diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b0299f5..63f5c85 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1802,7 +1802,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..c7fe2c6 100644 +index c44c359..ec441aa 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -1818,6 +1818,15 @@ index c44c359..c7fe2c6 100644 type netutils_t; type netutils_exec_t; +@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t) + # + + # Perform network administration operations and have raw access to the network. +-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; ++allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot }; + dontaudit netutils_t self:capability { dac_override sys_tty_config }; + allow netutils_t self:process { setcap signal_perms }; + allow netutils_t self:netlink_route_socket create_netlink_socket_perms; @@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; @@ -9565,7 +9574,7 @@ index cf04cb5..005fd45 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..ad25566 100644 +index b876c48..6bfb954 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9585,7 +9594,7 @@ index b876c48..ad25566 100644 /boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/\.journal <> /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -@@ -38,27 +39,35 @@ ifdef(`distro_suse',` +@@ -38,27 +39,36 @@ ifdef(`distro_suse',` # # /emul # @@ -9625,10 +9634,11 @@ index b876c48..ad25566 100644 +/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) + +/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0) ++/ostree/deploy/rhel-atomic-host/deploy(/.*)? gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -70,7 +79,10 @@ ifdef(`distro_suse',` +@@ -70,7 +80,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9640,7 +9650,7 @@ index b876c48..ad25566 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -78,10 +90,6 @@ ifdef(`distro_gentoo', ` +@@ -78,10 +91,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -9651,7 +9661,7 @@ index b876c48..ad25566 100644 ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -104,7 +113,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # @@ -9660,7 +9670,7 @@ index b876c48..ad25566 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -125,10 +133,13 @@ ifdef(`distro_debian',` +@@ -125,10 +134,13 @@ ifdef(`distro_debian',` # # Mount points; do not relabel subdirectories, since # we don't want to change any removable media by default. @@ -9675,7 +9685,7 @@ index b876c48..ad25566 100644 # # /misc -@@ -138,7 +149,7 @@ ifdef(`distro_debian',` +@@ -138,7 +150,7 @@ ifdef(`distro_debian',` # # /mnt # @@ -9684,7 +9694,7 @@ index b876c48..ad25566 100644 /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> -@@ -150,10 +161,10 @@ ifdef(`distro_debian',` +@@ -150,10 +162,10 @@ ifdef(`distro_debian',` # # /opt # @@ -9697,7 +9707,7 @@ index b876c48..ad25566 100644 # # /proc -@@ -161,6 +172,12 @@ ifdef(`distro_debian',` +@@ -161,6 +173,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> @@ -9710,7 +9720,7 @@ index b876c48..ad25566 100644 # # /run # -@@ -169,6 +186,7 @@ ifdef(`distro_debian',` +@@ -169,6 +187,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -9718,7 +9728,7 @@ index b876c48..ad25566 100644 # # /selinux # -@@ -178,13 +196,14 @@ ifdef(`distro_debian',` +@@ -178,13 +197,14 @@ ifdef(`distro_debian',` # # /srv # @@ -9735,7 +9745,7 @@ index b876c48..ad25566 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +213,11 @@ ifdef(`distro_debian',` +@@ -194,9 +214,11 @@ ifdef(`distro_debian',` # # /usr # @@ -9748,7 +9758,7 @@ index b876c48..ad25566 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +225,9 @@ ifdef(`distro_debian',` +@@ -204,15 +226,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9765,7 +9775,7 @@ index b876c48..ad25566 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +235,6 @@ ifdef(`distro_debian',` +@@ -220,8 +236,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9774,7 +9784,7 @@ index b876c48..ad25566 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +242,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +243,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9783,7 +9793,7 @@ index b876c48..ad25566 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +250,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +251,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9810,7 +9820,7 @@ index b876c48..ad25566 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +283,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +284,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9825,7 +9835,7 @@ index b876c48..ad25566 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +300,5 @@ ifdef(`distro_debian',` +@@ -271,3 +301,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -32669,7 +32679,7 @@ index 0d4c8d3..9395313 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..1cce3ba 100644 +index 312cd04..dd6638a 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -32763,7 +32773,7 @@ index 312cd04..1cce3ba 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -32778,11 +32788,11 @@ index 312cd04..1cce3ba 100644 init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) -+logging_read_all_logs(ipsec_mgmt_t) ++logging_send_audit_msgs(ipsec_t) logging_send_syslog_msg(ipsec_t) -miscfiles_read_localization(ipsec_t) - +- sysnet_domtrans_ifconfig(ipsec_t) +sysnet_manage_config(ipsec_t) +sysnet_etc_filetrans_config(ipsec_t) @@ -32798,7 +32808,7 @@ index 312cd04..1cce3ba 100644 seutil_sigchld_newrole(ipsec_t) ') -@@ -187,10 +209,10 @@ optional_policy(` +@@ -187,10 +208,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -32813,7 +32823,7 @@ index 312cd04..1cce3ba 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -32829,7 +32839,7 @@ index 312cd04..1cce3ba 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -32846,7 +32856,7 @@ index 312cd04..1cce3ba 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -32855,7 +32865,7 @@ index 312cd04..1cce3ba 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +305,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -32863,7 +32873,7 @@ index 312cd04..1cce3ba 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +315,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -32875,16 +32885,17 @@ index 312cd04..1cce3ba 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +326,23 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) -logging_send_syslog_msg(ipsec_mgmt_t) +- +-miscfiles_read_localization(ipsec_mgmt_t) +ipsec_mgmt_systemctl(ipsec_mgmt_t) --miscfiles_read_localization(ipsec_mgmt_t) -- -seutil_dontaudit_search_config(ipsec_mgmt_t) ++logging_read_all_logs(ipsec_mgmt_t) +logging_send_syslog_msg(ipsec_mgmt_t) sysnet_manage_config(ipsec_mgmt_t) @@ -32897,6 +32908,7 @@ index 312cd04..1cce3ba 100644 +userdom_use_inherited_user_terminals(ipsec_mgmt_t) + +optional_policy(` ++ bind_domtrans(ipsec_mgmt_t) + bind_read_dnssec_keys(ipsec_mgmt_t) + bind_read_config(ipsec_mgmt_t) + bind_read_state(ipsec_mgmt_t) @@ -32904,7 +32916,7 @@ index 312cd04..1cce3ba 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +366,10 @@ optional_policy(` +@@ -322,6 +367,10 @@ optional_policy(` ') optional_policy(` @@ -32915,7 +32927,7 @@ index 312cd04..1cce3ba 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +383,7 @@ optional_policy(` +@@ -335,7 +384,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -32924,7 +32936,7 @@ index 312cd04..1cce3ba 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +418,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -32944,7 +32956,7 @@ index 312cd04..1cce3ba 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +448,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -32957,7 +32969,7 @@ index 312cd04..1cce3ba 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +485,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -34744,7 +34756,7 @@ index 4e94884..8de26ad 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..077c808 100644 +index 59b04c1..89471ff 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) @@ -34967,18 +34979,19 @@ index 59b04c1..077c808 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,8 +412,11 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; +allow syslogd_t self:rawip_socket create_socket_perms; ++allow syslogd_t self:netlink_audit_socket r_netlink_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +435,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -35028,7 +35041,7 @@ index 59b04c1..077c808 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -35037,7 +35050,7 @@ index 59b04c1..077c808 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -35065,7 +35078,7 @@ index 59b04c1..077c808 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -35083,7 +35096,7 @@ index 59b04c1..077c808 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +550,11 @@ init_use_fds(syslogd_t) +@@ -466,11 +551,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -35098,7 +35111,7 @@ index 59b04c1..077c808 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +581,7 @@ optional_policy(` +@@ -497,6 +582,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -35106,7 +35119,7 @@ index 59b04c1..077c808 100644 ') optional_policy(` -@@ -507,15 +592,40 @@ optional_policy(` +@@ -507,15 +593,40 @@ optional_policy(` ') optional_policy(` @@ -35147,7 +35160,7 @@ index 59b04c1..077c808 100644 ') optional_policy(` -@@ -526,3 +636,26 @@ optional_policy(` +@@ -526,3 +637,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e24de0a..e539d41 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10898,10 +10898,10 @@ index 0000000..2d2e60c +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..23a4606 +index 0000000..acaf519 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,62 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10936,6 +10936,7 @@ index 0000000..23a4606 +files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) + +kernel_read_system_state(bumblebee_t) ++kernel_read_network_state(bumblebee_t) +kernel_dontaudit_access_check_proc(bumblebee_t) +kernel_dontaudit_write_proc_files(bumblebee_t) +kernel_manage_debugfs(bumblebee_t) @@ -16390,7 +16391,7 @@ index 715a826..a1cbdb2 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..a3af6c9 100644 +index ae1c1b1..81803f9 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) @@ -16433,7 +16434,7 @@ index ae1c1b1..a3af6c9 100644 corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +80,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +80,25 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) @@ -16446,6 +16447,8 @@ index ae1c1b1..a3af6c9 100644 +files_getattr_lost_found_dirs(couchdb_t) +files_dontaudit_list_var(couchdb_t) + ++gnome_dontaudit_search_config(couchdb_t) ++ dev_list_sysfs(couchdb_t) dev_read_sysfs(couchdb_t) dev_read_urand(couchdb_t) @@ -22499,7 +22502,7 @@ index 583a527..1053281 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/devicekit.if b/devicekit.if -index 8ce99ff..0819898 100644 +index 8ce99ff..1bc5d3a 100644 --- a/devicekit.if +++ b/devicekit.if @@ -1,4 +1,4 @@ @@ -22635,7 +22638,7 @@ index 8ce99ff..0819898 100644 ## ## ## -@@ -149,40 +165,78 @@ interface(`devicekit_use_fds_power',` +@@ -149,40 +165,97 @@ interface(`devicekit_use_fds_power',` ## ## # @@ -22695,26 +22698,44 @@ index 8ce99ff..0819898 100644 ## -## Create, read, write, and delete -## devicekit log files. -+## Do not audit attempts to write the devicekit -+## log files. ++## Allow read devicekit log files. ## ## -## -## Domain allowed access. -## +## -+## Domain to not audit. ++## Domain allowed access. +## ## # -interface(`devicekit_manage_log_files',` -+interface(`devicekit_dontaudit_rw_log',` ++interface(`devicekit_read_log_files',` gen_require(` type devicekit_var_log_t; ') -- logging_search_logs($1) + logging_search_logs($1) - manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ allow $1 devicekit_var_log_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Do not audit attempts to write the devicekit ++## log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_rw_log',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ + dontaudit $1 devicekit_var_log_t:file rw_file_perms; ') @@ -22725,7 +22746,7 @@ index 8ce99ff..0819898 100644 ## ## ## -@@ -190,13 +244,13 @@ interface(`devicekit_manage_log_files',` +@@ -190,13 +263,13 @@ interface(`devicekit_manage_log_files',` ## ## # @@ -22743,7 +22764,7 @@ index 8ce99ff..0819898 100644 ') ######################################## -@@ -220,11 +274,30 @@ interface(`devicekit_read_pid_files',` +@@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -22775,7 +22796,7 @@ index 8ce99ff..0819898 100644 ## Domain allowed access. ## ## -@@ -235,22 +308,59 @@ interface(`devicekit_manage_pid_files',` +@@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',` ') files_search_pids($1) @@ -22839,7 +22860,7 @@ index 8ce99ff..0819898 100644 ## ## ## -@@ -259,21 +369,48 @@ interface(`devicekit_admin',` +@@ -259,21 +388,48 @@ interface(`devicekit_admin',` gen_require(` type devicekit_t, devicekit_disk_t, devicekit_power_t; type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; @@ -25227,10 +25248,10 @@ index 0000000..c8e5981 + diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..4cf83fd +index 0000000..4561111 --- /dev/null +++ b/docker.te -@@ -0,0 +1,302 @@ +@@ -0,0 +1,305 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -25297,7 +25318,7 @@ index 0000000..4cf83fd +# docker local policy +# +allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap }; -+allow docker_t self:process { getattr signal_perms }; ++allow docker_t self:process { getattr signal_perms setrlimit }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; +allow docker_t self:tcp_socket create_stream_socket_perms; @@ -25341,6 +25362,7 @@ index 0000000..4cf83fd +manage_files_pattern(docker_t, docker_share_t, docker_share_t) +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) +allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto }; ++ +can_exec(docker_t, docker_share_t) +#docker_filetrans_named_content(docker_t) + @@ -25520,6 +25542,7 @@ index 0000000..4cf83fd + # for lxc + virt_transition_svirt_sandbox(docker_t, system_r) + virt_mounton_sandbox_file(docker_t) ++ virt_attach_sandbox_tun_iface(docker_t) +') + +tunable_policy(`docker_connect_any',` @@ -25532,6 +25555,7 @@ index 0000000..4cf83fd + unconfined_transition(docker_t, docker_share_t) + unconfined_transition(docker_t, docker_var_lib_t) + unconfined_setsched(docker_t) ++ userdom_attach_admin_tun_iface(docker_t) +') diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 @@ -30529,7 +30553,7 @@ index 9eacb2c..7b19ad2 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..a0b3bfb 100644 +index 5cd0909..cdba87f 100644 --- a/glance.te +++ b/glance.te @@ -5,10 +5,31 @@ policy_module(glance, 1.1.0) @@ -30647,7 +30671,7 @@ index 5cd0909..a0b3bfb 100644 ######################################## # # Registry local policy -@@ -88,8 +129,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -30659,10 +30683,12 @@ index 5cd0909..a0b3bfb 100644 corenet_sendrecv_glance_registry_server_packets(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) ++ ++corenet_tcp_connect_keystone_port(glance_registry_t) logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +155,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +157,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -34253,7 +34279,7 @@ index 180f1b7..3c8757e 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82..9d13873 100644 +index 0e97e82..64cb452 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) @@ -34273,21 +34299,13 @@ index 0e97e82..9d13873 100644 attribute_role gpg_roles; roleattribute system_r gpg_roles; -@@ -24,7 +16,23 @@ roleattribute system_r gpg_helper_roles; +@@ -24,7 +16,15 @@ roleattribute system_r gpg_helper_roles; attribute_role gpg_pinentry_roles; -type gpg_t; +## +##

-+## Allow usage of the gpg-agent --write-env-file option. -+## This also allows gpg-agent to manage user files. -+##

-+##
-+gen_tunable(gpg_agent_env_file, false) -+ -+## -+##

+## Allow gpg web domain to modify public files +## used for public file transfer services. +##

@@ -34298,7 +34316,7 @@ index 0e97e82..9d13873 100644 type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -@@ -69,95 +77,100 @@ type gpg_pinentry_tmpfs_t; +@@ -69,95 +69,100 @@ type gpg_pinentry_tmpfs_t; userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) optional_policy(` @@ -34440,7 +34458,7 @@ index 0e97e82..9d13873 100644 ') optional_policy(` -@@ -165,37 +178,51 @@ optional_policy(` +@@ -165,37 +170,51 @@ optional_policy(` ') optional_policy(` @@ -34503,7 +34521,7 @@ index 0e97e82..9d13873 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +234,36 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +226,36 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -34547,7 +34565,7 @@ index 0e97e82..9d13873 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,37 +273,42 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,35 +265,35 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -34560,49 +34578,46 @@ index 0e97e82..9d13873 100644 +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) userdom_search_user_home_dirs(gpg_agent_t) +userdom_filetrans_home_content(gpg_agent_t) ++ ++userdom_manage_user_home_content_dirs(gpg_agent_t) ++userdom_manage_user_home_content_files(gpg_agent_t) ++userdom_manage_all_user_tmp_content(gpg_agent_t) ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) + userdom_dontaudit_write_user_tmp_files(gpg_agent_t) ') - tunable_policy(`gpg_agent_env_file',` -+ # write ~/.gpg-agent-info or a similar to the users home dir -+ # or subdir (gpg-agent --write-env-file option) -+ # - userdom_manage_user_home_content_dirs(gpg_agent_t) - userdom_manage_user_home_content_files(gpg_agent_t) +-tunable_policy(`gpg_agent_env_file',` +- userdom_manage_user_home_content_dirs(gpg_agent_t) +- userdom_manage_user_home_content_files(gpg_agent_t) - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) -+ userdom_manage_all_user_tmp_content(gpg_agent_t) - ') +-') ++userdom_home_manager(gpg_agent_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_agent_t) - fs_manage_nfs_files(gpg_agent_t) - fs_manage_nfs_symlinks(gpg_agent_t) --') -+userdom_home_manager(gpg_agent_t) ++optional_policy(` ++ gnome_manage_config(gpg_agent_t) + ') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_agent_t) - fs_manage_cifs_files(gpg_agent_t) - fs_manage_cifs_symlinks(gpg_agent_t) +optional_policy(` -+ gnome_manage_config(gpg_agent_t) ++ mozilla_dontaudit_rw_user_home_files(gpg_agent_t) ') optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) +- mozilla_dontaudit_rw_user_home_files(gpg_agent_t) ++ pcscd_stream_connect(gpg_agent_t) ') -+optional_policy(` -+ pcscd_stream_connect(gpg_agent_t) -+') -+ ############################## - # - # Pinentry local policy -@@ -277,8 +316,17 @@ optional_policy(` +@@ -277,8 +303,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; @@ -34621,7 +34636,7 @@ index 0e97e82..9d13873 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +335,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +322,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -35624,10 +35639,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..ccb563e 100644 +index 4eb7041..041d6ab 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,81 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,103 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -35651,6 +35666,9 @@ index 4eb7041..ccb563e 100644 +type hypervkvp_var_lib_t; +files_type(hypervkvp_var_lib_t) + ++type hypervkvp_tmp_t; ++files_tmpfs_file(hypervkvp_tmp_t) ++ +type hypervvssd_t, hyperv_domain; +type hypervvssd_exec_t; +init_daemon_domain(hypervvssd_t, hypervvssd_exec_t) @@ -35686,14 +35704,29 @@ index 4eb7041..ccb563e 100644 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + ++manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t) ++manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t) ++files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir }) ++ ++kernel_read_system_state(hypervkvp_t) ++kernel_read_network_state(hypervkvp_t) ++ +domain_read_all_domains_state(hypervkvp_t) + +files_dontaudit_search_home(hypervkvp_t) + +logging_send_syslog_msg(hypervkvp_t) + ++libs_exec_ldconfig(hypervkvp_t) ++ ++modutils_domtrans_insmod(hypervkvp_t) ++ +sysnet_dns_name_resolve(hypervkvp_t) +sysnet_domtrans_dhcpc(hypervkvp_t) ++sysnet_domtrans_ifconfig(hypervkvp_t) ++ ++sysnet_manage_config(hypervkvp_t) ++sysnet_etc_filetrans_config(hypervkvp_t) + +systemd_exec_systemctl(hypervkvp_t) + @@ -35707,6 +35740,10 @@ index 4eb7041..ccb563e 100644 + sysnet_exec_ifconfig(hypervkvp_t) +') + ++optional_policy(` ++ rpm_exec(hypervkvp_t) ++') ++ +######################################## +# +# hypervvssd local policy @@ -43909,7 +43946,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..c87e394 100644 +index 4ec0eea..930b3f2 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -43944,7 +43981,7 @@ index 4ec0eea..c87e394 100644 ######################################## # # Local policy -@@ -26,4 +44,52 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,54 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -43996,6 +44033,8 @@ index 4ec0eea..c87e394 100644 + +logging_send_syslog_msg(lsmd_plugin_t) + ++miscfiles_read_certs(lsmd_plugin_t) ++ +sysnet_read_config(lsmd_plugin_t) diff --git a/mailman.fc b/mailman.fc index 995d0a5..3d40d59 100644 @@ -65787,7 +65826,7 @@ index 21a6ecb..b99e4cb 100644 domain_system_change_exemption($1) role_transition $2 pingd_initrc_exec_t system_r; diff --git a/pingd.te b/pingd.te -index ab01060..3817823 100644 +index ab01060..778c8eb 100644 --- a/pingd.te +++ b/pingd.te @@ -10,7 +10,7 @@ type pingd_exec_t; @@ -65799,7 +65838,14 @@ index ab01060..3817823 100644 type pingd_initrc_exec_t; init_script_file(pingd_initrc_exec_t) -@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t) +@@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t) + corenet_sendrecv_pingd_server_packets(pingd_t) + corenet_tcp_bind_pingd_port(pingd_t) + ++dev_read_urand(pingd_t) ++ + auth_use_nsswitch(pingd_t) + files_search_usr(pingd_t) logging_send_syslog_msg(pingd_t) @@ -66361,10 +66407,10 @@ index 69be2aa..2d7b3f6 100644 admin_pattern($1, pkcs_slotd_var_run_t) diff --git a/pkcs.te b/pkcs.te -index 8eb3f7b..b0fc2a7 100644 +index 8eb3f7b..e04f9e1 100644 --- a/pkcs.te +++ b/pkcs.te -@@ -7,21 +7,30 @@ policy_module(pkcs, 1.0.1) +@@ -7,21 +7,31 @@ policy_module(pkcs, 1.0.1) type pkcs_slotd_t; type pkcs_slotd_exec_t; @@ -66380,6 +66426,7 @@ index 8eb3f7b..b0fc2a7 100644 files_type(pkcs_slotd_var_lib_t) +type pkcs_slotd_lock_t; ++typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t; +files_lock_file(pkcs_slotd_lock_t) + type pkcs_slotd_var_run_t; @@ -66395,7 +66442,7 @@ index 8eb3f7b..b0fc2a7 100644 files_tmpfs_file(pkcs_slotd_tmpfs_t) ######################################## -@@ -40,6 +49,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) +@@ -40,6 +50,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) @@ -66404,7 +66451,7 @@ index 8eb3f7b..b0fc2a7 100644 manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) -@@ -51,10 +62,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) +@@ -51,10 +63,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) @@ -77633,10 +77680,10 @@ index afc0068..589a7fd 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..0bee752 100644 +index 8644d8b..4d073e9 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,178 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0) # Declarations # @@ -77723,8 +77770,6 @@ index 8644d8b..0bee752 100644 - -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -- --files_read_usr_files(quantum_t) +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; @@ -77812,18 +77857,17 @@ index 8644d8b..0bee752 100644 + corenet_tcp_sendrecv_all_ports(neutron_t) +') --auth_use_nsswitch(quantum_t) +-files_read_usr_files(quantum_t) +optional_policy(` + dbus_system_bus_client(neutron_t) +') --libs_exec_ldconfig(quantum_t) +-auth_use_nsswitch(quantum_t) +optional_policy(` + brctl_domtrans(neutron_t) +') --logging_send_audit_msgs(quantum_t) --logging_send_syslog_msg(quantum_t) +-libs_exec_ldconfig(quantum_t) +optional_policy(` + dnsmasq_domtrans(neutron_t) + dnsmasq_signal(neutron_t) @@ -77831,43 +77875,50 @@ index 8644d8b..0bee752 100644 + dnsmasq_read_state(neutron_t) +') --miscfiles_read_localization(quantum_t) +-logging_send_audit_msgs(quantum_t) +-logging_send_syslog_msg(quantum_t) +optional_policy(` + rhcs_domtrans_haproxy(neutron_t) + rhcs_stream_connect_haproxy(neutron_t) +') --sysnet_domtrans_ifconfig(quantum_t) +-miscfiles_read_localization(quantum_t) +optional_policy(` + iptables_domtrans(neutron_t) +') - optional_policy(` -- brctl_domtrans(quantum_t) +-sysnet_domtrans_ifconfig(quantum_t) ++optional_policy(` + modutils_domtrans_insmod(neutron_t) - ') ++') optional_policy(` -- mysql_stream_connect(quantum_t) -- mysql_read_config(quantum_t) +- brctl_domtrans(quantum_t) + mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) -+') + ') -- mysql_tcp_connect(quantum_t) -+optional_policy(` + optional_policy(` +- mysql_stream_connect(quantum_t) +- mysql_read_config(quantum_t) + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) ++') + +- mysql_tcp_connect(quantum_t) ++optional_policy(` ++ openvswitch_domtrans(neutron_t) ++ openvswitch_stream_connect(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) -+ openvswitch_domtrans(neutron_t) -+ openvswitch_stream_connect(neutron_t) ++ rpm_exec(neutron_t) ++ rpm_read_db(neutron_t) +') - postgresql_tcp_connect(quantum_t) @@ -78628,7 +78679,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..0e88460 100644 +index 403a4fe..e8ba49e 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) @@ -78665,7 +78716,7 @@ index 403a4fe..0e88460 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,10 +75,15 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,12 +75,21 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) @@ -78680,8 +78731,14 @@ index 403a4fe..0e88460 100644 +corenet_tcp_bind_radius_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t) ++corenet_sendrecv_radsec_server_packets(radiusd_t) ++corenet_tcp_bind_radsec_port(radiusd_t) ++corenet_udp_bind_radsec_port(radiusd_t) ++ corenet_sendrecv_snmp_client_packets(radiusd_t) -@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t) + corenet_tcp_connect_snmp_port(radiusd_t) + +@@ -97,7 +107,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) @@ -78689,7 +78746,7 @@ index 403a4fe..0e88460 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +118,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -78697,7 +78754,7 @@ index 403a4fe..0e88460 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -122,6 +126,11 @@ optional_policy(` +@@ -122,6 +130,11 @@ optional_policy(` ') optional_policy(` @@ -78709,7 +78766,7 @@ index 403a4fe..0e88460 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +149,10 @@ optional_policy(` +@@ -140,5 +153,10 @@ optional_policy(` ') optional_policy(` @@ -92139,7 +92196,7 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..3502684 100644 +index 299756b..2b642a3 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -92245,7 +92302,7 @@ index 299756b..3502684 100644 ') optional_policy(` -@@ -117,6 +133,58 @@ optional_policy(` +@@ -117,6 +133,59 @@ optional_policy(` # Reposd local policy # @@ -92304,6 +92361,7 @@ index 299756b..3502684 100644 + virt_manage_config(sblim_sfcbd_t) + virt_stream_connect(sblim_sfcbd_t) + virt_search_images(sblim_sfcbd_t) ++ virt_getattr_images(sblim_sfcbd_t) +') diff --git a/screen.fc b/screen.fc index e7c2cf7..435aaa6 100644 @@ -98305,7 +98363,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..bce5858 100644 +index 2d8db1f..26fb335 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,17 @@ logging_log_file(sssd_var_log_t) @@ -98408,7 +98466,7 @@ index 2d8db1f..bce5858 100644 init_read_utmp(sssd_t) -@@ -112,18 +120,55 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +120,56 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -98420,6 +98478,7 @@ index 2d8db1f..bce5858 100644 +userdom_manage_tmp_role(system_r, sssd_t) +userdom_manage_all_users_keys(sssd_t) ++userdom_dbus_send_all_users(sssd_t) +userdom_home_reader(sssd_t) + optional_policy(` @@ -104626,7 +104685,7 @@ index a4f20bc..b3bd64f 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..aacee65 100644 +index facdee8..f6b8a09 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -104813,7 +104872,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -157,162 +89,71 @@ interface(`virt_domtrans',` +@@ -157,162 +89,90 @@ interface(`virt_domtrans',` ## ## # @@ -104896,47 +104955,30 @@ index facdee8..aacee65 100644 -## -## Role allowed access. -## --## --# ++## + ## + # -interface(`virt_run_virt_domain',` -- gen_require(` ++interface(`virt_domtrans_qmf',` + gen_require(` - attribute virt_domain; - attribute_role virt_domain_roles; -- ') -- ++ type virt_qmf_t, virt_qmf_exec_t; + ') + - allow $1 virt_domain:process { signal transition }; - roleattribute $2 virt_domain_roles; - - allow virt_domain $1:fd use; - allow virt_domain $1:fifo_file rw_fifo_file_perms; - allow virt_domain $1:process sigchld; --') -- --######################################## --## --## Send generic signals to all virt domains. - ## --## --## --## Domain allowed access. --## - ## - # --interface(`virt_signal_all_virt_domains',` -+interface(`virt_domtrans_qmf',` - gen_require(` -- attribute virt_domain; -+ type virt_qmf_t, virt_qmf_exec_t; - ') - -- allow $1 virt_domain:process signal; + corecmd_search_bin($1) + domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ') ######################################## ## --## Send kill signals to all virt domains. +-## Send generic signals to all virt domains. +## Transition to virt_bridgehelper. ## ## @@ -104945,38 +104987,62 @@ index facdee8..aacee65 100644 -## -## -# --interface(`virt_kill_all_virt_domains',` +-interface(`virt_signal_all_virt_domains',` - gen_require(` - attribute virt_domain; - ') - -- allow $1 virt_domain:process sigkill; +- allow $1 virt_domain:process signal; -') - -######################################## ## --## Execute svirt lxc domains in their --## domain, and allow the specified --## role that svirt lxc domain. +-## Send kill signals to all virt domains. +## Domain allowed to transition. ## -## -## +-## Domain allowed access. +-## + ## +-# +-interface(`virt_kill_all_virt_domains',` ++interface(`virt_domtrans_bridgehelper',` + gen_require(` +- attribute virt_domain; ++ type virt_bridgehelper_t, virt_bridgehelper_exec_t; + ') + +- allow $1 virt_domain:process sigkill; ++ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + ') + +-######################################## ++####################################### + ## +-## Execute svirt lxc domains in their +-## domain, and allow the specified +-## role that svirt lxc domain. ++## Connect to virt over a unix domain stream socket. + ## + ## + ## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. --## ++## Domain allowed access. + ## ## --# + # -interface(`virt_run_svirt_lxc_domain',` -+interface(`virt_domtrans_bridgehelper',` ++interface(`virt_stream_connect',` gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; -+ type virt_bridgehelper_t, virt_bridgehelper_exec_t; ++ type virtd_t, virt_var_run_t; ') - allow $1 svirt_lxc_domain:process { signal transition }; @@ -104985,64 +105051,80 @@ index facdee8..aacee65 100644 - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') ####################################### ## -## Get attributes of virtd executable files. -+## Connect to virt over a unix domain stream socket. ++## Connect to svirt process over a unix domain stream socket. ## ## ## -@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +180,17 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # -interface(`virt_getattr_virtd_exec_files',` -+interface(`virt_stream_connect',` ++interface(`virt_stream_connect_svirt',` gen_require(` - type virtd_exec_t; -+ type virtd_t, virt_var_run_t; ++ type svirt_t; ') - allow $1 virtd_exec_t:file getattr_file_perms; -+ files_search_pids($1) -+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ++ allow $1 svirt_t:unix_stream_socket connectto; ') - ####################################### +-####################################### ++######################################## ## -## Connect to virt with a unix -## domain stream socket. -+## Connect to svirt process over a unix domain stream socket. ++## Allow domain to attach to virt TUN devices ## ## ## -@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +198,18 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # -interface(`virt_stream_connect',` -+interface(`virt_stream_connect_svirt',` ++interface(`virt_attach_tun_iface',` gen_require(` - type virtd_t, virt_var_run_t; -+ type svirt_t; ++ type virtd_t; ') - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -+ allow $1 svirt_t:unix_stream_socket connectto; ++ allow $1 virtd_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ') ######################################## ## -## Attach to virt tun devices. -+## Allow domain to attach to virt TUN devices ++## Allow domain to attach to virt sandbox TUN devices ## ## ## -@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',` +@@ -358,18 +217,18 @@ interface(`virt_stream_connect',` + ## + ## + # +-interface(`virt_attach_tun_iface',` ++interface(`virt_attach_sandbox_tun_iface',` + gen_require(` +- type virtd_t; ++ attribute svirt_sandbox_domain; + ') + +- allow $1 virtd_t:tun_socket relabelfrom; ++ allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; + ') ######################################## ## @@ -105051,7 +105133,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -383,7 +223,6 @@ interface(`virt_read_config',` +@@ -383,7 +242,6 @@ interface(`virt_read_config',` ') files_search_etc($1) @@ -105059,7 +105141,7 @@ index facdee8..aacee65 100644 read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +230,7 @@ interface(`virt_read_config',` +@@ -391,8 +249,7 @@ interface(`virt_read_config',` ######################################## ## @@ -105069,7 +105151,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -406,7 +244,6 @@ interface(`virt_manage_config',` +@@ -406,7 +263,6 @@ interface(`virt_manage_config',` ') files_search_etc($1) @@ -105077,7 +105159,7 @@ index facdee8..aacee65 100644 manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +251,25 @@ interface(`virt_manage_config',` +@@ -414,8 +270,25 @@ interface(`virt_manage_config',` ######################################## ## @@ -105105,7 +105187,15 @@ index facdee8..aacee65 100644 ## ## ## -@@ -450,8 +304,7 @@ interface(`virt_read_content',` +@@ -434,6 +307,7 @@ interface(`virt_read_content',` + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) ++ read_chr_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) +@@ -450,8 +324,7 @@ interface(`virt_read_content',` ######################################## ## @@ -105115,7 +105205,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -459,35 +312,17 @@ interface(`virt_read_content',` +@@ -459,35 +332,17 @@ interface(`virt_read_content',` ## ## # @@ -105154,7 +105244,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +350,37 @@ interface(`virt_manage_virt_content',` ## ## # @@ -105218,7 +105308,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +388,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -105261,7 +105351,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +410,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -105310,7 +105400,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +448,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -105374,7 +105464,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +485,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -105441,7 +105531,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +524,58 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -105522,7 +105612,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +583,19 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -105548,7 +105638,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',` +@@ -801,18 +603,18 @@ interface(`virt_read_pid_files',` ## ## # @@ -105572,7 +105662,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +622,18 @@ interface(`virt_manage_pid_files',` ## ## # @@ -105596,7 +105686,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -839,20 +621,73 @@ interface(`virt_search_lib',` +@@ -839,20 +641,73 @@ interface(`virt_search_lib',` ## ## # @@ -105675,7 +105765,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -860,94 +695,267 @@ interface(`virt_read_lib_files',` +@@ -860,94 +715,267 @@ interface(`virt_read_lib_files',` ## ## # @@ -105738,10 +105828,12 @@ index facdee8..aacee65 100644 + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Execute virt server in the virt domain. +## +## @@ -105762,12 +105854,10 @@ index facdee8..aacee65 100644 + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. ++') ++ ++######################################## ++## +## Ptrace the svirt domain +## +## @@ -105787,12 +105877,13 @@ index facdee8..aacee65 100644 +####################################### +## +## Execute Sandbox Files -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`virt_exec_sandbox_files',` + gen_require(` @@ -105805,13 +105896,14 @@ index facdee8..aacee65 100644 +####################################### +## +## Manage Sandbox Files - ## - ## ++## ++## ## - ## Domain allowed access. +-## The type of the object to be created. ++## Domain allowed access. ## ## --## +-## +# +interface(`virt_manage_sandbox_files',` + gen_require(` @@ -105832,11 +105924,11 @@ index facdee8..aacee65 100644 +## +## ## --## The type of the object to be created. +-## The object class of the object being created. +## Domain allowed access. ## ## --## +-## +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` @@ -105852,14 +105944,16 @@ index facdee8..aacee65 100644 +## +## ## --## The object class of the object being created. +-## The name of the object being created. +## Domain allowed access. ## ## --## -+# +-## + # +-interface(`virt_pid_filetrans',` +interface(`virt_mounton_sandbox_file',` -+ gen_require(` + gen_require(` +- type virt_var_run_t; + type svirt_sandbox_file_t; + ') + @@ -105871,17 +105965,13 @@ index facdee8..aacee65 100644 +## Connect to virt over a unix domain stream socket. +## +## - ## --## The name of the object being created. ++## +## Domain allowed access. - ## - ## --## - # --interface(`virt_pid_filetrans',` ++## ++## ++# +interface(`virt_stream_connect_sandbox',` - gen_require(` -- type virt_var_run_t; ++ gen_require(` + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') @@ -105972,7 +106062,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -955,20 +963,17 @@ interface(`virt_append_log',` +@@ -955,20 +983,17 @@ interface(`virt_append_log',` ## ## # @@ -105997,7 +106087,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -976,18 +981,17 @@ interface(`virt_manage_log',` +@@ -976,18 +1001,17 @@ interface(`virt_manage_log',` ## ## # @@ -106020,7 +106110,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -995,36 +999,35 @@ interface(`virt_search_images',` +@@ -995,36 +1019,35 @@ interface(`virt_search_images',` ## ## # @@ -106076,7 +106166,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -1032,20 +1035,17 @@ interface(`virt_read_images',` +@@ -1032,20 +1055,17 @@ interface(`virt_read_images',` ## ## # @@ -106101,7 +106191,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -1053,15 +1053,57 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1073,57 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -106164,7 +106254,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -1069,21 +1111,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1131,28 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -106201,7 +106291,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -1091,36 +1140,188 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1160,188 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -106408,7 +106498,7 @@ index facdee8..aacee65 100644 ## ## ## -@@ -1136,50 +1337,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1357,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -106497,7 +106587,7 @@ index facdee8..aacee65 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..2a9e44c 100644 +index f03dcf5..a687bea 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -107296,7 +107386,7 @@ index f03dcf5..2a9e44c 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +458,25 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +458,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -107306,6 +107396,7 @@ index f03dcf5..2a9e44c 100644 +domain_signull_all_domains(virtd_t) -files_read_usr_files(virtd_t) ++files_list_all_mountpoints(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_read_kernel_modules(virtd_t) @@ -107326,7 +107417,7 @@ index f03dcf5..2a9e44c 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +509,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +510,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -107346,7 +107437,7 @@ index f03dcf5..2a9e44c 100644 selinux_validate_context(virtd_t) -@@ -620,18 +531,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +532,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -107383,7 +107474,7 @@ index f03dcf5..2a9e44c 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +559,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +560,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -107392,7 +107483,7 @@ index f03dcf5..2a9e44c 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +584,12 @@ optional_policy(` +@@ -665,20 +585,12 @@ optional_policy(` ') optional_policy(` @@ -107413,7 +107504,7 @@ index f03dcf5..2a9e44c 100644 ') optional_policy(` -@@ -691,20 +602,26 @@ optional_policy(` +@@ -691,20 +603,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -107447,7 +107538,7 @@ index f03dcf5..2a9e44c 100644 ') optional_policy(` -@@ -712,11 +629,18 @@ optional_policy(` +@@ -712,11 +630,18 @@ optional_policy(` ') optional_policy(` @@ -107466,7 +107557,7 @@ index f03dcf5..2a9e44c 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +651,18 @@ optional_policy(` +@@ -727,10 +652,18 @@ optional_policy(` ') optional_policy(` @@ -107485,7 +107576,7 @@ index f03dcf5..2a9e44c 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +678,277 @@ optional_policy(` +@@ -746,44 +679,277 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -107586,7 +107677,7 @@ index f03dcf5..2a9e44c 100644 -can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -107633,7 +107724,7 @@ index f03dcf5..2a9e44c 100644 +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) - ++ +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) @@ -107785,7 +107876,7 @@ index f03dcf5..2a9e44c 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +959,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +960,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -107812,7 +107903,7 @@ index f03dcf5..2a9e44c 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +979,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +980,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -107829,10 +107920,10 @@ index f03dcf5..2a9e44c 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -107846,7 +107937,7 @@ index f03dcf5..2a9e44c 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1016,20 @@ optional_policy(` +@@ -856,14 +1017,20 @@ optional_policy(` ') optional_policy(` @@ -107868,7 +107959,7 @@ index f03dcf5..2a9e44c 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1054,65 @@ optional_policy(` +@@ -888,49 +1055,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -107952,7 +108043,7 @@ index f03dcf5..2a9e44c 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1124,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1125,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -107972,7 +108063,7 @@ index f03dcf5..2a9e44c 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1145,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1146,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -107996,7 +108087,7 @@ index f03dcf5..2a9e44c 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1170,318 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1171,320 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -108012,21 +108103,21 @@ index f03dcf5..2a9e44c 100644 +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) -+ + +-miscfiles_read_localization(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') --miscfiles_read_localization(virtd_lxc_t) -+optional_policy(` -+ docker_exec_lib(virtd_lxc_t) -+') - -seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ docker_exec_lib(virtd_lxc_t) ++') ++ ++optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -108060,88 +108151,6 @@ index f03dcf5..2a9e44c 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ -+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; -+ -+allow svirt_sandbox_domain virtd_lxc_t:process sigchld; -+allow svirt_sandbox_domain virtd_lxc_t:fd use; -+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -+ -+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; -+ -+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; -+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; -+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; -+ -+kernel_getattr_proc(svirt_sandbox_domain) -+kernel_list_all_proc(svirt_sandbox_domain) -+kernel_read_all_sysctls(svirt_sandbox_domain) -+kernel_read_net_sysctls(svirt_sandbox_domain) -+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) -+kernel_dontaudit_access_check_proc(svirt_sandbox_domain) -+kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) -+ -+corecmd_exec_all_executables(svirt_sandbox_domain) -+ -+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) -+files_dontaudit_getattr_all_files(svirt_sandbox_domain) -+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) -+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) -+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) -+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) -+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) -+files_entrypoint_all_files(svirt_sandbox_domain) -+files_list_var(svirt_sandbox_domain) -+files_list_var_lib(svirt_sandbox_domain) -+files_search_all(svirt_sandbox_domain) -+files_read_config_files(svirt_sandbox_domain) -+files_read_usr_symlinks(svirt_sandbox_domain) -+files_search_locks(svirt_sandbox_domain) -+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) -+ -+fs_getattr_all_fs(svirt_sandbox_domain) -+fs_list_inotifyfs(svirt_sandbox_domain) -+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) -+fs_read_fusefs_files(svirt_sandbox_domain) -+fs_read_hugetlbfs_files(svirt_sandbox_domain) -+ -+auth_dontaudit_read_passwd(svirt_sandbox_domain) -+auth_dontaudit_read_login_records(svirt_sandbox_domain) -+auth_dontaudit_write_login_records(svirt_sandbox_domain) -+auth_search_pam_console_data(svirt_sandbox_domain) -+ -+clock_read_adjtime(svirt_sandbox_domain) -+ -+init_read_utmp(svirt_sandbox_domain) -+init_dontaudit_write_utmp(svirt_sandbox_domain) -+ -+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) -+ -+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) -+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) -+miscfiles_read_fonts(svirt_sandbox_domain) -+miscfiles_read_hwdata(svirt_sandbox_domain) -+ -+systemd_read_unit_files(svirt_sandbox_domain) -+ -+userdom_use_inherited_user_terminals(svirt_sandbox_domain) -+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) -+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -108225,24 +108234,108 @@ index f03dcf5..2a9e44c 100644 -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` -+ docker_read_share_files(svirt_sandbox_domain) -+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) -+ docker_use_ptys(svirt_sandbox_domain) -+') ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; + -+optional_policy(` -+ gear_read_pid_files(svirt_sandbox_domain) -+') ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; ++ ++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; ++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_read_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++kernel_dontaudit_access_check_proc(svirt_sandbox_domain) ++kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) ++kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) ++ ++corecmd_exec_all_executables(svirt_sandbox_domain) ++ ++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) ++files_dontaudit_getattr_all_files(svirt_sandbox_domain) ++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) ++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) ++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) ++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) ++files_entrypoint_all_files(svirt_sandbox_domain) ++files_list_var(svirt_sandbox_domain) ++files_list_var_lib(svirt_sandbox_domain) ++files_search_all(svirt_sandbox_domain) ++files_read_config_files(svirt_sandbox_domain) ++files_read_usr_symlinks(svirt_sandbox_domain) ++files_search_locks(svirt_sandbox_domain) ++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) ++ ++fs_getattr_all_fs(svirt_sandbox_domain) ++fs_list_inotifyfs(svirt_sandbox_domain) ++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) ++fs_read_fusefs_files(svirt_sandbox_domain) ++fs_read_hugetlbfs_files(svirt_sandbox_domain) ++fs_read_tmpfs_symlinks(svirt_sandbox_domain) ++ ++auth_dontaudit_read_passwd(svirt_sandbox_domain) ++auth_dontaudit_read_login_records(svirt_sandbox_domain) ++auth_dontaudit_write_login_records(svirt_sandbox_domain) ++auth_search_pam_console_data(svirt_sandbox_domain) ++ ++clock_read_adjtime(svirt_sandbox_domain) ++ ++init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_write_utmp(svirt_sandbox_domain) ++ ++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) ++ ++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) ++miscfiles_read_fonts(svirt_sandbox_domain) ++miscfiles_read_hwdata(svirt_sandbox_domain) ++ ++systemd_read_unit_files(svirt_sandbox_domain) ++ ++userdom_use_inherited_user_terminals(svirt_sandbox_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ docker_read_share_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ docker_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ gear_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + @@ -108302,6 +108395,11 @@ index f03dcf5..2a9e44c 100644 +tunable_policy(`virt_sandbox_use_mknod',` + allow svirt_lxc_net_t self:capability mknod; +') ++ ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow svirt_lxc_net_t self:capability all_capability_perms; ++ allow svirt_lxc_net_t self:capability2 all_capability2_perms; ++') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -108313,11 +108411,6 @@ index f03dcf5..2a9e44c 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_all_caps',` -+ allow svirt_lxc_net_t self:capability all_capability_perms; -+ allow svirt_lxc_net_t self:capability2 all_capability2_perms; -+') -+ +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -108407,12 +108500,12 @@ index f03dcf5..2a9e44c 100644 + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) @@ -108453,7 +108546,7 @@ index f03dcf5..2a9e44c 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1494,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1497,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -108468,7 +108561,7 @@ index f03dcf5..2a9e44c 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1512,8 @@ optional_policy(` +@@ -1192,9 +1515,8 @@ optional_policy(` ######################################## # @@ -108479,7 +108572,7 @@ index f03dcf5..2a9e44c 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1526,233 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1529,238 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -108578,6 +108671,7 @@ index f03dcf5..2a9e44c 100644 + +optional_policy(` + devicekit_manage_pid_files(virt_qemu_ga_t) ++ devicekit_read_log_files(virt_qemu_ga_t) +') + +optional_policy(` @@ -108585,6 +108679,10 @@ index f03dcf5..2a9e44c 100644 +') + +optional_policy(` ++ rpm_dbus_chat(virt_qemu_ga_t) ++') ++ ++optional_policy(` + shutdown_domtrans(virt_qemu_ga_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index ab8bb91..34ddf2f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 104%{?dist} +Release: 106%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -605,6 +605,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jan 29 2015 Lukas Vrabec 3.13.1-106 +- Allow docker to attach to the sandbox and user domains tun devices +- Allow pingd to read /dev/urandom. BZ(1181831) +- Allow virtd to list all mountpoints +- Allow sblim-sfcb to search images +- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. +- Call correct macro in virt_read_content(). +- Dontaudit couchdb search in gconf_home_t. BZ(1177717) +- Allow docker_t to changes it rlimit +- Allow neutron to read rpm DB. +- Allow radius to connect/bind radsec ports +- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log. +- Add devicekit_read_log_files(). +- Allow virt_qemu_ga to dbus chat with rpm. +- Allow netutils chown capability to make tcpdump working with -w. +- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t. +- journald now reads the netlink audit socket +- Add auditing support for ipsec. + +* Thu Jan 29 2015 Lukas Vrabec 3.13.1-105 +- Bump release + * Thu Jan 15 2015 Lukas Vrabec 3.13.1-104 - remove duplicate filename transition rules. - Call proper interface in sosreport.te.