diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 11b68a1..0e35c26 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2367,7 +2367,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..fdd0567 100644 +index d555767..4165b4d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2653,13 +2653,13 @@ index d555767..fdd0567 100644 # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) -+ -+optional_policy(` -+ gnome_exec_keyringd(passwd_t) -+') optional_policy(` - nscd_run(passwd_t, passwd_roles) ++ gnome_exec_keyringd(passwd_t) ++') ++ ++optional_policy(` + #nscd_run(passwd_t, passwd_roles) + nscd_domtrans(passwd_t) ') @@ -2729,7 +2729,7 @@ index d555767..fdd0567 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2745,6 +2745,7 @@ index d555767..fdd0567 100644 files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) +files_manage_etc_files(useradd_t) ++files_rw_var_lib_dirs(useradd_t) fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) @@ -2777,7 +2778,7 @@ index d555767..fdd0567 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -2828,7 +2829,7 @@ index d555767..fdd0567 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +592,8 @@ optional_policy(` +@@ -542,7 +593,8 @@ optional_policy(` ') optional_policy(` @@ -2838,7 +2839,7 @@ index d555767..fdd0567 100644 ') optional_policy(` -@@ -550,6 +601,11 @@ optional_policy(` +@@ -550,6 +602,11 @@ optional_policy(` ') optional_policy(` @@ -2850,12 +2851,17 @@ index d555767..fdd0567 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +615,7 @@ optional_policy(` +@@ -559,3 +616,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') + +optional_policy(` ++ smsd_manage_lib_files(useradd_t) ++ smsd_manage_lib_dirs(useradd_t) ++') ++ ++optional_policy(` + stapserver_manage_lib(useradd_t) +') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if @@ -18190,7 +18196,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..b66bc2a 100644 +index 5da7870..8bd910a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) @@ -18510,7 +18516,7 @@ index 5da7870..b66bc2a 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +363,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +363,21 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18529,6 +18535,7 @@ index 5da7870..b66bc2a 100644 + allow staff_t self:fifo_file relabelfrom; + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) ++ virt_stream_connect_svirt(staff_t) + ') +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if @@ -39203,7 +39210,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..b44b1c9 100644 +index 3c5dba7..df7407b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -41870,7 +41877,7 @@ index 3c5dba7..b44b1c9 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4197,1390 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42687,13 +42694,10 @@ index 3c5dba7..b44b1c9 100644 +# +interface(`userdom_read_home_certs',` + gen_require(` -+ type home_cert_t; ++ attribute userdom_home_reader_certs_type; + ') + -+ userdom_search_user_home_content($1) -+ allow $1 home_cert_t:dir list_dir_perms; -+ read_files_pattern($1, home_cert_t, home_cert_t) -+ read_lnk_files_pattern($1, home_cert_t, home_cert_t) ++ typeattribute $1 userdom_home_reader_certs_type; +') + +######################################## @@ -43265,7 +43269,7 @@ index 3c5dba7..b44b1c9 100644 + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..9e23738 100644 +index e2b538b..2582882 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -43290,36 +43294,36 @@ index e2b538b..9e23738 100644 ## ##

-## Allow regular users direct mouse access +-##

+-## +-gen_tunable(user_direct_mouse, false) +- +-## +-##

+-## Allow users to read system messages. +## Allow user to r/w files on filesystems +## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

## --gen_tunable(user_direct_mouse, false) +-gen_tunable(user_dmesg, false) +gen_tunable(selinuxuser_rw_noexattrfile, false) ## ##

--## Allow users to read system messages. +-## Allow user to r/w files on filesystems +-## that do not have extended attributes (FAT, CDROM, FLOPPY) +## Allow user music sharing ##

## --gen_tunable(user_dmesg, false) +-gen_tunable(user_rw_noexattrfile, false) +gen_tunable(selinuxuser_share_music, false) ## ##

--## Allow user to r/w files on filesystems --## that do not have extended attributes (FAT, CDROM, FLOPPY) +-## Allow w to display everyone +## Allow user to use ssh chroot environment. ##

## --gen_tunable(user_rw_noexattrfile, false) -- --## --##

--## Allow w to display everyone --##

--## -gen_tunable(user_ttyfile_stat, false) +gen_tunable(selinuxuser_use_ssh_chroot, false) @@ -43328,10 +43332,11 @@ index e2b538b..9e23738 100644 # all user domains attribute userdomain; -@@ -58,6 +52,23 @@ attribute unpriv_userdomain; +@@ -58,6 +52,24 @@ attribute unpriv_userdomain; attribute user_home_content_type; ++attribute userdom_home_reader_certs_type; +attribute userdom_home_reader_type; +attribute userdom_home_manager_type; +attribute userdom_filetrans_type; @@ -43352,7 +43357,7 @@ index e2b538b..9e23738 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +81,207 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +82,218 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -43436,6 +43441,17 @@ index e2b538b..9e23738 100644 + xserver_filetrans_home_content(userdomain) +') + ++ ++# rules for types which can read home certs ++allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; ++read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) ++read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) ++userdom_search_user_home_content(userdom_home_reader_certs_type) ++ ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(userdom_home_reader_certs_type) ++') ++ +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(userdom_home_reader_type) + fs_read_nfs_files(userdom_home_reader_type) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index efe35c0..cf76426 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2756,10 +2756,10 @@ index 0000000..b334e9a + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..8f98c41 100644 +index 550a69e..53e5708 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,189 @@ +@@ -1,161 +1,196 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -2796,6 +2796,7 @@ index 550a69e..8f98c41 100644 +/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) +/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) @@ -2814,6 +2815,7 @@ index 550a69e..8f98c41 100644 +/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) ++/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -2862,13 +2864,15 @@ index 550a69e..8f98c41 100644 -/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +- +-ifdef(`distro_suse',` +-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - --ifdef(`distro_suse',` --/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ++ +ifdef(`distro_suse', ` +/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -2958,6 +2962,8 @@ index 550a69e..8f98c41 100644 +/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) -/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -2990,6 +2996,7 @@ index 550a69e..8f98c41 100644 +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -3008,6 +3015,7 @@ index 550a69e..8f98c41 100644 +/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) @@ -3087,7 +3095,7 @@ index 550a69e..8f98c41 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..c0ece1b 100644 +index 83e899c..c5be77c 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3110,8 +3118,12 @@ index 83e899c..c0ece1b 100644 - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_suexec_t; -- ') -- ++ attribute httpd_exec_scripts, httpd_script_exec_type; ++ type httpd_t, httpd_suexec_t, httpd_log_t; ++ type httpd_sys_content_t; ++ attribute httpd_script_type, httpd_content_type; + ') + - ######################################## - # - # Declarations @@ -3128,12 +3140,6 @@ index 83e899c..c0ece1b 100644 - gen_tunable(allow_httpd_$1_script_anon_write, false) - - type httpd_$1_content_t, httpdcontent; # customizable -+ attribute httpd_exec_scripts, httpd_script_exec_type; -+ type httpd_t, httpd_suexec_t, httpd_log_t; -+ type httpd_sys_content_t; -+ attribute httpd_script_type, httpd_content_type; -+ ') -+ + #This type is for webpages + type httpd_$1_content_t; # customizable; + typeattribute httpd_$1_content_t httpd_content_type; @@ -3253,11 +3259,11 @@ index 83e899c..c0ece1b 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) ++ ++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; -+ + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) ') @@ -3388,7 +3394,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -241,27 +237,28 @@ interface(`apache_domtrans',` +@@ -241,27 +237,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3415,6 +3421,25 @@ index 83e899c..c0ece1b 100644 - init_labeled_script_domtrans($1, httpd_initrc_exec_t) + can_exec($1, httpd_exec_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to execute apache suexec ++## in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_exec_suexec',` ++ gen_require(` ++ type httpd_suexec_exec_t; ++ ') ++ ++ can_exec($1, httpd_suexec_exec_t) ') ####################################### @@ -3424,7 +3449,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -279,7 +276,7 @@ interface(`apache_signal',` +@@ -279,7 +295,7 @@ interface(`apache_signal',` ######################################## ## @@ -3433,7 +3458,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -297,7 +294,7 @@ interface(`apache_signull',` +@@ -297,7 +313,7 @@ interface(`apache_signull',` ######################################## ## @@ -3442,7 +3467,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -315,8 +312,7 @@ interface(`apache_sigchld',` +@@ -315,8 +331,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3452,7 +3477,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -334,8 +330,8 @@ interface(`apache_use_fds',` +@@ -334,8 +349,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3463,7 +3488,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -348,13 +344,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3480,7 +3505,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -372,8 +368,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3491,7 +3516,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -391,8 +387,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -3501,7 +3526,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -417,7 +412,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -3511,7 +3536,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -435,7 +431,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -3521,7 +3546,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -453,7 +450,8 @@ interface(`apache_list_cache',` +@@ -453,7 +469,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -3531,7 +3556,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -471,7 +469,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -3541,7 +3566,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -489,7 +488,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -3551,7 +3576,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -507,49 +507,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -3614,7 +3639,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -570,8 +572,8 @@ interface(`apache_manage_config',` +@@ -570,8 +591,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -3625,7 +3650,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -608,16 +610,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -3667,7 +3692,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -639,7 +663,8 @@ interface(`apache_read_log',` +@@ -639,7 +682,8 @@ interface(`apache_read_log',` ######################################## ## @@ -3677,7 +3702,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -657,10 +682,29 @@ interface(`apache_append_log',` +@@ -657,10 +701,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3709,7 +3734,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -678,8 +722,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -3720,7 +3745,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -698,47 +742,49 @@ interface(`apache_manage_log',` +@@ -698,47 +761,49 @@ interface(`apache_manage_log',` read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3783,7 +3808,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -752,11 +798,13 @@ interface(`apache_list_modules',` +@@ -752,11 +817,13 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -3798,7 +3823,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -776,46 +824,63 @@ interface(`apache_exec_modules',` +@@ -776,46 +843,63 @@ interface(`apache_exec_modules',` ######################################## ## @@ -3879,7 +3904,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -829,13 +894,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -3896,7 +3921,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -844,6 +910,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -3904,21 +3929,23 @@ index 83e899c..c0ece1b 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') -######################################## +###################################### -+## + ## +-## Create, read, write, and delete +-## httpd system rw content. +## Allow the specified domain to read +## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +# +interface(`apache_read_sys_content_rw_files',` @@ -3950,17 +3977,15 @@ index 83e899c..c0ece1b 100644 +') + +###################################### - ## --## Create, read, write, and delete --## httpd system rw content. ++## +## Allow the specified domain to manage +## apache system content rw files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## # -interface(`apache_manage_sys_rw_content',` @@ -4011,7 +4036,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4030,7 +4055,7 @@ index 83e899c..c0ece1b 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4042,7 +4067,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4051,7 +4076,7 @@ index 83e899c..c0ece1b 100644 ## to the specified role. ## ## -@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4059,7 +4084,7 @@ index 83e899c..c0ece1b 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4069,7 +4094,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4085,7 +4110,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4094,7 +4119,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4109,7 +4134,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4118,7 +4143,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4128,7 +4153,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` @@ -4154,7 +4179,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4164,7 +4189,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4196,7 +4221,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4205,7 +4230,7 @@ index 83e899c..c0ece1b 100644 ') ######################################## -@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4215,7 +4240,7 @@ index 83e899c..c0ece1b 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4248,7 +4273,7 @@ index 83e899c..c0ece1b 100644 ## ## ## -@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4277,7 +4302,7 @@ index 83e899c..c0ece1b 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1399,10 @@ interface(`apache_admin',` +@@ -1204,10 +1418,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4291,7 +4316,7 @@ index 83e899c..c0ece1b 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1413,129 @@ interface(`apache_admin',` +@@ -1218,9 +1432,129 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -9879,12 +9904,14 @@ index 2354e21..fb8c9ed 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..8f201ca 100644 +index 403af41..8da9f32 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -21,32 +21,40 @@ role certwatch_roles types certwatch_t; +@@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t; + allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; ++allow certwatch_t self:tcp_socket create_stream_socket_perms; +kernel_read_system_state(certwatch_t) + @@ -20976,7 +21003,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..93e583c 100644 +index a7bfaf0..5690e77 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -21226,7 +21253,7 @@ index a7bfaf0..93e583c 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +213,59 @@ optional_policy(` +@@ -221,46 +213,61 @@ optional_policy(` ######################################## # @@ -21257,7 +21284,8 @@ index a7bfaf0..93e583c 100644 +dovecot_stream_connect_auth(dovecot_auth_t) -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; -- ++corecmd_exec_bin(dovecot_auth_t) + -files_search_pids(dovecot_auth_t) -files_read_usr_files(dovecot_auth_t) -files_read_var_lib_files(dovecot_auth_t) @@ -21296,7 +21324,7 @@ index a7bfaf0..93e583c 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -272,14 +277,21 @@ optional_policy(` +@@ -272,14 +279,21 @@ optional_policy(` optional_policy(` postfix_manage_private_sockets(dovecot_auth_t) @@ -21319,7 +21347,7 @@ index a7bfaf0..93e583c 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +301,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +303,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -21378,7 +21406,7 @@ index a7bfaf0..93e583c 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +344,6 @@ optional_policy(` +@@ -326,5 +346,6 @@ optional_policy(` ') optional_policy(` @@ -28843,7 +28871,7 @@ index 1a35420..1d27695 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index 57304e4..e7080f8 100644 +index 57304e4..7edd3d4 100644 --- a/iscsi.te +++ b/iscsi.te @@ -9,8 +9,8 @@ type iscsid_t; @@ -28865,7 +28893,7 @@ index 57304e4..e7080f8 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; -@@ -64,11 +63,11 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) can_exec(iscsid_t, iscsid_exec_t) @@ -28873,12 +28901,13 @@ index 57304e4..e7080f8 100644 kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) kernel_setsched(iscsid_t) ++kernel_request_load_module(iscsid_t) -corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,10 +84,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,10 +85,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -28894,7 +28923,7 @@ index 57304e4..e7080f8 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t) +@@ -99,8 +102,6 @@ init_stream_connect_script(iscsid_t) logging_send_syslog_msg(iscsid_t) @@ -29170,7 +29199,7 @@ index 16b1666..01673a4 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index bb12c90..ff69343 100644 +index bb12c90..fb916e0 100644 --- a/jabber.te +++ b/jabber.te @@ -1,4 +1,4 @@ @@ -29179,7 +29208,7 @@ index bb12c90..ff69343 100644 ######################################## # -@@ -9,129 +9,130 @@ attribute jabberd_domain; +@@ -9,129 +9,131 @@ attribute jabberd_domain; jabber_domain_template(jabberd) jabber_domain_template(jabberd_router) @@ -29280,6 +29309,7 @@ index bb12c90..ff69343 100644 -manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) +corenet_tcp_bind_jabber_interserver_port(jabberd_t) ++corenet_tcp_connect_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) -allow jabberd_t jabberd_log_t:dir setattr_dir_perms; @@ -32232,6 +32262,18 @@ index 9725f1a..34aa63b 100644 seutil_sigchld_newrole(kudzu_t) ') +diff --git a/l2tp.fc b/l2tp.fc +index d5d1572..82267a7 100644 +--- a/l2tp.fc ++++ b/l2tp.fc +@@ -5,6 +5,7 @@ + /etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0) + + /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0) + + /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) + /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/l2tp.if b/l2tp.if index 73e2803..562d25b 100644 --- a/l2tp.if @@ -51894,10 +51936,10 @@ index 0000000..0c167b7 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..8119448 +index 0000000..e1d3320 --- /dev/null +++ b/pki.if -@@ -0,0 +1,265 @@ +@@ -0,0 +1,272 @@ + +## policy for pki +######################################## @@ -51966,6 +52008,9 @@ index 0000000..8119448 + type $1_lock_t; + files_lock_file($1_lock_t) + ++ type $1_tmp_t; ++ files_tmpfs_file($1_tmp_t) ++ + ######################################## + # + # $1 local policy @@ -51996,6 +52041,10 @@ index 0000000..8119448 + manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t) + files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file }) + ++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) ++ + #talk to lunasa hsm + logging_send_syslog_msg($1_t) + @@ -52165,10 +52214,10 @@ index 0000000..8119448 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..352c7e4 +index 0000000..10eaddc --- /dev/null +++ b/pki.te -@@ -0,0 +1,282 @@ +@@ -0,0 +1,283 @@ +policy_module(pki,10.0.11) + +######################################## @@ -52438,6 +52487,7 @@ index 0000000..352c7e4 + apache_list_modules(pki_apache_domain) + apache_read_config(pki_apache_domain) + apache_exec(pki_apache_domain) ++ apache_exec_suexec(pki_apache_domain) + apache_entrypoint(pki_apache_domain) + + # should be started using a script which will execute httpd @@ -55128,7 +55178,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..fa32037 100644 +index 191a66f..c142af5 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -55772,7 +55822,7 @@ index 191a66f..fa32037 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +544,23 @@ optional_policy(` +@@ -621,17 +544,24 @@ optional_policy(` ####################################### # @@ -55780,6 +55830,7 @@ index 191a66f..fa32037 100644 +# Postfix postqueue local policy # ++allow postfix_postqueue_t self:capability2 block_suspend; +allow postfix_postqueue_t self:tcp_socket create; +allow postfix_postqueue_t self:udp_socket { create ioctl }; + @@ -55799,7 +55850,7 @@ index 191a66f..fa32037 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +576,77 @@ optional_policy(` +@@ -647,67 +577,77 @@ optional_policy(` ######################################## # @@ -55895,7 +55946,7 @@ index 191a66f..fa32037 100644 ') optional_policy(` -@@ -720,24 +659,27 @@ optional_policy(` +@@ -720,24 +660,27 @@ optional_policy(` ######################################## # @@ -55929,7 +55980,7 @@ index 191a66f..fa32037 100644 fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +696,7 @@ optional_policy(` +@@ -754,6 +697,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -55937,7 +55988,7 @@ index 191a66f..fa32037 100644 ') optional_policy(` -@@ -764,31 +707,99 @@ optional_policy(` +@@ -764,31 +708,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -57912,7 +57963,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index d447152..5940a04 100644 +index d447152..a911295 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ @@ -57947,7 +57998,7 @@ index d447152..5940a04 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,59 +44,72 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -57998,10 +58049,10 @@ index d447152..5940a04 100644 -logging_send_syslog_msg(procmail_t) +application_exec_all(procmail_t) -+ -+init_read_utmp(procmail_t) -miscfiles_read_localization(procmail_t) ++init_read_utmp(procmail_t) ++ +logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) @@ -58023,6 +58074,10 @@ index d447152..5940a04 100644 +userdom_manage_user_home_content_sockets(procmail_t) +userdom_filetrans_home_content(procmail_t) + ++userdom_manage_user_tmp_dirs(procmail_t) ++userdom_manage_user_tmp_files(procmail_t) ++userdom_manage_user_tmp_symlinks(procmail_t) ++ +# Execute user executables +userdom_exec_user_bin_files(procmail_t) + @@ -58047,7 +58102,7 @@ index d447152..5940a04 100644 ') optional_policy(` -@@ -100,12 +117,7 @@ optional_policy(` +@@ -100,12 +121,7 @@ optional_policy(` ') optional_policy(` @@ -58061,7 +58116,7 @@ index d447152..5940a04 100644 ') optional_policy(` -@@ -113,16 +125,17 @@ optional_policy(` +@@ -113,16 +129,17 @@ optional_policy(` ') optional_policy(` @@ -58084,7 +58139,7 @@ index d447152..5940a04 100644 ') optional_policy(` -@@ -131,6 +144,8 @@ optional_policy(` +@@ -131,6 +148,8 @@ optional_policy(` ') optional_policy(` @@ -76813,6 +76868,92 @@ index 0000000..92c3638 +logging_send_syslog_msg(smsd_t) + +sysnet_dns_name_resolve(smsd_t) +diff --git a/smstools.if b/smstools.if +index cbfe369..085ac13 100644 +--- a/smstools.if ++++ b/smstools.if +@@ -1,5 +1,81 @@ + ## Tools to send and receive short messages through GSM modems or mobile phones. + ++####################################### ++## ++## Search smsd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_search_lib',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ allow $1 smsd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++####################################### ++## ++## Read smsd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_read_lib_files',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t) ++') ++ ++####################################### ++## ++## Manage smsd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_manage_lib_files',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t) ++') ++ ++####################################### ++## ++## Manage smsd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_manage_lib_dirs',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t) ++') ++ + ######################################## + ## + ## All of the rules required to diff --git a/snmp.fc b/snmp.fc index c73fa24..408ff61 100644 --- a/snmp.fc @@ -82049,10 +82190,10 @@ index 0000000..601aea3 +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..bfcd2c7 +index 0000000..74cd27c --- /dev/null +++ b/thumb.if -@@ -0,0 +1,126 @@ +@@ -0,0 +1,129 @@ + +## policy for thumb + @@ -82104,6 +82245,9 @@ index 0000000..bfcd2c7 + + dontaudit thumb_t $1:dir list_dir_perms; + dontaudit thumb_t $1:file read_file_perms; ++ ++ allow thumb_t $1:shm rw_shm_perms; ++ allow thumb_t $1:sem create_sem_perms; +') + +######################################## @@ -82181,10 +82325,10 @@ index 0000000..bfcd2c7 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..4e9dc5e +index 0000000..780a62e --- /dev/null +++ b/thumb.te -@@ -0,0 +1,143 @@ +@@ -0,0 +1,144 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -82214,6 +82358,7 @@ index 0000000..4e9dc5e +# + +allow thumb_t self:process { setsched signal signull setrlimit }; ++dontaudit thumb_t self:capability sys_tty_config; + +tunable_policy(`deny_execmem',`',` + allow thumb_t self:process execmem; @@ -83222,7 +83367,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..ef6133e 100644 +index 7116181..8beef17 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -83235,7 +83380,7 @@ index 7116181..ef6133e 100644 type tuned_var_run_t; files_pid_file(tuned_var_run_t) -@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t) +@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t) # Local policy # @@ -83246,11 +83391,12 @@ index 7116181..ef6133e 100644 +allow tuned_t self:process { setsched signal }; allow tuned_t self:fifo_file rw_fifo_file_perms; +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow tuned_t self:netlink_socket create_socket_perms; +allow tuned_t self:udp_socket create_socket_perms; read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,10 +46,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) +@@ -41,10 +47,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -83267,7 +83413,7 @@ index 7116181..ef6133e 100644 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -@@ -57,6 +64,7 @@ kernel_request_load_module(tuned_t) +@@ -57,6 +65,7 @@ kernel_request_load_module(tuned_t) kernel_rw_kernel_sysctl(tuned_t) kernel_rw_hotplug_sysctls(tuned_t) kernel_rw_vm_sysctls(tuned_t) @@ -83275,7 +83421,7 @@ index 7116181..ef6133e 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +72,52 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +73,52 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -84959,7 +85105,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..cd873d3 100644 +index 9dec06c..6e25af1 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -85166,7 +85312,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -177,161 +89,53 @@ interface(`virt_domtrans_qmf',` +@@ -177,142 +89,53 @@ interface(`virt_domtrans_qmf',` ## ## # @@ -85243,24 +85389,6 @@ index 9dec06c..cd873d3 100644 -######################################## -## -## Send generic signals to all virt domains. --## --## --## --## Domain allowed access. --## --## --# --interface(`virt_signal_all_virt_domains',` -- gen_require(` -- attribute virt_domain; -- ') -- -- allow $1 virt_domain:process signal; --') -- --######################################## --## --## Send kill signals to all virt domains. ## -## -## @@ -85268,26 +85396,45 @@ index 9dec06c..cd873d3 100644 -## ## # --interface(`virt_kill_all_virt_domains',` +-interface(`virt_signal_all_virt_domains',` +interface(`virt_domtrans_qmf',` gen_require(` - attribute virt_domain; + type virt_qmf_t, virt_qmf_exec_t; ') -- allow $1 virt_domain:process sigkill; +- allow $1 virt_domain:process signal; + corecmd_search_bin($1) + domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ') ######################################## ## +-## Send kill signals to all virt domains. ++## Transition to virt_bridgehelper. + ## + ## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`virt_kill_all_virt_domains',` +- gen_require(` +- attribute virt_domain; +- ') +- +- allow $1 virt_domain:process sigkill; +-') +- +-######################################## + ## -## Execute svirt lxc domains in their -## domain, and allow the specified -## role that svirt lxc domain. -+## Transition to virt_bridgehelper. ++## Domain allowed to transition. ## - ## +-## -## -## Domain allowed to transition. -## @@ -85296,53 +85443,71 @@ index 9dec06c..cd873d3 100644 -## -## Role allowed access. -## --## + ## -# -interface(`virt_run_svirt_lxc_domain',` -- gen_require(` ++interface(`virt_domtrans_bridgehelper',` + gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; -- ') -- ++ type virt_bridgehelper_t, virt_bridgehelper_exec_t; + ') + - allow $1 svirt_lxc_domain:process { signal transition }; - roleattribute $2 svirt_lxc_domain_roles; - - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; --') -- --####################################### ++ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + ') + + ####################################### ## -## Get attributes of virtd executable files. -+## Domain allowed to transition. ++## Connect to virt over a unix domain stream socket. ## --## --## --## Domain allowed access. --## + ## + ## +@@ -320,18 +143,18 @@ interface(`virt_run_svirt_lxc_domain',` + ## ## --# + # -interface(`virt_getattr_virtd_exec_files',` -+interface(`virt_domtrans_bridgehelper',` ++interface(`virt_stream_connect',` gen_require(` - type virtd_exec_t; -+ type virt_bridgehelper_t, virt_bridgehelper_exec_t; ++ type virtd_t, virt_var_run_t; ') - allow $1 virtd_exec_t:file getattr_file_perms; -+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') ####################################### ## -## Connect to virt with a unix -## domain stream socket. -+## Connect to virt over a unix domain stream socket. ++## Connect to svirt process over a unix domain stream socket. ## ## ## -@@ -350,7 +154,7 @@ interface(`virt_stream_connect',` +@@ -339,18 +162,17 @@ interface(`virt_getattr_virtd_exec_files',` + ## + ## + # +-interface(`virt_stream_connect',` ++interface(`virt_stream_connect_svirt',` + gen_require(` +- type virtd_t, virt_var_run_t; ++ type svirt_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ++ allow $1 svirt_t:unix_stream_socket connectto; + ') ######################################## ## @@ -85351,7 +85516,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -369,7 +173,7 @@ interface(`virt_attach_tun_iface',` +@@ -369,7 +191,7 @@ interface(`virt_attach_tun_iface',` ######################################## ## @@ -85360,7 +85525,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -383,7 +187,6 @@ interface(`virt_read_config',` +@@ -383,7 +205,6 @@ interface(`virt_read_config',` ') files_search_etc($1) @@ -85368,7 +85533,7 @@ index 9dec06c..cd873d3 100644 read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +194,7 @@ interface(`virt_read_config',` +@@ -391,8 +212,7 @@ interface(`virt_read_config',` ######################################## ## @@ -85378,7 +85543,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -406,7 +208,6 @@ interface(`virt_manage_config',` +@@ -406,7 +226,6 @@ interface(`virt_manage_config',` ') files_search_etc($1) @@ -85386,7 +85551,7 @@ index 9dec06c..cd873d3 100644 manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +215,7 @@ interface(`virt_manage_config',` +@@ -414,8 +233,7 @@ interface(`virt_manage_config',` ######################################## ## @@ -85396,7 +85561,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -450,8 +250,7 @@ interface(`virt_read_content',` +@@ -450,8 +268,7 @@ interface(`virt_read_content',` ######################################## ## @@ -85406,7 +85571,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -459,35 +258,17 @@ interface(`virt_read_content',` +@@ -459,35 +276,17 @@ interface(`virt_read_content',` ## ## # @@ -85445,7 +85610,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -495,53 +276,40 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +294,40 @@ interface(`virt_manage_virt_content',` ## ## # @@ -85512,7 +85677,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -549,67 +317,36 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,67 +335,36 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -85593,7 +85758,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -618,54 +355,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +373,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -85657,7 +85822,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -673,54 +392,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +410,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -85724,7 +85889,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -728,52 +431,78 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +449,78 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -85822,7 +85987,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -781,19 +510,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +528,18 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -85847,7 +86012,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -801,18 +529,36 @@ interface(`virt_read_pid_files',` +@@ -801,18 +547,36 @@ interface(`virt_read_pid_files',` ## ## # @@ -85889,7 +86054,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -820,18 +566,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +584,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -85912,7 +86077,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -839,20 +584,18 @@ interface(`virt_search_lib',` +@@ -839,20 +602,18 @@ interface(`virt_search_lib',` ## ## # @@ -85937,7 +86102,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -860,115 +603,245 @@ interface(`virt_read_lib_files',` +@@ -860,115 +621,245 @@ interface(`virt_read_lib_files',` ## ## # @@ -86148,13 +86313,13 @@ index 9dec06c..cd873d3 100644 ## -## Domain allowed access. +## Domain allowed access -+## -+## + ## + ## +## +## +## The role to be allowed the sandbox domain. - ## - ## ++## ++## +## # -interface(`virt_append_log',` @@ -86220,7 +86385,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -976,18 +849,17 @@ interface(`virt_manage_log',` +@@ -976,18 +867,17 @@ interface(`virt_manage_log',` ## ## # @@ -86243,7 +86408,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -995,36 +867,35 @@ interface(`virt_search_images',` +@@ -995,36 +885,35 @@ interface(`virt_search_images',` ## ## # @@ -86299,7 +86464,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -1032,58 +903,57 @@ interface(`virt_read_images',` +@@ -1032,58 +921,57 @@ interface(`virt_read_images',` ## ## # @@ -86379,7 +86544,7 @@ index 9dec06c..cd873d3 100644 ## ## ## -@@ -1091,95 +961,168 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +979,168 @@ interface(`virt_manage_virt_cache',` ## ## # diff --git a/selinux-policy.spec b/selinux-policy.spec index a51744a..b5bdd7c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 37%{?dist} +Release: 38%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -530,6 +530,29 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 30 2013 Miroslav Grepl 3.12.1-38 +- Allow thumbnails to share memory with apps which run thumbnails +- Allow postfix-postqueue block_suspend +- Add lib interfaces for smsd +- Add support for nginx +- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t +- Allow pki apache domain to create own tmp files and execute httpd_suexec +- Allow procmail to manger user tmp files/dirs/lnk_files +- Add virt_stream_connect_svirt() interface +- Allow dovecot-auth to execute bin_t +- Allow iscsid to request that kernel load a kernel module +- Add labeling support for /var/lib/mod_security +- Allow iw running as tuned_t to create netlink socket +- Dontaudit sys_tty_config for thumb_t +- Add labeling for nm-l2tp-service +- Allow httpd running as certwatch_t to open tcp socket +- Allow useradd to manager smsd lib files +- Allow useradd_t to add homedirs in /var/lib +- Fix typo in userdomain.te +- Cleanup userdom_read_home_certs +- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t +- Allow staff to stream connect to svirt_t to make gnome-boxes working + * Fri Apr 26 2013 Miroslav Grepl 3.12.1-37 - Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t