diff --git a/permissivedomains.pp b/permissivedomains.pp
index bf3d7ca..9cd25a8 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 30a3150..4bb16b4 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -13,3 +13,10 @@ optional_policy(`
 ')
 permissive docker_t;
 ')
+
+optional_policy(`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+ permissive systemd_networkd_t;
+')
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 3f61fe1..d18bd1b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5841,7 +5841,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..341e29c 100644 +index b31c054..1212440 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@
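Review bot: The new `permissive systemd_networkd_t;` block in permissivedomains.te means none of the systemd-networkd rules introduced by this change are enforced, so a compromised networkd, which is also granted `self:capability { net_admin }` in systemd.te, is not contained at all while the entry exists. That is a normal bring-up step, but the block carries no marker for when it is meant to go away, and permissive entries in this file tend to outlive their purpose. A comment above the block such as `# TODO: drop once systemd_networkd_t has run clean in permissive mode; see systemd.te` would record the exit condition. Since permissive domains still log AVC denials, the audit trail is the evidence to check before removing the line.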
@@ -5883,17 +5883,19 @@ index b31c054..341e29c 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +123,9 @@ +@@ -118,6 +123,11 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +139,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -5908,7 +5910,7 @@ index b31c054..341e29c 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,6 +182,8 @@ ifdef(`distro_suse', ` +@@ -172,6 +184,8 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) 
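Review bot: The two added devices.fc entries label `/dev/sclp[0-9]*` and `/dev/vmcp[0-9]*` as `vfio_device_t`, and nothing in the hunk justifies that mapping: these names appear to be the s390 SCLP console and the z/VM CP command interface rather than VFIO passthrough handles, so every domain that is already allowed vfio_device_t for device assignment would silently gain the ability to issue CP commands to the hypervisor from a guest. A label should track the privilege the device confers, not the platform it shows up on; if no existing device type fits, a dedicated type with access granted only to the domains that demonstrably open these nodes is the safer choice. At minimum the two lines need a comment saying why vfio_device_t was chosen, e.g. `# s390 console/CP-command devices; shares vfio_device_t because <reason>`, so the next reviewer does not have to guess.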
@@ -5917,7 +5919,7 @@ index b31c054..341e29c 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +210,22 @@ ifdef(`distro_debian',` +@@ -198,12 +212,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -9209,7 +9211,7 @@ index cf04cb5..0b3704b 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..27f60c6 100644 +index b876c48..7a98631 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9264,7 +9266,7 @@ index b876c48..27f60c6 100644 +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) @@ -20436,7 +20438,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..849acef 100644 +index 6d77e81..8332fca 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -20444,7 +20446,7 @@ index 6d77e81..849acef 100644 +## +##
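Review bot: Replacing the `/etc/yum\.repos\.d/redhat\.repo` entry with `/etc/yum\.repos\.d(/.*)?` as `system_conf_t` turns the whole package-source directory, including the directory itself, into a writable target for any domain that holds a write or manage grant on system_conf_t (those callers are not visible in this hunk, but the label is shared with the firewall and ipvsadm sysconfig files listed just above it). A confined service with that grant could then drop a new `.repo` file pointing at an attacker-controlled mirror or set `gpgcheck=0`, which is a software-supply-chain foothold the narrow pattern did not offer. If the intent is only to let subscription tooling maintain its own file, keep the single-file pattern; if some domain really needs to manage arbitrary repo files, that domain should be named in the change and the line should carry a comment, e.g. `# repo definitions are package-source trust roots; every system_conf_t writer can alter them`.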

-+## Allow unprivledged user to create and transition to svirt domains. ++## Allow unprivileged user to create and transition to svirt domains. +##

+##
+gen_tunable(unprivuser_use_svirt, false) @@ -29519,7 +29521,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..9f7264a 100644 +index 17eda24..d1590ad 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -29788,7 +29790,7 @@ index 17eda24..9f7264a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +300,229 @@ ifdef(`distro_gentoo',` +@@ -186,29 +300,230 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -29980,6 +29982,7 @@ index 17eda24..9f7264a 100644 + optional_policy(` + ipsec_read_config(init_t) + ipsec_manage_pid(init_t) ++ ipsec_stream_connect(init_t) + ') + + optional_policy(` @@ -30026,7 +30029,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -216,7 +530,31 @@ optional_policy(` +@@ -216,7 +531,31 @@ optional_policy(` ') optional_policy(` @@ -30058,7 +30061,7 @@ index 17eda24..9f7264a 100644 ') ######################################## -@@ -225,9 +563,9 @@ optional_policy(` +@@ -225,9 +564,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -30070,7 +30073,7 @@ index 17eda24..9f7264a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +596,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -30087,7 +30090,7 @@ index 17eda24..9f7264a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +621,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30130,7 +30133,7 @@ index 17eda24..9f7264a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +658,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -30142,7 +30145,7 @@ index 17eda24..9f7264a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +670,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +671,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30153,7 +30156,7 @@ index 17eda24..9f7264a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +681,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +682,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30163,7 +30166,7 @@ index 17eda24..9f7264a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +690,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +691,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -30171,7 +30174,7 @@ index 17eda24..9f7264a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +697,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30179,7 +30182,7 @@ index 17eda24..9f7264a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +705,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +706,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30197,7 +30200,7 @@ index 17eda24..9f7264a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +723,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +724,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30211,7 +30214,7 @@ index 17eda24..9f7264a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +738,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +739,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30225,7 +30228,7 @@ index 17eda24..9f7264a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +751,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +752,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -30236,7 +30239,7 @@ index 17eda24..9f7264a 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +764,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +765,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30244,7 +30247,7 @@ index 17eda24..9f7264a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +783,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +784,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30268,7 +30271,7 @@ index 17eda24..9f7264a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +816,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +817,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30276,7 +30279,7 @@ index 17eda24..9f7264a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +850,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +851,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30287,7 +30290,7 @@ index 17eda24..9f7264a 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +874,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +875,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30296,7 +30299,7 @@ index 17eda24..9f7264a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +889,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +890,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -30304,7 +30307,7 @@ index 17eda24..9f7264a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +910,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +911,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30312,7 +30315,7 @@ index 17eda24..9f7264a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +920,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +921,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30357,7 +30360,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -559,14 +965,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +966,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30389,7 +30392,7 @@ index 17eda24..9f7264a 100644 ') ') -@@ -577,6 +1000,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1001,39 @@ ifdef(`distro_suse',` ') ') @@ -30429,7 +30432,7 @@ index 17eda24..9f7264a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1045,8 @@ optional_policy(` +@@ -589,6 +1046,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30438,7 +30441,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -610,6 +1068,7 @@ optional_policy(` +@@ -610,6 +1069,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30446,7 +30449,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -626,6 +1085,17 @@ optional_policy(` +@@ -626,6 +1086,17 @@ optional_policy(` ') optional_policy(` @@ -30464,7 +30467,7 @@ index 17eda24..9f7264a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1112,13 @@ optional_policy(` +@@ -642,9 +1113,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -30478,7 +30481,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -657,15 +1131,11 @@ optional_policy(` +@@ -657,15 +1132,11 @@ optional_policy(` ') optional_policy(` @@ -30496,7 +30499,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -686,6 +1156,15 @@ optional_policy(` +@@ -686,6 +1157,15 @@ optional_policy(` ') optional_policy(` @@ -30512,7 +30515,7 @@ index 17eda24..9f7264a 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1205,7 @@ optional_policy(` +@@ -726,6 +1206,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30520,7 +30523,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -743,7 +1223,13 @@ optional_policy(` +@@ -743,7 +1224,13 @@ optional_policy(` ') optional_policy(` @@ -30535,7 +30538,7 @@ index 17eda24..9f7264a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1252,10 @@ optional_policy(` +@@ -766,6 +1253,10 @@ optional_policy(` ') optional_policy(` @@ -30546,7 +30549,7 @@ index 17eda24..9f7264a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1265,20 @@ optional_policy(` +@@ -775,10 +1266,20 @@ optional_policy(` ') optional_policy(` @@ -30567,7 +30570,7 @@ index 17eda24..9f7264a 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1287,10 @@ optional_policy(` +@@ -787,6 +1288,10 @@ optional_policy(` ') optional_policy(` @@ -30578,7 +30581,7 @@ index 17eda24..9f7264a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1312,6 @@ optional_policy(` +@@ -808,8 +1313,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30587,7 +30590,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -818,6 +1320,10 @@ optional_policy(` +@@ -818,6 +1321,10 @@ optional_policy(` ') optional_policy(` 
@@ -30598,7 +30601,7 @@ index 17eda24..9f7264a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1333,12 @@ optional_policy(` +@@ -827,10 +1334,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30611,7 +30614,7 @@ index 17eda24..9f7264a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1365,60 @@ optional_policy(` +@@ -857,21 +1366,60 @@ optional_policy(` ') optional_policy(` @@ -30673,7 +30676,7 @@ index 17eda24..9f7264a 100644 ') optional_policy(` -@@ -887,6 +1434,10 @@ optional_policy(` +@@ -887,6 +1435,10 @@ optional_policy(` ') optional_policy(` @@ -30684,7 +30687,7 @@ index 17eda24..9f7264a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1448,218 @@ optional_policy(` +@@ -897,3 +1449,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -33687,10 +33690,10 @@ index 6b91740..633e449 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..4e8728f 100644 +index 58bc27f..f887230 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -86,6 +86,28 @@ interface(`lvm_read_config',` +@@ -86,6 +86,50 @@ interface(`lvm_read_config',` ######################################## ## 
@@ -33716,10 +33719,32 @@ index 58bc27f..4e8728f 100644 + +######################################## +## ++## Read LVM configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_write_metadata',` ++ gen_require(` ++ type lvm_etc_t; ++ type lvm_metadata_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 lvm_etc_t:dir list_dir_perms; ++ write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) ++') ++ ++######################################## ++## ## Manage LVM configuration files. ## ## -@@ -123,3 +145,113 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +167,113 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -37250,10 +37275,10 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18..7cc0c8a 100644 +index 40edc18..a072ac2 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -17,16 +17,17 @@ ifdef(`distro_debian',` +@@ -17,22 +17,24 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -37275,7 +37300,14 @@ index 40edc18..7cc0c8a 100644 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) ifdef(`distro_redhat',` -@@ -55,6 +56,20 @@ ifdef(`distro_redhat',` + /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) + /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ++/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) + ') + + # +@@ -55,6 +57,20 @@ ifdef(`distro_redhat',` # # /usr # 
@@ -37296,7 +37328,7 @@ index 40edc18..7cc0c8a 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -77,3 +92,6 @@ ifdef(`distro_debian',` +@@ -77,3 +93,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') @@ -37304,7 +37336,7 @@ index 40edc18..7cc0c8a 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..9f54e7c 100644 +index 2cea692..f752c31 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -37444,15 +37476,18 @@ index 2cea692..9f54e7c 100644 ## Read network config files. ## ## -@@ -356,6 +451,7 @@ interface(`sysnet_read_config',` +@@ -355,7 +450,10 @@ interface(`sysnet_read_config',` + ') ifdef(`distro_redhat',` ++ files_search_pids($1) ++ init_search_pid_dirs($1) allow $1 net_conf_t:dir list_dir_perms; + allow $1 net_conf_t:lnk_file read_lnk_file_perms; read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -440,6 +536,40 @@ interface(`sysnet_etc_filetrans_config',` +@@ -440,6 +538,40 @@ interface(`sysnet_etc_filetrans_config',` files_etc_filetrans($1, net_conf_t, file, $2) ') 
@@ -37493,15 +37528,53 @@ index 2cea692..9f54e7c 100644 ####################################### ## ## Create, read, write, and delete network config files. -@@ -463,6 +593,7 @@ interface(`sysnet_manage_config',` +@@ -463,12 +595,45 @@ interface(`sysnet_manage_config',` ') ifdef(`distro_redhat',` ++ files_search_pids($1) ++ init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -501,6 +632,7 @@ interface(`sysnet_delete_dhcpc_pid',` + + ####################################### + ## ++## Create, read, write, and delete network config dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_manage_config_dirs',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:dir manage_dir_perms; ++ ++ ifdef(`distro_debian',` ++ files_search_pids($1) ++ manage_dirs_pattern($1, net_conf_t, net_conf_t) ++ ') ++ ++ ifdef(`distro_redhat',` ++ files_search_pids($1) ++ init_search_pid_dirs($1) ++ allow $1 net_conf_t:dir list_dir_perms; ++ manage_dirs_pattern($1, net_conf_t, net_conf_t) ++ ') ++') ++ ++####################################### ++## + ## Read the dhcp client pid file. + ## + ## +@@ -501,6 +666,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -37509,7 +37582,7 @@ index 2cea692..9f54e7c 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -610,6 +742,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -610,6 +776,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -37535,7 +37608,7 @@ index 2cea692..9f54e7c 100644 ## Read the DHCP configuration files. ## ## -@@ -626,6 +777,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -626,6 +811,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) 
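Review bot: In the new `sysnet_manage_config_dirs` interface the unconditional `allow $1 net_conf_t:dir manage_dir_perms;` already contains every permission the distro branches add, so the `allow $1 net_conf_t:dir list_dir_perms;` and both `manage_dirs_pattern($1, net_conf_t, net_conf_t)` calls are redundant and only the `files_search_pids`/`init_search_pid_dirs` lines in those branches do any work. Either drop the unconditional rule and let the branches carry the grant, as `sysnet_manage_config` directly above does, or keep it and reduce the branches to the search calls; the mixed form reads as if the grant were distro-conditional when it is not. On Red Hat this is manage on every net_conf_t directory, which includes /etc/sysconfig/network-scripts, so the summary should name that scope rather than just "network config dirs".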
@@ -37543,7 +37616,7 @@ index 2cea692..9f54e7c 100644 ') ######################################## -@@ -711,8 +863,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -711,8 +897,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -37552,7 +37625,7 @@ index 2cea692..9f54e7c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +870,11 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,8 +904,11 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -37564,7 +37637,7 @@ index 2cea692..9f54e7c 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +903,6 @@ interface(`sysnet_use_ldap',` +@@ -750,8 +937,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -37573,7 +37646,7 @@ index 2cea692..9f54e7c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -763,6 +914,9 @@ interface(`sysnet_use_ldap',` +@@ -763,6 +948,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -37583,7 +37656,7 @@ index 2cea692..9f54e7c 100644 ') ######################################## -@@ -784,7 +938,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +972,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -37591,7 +37664,7 @@ index 2cea692..9f54e7c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +949,94 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +983,95 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
@@ -37667,6 +37740,7 @@ index 2cea692..9f54e7c 100644 + files_etc_filetrans($1, net_conf_t, file, "ethers") + files_etc_filetrans($1, net_conf_t, file, "yp.conf") + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") ++ init_pid_filetrans($1, net_conf_t, dir, "network") +') + +######################################## @@ -38071,10 +38145,10 @@ index a392fc4..b0a854f 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..e9f1096 +index 0000000..916c8ed --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,47 @@ +@@ -0,0 +1,49 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -38094,6 +38168,7 @@ index 0000000..e9f1096 + +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0) 
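Review bot: Adding `init_pid_filetrans($1, net_conf_t, dir, "network")` to `sysnet_filetrans_named_content` changes the grant for every existing caller of that interface, not only systemd-networkd: each of them now gets create on the init pid directory for a child named `network`, and the directory they create is net_conf_t. If only networkd should create /run/systemd/network, the transition belongs in its own interface or directly in the networkd block of systemd.te next to the other networkd rules. If the widening is intended, the interface summary should say it also covers the runtime directory, since every sibling rule here is a `files_etc_filetrans` under /etc.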
@@ -38108,6 +38183,7 @@ index 0000000..e9f1096 +/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0) +/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) ++/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) @@ -39570,10 +39646,10 @@ index 0000000..8bca1d7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c9ea962 +index 0000000..d0651a8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,640 @@ +@@ -0,0 +1,673 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -39609,6 +39685,11 @@ index 0000000..c9ea962 +files_security_file(random_seed_t) +files_mountpoint(random_seed_t) + ++systemd_domain_template(systemd_networkd) ++ ++type systemd_networkd_unit_file_t; ++systemd_unit_file(systemd_networkd_unit_file_t) ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + 
@@ -39790,6 +39871,34 @@ index 0000000..c9ea962 + +####################################### +# ++# systemd-networkd local policy ++# ++ ++allow systemd_networkd_t self:capability { net_admin }; ++ ++allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; ++allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; ++ ++kernel_dgram_send(systemd_networkd_t) ++ ++dev_read_sysfs(systemd_networkd_t) ++ ++sysnet_filetrans_named_content(systemd_networkd_t) ++sysnet_manage_config(systemd_networkd_t) ++sysnet_manage_config_dirs(systemd_networkd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(systemd_networkd_t) ++ dbus_connect_system_bus(systemd_networkd_t) ++') ++ ++optional_policy(` ++ udev_read_db(systemd_networkd_t) ++') ++ ++####################################### ++# +# Local policy +# + @@ -41594,7 +41703,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..771d5b9 100644 +index 9dc60c6..3cc8679 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42272,7 +42381,7 @@ index 9dc60c6..771d5b9 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +726,124 @@ template(`userdom_common_user_template',` +@@ -546,93 +726,128 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -42367,6 +42476,10 @@ index 9dc60c6..771d5b9 100644 + evolution_alarm_dbus_chat($1_usertype) + ') + ++ optional_policy(` ++ firewalld_dbus_chat($1_usertype) ++ ') ++ + optional_policy(` + geoclue_dbus_chat($1_usertype) + ') 
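Review bot: The systemd-networkd local policy grants `sysnet_manage_config` and `sysnet_filetrans_named_content`, which cover every net_conf_t object, including the /etc files those interfaces create (ethers, yp.conf, ntp.conf in sysnetwork.if) and on Red Hat /etc/sysconfig/network-scripts, while the only path this change labels for networkd is /var/run/systemd/network; the write footprint is far wider than the daemon's visible footprint. Combined with `self:capability { net_admin }` and `netlink_route_socket { ... nlmsg_write }`, a compromised networkd could both rewrite the resolver configuration labeled net_conf_t and reconfigure interfaces. Consider a dedicated runtime type for /run/systemd/network with manage rights for networkd only, and a short header comment stating which of the two sysnet grants is actually required; the block currently has no comment explaining any of its rules.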
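Review bot: `firewalld_dbus_chat($1_usertype)` is added to `userdom_common_user_template`, so every login user type built from this template, restricted ones included, may exchange D-Bus messages with firewalld; the SELinux dbus check is the only mandatory gate in front of that API, and any remaining mediation is left to firewalld's own polkit configuration, which this change does not touch. The neighbouring chats (evolution_alarm, geoclue) are desktop session services, whereas the firewall daemon is a privileged system service. If the goal is to let desktop users query zone status, consider limiting the chat to the unprivileged or admin user templates, or gating it behind a tunable, and add a comment on the optional_policy block stating the intended use, e.g. `# firewalld D-Bus API; authorization is delegated to polkit`.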
@@ -42411,31 +42524,31 @@ index 9dc60c6..771d5b9 100644 - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` + lircd_stream_connect($1_usertype) ') optional_policy(` -@@ -642,23 +853,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +857,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -42464,7 +42577,7 @@ index 9dc60c6..771d5b9 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +880,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +884,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -42473,7 +42586,7 @@ index 9dc60c6..771d5b9 100644 ') optional_policy(` -@@ -680,9 +889,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +893,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -42486,7 +42599,7 @@ index 9dc60c6..771d5b9 100644 ') ') -@@ -693,32 +902,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +906,35 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -42496,31 +42609,27 @@ index 9dc60c6..771d5b9 100644 + + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` @@ -42529,11 +42638,15 @@ index 9dc60c6..771d5b9 100644 - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") ++ slrnpull_search_spool($1_usertype) ++ ') ++ ++ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -743,17 +955,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +959,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -42553,9 +42666,7 @@ index 9dc60c6..771d5b9 100644 + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -42563,7 +42674,9 @@ index 9dc60c6..771d5b9 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -42571,7 +42684,7 @@ index 9dc60c6..771d5b9 100644 userdom_change_password_template($1) -@@ -761,83 +989,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +993,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -42715,7 +42828,7 @@ index 9dc60c6..771d5b9 100644 ') ####################################### -@@ -868,6 +1120,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1124,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -42728,7 +42841,7 @@ index 9dc60c6..771d5b9 100644 ############################## # # Local policy -@@ -907,53 +1165,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,57 +1169,141 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # 
@@ -42812,43 +42925,54 @@ index 9dc60c6..771d5b9 100644 optional_policy(` - cups_dbus_chat($1_t) + accountsd_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- gnome_role_template($1, $1_r, $1_t) +- wm_role_template($1, $1_r, $1_t) + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) -+ ') -+ + ') +- ') + +- optional_policy(` +- java_role($1_r, $1_t) +- ') + optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) + ') -+ + +- optional_policy(` +- setroubleshoot_dontaudit_stream_connect($1_t) +- ') +-') + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') -+ + +-####################################### +-## + optional_policy(` + fprintd_dbus_chat($1_t) + ') + + optional_policy(` + realmd_dbus_chat($1_t) - ') - - optional_policy(` - gnome_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ gnome_role_template($1, $1_r, $1_t) + ') + + optional_policy(` - wm_role_template($1, $1_r, $1_t) - ') - ') - - optional_policy(` -- java_role($1_r, $1_t) ++ wm_role_template($1, $1_r, $1_t) ++ ') ++ ') ++ ++ optional_policy(` + policykit_role($1_r, $1_usertype) + ') + @@ -42863,11 +42987,11 @@ index 9dc60c6..771d5b9 100644 + + optional_policy(` + systemd_filetrans_home_content($1_usertype) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') ++ ') ++ ++ optional_policy(` ++ setroubleshoot_dontaudit_stream_connect($1_t) ++ ') + + optional_policy(` + udev_read_db($1_usertype) 
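Review bot: The re-added `setroubleshoot_dontaudit_stream_connect($1_t)` block, like the neighbouring `fprintd_dbus_chat($1_t)`, `realmd_dbus_chat($1_t)` and `xserver_xdm_ioctl_log($1_t)` calls, is granted only to `$1_t`, while every other optional_policy block in this stretch of userdom_restricted_xwindows_user_template is granted to `$1_usertype`. If limiting these four to the base user domain is deliberate, a short comment such as `# $1_t only: not needed by the derived usertype domains` would keep the next rebase from "fixing" them; if it is not, they presumably belong on `$1_usertype` like the rest. The template's body starts and ends outside this hunk.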
@@ -42876,10 +43000,14 @@ index 9dc60c6..771d5b9 100644 + optional_policy(` + xserver_xdm_ioctl_log($1_t) + ') - ') - - ####################################### -@@ -987,27 +1329,33 @@ template(`userdom_unpriv_user_template', ` ++') ++ ++####################################### ++## + ## The template for creating a unprivileged user roughly + ## equivalent to a regular linux user. + ## +@@ -987,27 +1333,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -42917,7 +43045,7 @@ index 9dc60c6..771d5b9 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1366,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1370,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -42988,7 +43116,7 @@ index 9dc60c6..771d5b9 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1428,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1432,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -42999,7 +43127,7 @@ index 9dc60c6..771d5b9 100644 ') ') -@@ -1079,7 +1466,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1470,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -43010,7 +43138,7 @@ index 9dc60c6..771d5b9 100644 ') ############################## -@@ -1095,6 +1484,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1488,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -43018,7 +43146,7 @@ index 9dc60c6..771d5b9 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1495,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1499,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # 
@@ -43035,7 +43163,7 @@ index 9dc60c6..771d5b9 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1512,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1516,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -43043,7 +43171,7 @@ index 9dc60c6..771d5b9 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1530,14 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1534,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -43058,7 +43186,7 @@ index 9dc60c6..771d5b9 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1548,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1552,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -43101,7 +43229,7 @@ index 9dc60c6..771d5b9 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1589,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1593,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -43110,7 +43238,7 @@ index 9dc60c6..771d5b9 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1598,17 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1602,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -43129,7 +43257,7 @@ index 9dc60c6..771d5b9 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1644,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1648,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -43138,7 +43266,7 @@ index 9dc60c6..771d5b9 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1654,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1658,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -43147,7 +43275,7 @@ index 9dc60c6..771d5b9 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1668,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1672,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -43159,7 +43287,7 @@ index 9dc60c6..771d5b9 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1682,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1686,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -43202,7 +43330,7 @@ index 9dc60c6..771d5b9 100644 ') optional_policy(` -@@ -1357,14 +1767,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1771,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -43221,7 +43349,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -1405,6 +1818,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1405,6 +1822,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## 
@@ -43273,7 +43401,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## Domain allowed access. -@@ -1509,11 +1967,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1971,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -43305,7 +43433,7 @@ index 9dc60c6..771d5b9 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2033,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2037,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -43320,7 +43448,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -1570,9 +2056,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2060,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -43332,7 +43460,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -1629,6 +2117,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2121,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -43375,7 +43503,7 @@ index 9dc60c6..771d5b9 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2232,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2236,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -43384,7 +43512,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -1741,10 +2267,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2271,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -43399,7 +43527,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -1769,7 +2297,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2301,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -43426,7 +43554,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -1779,53 +2325,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1779,53 +2329,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -43509,7 +43637,7 @@ index 9dc60c6..771d5b9 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1845,6 +2408,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1845,6 +2412,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -43535,7 +43663,7 @@ index 9dc60c6..771d5b9 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2457,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1875,15 +2461,18 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -43551,39 +43679,48 @@ index 9dc60c6..771d5b9 100644 ######################################## ## +-## Do not audit attempts to read user home files. +## Do not audit attempts to getattr user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -1891,18 +2480,18 @@ interface(`userdom_read_user_home_content_files',` + ## + ## + # +-interface(`userdom_dontaudit_read_user_home_content_files',` +interface(`userdom_dontaudit_getattr_user_home_content',` -+ gen_require(` + gen_require(` +- type user_home_t; + attribute user_home_type; -+ ') -+ + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; -+') -+ -+######################################## -+## - ## Do not audit attempts to read user home files. + ') + + ######################################## + ## +-## Do not audit attempts to append user home files. ++## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2497,14 @@ interface(`userdom_read_user_home_content_files',` + ## +@@ -1910,17 +2499,39 @@ interface(`userdom_dontaudit_read_user_home_content_files',` + ## + ## # - interface(`userdom_dontaudit_read_user_home_content_files',` +-interface(`userdom_dontaudit_append_user_home_content_files',` ++interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` - type user_home_t; + attribute user_home_type; + type user_home_dir_t; ') -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; +- dontaudit $1 user_home_t:file append_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; 
@@ -43591,7 +43728,31 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -1938,7 +2545,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` + ## +-## Do not audit attempts to write user home files. ++## Do not audit attempts to append user home files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_append_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ dontaudit $1 user_home_t:file append_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to write user home files. + ## + ## + ## +@@ -1938,7 +2549,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -43600,7 +43761,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -1946,10 +2553,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2557,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -43613,7 +43774,7 @@ index 9dc60c6..771d5b9 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2564,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2568,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## 
@@ -43622,115 +43783,59 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -1966,35 +2572,35 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2576,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # -interface(`userdom_delete_user_home_content_files',` +interface(`userdom_delete_all_user_home_content_files',` - gen_require(` -- type user_home_t; ++ gen_require(` + attribute user_home_type; - ') - -- allow $1 user_home_t:file delete_file_perms; ++ ') ++ + allow $1 user_home_type:file delete_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to write user home files. ++') ++ ++######################################## ++## +## Delete sock files in a user home subdirectory. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`userdom_dontaudit_relabel_user_home_content_files',` ++## ++## ++# +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; ') -- dontaudit $1 user_home_t:file relabel_file_perms; +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; - ') - - ######################################## - ## --## Read user home subdirectory symbolic links. -+## Delete all sock files in a user home subdirectory. - ## - ## - ## -@@ -2002,45 +2608,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` - ## - ## - # --interface(`userdom_read_user_home_content_symlinks',` -+interface(`userdom_delete_all_user_home_content_sock_files',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) -+ allow $1 user_home_type:sock_file delete_file_perms; - ') - - ######################################## - ## --## Execute user home files. -+## Delete all files in a user home subdirectory. 
- ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`userdom_exec_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - -- files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; +') - -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) ++ +######################################## +## -+## Do not audit attempts to write user home files. ++## Delete all sock files in a user home subdirectory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_relabel_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` -+ type user_home_t; - ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -+ dontaudit $1 user_home_t:file relabel_file_perms; ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:sock_file delete_file_perms; +') + +######################################## +## -+## Read user home subdirectory symbolic links. ++## Delete all files in a user home subdirectory. +## +## +## 
@@ -43738,42 +43843,51 @@ index 9dc60c6..771d5b9 100644 +## +## +# -+interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content',` + gen_require(` -+ type user_home_dir_t, user_home_t; - ') ++ attribute user_home_type; ++ ') + ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; + ') + + ######################################## +@@ -2007,8 +2671,7 @@ interface(`userdom_read_user_home_content_symlinks',` + type user_home_dir_t, user_home_t; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## - ## -+## Execute user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_exec_user_home_content_files',` -+ gen_require(` +@@ -2024,20 +2687,14 @@ interface(`userdom_read_user_home_content_symlinks',` + # + interface(`userdom_exec_user_home_content_files',` + gen_require(` +- type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; -+ ') -+ -+ files_search_home($1) + ') + + files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; -+ ') -+ -+######################################## -+## - ## Do not audit attempts to execute user home files. - ## - ## -@@ -2120,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + ') +-') + + ######################################## + ## +@@ -2120,7 +2777,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -43782,7 +43896,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -2128,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2785,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -43806,7 +43920,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -2148,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2803,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -43822,7 +43936,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -2390,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2390,11 +3045,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -43837,7 +43951,7 @@ index 9dc60c6..771d5b9 100644 files_search_tmp($1) ') -@@ -2414,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3069,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -43846,7 +43960,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -2661,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3316,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -43872,7 +43986,7 @@ index 9dc60c6..771d5b9 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3351,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -43888,7 +44002,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -2704,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3379,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -43897,7 +44011,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -2712,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3387,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -43932,7 +44046,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -2814,6 +3501,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3505,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -43957,7 +44071,7 @@ index 9dc60c6..771d5b9 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3537,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3541,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -44000,7 +44114,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -2856,14 +3573,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3577,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -44038,7 +44152,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -2882,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3622,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -44068,7 +44182,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -2955,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3714,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -44169,7 +44283,7 @@ index 9dc60c6..771d5b9 100644 ## ## ## -@@ -3025,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3783,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -44184,7 +44298,7 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -3094,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3852,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -44193,7 +44307,7 @@ index 9dc60c6..771d5b9 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +3868,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -44227,93 +44341,75 @@ index 9dc60c6..771d5b9 100644 ') ######################################## -@@ -3214,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,31 +3956,49 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') - dontaudit $1 user_devpts_t:chr_file rw_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to open user ptys. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_open_user_ptys',` -+ gen_require(` -+ type user_devpts_t; -+ ') -+ -+ dontaudit $1 user_devpts_t:chr_file open; - ') - - ######################################## -@@ -3269,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',` - type user_tmp_t; - ') - -- allow $1 user_tmp_t:file write_file_perms; -+ write_files_pattern($1, user_tmp_t, user_tmp_t) ') ######################################## ## --## Do not audit attempts to use user ttys. -+## Do not audit attempts to write users -+## temporary files. +-## Relabel files to unprivileged user pty types. ++## Do not audit attempts to open user ptys. ## ## ## -@@ -3282,31 +4039,107 @@ interface(`userdom_write_user_tmp_files',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`userdom_dontaudit_use_user_ttys',` -+interface(`userdom_dontaudit_write_user_tmp_files',` +-interface(`userdom_relabelto_user_ptys',` ++interface(`userdom_dontaudit_open_user_ptys',` gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; + type user_devpts_t; ') -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tmp_t:file write; +- allow $1 user_devpts_t:chr_file relabelto; ++ dontaudit $1 user_devpts_t:chr_file open; ') ######################################## ## --## Read the process state of all user domains. -+## Do not audit attempts to delete users -+## temporary files. 
+-## Do not audit attempts to relabel files from +-## user pty types. ++## Relabel files to unprivileged user pty types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_relabelto_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file relabelto; ++') ++ ++######################################## ++## ++## Do not audit attempts to relabel files from ++## user pty types. ## ## ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_delete_user_tmp_files',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; +@@ -3269,7 +4029,83 @@ interface(`userdom_write_user_tmp_files',` + type user_tmp_t; ') -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:file delete_file_perms; +- allow $1 user_tmp_t:file write_file_perms; ++ write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Do not audit attempts to read/write users -+## temporary fifo files. ++## Do not audit attempts to write users ++## temporary files. +## +## +## 
@@ -44321,36 +44417,37 @@ index 9dc60c6..771d5b9 100644 +## +## +# -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Do not audit attempts to delete users ++## temporary files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## -+## Do not audit attempts to use user ttys. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## @@ -44358,17 +44455,18 @@ index 9dc60c6..771d5b9 100644 +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ type user_tty_device_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Read the process state of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## 
@@ -44376,18 +44474,33 @@ index 9dc60c6..771d5b9 100644 +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; + ') + -+ read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -3287,7 +4123,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ') ######################################## -@@ -3382,6 +4215,42 @@ interface(`userdom_signal_all_users',` +@@ -3306,6 +4142,7 @@ interface(`userdom_read_all_users_state',` + ') + + read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -3382,6 +4219,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -44430,7 +44543,7 @@ index 9dc60c6..771d5b9 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4271,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4275,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -44455,7 +44568,7 @@ index 9dc60c6..771d5b9 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4322,1680 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4326,1680 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -44586,7 +44699,7 @@ index 9dc60c6..771d5b9 100644 + + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; - ') ++') + +######################################## +## 
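Review bot: The new `read_lnk_files_pattern($1,userdomain,userdomain)` line in userdom_read_all_users_state drops the spaces after the commas that the adjacent `read_files_pattern($1, userdomain, userdomain)` and the other interfaces in this file use; change it to `read_lnk_files_pattern($1, userdomain, userdomain)`. The interface's gen_require block begins outside the hunk.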
@@ -44643,7 +44756,7 @@ index 9dc60c6..771d5b9 100644 + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; -+') + ') + +######################################## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 68db24d..251d2bd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -23461,19 +23461,28 @@ index 0000000..89401fe +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..75d51ed +index 0000000..412e818 --- /dev/null +++ b/docker.te -@@ -0,0 +1,240 @@ +@@ -0,0 +1,256 @@ +policy_module(docker, 1.0.0) + +######################################## +# +# Declarations +# ++ ++## ++##

++## Determine whether docker can ++## connect to all TCP ports. ++##

++##
++gen_tunable(docker_connect_any, false) ++ +## +##

-+## Allow docker to transition to unconfined conateiners ++## Allow docker to transition to unconfined containers. +##

+##
+gen_tunable(docker_transition_unconfined, false) @@ -23583,6 +23592,7 @@ index 0000000..75d51ed +corenet_tcp_sendrecv_generic_port(docker_t) +corenet_tcp_bind_all_ports(docker_t) +corenet_tcp_connect_http_port(docker_t) ++corenet_tcp_connect_commplex_main_port(docker_t) +corenet_udp_sendrecv_generic_if(docker_t) +corenet_udp_sendrecv_generic_node(docker_t) +corenet_udp_sendrecv_all_ports(docker_t) @@ -23701,6 +23711,12 @@ index 0000000..75d51ed + virt_mounton_sandbox_file(docker_t) +') + ++tunable_policy(`docker_connect_any',` ++ corenet_tcp_connect_all_ports(docker_t) ++ corenet_sendrecv_all_packets(docker_t) ++ corenet_tcp_sendrecv_all_ports(docker_t) ++') ++ +tunable_policy(`docker_transition_unconfined',` + unconfined_transition(docker_t, docker_share_t) + unconfined_transition(docker_t, docker_var_lib_t) @@ -59105,10 +59121,10 @@ index 0000000..d9296b1 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..fc9dd48 +index 0000000..d4c7e21 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,215 @@ +@@ -0,0 +1,232 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -59116,6 +59132,14 @@ index 0000000..fc9dd48 +# Declarations +# + ++ ++## ++##
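Review bot: The `docker_connect_any` tunable's description says it lets docker connect to all TCP ports, but the tunable_policy block in the later hunk (`@@ -23701,6 +23711,12 @@`) also grants `corenet_sendrecv_all_packets(docker_t)`, which covers server-side packet types as well as client ones and so is wider than the description. Pairing `corenet_tcp_connect_all_ports(docker_t)` with `corenet_sendrecv_all_client_packets(docker_t)` would match the stated scope, in the same way the pcp hunk pairs its bind rules with `corenet_sendrecv_all_server_packets`. The tunable defaults to false, so the default posture is unchanged either way.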
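Review bot: `corenet_tcp_connect_commplex_main_port(docker_t)` is added unconditionally next to the existing http connect rule, with no comment saying which docker component needs it; a registry listening on the commplex_main port is the likely reason, but that is inferred. A one-line comment such as `# connect to a registry on commplex_main (5000/tcp); TODO confirm` above the call would record the intent, and if the port is only needed in some deployments the rule could instead live under the new `docker_connect_any` tunable.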

++## Allow pcp to bind to all unreserved_ports ++##

++##
++gen_tunable(pcp_bind_all_unreserved_ports, false) ++ +attribute pcp_domain; + +pcp_domain_template(pmcd) @@ -59185,6 +59209,15 @@ index 0000000..fc9dd48 + +sysnet_read_config(pcp_domain) + ++tunable_policy(`pcp_bind_all_unreserved_ports',` ++ corenet_sendrecv_all_server_packets(pcp_pmcd_t) ++ corenet_sendrecv_all_server_packets(pcp_pmlogger_t) ++ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t) ++ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t) ++ ++') ++ ++ +######################################## +# +# pcp_pmcd local policy @@ -59572,7 +59605,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..b01f04d 100644 +index 608f454..100a122 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -59591,7 +59624,7 @@ index 608f454..b01f04d 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,318 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,319 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -59871,6 +59904,7 @@ index 608f454..b01f04d 100644 +optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) + lvm_read_metadata(pegasus_openlmi_storage_t) ++ lvm_write_metadata(pegasus_openlmi_storage_t) +') + +optional_policy(` @@ -59915,7 +59949,7 @@ index 608f454..b01f04d 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) 
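Review bot: The new `tunable_policy(`pcp_bind_all_unreserved_ports',` block has a stray blank line before its closing `')` and is followed by two blank lines, and the `gen_tunable` declaration in the earlier hunk (`@@ -59116,6 +59132,14 @@`) is likewise introduced by an extra blank line; trimming these keeps pcp.te consistent with its other declarations. Beyond style, the description reads "Allow pcp to bind to all unreserved_ports" while the rules cover only pcp_pmcd_t and pcp_pmlogger_t, and the `pcp_domain` attribute suggests there are other members; if those are intentionally excluded, a comment like `# only pmcd and pmlogger open listening sockets` would make that explicit.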
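Review bot: `lvm_write_metadata(pegasus_openlmi_storage_t)` adds direct write access to LVM metadata on top of the existing `lvm_domtrans` and `lvm_read_metadata` grants, and the hunk carries no comment saying which storage-provider operation needs it. A one-line why-comment above the call, for example `# openlmi-storage creates and resizes LVM volumes; TODO confirm`, would let a later audit tell this grant apart from an accidental widening. The enclosing optional_policy block is fully visible, but the rest of pegasus.te's openlmi rules are not.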
@@ -59946,7 +59980,7 @@ index 608f454..b01f04d 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -59979,7 +60013,7 @@ index 608f454..b01f04d 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -59991,7 +60025,7 @@ index 608f454..b01f04d 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -60027,7 +60061,7 @@ index 608f454..b01f04d 100644
')
optional_policy(`
-@@ -151,16 +455,24 @@ optional_policy(`
+@@ -151,16 +456,24 @@ optional_policy(`
')
optional_policy(`
@@ -60056,7 +60090,7 @@ index 608f454..b01f04d 100644
')
optional_policy(`
-@@ -168,7 +480,7 @@ optional_policy(`
+@@ -168,7 +481,7 @@ optional_policy(`
')
optional_policy(`
@@ -104778,7 +104812,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..eac3196 100644
+index 7f496c6..6a63c90 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -104865,17 +104899,17 @@ index 7f496c6..eac3196 100644
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override };
-+
-+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
++
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@@ -104897,7 +104931,7 @@ index 7f496c6..eac3196 100644
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t)
@@ -104920,8 +104954,12 @@ index 7f496c6..eac3196 100644
- zabbix_agent_tcp_connect(zabbix_t)
++logging_send_syslog_msg(zabbix_t)
++
tunable_policy(`zabbix_can_network',`
-@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',`
+ corenet_sendrecv_all_client_packets(zabbix_t)
+ corenet_tcp_connect_all_ports(zabbix_t)
+@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -104936,7 +104974,7 @@ index 7f496c6..eac3196 100644
')
optional_policy(`
-@@ -125,6 +143,7 @@ optional_policy(`
+@@ -125,6 +145,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -104944,7 +104982,7 @@ index 7f496c6..eac3196 100644
')
########################################
-@@ -132,18 +151,7 @@ optional_policy(`
+@@ -132,18 +153,7 @@ optional_policy(`
# Agent local policy
#
@@ -104964,7 +105002,7 @@ index 7f496c6..eac3196 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
@@ -104983,7 +105021,7 @@ index 7f496c6..eac3196 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@@ -105259,7 +105297,7 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
-index 3fded1c..5729b83 100644
+index 3fded1c..91ce270 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
@@ -105268,7 +105306,7 @@ index 3fded1c..5729b83 100644
+##
+##

-+## Allow zarafa domains to setrlimit/sys_rouserce.
++## Allow zarafa domains to setrlimit/sys_resource.
+##

+##
+gen_tunable(zarafa_setrlimit, false)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2315ee8..206c2e9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 31%{?dist}
+Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 12 2014 Miroslav Grepl 3.13.1-33
+- Allow init_t to stream connect to ipsec
+- Add /usr/lib/systemd/systemd-networkd policy
+- Add sysnet_manage_config_dirs()
+- Add support for /var/run/systemd/network and labeled it as net_conf_t
+- Allow unpriv SELinux users to dbus chat with firewalld
+- Add lvm_write_metadata()
+- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
+- Add support for /dev/vmcp and /dev/sclp
+- Add docker_connect_any boolean
+- Fix zabbix policy
+- Allow zabbix to send system log msgs
+- Allow pegasus_openlmi_storage_t to write lvm metadata
+- Updated pcp_bind_all_unreserved_ports
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+
* Mon Mar 10 2014 Miroslav Grepl 3.13.1-32
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default