7 +64852,7 @@ index 143c893..c3e4d56 100644 ') optional_policy(` -@@ -862,6 +1256,10 @@ optional_policy(` +@@ -862,6 +1258,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -64628,7 +64863,7 @@ index 143c893..c3e4d56 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -64637,7 +64872,7 @@ index 143c893..c3e4d56 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1357,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -64669,7 +64904,7 @@ index 143c893..c3e4d56 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1403,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -65592,7 +65827,7 @@ index 73554ec..6a25dd6 100644 + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..a53db2b 100644 +index b7a5f00..2c39af1 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) @@ -65635,7 +65870,7 @@ index b7a5f00..a53db2b 100644 seutil_dontaudit_use_newrole_fds(chkpwd_t) -userdom_use_user_terminals(chkpwd_t) -+userdom_use_inherited_user_terminals(chkpwd_t) ++userdom_dontaudit_use_user_ttys(chkpwd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -67045,7 +67280,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..29930e4 100644 +index 29a9565..77fb967 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -67469,14 +67704,13 @@ index 29a9565..29930e4 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +512,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +512,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) -# Early devtmpfs -dev_rw_generic_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) -+dev_filetrans_all_named_dev(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) 
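Review bot: Replacing `userdom_use_inherited_user_terminals(chkpwd_t)` with `userdom_dontaudit_use_user_ttys(chkpwd_t)` in the authlogin.te hunk turns an allow into a silenced denial, and the silence is narrower than the rule it replaces: per the userdomain.if hunks later in this diff, `userdom_dontaudit_use_user_ttys` covers only `user_tty_device_t`, so chkpwd_t access to a pty (`user_devpts_t`) is now both denied and still audited. If the intent is to quiet the helper on every inherited terminal, `userdom_dontaudit_use_user_terminals(chkpwd_t)` covers both types; if pty denials are wanted in the audit log, a comment saying so would keep a later cleanup from reverting it. The xserver.te and init.te hunks sharing this line are offset-only changes apart from the dropped `dev_filetrans_all_named_dev(initrc_t)`, which the changelog suggests was moved into an optional block not visible here.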
@@ -67486,7 +67720,7 @@ index 29a9565..29930e4 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +531,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -67494,7 +67728,7 @@ index 29a9565..29930e4 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +539,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +538,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -67506,7 +67740,7 @@ index 29a9565..29930e4 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +558,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +557,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -67520,7 +67754,7 @@ index 29a9565..29930e4 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +573,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +572,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -67529,7 +67763,7 @@ index 29a9565..29930e4 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +587,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +586,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -67537,7 +67771,7 @@ index 29a9565..29930e4 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +599,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +598,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -67545,7 +67779,7 @@ index 29a9565..29930e4 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +620,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +619,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -67567,7 +67801,7 @@ index 29a9565..29930e4 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +683,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +682,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -67578,7 +67812,7 @@ index 29a9565..29930e4 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +707,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +706,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -67587,7 +67821,7 @@ index 29a9565..29930e4 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +722,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +721,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -67595,7 +67829,7 @@ index 29a9565..29930e4 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +752,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +751,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -67629,7 +67863,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -531,10 +786,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +785,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -67652,7 +67886,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -549,6 +816,39 @@ ifdef(`distro_suse',` +@@ -549,6 +815,39 @@ ifdef(`distro_suse',` ') ') @@ -67692,7 +67926,7 @@ index 29a9565..29930e4 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +861,8 @@ optional_policy(` +@@ -561,6 +860,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -67701,7 +67935,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -577,6 +879,7 @@ optional_policy(` +@@ -577,6 +878,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -67709,7 +67943,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -589,6 +892,17 @@ optional_policy(` +@@ -589,6 +891,17 @@ optional_policy(` ') optional_policy(` @@ -67727,7 +67961,7 @@ index 29a9565..29930e4 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +919,13 @@ optional_policy(` +@@ -605,9 +918,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -67741,7 +67975,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -632,6 +950,10 @@ optional_policy(` +@@ -632,6 +949,10 @@ optional_policy(` ') optional_policy(` @@ -67752,7 +67986,7 @@ index 29a9565..29930e4 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +971,11 @@ optional_policy(` +@@ -649,6 +970,11 @@ optional_policy(` ') optional_policy(` @@ -67764,7 +67998,7 @@ index 29a9565..29930e4 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1016,7 @@ optional_policy(` +@@ -689,6 +1015,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -67772,7 +68006,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -706,7 +1034,13 @@ optional_policy(` +@@ -706,7 +1033,13 @@ optional_policy(` ') optional_policy(` 
@@ -67786,7 +68020,7 @@ index 29a9565..29930e4 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1063,10 @@ optional_policy(` +@@ -729,6 +1062,10 @@ optional_policy(` ') optional_policy(` @@ -67797,7 +68031,7 @@ index 29a9565..29930e4 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1076,20 @@ optional_policy(` +@@ -738,10 +1075,20 @@ optional_policy(` ') optional_policy(` @@ -67818,7 +68052,7 @@ index 29a9565..29930e4 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1098,10 @@ optional_policy(` +@@ -750,6 +1097,10 @@ optional_policy(` ') optional_policy(` @@ -67829,7 +68063,7 @@ index 29a9565..29930e4 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1123,6 @@ optional_policy(` +@@ -771,8 +1122,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -67838,7 +68072,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -790,10 +1140,12 @@ optional_policy(` +@@ -790,10 +1139,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -67851,7 +68085,7 @@ index 29a9565..29930e4 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1157,6 @@ optional_policy(` +@@ -805,7 +1156,6 @@ optional_policy(` ') optional_policy(` @@ -67859,7 +68093,7 @@ index 29a9565..29930e4 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1166,26 @@ optional_policy(` +@@ -815,11 +1165,26 @@ optional_policy(` ') optional_policy(` @@ -67887,7 +68121,7 @@ index 29a9565..29930e4 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1195,25 @@ optional_policy(` +@@ -829,6 +1194,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -67913,7 +68147,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -844,6 +1229,10 @@ optional_policy(` +@@ -844,6 +1228,10 @@ optional_policy(` ') optional_policy(` 
@@ -67924,7 +68158,7 @@ index 29a9565..29930e4 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1243,160 @@ optional_policy(` +@@ -854,3 +1242,160 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -68952,7 +69186,7 @@ index 560dc48..4986f1b 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..8f5a243 100644 +index 808ba93..eb621fd 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -207,6 +207,23 @@ interface(`libs_search_lib',` @@ -69050,7 +69284,7 @@ index 808ba93..8f5a243 100644 +## +## +# -+interface(`lib_filetrans_named_content',` ++interface(`libs_filetrans_named_content',` + gen_require(` + type ld_so_cache_t; + ') @@ -72966,10 +73200,10 @@ index 0000000..db57bc7 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..79c358c +index 0000000..5571350 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,502 @@ +@@ -0,0 +1,503 @@ +## SELinux policy for systemd components + +####################################### @@ -73018,6 +73252,7 @@ index 0000000..79c358c + can_exec($1, systemd_systemctl_exec_t) + + fs_list_cgroup_dirs($1) ++ fs_read_cgroup_files($1) + systemd_list_unit_dirs($1) + init_list_pid_dirs($1) + init_read_state($1) @@ -75062,7 +75297,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..af43357 100644 +index 4b2878a..9b49159 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
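Review bot: `fs_read_cgroup_files($1)` in the systemd.if hunk is added inside a shared interface whose header lies outside the hunk (the visible body also does `can_exec($1, systemd_systemctl_exec_t)` and `fs_list_cgroup_dirs($1)`), so every caller of that interface gains read on cgroup files, not only the gnomeclock domain the changelog names. If only gnomeclock needs it, the grant belongs in gnomeclock.te next to its call of this interface; if it is meant for all callers, a comment like `# needed by gnomeclock; applies to every caller of this interface` keeps the reason with the rule. The libraries.if hunk on this line corrects the interface name to `libs_filetrans_named_content`, matching the `libs_` prefix of `libs_search_lib` in the same file; whether any caller still uses the old `lib_` name is not visible in this diff.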
@@ -77186,10 +77421,16 @@ index 4b2878a..af43357 100644 ') ######################################## -@@ -2644,6 +3313,25 @@ interface(`userdom_dontaudit_use_user_terminals',` - dontaudit $1 user_devpts_t:chr_file rw_term_perms; - ') +@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',` + type user_tty_device_t, user_devpts_t; + ') +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; +- dontaudit $1 user_devpts_t:chr_file rw_term_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; ++ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ + +######################################## +## @@ -77207,11 +77448,9 @@ index 4b2878a..af43357 100644 + ') + + allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; -+') -+ + ') + ######################################## - ## - ## Execute a shell in all user domains. This @@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -77387,6 +77626,15 @@ index 4b2878a..af43357 100644 ') ######################################## +@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## @@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',` ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 4033277..b3eedad 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 52%{?dist} +Release: 53%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
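Review bot: The `userdom_dontaudit_use_user_terminals` and `userdom_dontaudit_use_user_ttys` hunks in userdomain.if narrow the dontaudit from `rw_term_perms`/`rw_file_perms` to `rw_inherited_term_perms`/`rw_inherited_file_perms`, which presumably drops `open` from the silenced set, so a caller that opens a user terminal itself rather than inheriting an open fd will now produce an AVC denial; that is a useful detection gain but also a behaviour change for every existing caller of these two interfaces, and nothing in the hunks says so. Both permission-set macros must be defined in the policy's support files, which this diff does not touch. A comment above each dontaudit, e.g. `# only inherited descriptors are silenced; direct open attempts stay auditable`, would record the intent. The getattr interface inserted between them has its name and summary stripped from this rendering, so it cannot be checked here.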
@@ -483,6 +483,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 1 2011 Miroslav Grepl 3.10.0-53 +- Make nvidia* to be labeled correctly +- Fix abrt_manage_cache() interface +- Make filetrans rules optional so base policy will build +- Dontaudit chkpwd_t access to inherited TTYS +- Make sure postfix content gets created with the correct label +- Allow gnomeclock to read cgroup +- Fixes for cloudform policy + * Thu Oct 27 2011 Miroslav Grepl 3.10.0-52 - Check in fixed for Chrome nacl support