diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4e0fbde..11b68a1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -16759,7 +16759,7 @@ index 54f1827..409df4f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..6fb69e7 100644 +index 1700ef2..f8f6456 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -16880,7 +16880,7 @@ index 1700ef2..6fb69e7 100644 ######################################## ## ## Allow the caller to directly read -@@ -808,3 +891,369 @@ interface(`storage_unconfined',` +@@ -808,3 +891,400 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -17249,6 +17249,37 @@ index 1700ef2..6fb69e7 100644
 + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
 + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
 + dev_filetrans($1, removable_device_t, chr_file, "rio500")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
++ dev_filetrans($1, 
fixed_disk_device_t, chr_file, "twa19") ++ +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index 7d45d15..22c9cfe 100644 @@ -31822,7 +31853,7 @@ index 39ea221..4dd92d4 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..e2a9f15 100644 +index 879bb1e..7daaff3 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` @@ -31861,12 +31892,14 @@ index 879bb1e..e2a9f15 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',` +@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',` # # /usr # -/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) -/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0) ++ +/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) +/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31933,7 +31966,7 @@ index 879bb1e..e2a9f15 100644 # # /var -@@ -97,5 +164,8 @@ ifdef(`distro_gentoo',` +@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -32042,7 +32075,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..df70cac 100644 +index e8c59a5..5c935e3 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te 
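Review bot: Named file transitions only match exact names, so the new tw0–tw9 and twa0–twa19 rules leave tw10, twa20 and any higher-numbered node inheriting device_t from /dev rather than getting fixed_disk_device_t; whether restorecon later corrects that depends on storage.fc carrying a matching `/dev/twa[0-9]+` style entry, which this diff does not touch, so please confirm one exists. If these are the 3ware controller nodes, the 3w-xxxx driver names its management devices twe*, not tw*, so the tw* set should be checked against the drivers actually shipped before thirty literal rules are kept. A one-line comment above the block naming the hardware, e.g. `# 3ware RAID controller management nodes (tw*, twa*)`, would help whoever next extends the list. The enclosing interface begins before this hunk.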
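Review bot: The new context `/usr/lib/systemd/generator/lvm.*` labels a path under /usr/lib, while the interface introduced for lvm_unit_file_t in this same diff documents its target as /run/systemd/generator and only adds search on /run, so the file-context entry and the transition name different directories. systemd generators are installed under /usr/lib/systemd/system-generators and write their output to /run/systemd/generator, so unless this build really creates /usr/lib/systemd/generator the entry will never match anything and only the runtime transition labels the units; it probably wants to be `/run/systemd/generator/lvm.* -- gen_context(system_u:object_r:lvm_unit_file_t,s0)`, with the `--` qualifier so directories are not swept in. Please also check that systemd.fc does not already claim /run/systemd/generator with a different type, since the more specific pattern wins and that outcome should be deliberate.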
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -32064,7 +32097,17 @@ index e8c59a5..df70cac 100644 type lvm_lock_t; files_lock_file(lvm_lock_t) -@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t) +@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t) + type lvm_tmp_t; + files_tmp_file(lvm_tmp_t) + ++type lvm_unit_file_t; ++systemd_unit_file(lvm_unit_file_t) ++ + ######################################## + # + # Cluster LVM daemon local policy +@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t) allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process { signal_perms setsched }; @@ -32086,7 +32129,7 @@ index e8c59a5..df70cac 100644 read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) -@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) +@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) corecmd_exec_shell(clvmd_t) corecmd_getattr_bin_files(clvmd_t) @@ -32094,7 +32137,7 @@ index e8c59a5..df70cac 100644 corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) -@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t) +@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t) logging_send_syslog_msg(clvmd_t) @@ -32104,7 +32147,7 @@ index e8c59a5..df70cac 100644 seutil_sigchld_newrole(clvmd_t) seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) -@@ -141,6 +145,11 @@ ifdef(`distro_redhat',` +@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32116,7 +32159,7 @@ index e8c59a5..df70cac 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; 
@@ -32124,7 +32167,17 @@ index e8c59a5..df70cac 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms; + allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; + ++allow lvm_t lvm_unit_file_t:file manage_file_perms; ++systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file) ++ + manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) + manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) + files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) +@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -32137,7 +32190,7 @@ index e8c59a5..df70cac 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -32149,7 +32202,7 @@ index e8c59a5..df70cac 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -32157,7 +32210,7 @@ index e8c59a5..df70cac 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) 
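Review bot: `systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)` is called without a name argument, so every regular file lvm_t creates in any systemd_unit_file_t directory becomes lvm_unit_file_t, not only the generator output under /run/systemd/generator; if the installed unit directories under /usr/lib/systemd/system carry the same type, lvm_t can also drop files there that systemd will read as units at boot. Since unit files are consumed by init as root, the rule should be as narrow as the generator that needs it: pass the unit names the lvm generator writes as the fourth argument (one call per name) or introduce a dedicated type for the generator directory, and record the reason with a comment such as `# lvm2 systemd generator writes its units to /run/systemd/generator`. The lvm_t local policy section begins outside this hunk.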
@@ -32172,7 +32225,7 @@ index e8c59a5..df70cac 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -32180,7 +32233,7 @@ index e8c59a5..df70cac 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -32203,7 +32256,7 @@ index e8c59a5..df70cac 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -32212,7 +32265,7 @@ index e8c59a5..df70cac 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -32236,7 +32289,7 @@ index e8c59a5..df70cac 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +342,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +348,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32248,7 +32301,7 @@ index e8c59a5..df70cac 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +367,26 @@ optional_policy(` +@@ -333,14 +373,26 @@ optional_policy(` ') optional_policy(` @@ -33737,7 +33790,7 @@ index cbbda4a..8dcc346 100644 +userdom_use_inherited_user_terminals(netlabel_mgmt_t) + 
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index d43f3b1..c4182e8 100644 +index d43f3b1..f958391 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,14 @@ @@ -33758,7 +33811,7 @@ index d43f3b1..c4182e8 100644 # # /root -@@ -35,12 +36,14 @@ +@@ -35,19 +36,26 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) @@ -33774,7 +33827,11 @@ index d43f3b1..c4182e8 100644 # # /var/lib -@@ -51,3 +54,7 @@ + # + /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) ++/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) + + # # /var/run # /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) @@ -35926,10 +35983,10 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..5894afb +index 0000000..2e5b822 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1159 @@ +@@ -0,0 +1,1195 @@ +## SELinux policy for systemd components + +###################################### 
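Review bot: Labeling `/var/lib/sepolgen(/.*)?` as selinux_config_t gives a data directory under /var/lib the type that otherwise marks /etc/selinux, so every domain that receives selinux_config_t through seutil_read_config() (clvmd_t in this very diff, for example) can now read the sepolgen templates, and whatever may write selinux_config_t can alter the templates audit2allow and sepolgen expand into policy modules. If the aim is simply that the sepolgen tools find their data under a type they already read, that is defensible, but it deserves a comment on the entry, e.g. `# sepolgen templates: read by the same tools that read /etc/selinux`; otherwise semanage_var_lib_t, already used by the neighbouring /var/lib/selinux entry, or a dedicated type would keep /var/lib data apart from the configuration type. The rest of the file-context list is outside this hunk.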
@@ -36775,6 +36832,42 @@ index 0000000..5894afb + allow $1 hostname_etc_t:file read_file_perms; +') + ++####################################### ++## ++## Create objects in /run/systemd/generator directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`systemd_unit_file_filetrans',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ files_search_pids($1) ++ filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4) ++') ++ +######################################## +## +## Transition to systemd named content diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index cc76d7e..efe35c0 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -4426,7 +4426,7 @@ index 83e899c..c0ece1b 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..c2a14a5 100644 +index 1a82e29..cb872c5 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,360 @@ @@ -5476,7 +5476,7 @@ index 1a82e29..c2a14a5 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +799,42 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +799,38 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
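Review bot: The summary says the interface creates objects in /run/systemd/generator, but the body is `filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)` over every directory of type systemd_unit_file_t, and `files_search_pids($1)` only grants search on /run, so nothing limits the transition to the generator directory and the description promises more precision than the rules deliver. Either reword it to `## Create objects in directories labeled systemd_unit_file_t, such as /run/systemd/generator, with an automatic type transition to a specified private type.`, or give the generator directory its own type and transition on that if it is meant to be the only target. In this rendering the parameter blocks appear without their XML tags (`<summary>`, `<param name=...>`), which the policy documentation build needs; please confirm the tags survive in the file itself.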
@@ -5495,11 +5495,10 @@ index 1a82e29..c2a14a5 100644 +# are dontaudited here. tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_t) +-',` +- userdom_dontaudit_use_user_terminals(httpd_t) + userdom_use_inherited_user_terminals(httpd_t) + userdom_use_inherited_user_terminals(httpd_suexec_t) - ',` - userdom_dontaudit_use_user_terminals(httpd_t) -+ userdom_dontaudit_use_user_terminals(httpd_suexec_t) ') -tunable_policy(`httpd_use_cifs',` @@ -5519,7 +5518,7 @@ index 1a82e29..c2a14a5 100644 - fs_manage_fusefs_files(httpd_t) - fs_read_fusefs_symlinks(httpd_t) -') - +- -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_t) -') @@ -5551,7 +5550,7 @@ index 1a82e29..c2a14a5 100644 ') optional_policy(` -@@ -743,14 +845,6 @@ optional_policy(` +@@ -743,14 +841,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5566,7 +5565,7 @@ index 1a82e29..c2a14a5 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +859,23 @@ optional_policy(` +@@ -765,6 +855,23 @@ optional_policy(` ') optional_policy(` @@ -5590,7 +5589,7 @@ index 1a82e29..c2a14a5 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +892,42 @@ optional_policy(` +@@ -781,34 +888,42 @@ optional_policy(` ') optional_policy(` @@ -5644,7 +5643,7 @@ index 1a82e29..c2a14a5 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +935,18 @@ optional_policy(` +@@ -816,8 +931,18 @@ optional_policy(` ') optional_policy(` @@ -5663,7 +5662,7 @@ index 1a82e29..c2a14a5 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +955,7 @@ optional_policy(` +@@ -826,6 +951,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5671,7 +5670,7 @@ index 1a82e29..c2a14a5 100644 ') optional_policy(` -@@ -836,20 +966,38 @@ optional_policy(` +@@ -836,20 +962,38 @@ optional_policy(` ') optional_policy(` 
@@ -5716,7 +5715,7 @@ index 1a82e29..c2a14a5 100644 ') optional_policy(` -@@ -857,6 +1005,16 @@ optional_policy(` +@@ -857,6 +1001,16 @@ optional_policy(` ') optional_policy(` @@ -5733,7 +5732,7 @@ index 1a82e29..c2a14a5 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1023,7 @@ optional_policy(` +@@ -865,6 +1019,7 @@ optional_policy(` ') optional_policy(` @@ -5741,7 +5740,7 @@ index 1a82e29..c2a14a5 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,65 +1036,166 @@ optional_policy(` +@@ -877,65 +1032,166 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5930,7 +5929,7 @@ index 1a82e29..c2a14a5 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1204,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1200,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6085,7 +6084,7 @@ index 1a82e29..c2a14a5 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1288,104 @@ optional_policy(` +@@ -1077,172 +1284,104 @@ optional_policy(` ') ') @@ -6321,7 +6320,7 @@ index 1a82e29..c2a14a5 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1393,70 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1389,70 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6415,7 +6414,7 @@ index 1a82e29..c2a14a5 100644 ######################################## # -@@ -1315,8 +1464,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1460,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6432,7 +6431,7 @@ index 1a82e29..c2a14a5 100644 ') ######################################## -@@ -1324,49 +1480,36 @@ optional_policy(` +@@ -1324,49 +1476,36 @@ optional_policy(` # User content local policy # 
@@ -6496,7 +6495,7 @@ index 1a82e29..c2a14a5 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1519,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1515,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -10168,7 +10167,7 @@ index 0000000..88107d7 +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..efebae7 +index 0000000..36bd6be --- /dev/null +++ b/chrome.if @@ -0,0 +1,134 @@ @@ -10258,7 +10257,7 @@ index 0000000..efebae7 + + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; -+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write }; ++ allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write }; + dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; + allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; @@ -16253,7 +16252,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..fb69e2c 100644 +index 9f34c2e..c861b5b 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16577,7 +16576,7 @@ index 9f34c2e..fb69e2c 100644 ') ######################################## -@@ -345,11 +381,9 @@ optional_policy(` +@@ -345,12 +381,11 @@ optional_policy(` # Configuration daemon local policy # 
@@ -16589,9 +16588,11 @@ index 9f34c2e..fb69e2c 100644 -allow cupsd_config_t self:tcp_socket { accept listen }; +allow cupsd_config_t self:process { getsched }; ++domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t) allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run + +@@ -375,18 +410,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16611,7 +16612,7 @@ index 9f34c2e..fb69e2c 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +427,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -16632,7 +16633,7 @@ index 9f34c2e..fb69e2c 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +444,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16644,7 +16645,7 @@ index 9f34c2e..fb69e2c 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +470,12 @@ optional_policy(` +@@ -452,9 +471,12 @@ optional_policy(` ') optional_policy(` @@ -16658,7 +16659,7 @@ index 9f34c2e..fb69e2c 100644 ') optional_policy(` -@@ -490,10 +511,6 @@ optional_policy(` +@@ -490,10 +512,6 @@ optional_policy(` # Lpd local policy # 
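Review bot: `domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` does more than permit the exec: the pattern also lets cupsd_t use cupsd_config_t's inherited file descriptors and read/write its fifos, so whatever the configuration daemon holds open flows into the printing daemon, and if cupsd_config_t is still reached from user-session tooling that path can now start the privileged cupsd_t directly. If the purpose is only to restart the service after a configuration change, going through the service manager keeps the environment clean; if the direct exec is required, note the caller that needs it above the rule, e.g. `# cups-config-daemon re-execs cupsd after applying configuration changes`. If cups.if already exposes a cups_domtrans() interface, using it here keeps the module consistent with the rest of the tree.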
@@ -16669,7 +16670,7 @@ index 9f34c2e..fb69e2c 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +529,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16702,7 +16703,7 @@ index 9f34c2e..fb69e2c 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +554,6 @@ optional_policy(` +@@ -546,7 +555,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16710,7 +16711,7 @@ index 9f34c2e..fb69e2c 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +570,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -16727,8 +16728,11 @@ index 9f34c2e..fb69e2c 100644 - userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) - userdom_home_filetrans_user_home_dir(cups_pdf_t) -@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',` +-userdom_home_filetrans_user_home_dir(cups_pdf_t) ++userdom_filetrans_home_content(cups_pdf_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(cups_pdf_t) fs_manage_nfs_files(cups_pdf_t) ') @@ -16859,7 +16863,7 @@ index 9f34c2e..fb69e2c 100644 ######################################## # -@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +614,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -16867,7 +16871,7 @@ index 9f34c2e..fb69e2c 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +623,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -16881,7 +16885,7 @@ index 9f34c2e..fb69e2c 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +635,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -55124,7 +55128,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..7bb7d5b 100644 +index 191a66f..fa32037 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -55933,7 +55937,7 @@ index 191a66f..7bb7d5b 100644 ') optional_policy(` -@@ -764,31 +707,100 @@ optional_policy(` +@@ -764,31 +707,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -55969,9 +55973,9 @@ index 191a66f..7bb7d5b 100644 userdom_manage_user_home_dirs(postfix_virtual_t) -userdom_manage_user_home_content_dirs(postfix_virtual_t) -userdom_manage_user_home_content_files(postfix_virtual_t) -+userdom_manage_user_home_content(postfix_virtual_t) - userdom_home_filetrans_user_home_dir(postfix_virtual_t) +-userdom_home_filetrans_user_home_dir(postfix_virtual_t) -userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }) ++userdom_manage_user_home_content(postfix_virtual_t) +userdom_filetrans_home_content(postfix_virtual_t) + +######################################## @@ -75305,7 +75309,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..a7c3d7c 100644 +index 49b12ae..a89828e 100644 --- a/setroubleshoot.te 
+++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -75394,7 +75398,7 @@ index 49b12ae..a7c3d7c 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -79,13 +85,13 @@ dev_getattr_mtrr_dev(setroubleshootd_t) +@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) @@ -75402,14 +75406,7 @@ index 49b12ae..a7c3d7c 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) - files_getattr_all_sockets(setroubleshootd_t) - files_read_all_symlinks(setroubleshootd_t) - files_read_mnt_files(setroubleshootd_t) -+files_read_var_lib_files(setroubleshootd_t) - - fs_getattr_all_dirs(setroubleshootd_t) - fs_getattr_all_files(setroubleshootd_t) -@@ -107,27 +113,24 @@ init_read_utmp(setroubleshootd_t) +@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -75442,7 +75439,7 @@ index 49b12ae..a7c3d7c 100644 ') optional_policy(` -@@ -135,10 +138,18 @@ optional_policy(` +@@ -135,10 +137,18 @@ optional_policy(` ') optional_policy(` @@ -75461,7 +75458,7 @@ index 49b12ae..a7c3d7c 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +159,17 @@ optional_policy(` +@@ -148,15 +158,17 @@ optional_policy(` ######################################## # @@ -75480,7 +75477,7 @@ index 49b12ae..a7c3d7c 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,9 +178,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) 
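Review bot: This hunk removes `+files_read_var_lib_files(setroubleshootd_t)` from the patch, which is the rule the 3.12.1-35 changelog entry 'Allow setroubleshootd to read var_lib_t to make email_alert working' introduced, yet neither the -36 nor the -37 changelog entry mentions undoing it. If the rule now comes from the contrib tarball or was replaced by a narrower interface, the changelog should say so; otherwise the email_alert breakage that -35 fixed returns. When the rule is reinstated, a read interface for the specific /var/lib directory the alert code needs would be easier to justify than reading all of var_lib_t.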
@@ -75495,7 +75492,7 @@ index 49b12ae..a7c3d7c 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e7cdbae..a51744a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 35%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -530,6 +530,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 26 2013 Miroslav Grepl 3.12.1-37 +- Allow lvm to create its own unit files +- Label /var/lib/sepolgen as selinux_config_t +- Add filetrans rules for tw devices +- Add transition from cupsd_config_t to cupsd_t + +* Wed Apr 24 2013 Miroslav Grepl 3.12.1-36 +- Add filetrans rules for tw devices +- Cleanup bad transition lines + * Tue Apr 23 2013 Miroslav Grepl 3.12.1-35 - Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working