diff --git a/policy-F16.patch b/policy-F16.patch
index 3dbb7e8..a0439ac 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -965,11 +965,54 @@ index c4d8998..f808287 100644
xserver_unconfined(firstboot_t)
+ xserver_stream_connect(firstboot_t)
')
+diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
+index c66934f..1aa1205 100644
+--- a/policy/modules/admin/kdump.fc
++++ b/policy/modules/admin/kdump.fc
+@@ -1,5 +1,7 @@
+ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+ /etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
++/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+ /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..df3f4d6 100644
+index 4198ff5..a296bfa 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
-@@ -56,6 +56,24 @@ interface(`kdump_read_config',`
+@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ ')
+
++########################################
++##
++## Execute kdump server in the kdump domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`kdump_systemctl',`
++ gen_require(`
++ type kdump_unit_file_t;
++ type kdump_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 kdump_unit_file_t:file read_file_perms;
++ allow $1 kdump_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, kdump_t)
++')
++
+ #####################################
+ ##
+ ## Read kdump configuration file.
+@@ -56,6 +80,24 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
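Review bot: The file context added at L17 labels `/lib/systemd/system/kdump.service` as `iptables_unit_file_t`, while the kdump_systemctl interface in the same hunk (L43, L49-50) and the new declaration in kdump.te (L73) use `kdump_unit_file_t`, so the unit file on disk never carries the type the interface grants, kdumpgui's `kdump_systemctl(kdumpgui_t)` at L171 will be denied, and — if `iptables_systemctl` follows the same shape as kdump_systemctl, which this chunk does not show — every domain given it (ncftool_t at L98, firewallgui_t at L150) would gain service control over kdump instead. The line should read `/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)`, with the dot escaped as in `kdump\.conf` on L14. The summary at L33, `Execute kdump server in the kdump domain.`, also mis-describes the interface, which grants systemctl execution, read and service permissions on the kdump unit file and process-state reads on kdump_t rather than a domain transition; `Allow the caller to manage the kdump service through systemctl.` would be accurate. The same copied wording recurs in bind_systemctl at L768.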
@@ -994,6 +1037,20 @@ index 4198ff5..df3f4d6 100644
####################################
##
## Manage kdump configuration file.
+diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
+index b29d8e2..bcd9273 100644
+--- a/policy/modules/admin/kdump.te
++++ b/policy/modules/admin/kdump.te
+@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
+ type kdump_initrc_exec_t;
+ init_script_file(kdump_initrc_exec_t)
+
++type kdump_unit_file_t;
++systemd_unit_file(kdump_unit_file_t)
++
+ #####################################
+ #
+ # kdump local policy
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 9dd6880..4b7fa27 100644
--- a/policy/modules/admin/kismet.te
@@ -1381,7 +1438,7 @@ index 75ee31d..a28ab46 100644
+ allow $2 ncftool_t:process signal;
+')
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
-index ec29391..41b58fd 100644
+index ec29391..b25d59a 100644
--- a/policy/modules/admin/ncftool.te
+++ b/policy/modules/admin/ncftool.te
@@ -18,9 +18,13 @@ role system_r types ncftool_t;
@@ -1422,6 +1479,14 @@ index ec29391..41b58fd 100644
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
+@@ -66,6 +76,7 @@ optional_policy(`
+
+ optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
++ iptables_systemctl(ncftool_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..a818e14 100644
--- a/policy/modules/admin/netutils.fc
@@ -1674,10 +1739,10 @@ index 0000000..bd83148
+## No Interfaces
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..3008c85
+index 0000000..f95087c
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,244 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -1914,6 +1979,14 @@ index 0000000..3008c85
+ permissive glance_api_t;
+')
+
++optional_policy(`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ permissive thumb_t;
++')
++
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
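Review bot: `permissive thumb_t;` at L127 disables enforcement for the thumbnailer domain that this same patch introduces (thumb.te), so until the line is removed every rule in that module only produces audit records and the domain runs effectively unconfined. A one-line comment stating why and when it goes away would help whoever later prunes this file, e.g. `# thumb_t is newly confined; drop once the thumbnailers run without AVC denials.`. The neighbouring entry for glance_api_t at L119 carries no such comment either, so this may simply be the file's convention.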
@@ -4644,10 +4717,10 @@ index 0000000..2bd5790
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
-index 0000000..5e96d3d
+index 0000000..86b640d
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -4710,6 +4783,7 @@ index 0000000..5e96d3d
+optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
++ iptables_systemctl(firewallgui_t)
+')
+
+optional_policy(`
@@ -6996,7 +7070,7 @@ index 0000000..6d0c9e3
+')
+
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..e4ccac2 100644
+index 2dde73a..8ebd16b 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
@@ -7021,6 +7095,14 @@ index 2dde73a..e4ccac2 100644
optional_policy(`
consoletype_exec(kdumpgui_t)
')
+@@ -58,6 +66,7 @@ optional_policy(`
+ optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
++ kdump_systemctl(kdumpgui_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
index b2e27ec..c324f94 100644
--- a/policy/modules/apps/livecd.if
@@ -8262,7 +8344,7 @@ index 0000000..1925bd9
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..3700bcb
+index 0000000..9bf1dd8
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
@@ -0,0 +1,338 @@
@@ -8557,24 +8639,24 @@ index 0000000..3700bcb
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
-+ fs_read_nfs_symlinks(nsplugin_t)
++ fs_manage_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
-+ fs_read_nfs_symlinks(nsplugin_config_t)
++ fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
-+ fs_read_cifs_symlinks(nsplugin_t)
++ fs_manage_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
-+ fs_read_cifs_symlinks(nsplugin_config_t)
++ fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
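Review bot: Lines L192, L198, L206 and L212 widen nsplugin_t and nsplugin_config_t from reading symlinks on NFS/CIFS home directories to managing them, but the patch records no denial or use case for the change. It is in keeping with the neighbouring manage_*_dirs/files rules, so it is probably intentional, yet a browser-plugin domain that can create and remove symlinks under home directories is a notable grant; a short justification in the commit message or a comment above each tunable block would help later review. Both `tunable_policy` blocks are only partly visible, the first starting before this hunk.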
@@ -9178,7 +9260,7 @@ index 4c091ca..a58f123 100644
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..340c389 100644
+index f594e12..c4ee834 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
@@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t)
@@ -9189,6 +9271,14 @@ index f594e12..340c389 100644
files_read_etc_files(sambagui_t)
files_search_var_lib(sambagui_t)
files_read_usr_files(sambagui_t)
+@@ -56,6 +57,7 @@ optional_policy(`
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
++ samba_systemctl(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+ ')
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
new file mode 100644
index 0000000..6caef63
@@ -10769,6 +10859,149 @@ index 2533ea0..11187e0 100644
+
+ role unconfined_r types telepathy_domain;
+')
+diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
+new file mode 100644
+index 0000000..a4be758
+--- /dev/null
++++ b/policy/modules/apps/thumb.fc
+@@ -0,0 +1,4 @@
++
++/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
+new file mode 100644
+index 0000000..b78aa77
+--- /dev/null
++++ b/policy/modules/apps/thumb.if
+@@ -0,0 +1,79 @@
++
++## policy for thumb
++
++
++########################################
++##
++## Transition to thumb.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`thumb_domtrans',`
++ gen_require(`
++ type thumb_t, thumb_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, thumb_exec_t, thumb_t)
++')
++
++
++########################################
++##
++## Execute thumb in the thumb domain, and
++## allow the specified role the thumb domain.
++##
++##
++##
++## Domain allowed to transition
++##
++##
++##
++##
++## The role to be allowed the thumb domain.
++##
++##
++#
++interface(`thumb_run',`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ thumb_domtrans($1)
++ role $2 types thumb_t;
++
++ allow $1 thumb_t:process signal;
++')
++
++########################################
++##
++## Role access for thumb
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`thumb_role',`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ role $1 types thumb_t;
++
++ thumb_domtrans($2)
++
++ ps_process_pattern($2, thumb_t)
++ allow $2 thumb_t:process signal;
++')
++
+diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
+new file mode 100644
+index 0000000..7eba136
+--- /dev/null
++++ b/policy/modules/apps/thumb.te
+@@ -0,0 +1,42 @@
++policy_module(thumb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type thumb_t;
++type thumb_exec_t;
++application_domain(thumb_t, thumb_exec_t)
++role system_r types thumb_t;
++
++type thumb_tmp_t;
++files_tmp_file(thumb_tmp_t)
++
++########################################
++#
++# thumb local policy
++#
++
++allow thumb_t self:process { setsched signal setrlimit };
++
++allow thumb_t self:fifo_file manage_fifo_file_perms;
++allow thumb_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(thumb_t)
++
++kernel_read_system_state(thumb_t)
++
++files_read_etc_files(thumb_t)
++files_read_usr_files(thumb_t)
++
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
++
++miscfiles_read_fonts(thumb_t)
++miscfiles_read_localization(thumb_t)
++
++userdom_read_user_tmp_files(thumb_t)
++userdom_read_user_home_content_files(thumb_t)
++userdom_dontaudit_write_user_tmp_files(thumb_t)
++userdom_use_inherited_user_ptys(thumb_t)
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
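Review bot: thumb.te (L345-386) never says what `thumb` is, and the module header in thumb.if at L261 is only `## policy for thumb`; a reader has to work back from thumb.fc (L251-253) to learn that the domain confines the evince, totem and gnome-font thumbnailer helpers, which read user-supplied files from home directories and tmp (L383-384). Suggest replacing L261 with `## Confined domain for desktop thumbnailer helpers (evince-thumbnailer, totem-video-thumbnailer, gnome-thumbnail-font) that read user-supplied files.` and putting the same sentence above the `thumb local policy` banner in thumb.te. That comment should also mention that thumb_t is listed in permissivedomains.te (L127), so none of these rules are enforced yet. Separately, thumb_run (L300-309) grants the caller only `signal` while thumb_role (L326-337) also grants `ps_process_pattern($2, thumb_t)`; if the asymmetry is intentional, say so, otherwise align the two.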
@@ -12996,7 +13229,7 @@ index 35fed4f..49f27ca 100644
type $1_server_packet_t, packet_type, server_packet_type;
declare_ports($1_port_t,shift($*))dnl
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..a9038b9 100644
+index 6cf8784..ff9dad6 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -20,6 +20,7 @@
@@ -13007,15 +13240,26 @@ index 6cf8784..a9038b9 100644
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -57,6 +58,7 @@
+@@ -57,8 +58,10 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
++/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -187,8 +189,6 @@ ifdef(`distro_suse', `
+ /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -126,6 +129,7 @@ ifdef(`distro_suse', `
+ /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
++/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:wireless_device_t,s0)
+ /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
+ /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+@@ -187,8 +191,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
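Review bot: `/dev/cdc-wdm[0-1]` at L420 is inserted between `/dev/watchdog` and `/dev/winradio`, breaking the alphabetical order the rest of this list keeps (the `c` entries belong near the top; by contrast `/dev/media.*` at L411 is correctly placed between `mcelog` and `mem`). The `[0-1]` range also covers only the first two nodes, and these devices are numbered sequentially, so `/dev/cdc-wdm[0-9]+ -c gen_context(system_u:object_r:wireless_device_t,s0)` is the usual pattern (compare `/dev/ttyUSB[0-9]+` at L528), with the matching name transitions at L489-490 extended if more than two nodes are expected.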
@@ -13024,7 +13268,7 @@ index 6cf8784..a9038b9 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +196,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +198,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -13034,7 +13278,7 @@ index 6cf8784..a9038b9 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..2429787 100644
+index f820f3b..aa0635f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -13434,6 +13678,15 @@ index f820f3b..2429787 100644
##
##
#
+@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',`
+ ')
+
+ dontaudit $1 mtrr_device_t:file write;
+- dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+
+ ########################################
@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
########################################
@@ -13622,7 +13875,7 @@ index f820f3b..2429787 100644
## Read and write VMWare devices.
##
##
-@@ -4784,3 +5092,772 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -13835,6 +14088,16 @@ index f820f3b..2429787 100644
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -14133,6 +14396,8 @@ index f820f3b..2429787 100644
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "cdc-wdm0")
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "cdc-wdm1")
+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
@@ -14235,6 +14500,16 @@ index f820f3b..2429787 100644
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
@@ -18484,10 +18759,10 @@ index 1700ef2..6b7eabb 100644
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..6d27fb3 100644
+index 7d45d15..eeb5889 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,11 @@
+@@ -14,11 +14,12 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
@@ -18496,18 +18771,19 @@ index 7d45d15..6d27fb3 100644
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..ea0ff94 100644
+index 01dd2f1..7a8e118 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
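Review bot: `/dev/ttyUSB[0-9]+` at L528 is given the new type `usbtty_device_t`, but the name-based transitions added for it at L626-635 stop at `ttyUSB9`, so an eleventh adapter's node would not receive `usbtty_device_t` when udev creates it and only pick it up on relabel; either keep the fc regex and the transition list in step or note the limit next to the filetrans block, e.g. `# name transitions cover ttyUSB0-9 only; higher numbers need restorecon`. The declaration of `usbtty_device_t` (terminal.te) is not in this chunk and is assumed to exist; `term_use_usb_ttys` at L569-576 depends on it. Since the regex moves these nodes out of whatever type they carried before, domains that reached them through the generic tty interfaces will now need `term_use_usb_ttys`, which is presumably the intent.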
@@ -18638,17 +18914,37 @@ index 01dd2f1..ea0ff94 100644
##
##
#
-@@ -1240,7 +1302,8 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ init_dontaudit_use_fds($1)
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Read and write USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
')
########################################
-@@ -1256,11 +1319,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -18662,7 +18958,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1277,10 +1342,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -18675,7 +18971,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1358,7 +1425,27 @@ interface(`term_use_all_ttys',`
+@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -18704,7 +19000,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1377,7 +1464,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -18713,7 +19009,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1485,7 +1572,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',`
##
##
##
@@ -18722,7 +19018,7 @@ index 01dd2f1..ea0ff94 100644
##
##
#
-@@ -1493,3 +1580,416 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -19117,6 +19413,16 @@ index 01dd2f1..ea0ff94 100644
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
@@ -22605,7 +22911,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..83dbd34 100644
+index 9e39aa5..8002a1f 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -22632,7 +22938,7 @@ index 9e39aa5..83dbd34 100644
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
++/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -22744,7 +23050,7 @@ index 9e39aa5..83dbd34 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..b963935 100644
+index 6480167..e12bbc0 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -23301,7 +23607,7 @@ index 6480167..b963935 100644
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t;
-+ type httpd_unit_t;
++ type httpd_unit_file_t;
')
- allow $1 httpd_t:process { getattr ptrace signal_perms };
@@ -23341,7 +23647,7 @@ index 6480167..b963935 100644
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
-+ allow $1 httpd_unit_t:service all_service_perms;
++ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t)
@@ -23398,7 +23704,7 @@ index 6480167..b963935 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..fddb752 100644
+index 3136c6a..8596b90 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -23666,8 +23972,8 @@ index 3136c6a..fddb752 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
-+type httpd_unit_t;
-+systemd_unit_file(httpd_unit_t)
++type httpd_unit_file_t;
++systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -24673,7 +24979,7 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..987245c 100644
+index b3b0176..8e66610 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -24713,7 +25019,7 @@ index b3b0176..987245c 100644
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,14 +110,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
@@ -24723,7 +25029,9 @@ index b3b0176..987245c 100644
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
-@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
+
+ dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
@@ -24731,7 +25039,7 @@ index b3b0176..987245c 100644
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +131,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +132,7 @@ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
@@ -24739,7 +25047,7 @@ index b3b0176..987245c 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -24877,11 +25185,55 @@ index a7a0e71..5352ef6 100644
seutil_sigchld_newrole(avahi_t)
')
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index 59aa54f..f944a65 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -5,6 +5,8 @@
+ /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+
++/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
++
+ /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..7e9d2fb 100644
+index 44a1e3d..f5c476a 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
-@@ -186,7 +186,7 @@ interface(`bind_write_config',`
+@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute bind server in the bind domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bind_systemctl',`
++ gen_require(`
++ type named_unit_file_t;
++ type named_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 named_unit_file_t:file read_file_perms;
++ allow $1 named_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, named_t)
++')
++
++########################################
++##
+ ## Execute ndc in the ndc domain.
+ ##
+ ##
+@@ -186,7 +210,7 @@ interface(`bind_write_config',`
')
write_files_pattern($1, named_conf_t, named_conf_t)
@@ -24890,7 +25242,7 @@ index 44a1e3d..7e9d2fb 100644
')
########################################
-@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
+@@ -266,7 +290,7 @@ interface(`bind_setattr_pid_dirs',`
type named_var_run_t;
')
@@ -24899,7 +25251,7 @@ index 44a1e3d..7e9d2fb 100644
')
########################################
-@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
+@@ -284,7 +308,7 @@ interface(`bind_setattr_zone_dirs',`
type named_zone_t;
')
@@ -24908,7 +25260,7 @@ index 44a1e3d..7e9d2fb 100644
')
########################################
-@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
+@@ -308,6 +332,27 @@ interface(`bind_read_zone',`
########################################
##
@@ -24936,7 +25288,7 @@ index 44a1e3d..7e9d2fb 100644
## Manage BIND zone files.
##
##
-@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
+@@ -359,10 +404,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
@@ -24950,7 +25302,7 @@ index 44a1e3d..7e9d2fb 100644
')
allow $1 named_t:process { ptrace signal_perms };
-@@ -391,8 +411,7 @@ interface(`bind_admin',`
+@@ -391,9 +435,10 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -24960,8 +25312,11 @@ index 44a1e3d..7e9d2fb 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
++
++ named_systemctl($1)
+ ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..5f387b2 100644
+index 4deca04..8d81308 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
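Review bot: bind_admin calls `named_systemctl($1)` at L839, but the interface added in this hunk is `bind_systemctl` (L776); no `named_systemctl` is defined here, so the call would likely go unexpanded and break the build, or at best leave the admin role without the service permissions. Change L839 to `bind_systemctl($1)`. The summary at L768, `Execute bind server in the bind domain.`, describes a domain transition, whereas the interface grants systemctl execution, read and service permissions on `named_unit_file_t` and process-state reads on named_t; `Allow the caller to manage the named service through systemctl.` would match what it does. The `.` in `named.service` at L753 is unescaped, unlike `rndc\.key` on L750. bind_admin's body is only partly visible in this hunk.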
@@ -25002,7 +25357,17 @@ index 4deca04..5f387b2 100644
files_mountpoint(named_conf_t)
# for secondary zone files
-@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -37,6 +45,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+
++type named_unit_file_t;
++systemd_unit_file(named_unit_file_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+
+@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -25014,7 +25379,7 @@ index 4deca04..5f387b2 100644
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -147,6 +159,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
@@ -25025,7 +25390,7 @@ index 4deca04..5f387b2 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -198,18 +211,18 @@ allow ndc_t self:process { fork signal_perms };
+@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
@@ -25047,7 +25412,7 @@ index 4deca04..5f387b2 100644
kernel_read_kernel_sysctls(ndc_t)
corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +241,8 @@ files_search_pids(ndc_t)
+@@ -228,6 +244,8 @@ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
@@ -25056,7 +25421,7 @@ index 4deca04..5f387b2 100644
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
-@@ -235,24 +250,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
@@ -26961,14 +27326,14 @@ index dad226c..7617c53 100644
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..3d61138 100644
+index fd8cd0b..45096d8 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
@@ -2,8 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-+/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
++/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
@@ -26978,7 +27343,7 @@ index fd8cd0b..3d61138 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..5383054 100644
+index 9a0da94..fecceac 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -27081,13 +27446,13 @@ index 9a0da94..5383054 100644
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
-+ type chronyd_unit_t;
++ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 chronyd_unit_t:file read_file_perms;
-+ allow $1 chronyd_unit_t:service all_service_perms;
++ allow $1 chronyd_unit_file_t:file read_file_perms;
++ allow $1 chronyd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
@@ -27173,7 +27538,7 @@ index 9a0da94..5383054 100644
+ chronyd_systemctl($1)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..4b32348 100644
+index fa82327..1a486b0 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -27183,8 +27548,8 @@ index fa82327..4b32348 100644
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
-+type chronyd_unit_t;
-+systemd_unit_file(chronyd_unit_t)
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -27807,7 +28172,7 @@ index 116d60f..82306eb 100644
+ ')
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..8535cc6 100644
+index 0258b48..2607914 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -27907,7 +28272,7 @@ index 0258b48..8535cc6 100644
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
-@@ -65,26 +107,77 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,44 +107,110 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
@@ -27987,7 +28352,11 @@ index 0258b48..8535cc6 100644
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
-@@ -95,6 +188,10 @@ optional_policy(`
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
++ bind_systemctl(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
')
optional_policy(`
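Review bot: `bind_systemctl(cobblerd_t)` gives the cobbler daemon `all_service_perms` on the named unit file, which — if that set is the usual refpolicy definition — includes `enable` and `disable`, so the daemon can change what starts at boot rather than only reload or restart named after rewriting zone files; the same applies to `dhcpd_systemctl(cobblerd_t)` and `dnsmasq_systemctl(cobblerd_t)` in the next hunk. If cobbler only needs to restart these services, a narrower permission set on the `service` class in the interface, or a dedicated `*_restart` style interface, would keep its footprint closer to what it actually does. Otherwise a one-line comment in cobbler.te saying why persistent enable/disable is required would help the next reader judge the grant.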
@@ -27997,20 +28366,26 @@ index 0258b48..8535cc6 100644
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
- ')
-@@ -106,16 +203,32 @@ optional_policy(`
++ dhcpd_systemctl(cobblerd_t)
')
optional_policy(`
-+ gnome_dontaudit_search_config(cobblerd_t)
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
++ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
-+ puppet_domtrans_puppetca(cobblerd_t)
++ gnome_dontaudit_search_config(cobblerd_t)
+')
+
+optional_policy(`
- rpm_exec(cobblerd_t)
++ puppet_domtrans_puppetca(cobblerd_t)
+ ')
+
+ optional_policy(`
+@@ -110,12 +218,20 @@ optional_policy(`
')
optional_policy(`
@@ -28034,7 +28409,7 @@ index 0258b48..8535cc6 100644
')
########################################
-@@ -124,5 +237,6 @@ optional_policy(`
+@@ -124,5 +240,6 @@ optional_policy(`
#
apache_content_template(cobbler)
@@ -28888,10 +29263,18 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..34ab5ce 100644
+index 2eefc08..b0cdf28 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
-@@ -14,9 +14,10 @@
+@@ -2,6 +2,7 @@
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+@@ -14,9 +15,10 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -28903,14 +29286,14 @@ index 2eefc08..34ab5ce 100644
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-@@ -45,3 +46,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..92acfae 100644
+index 35241ed..d972767 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -29125,7 +29508,38 @@ index 35241ed..92acfae 100644
##
##
##
-@@ -377,6 +386,47 @@ interface(`cron_read_pipes',`
+@@ -322,6 +331,30 @@ interface(`cron_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute crond server in the crond domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cron_systemctl',`
++ gen_require(`
++ type crond_unit_file_t;
++ type crond_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 crond_unit_file_t:file read_file_perms;
++ allow $1 crond_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, crond_t)
++')
++
++########################################
++##
+ ## Inherit and use a file descriptor
+ ## from the cron daemon.
+ ##
+@@ -377,6 +410,47 @@ interface(`cron_read_pipes',`
########################################
##
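Review bot: The summary `## Execute crond server in the crond domain.` and the parameter text `## Domain allowed to transition.` on the new cron_systemctl interface describe a domain transition, but the body only grants systemctl execution, `read_file_perms` and `all_service_perms` on crond_unit_file_t and `ps_process_pattern` on crond_t — nothing transitions into crond_t. Suggest `## Execute systemctl on the crond unit file and read crond process state.` for the summary and `## Domain allowed access.` for the parameter. The same copied wording appears on dhcpd_systemctl, dnsmasq_systemctl and ftp_systemctl in the later hunks.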
@@ -29173,7 +29587,7 @@ index 35241ed..92acfae 100644
## Do not audit attempts to write cron daemon unnamed pipes.
##
##
-@@ -390,6 +440,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +464,7 @@ interface(`cron_dontaudit_write_pipes',`
type crond_t;
')
@@ -29181,7 +29595,7 @@ index 35241ed..92acfae 100644
dontaudit $1 crond_t:fifo_file write;
')
-@@ -408,7 +459,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +483,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -29226,7 +29640,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -468,6 +555,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +579,25 @@ interface(`cron_search_spool',`
########################################
##
@@ -29252,7 +29666,7 @@ index 35241ed..92acfae 100644
## Manage pid files used by cron
##
##
-@@ -481,6 +587,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +611,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -29260,7 +29674,7 @@ index 35241ed..92acfae 100644
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
-@@ -536,7 +643,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +667,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
@@ -29269,7 +29683,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -554,7 +661,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +685,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -29278,7 +29692,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -587,11 +694,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +718,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -29294,7 +29708,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -627,7 +737,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +761,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -29343,7 +29757,7 @@ index 35241ed..92acfae 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..ee001c7 100644
+index f7583ab..86ea0ba 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -29390,8 +29804,13 @@ index f7583ab..ee001c7 100644
# var/log files
type cron_log_t;
-@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
+@@ -61,11 +61,17 @@ domain_cron_exemption_source(crond_t)
+ type crond_initrc_exec_t;
+ init_script_file(crond_initrc_exec_t)
++type crond_unit_file_t;
++systemd_unit_file(crond_unit_file_t)
++
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
@@ -29403,7 +29822,7 @@ index f7583ab..ee001c7 100644
type crontab_exec_t;
application_executable_file(crontab_exec_t)
-@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -79,14 +85,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -29421,7 +29840,7 @@ index f7583ab..ee001c7 100644
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +102,6 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
@@ -29432,7 +29851,7 @@ index f7583ab..ee001c7 100644
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -106,8 +110,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
@@ -29454,7 +29873,7 @@ index f7583ab..ee001c7 100644
########################################
#
-@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
+@@ -115,7 +131,7 @@ ubac_constrained(user_cron_spool_t)
#
# Allow our crontab domain to unlink a user cron spool file.
@@ -29463,7 +29882,7 @@ index f7583ab..ee001c7 100644
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
-@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
+@@ -125,7 +141,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
@@ -29472,7 +29891,7 @@ index f7583ab..ee001c7 100644
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
-@@ -136,9 +149,9 @@ tunable_policy(`fcron_crond', `
+@@ -136,9 +152,9 @@ tunable_policy(`fcron_crond', `
# Cron daemon local policy
#
@@ -29484,7 +29903,7 @@ index f7583ab..ee001c7 100644
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -187,12 +200,16 @@ fs_list_inotifyfs(crond_t)
+@@ -187,12 +203,16 @@ fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -29501,7 +29920,7 @@ index f7583ab..ee001c7 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,11 +220,17 @@ files_list_usr(crond_t)
+@@ -203,11 +223,17 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
@@ -29519,7 +29938,7 @@ index f7583ab..ee001c7 100644
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
-@@ -220,8 +243,11 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -29531,7 +29950,7 @@ index f7583ab..ee001c7 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -233,7 +259,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +262,7 @@ ifdef(`distro_debian',`
')
')
@@ -29540,7 +29959,7 @@ index f7583ab..ee001c7 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -250,11 +276,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -29571,7 +29990,7 @@ index f7583ab..ee001c7 100644
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +309,8 @@ optional_policy(`
+@@ -264,6 +312,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -29580,7 +29999,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -286,15 +333,26 @@ optional_policy(`
+@@ -286,15 +336,26 @@ optional_policy(`
')
optional_policy(`
@@ -29607,7 +30026,7 @@ index f7583ab..ee001c7 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +364,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -29628,7 +30047,7 @@ index f7583ab..ee001c7 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -329,6 +396,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -29636,7 +30055,7 @@ index f7583ab..ee001c7 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +408,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -29651,7 +30070,7 @@ index f7583ab..ee001c7 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +437,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -29659,7 +30078,7 @@ index f7583ab..ee001c7 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +464,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -29667,7 +30086,7 @@ index f7583ab..ee001c7 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +487,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -29679,7 +30098,7 @@ index f7583ab..ee001c7 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +515,8 @@ optional_policy(`
+@@ -439,6 +518,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -29688,7 +30107,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -446,6 +524,14 @@ optional_policy(`
+@@ -446,6 +527,14 @@ optional_policy(`
')
optional_policy(`
@@ -29703,7 +30122,7 @@ index f7583ab..ee001c7 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,15 +542,24 @@ optional_policy(`
+@@ -456,15 +545,24 @@ optional_policy(`
')
optional_policy(`
@@ -29728,7 +30147,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -480,7 +575,7 @@ optional_policy(`
+@@ -480,7 +578,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -29737,7 +30156,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -495,6 +590,7 @@ optional_policy(`
+@@ -495,6 +593,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -29745,7 +30164,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -502,7 +598,13 @@ optional_policy(`
+@@ -502,7 +601,13 @@ optional_policy(`
')
optional_policy(`
@@ -29759,7 +30178,7 @@ index f7583ab..ee001c7 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +697,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +700,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -30061,10 +30480,10 @@ index 0000000..1c3a90b
+
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
-index 0000000..e6042d9
+index 0000000..5a15b82
--- /dev/null
+++ b/policy/modules/services/ctdbd.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
+policy_module(ctdbd, 1.0.0)
+
+########################################
@@ -30173,6 +30592,7 @@ index 0000000..e6042d9
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
++ samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
@@ -30981,7 +31401,7 @@ index 1a1becd..d4357ec 100644
')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..fbfc5db 100644
+index 1bff6ee..9540fee 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -31043,7 +31463,7 @@ index 1bff6ee..fbfc5db 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +148,19 @@ optional_policy(`
+@@ -141,6 +148,20 @@ optional_policy(`
')
optional_policy(`
@@ -31057,13 +31477,14 @@ index 1bff6ee..fbfc5db 100644
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
++ networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +171,166 @@ optional_policy(`
+@@ -151,12 +172,166 @@ optional_policy(`
')
optional_policy(`
@@ -31719,7 +32140,7 @@ index f706b99..13d3a35 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..544ab05 100644
+index f231f17..c5244c8 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -31870,7 +32291,7 @@ index f231f17..544ab05 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,6 +273,10 @@ optional_policy(`
+@@ -235,7 +273,12 @@ optional_policy(`
')
optional_policy(`
@@ -31879,9 +32300,11 @@ index f231f17..544ab05 100644
+
+optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
++ cron_systemctl(devicekit_power_t)
')
-@@ -261,14 +303,21 @@ optional_policy(`
+ optional_policy(`
+@@ -261,14 +304,21 @@ optional_policy(`
')
optional_policy(`
@@ -31904,7 +32327,7 @@ index f231f17..544ab05 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +325,30 @@ optional_policy(`
+@@ -276,9 +326,30 @@ optional_policy(`
')
optional_policy(`
@@ -31936,12 +32359,14 @@ index f231f17..544ab05 100644
+ xserver_stream_connect(devicekit_power_t)
+')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
-index 767e0c7..7956248 100644
+index 767e0c7..4fbde9d 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
-@@ -1,8 +1,8 @@
+@@ -1,8 +1,10 @@
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++
++/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
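Review bot: The new context `/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)` matches dhcpcd, a different program (a DHCP client), while the initrc line just above it matches `dhcpd(6)?`; this looks like a typo for the ISC dhcpd server units. As written the dhcpd server unit (presumably dhcpd.service and dhcpd6.service, going by the initrc pattern) keeps the generic unit label, so `dhcpd_systemctl` callers such as dhcpd_admin and cobblerd_t get no rights over the real server unit, and any dhcpcd unit that is present would be labeled as the server's. Suggest `/lib/systemd/system/dhcpd(6)?\.service -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`.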
@@ -31951,7 +32376,7 @@ index 767e0c7..7956248 100644
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..7e129ff 100644
+index 5e2cea8..7a18800 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -31963,7 +32388,38 @@ index 5e2cea8..7e129ff 100644
')
########################################
-@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute dhcpd server in the dhcpd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dhcpd_systemctl',`
++ gen_require(`
++ type dhcpd_unit_file_t;
++ type dhcpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 dhcpd_unit_file_t:file read_file_perms;
++ allow $1 dhcpd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, dhcpd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an dhcp environment
+ ##
+@@ -77,7 +101,7 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
gen_require(`
@@ -31972,11 +32428,28 @@ index 5e2cea8..7e129ff 100644
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
')
+@@ -96,4 +120,6 @@ interface(`dhcpd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
++
++ dhcpd_systemctl($1)
+ ')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..a809e38 100644
+index d4424ad..f90959a 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
-@@ -26,9 +26,9 @@ files_pid_file(dhcpd_var_run_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+ type dhcpd_initrc_exec_t;
+ init_script_file(dhcpd_initrc_exec_t)
+
++type dhcpd_unit_file_t;
++systemd_unit_file(dhcpd_unit_file_t)
++
+ type dhcpd_state_t;
+ files_type(dhcpd_state_t)
+
+@@ -26,9 +29,9 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
@@ -31988,7 +32461,7 @@ index d4424ad..a809e38 100644
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
-@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+@@ -73,6 +76,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)
@@ -31997,7 +32470,7 @@ index d4424ad..a809e38 100644
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
-@@ -111,6 +113,10 @@ optional_policy(`
+@@ -111,6 +116,10 @@ optional_policy(`
')
optional_policy(`
@@ -32806,10 +33279,17 @@ index dc1056c..bd60100 100644
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
-index b886676..ad3210e 100644
+index b886676..ab3af9c 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
-@@ -6,7 +6,7 @@
+@@ -1,12 +1,14 @@
+ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+ /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
++/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++
+ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -32819,10 +33299,41 @@ index b886676..ad3210e 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..2385a2c 100644
+index 9bd812b..f3c2d82 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
-@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
+@@ -41,6 +41,30 @@ interface(`dnsmasq_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute dnsmasq server in the dnsmasq domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dnsmasq_systemctl',`
++ gen_require(`
++ type dnsmasq_unit_file_t;
++ type dnsmasq_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 dnsmasq_unit_file_t:file read_file_perms;
++ allow $1 dnsmasq_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++##
+ ## Send dnsmasq a signal
+ ##
+ ##
+@@ -101,9 +125,9 @@ interface(`dnsmasq_kill',`
## Read dnsmasq config files.
##
##
@@ -32834,7 +33345,7 @@ index 9bd812b..2385a2c 100644
##
#
interface(`dnsmasq_read_config',`
-@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
+@@ -120,9 +144,9 @@ interface(`dnsmasq_read_config',`
## Write to dnsmasq config files.
##
##
@@ -32846,7 +33357,7 @@ index 9bd812b..2385a2c 100644
##
#
interface(`dnsmasq_write_config',`
-@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,12 +168,12 @@ interface(`dnsmasq_write_config',`
##
##
#
@@ -32860,7 +33371,7 @@ index 9bd812b..2385a2c 100644
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -163,17 +163,80 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +187,80 @@ interface(`dnsmasq_delete_pid_files',`
##
##
#
@@ -32942,11 +33453,28 @@ index 9bd812b..2385a2c 100644
## All of the rules required to administrate
## an dnsmasq environment
##
+@@ -208,4 +295,6 @@ interface(`dnsmasq_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
++
++ dnsmasq_systemctl($1)
+ ')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..06021d4 100644
+index fdaeeba..8542225 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
+ type dnsmasq_var_run_t;
+ files_pid_file(dnsmasq_var_run_t)
+
++type dnsmasq_unit_file_t;
++systemd_unit_file(dnsmasq_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -32961,7 +33489,7 @@ index fdaeeba..06021d4 100644
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
@@ -32970,7 +33498,7 @@ index fdaeeba..06021d4 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +100,20 @@ optional_policy(`
+@@ -96,7 +103,20 @@ optional_policy(`
')
optional_policy(`
@@ -32991,7 +33519,7 @@ index fdaeeba..06021d4 100644
')
optional_policy(`
-@@ -114,4 +131,5 @@ optional_policy(`
+@@ -114,4 +134,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
@@ -34805,19 +35333,29 @@ index 7df52c7..899feaf 100644
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
-index 69dcd2a..a9a9116 100644
+index 69dcd2a..80eefd3 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
-@@ -29,3 +29,4 @@
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
++/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -29,3 +32,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..748cac5 100644
+index 9d3201b..a8ad41e 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
-@@ -1,5 +1,43 @@
+@@ -1,5 +1,67 @@
## File transfer protocol service
+######################################
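Review bot: The two new contexts `/lib/systemd/system/vsftpd.*` and `/lib/systemd/system/proftpd.*` label the ftp units as `iptables_unit_file_t` rather than the `ftpd_unit_file_t` that ftp.te declares in this commit and that `ftp_systemctl` grants `read_file_perms`/`all_service_perms` on. The effect is two-sided: ftp_admin callers get no control over the vsftpd/proftpd units, while any domain allowed to manage iptables units also gains start/stop control of the ftp server. Both lines should read `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.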
@@ -34858,11 +35396,42 @@ index 9d3201b..748cac5 100644
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
++########################################
++##
++## Execute ftpd server in the ftpd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ftp_systemctl',`
++ gen_require(`
++ type ftpd_unit_file_t;
++ type ftpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 ftpd_unit_file_t:file read_file_perms;
++ allow $1 ftpd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, ftpd_t)
++')
++
#######################################
##
## Allow domain dyntransition to sftpd_anon domain.
+@@ -203,4 +265,6 @@ interface(`ftp_admin',`
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
++
++ ftp_systemctl($1)
+ ')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..3283e90 100644
+index 8a74a83..9a1355e 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
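Review bot: `ftp_systemctl` requires `ftpd_unit_file_t`, but the vsftpd/proftpd unit files in the ftp.fc hunk just above are labeled `iptables_unit_file_t`, so the permissions granted here never reach the installed units and `ftp_admin` gains nothing from the new call, while any domain holding iptables' systemctl access can start and stop the FTP service. The .fc lines should read `/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:ftpd_unit_file_t,s0)` and the same for proftpd. The summary `Execute ftpd server in the ftpd domain.` also misdescribes the body, which performs no domain transition; `## Start, stop and query the ftpd service through systemctl.` would match the rules actually written.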
@@ -34894,7 +35463,17 @@ index 8a74a83..3283e90 100644
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
-@@ -115,6 +130,10 @@ ifdef(`enable_mcs',`
+@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+
++type ftpd_unit_file_t;
++systemd_unit_file(ftpd_unit_file_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+
+@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
@@ -34905,7 +35484,7 @@ index 8a74a83..3283e90 100644
########################################
#
# anon-sftp local policy
-@@ -122,6 +141,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
files_read_etc_files(anon_sftpd_t)
@@ -34913,7 +35492,7 @@ index 8a74a83..3283e90 100644
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +153,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
@@ -34922,7 +35501,7 @@ index 8a74a83..3283e90 100644
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +171,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -34930,7 +35509,7 @@ index 8a74a83..3283e90 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +182,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -34946,7 +35525,7 @@ index 8a74a83..3283e90 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t)
+@@ -219,6 +241,7 @@ auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
@@ -34954,7 +35533,7 @@ index 8a74a83..3283e90 100644
init_rw_utmp(ftpd_t)
-@@ -261,7 +281,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +284,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
@@ -34963,7 +35542,7 @@ index 8a74a83..3283e90 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +293,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
@@ -34981,7 +35560,7 @@ index 8a74a83..3283e90 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +332,10 @@ optional_policy(`
+@@ -309,6 +335,10 @@ optional_policy(`
')
optional_policy(`
@@ -34992,7 +35571,7 @@ index 8a74a83..3283e90 100644
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +343,25 @@ optional_policy(`
+@@ -316,6 +346,25 @@ optional_policy(`
')
optional_policy(`
@@ -35018,7 +35597,7 @@ index 8a74a83..3283e90 100644
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,16 +393,17 @@ optional_policy(`
+@@ -347,16 +396,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -35038,7 +35617,7 @@ index 8a74a83..3283e90 100644
########################################
#
-@@ -365,18 +412,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +415,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -35075,7 +35654,7 @@ index 8a74a83..3283e90 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,7 +456,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,7 +459,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -38636,29 +39215,31 @@ index 0000000..4aac893
+
+sysnet_dns_name_resolve(l2tpd_t)
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..92f3475 100644
+index c62f23e..f8a4301 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
-@@ -1,6 +1,8 @@
+@@ -1,6 +1,10 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++
++/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-@@ -15,3 +17,4 @@ ifdef(`distro_debian',`
+@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..8fa74c3 100644
+index 3aa8fa7..2a407cd 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
-@@ -1,5 +1,41 @@
+@@ -1,5 +1,65 @@
## OpenLDAP directory server
+#######################################
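Review bot: `/lib/systemd/system/slapd.*` is labeled `iptables_unit_file_t`, while ldap.te in this same patch declares `slapd_unit_file_t` and `ldap_systemctl` requires that type, so the new interface never matches the installed unit and a domain with iptables' systemctl access can start or stop slapd instead of the intended callers. The line should be `/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)`. The same copy-paste appears in the vsftpd/proftpd and ppp .fc lines of this patch; NetworkManager.fc is the one that does it correctly.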
@@ -38697,10 +39278,34 @@ index 3aa8fa7..8fa74c3 100644
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
++########################################
++##
++## Execute slapd server in the slapd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ldap_systemctl',`
++ gen_require(`
++ type slapd_unit_file_t;
++ type slapd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 slapd_unit_file_t:file read_file_perms;
++ allow $1 slapd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, slapd_t)
++')
++
########################################
##
## Read the contents of the OpenLDAP
-@@ -21,6 +57,25 @@ interface(`ldap_list_db',`
+@@ -21,6 +81,25 @@ interface(`ldap_list_db',`
########################################
##
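Review bot: The summary `Execute slapd server in the slapd domain.` describes a domain transition that `ldap_systemctl` does not perform; the body only lets the caller execute systemctl, read the unit file, act on the service and see slapd_t via `ps_process_pattern`. A summary such as `## Start, stop and query the slapd service through systemctl.` would describe the rules, and the same wording is copied verbatim into the other `*_systemctl` interfaces in this patch.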
@@ -38726,7 +39331,7 @@ index 3aa8fa7..8fa74c3 100644
## Read the OpenLDAP configuration files.
##
##
-@@ -69,8 +124,7 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +148,7 @@ interface(`ldap_stream_connect',`
')
files_search_pids($1)
@@ -38736,7 +39341,7 @@ index 3aa8fa7..8fa74c3 100644
')
########################################
-@@ -110,6 +164,7 @@ interface(`ldap_admin',`
+@@ -110,6 +188,7 @@ interface(`ldap_admin',`
admin_pattern($1, slapd_lock_t)
@@ -38744,8 +39349,15 @@ index 3aa8fa7..8fa74c3 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
+@@ -117,4 +196,6 @@ interface(`ldap_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
++
++ ldap_systemctl($1)
+ ')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..10c2d54 100644
+index 64fd1ff..211180e 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -38757,7 +39369,16 @@ index 64fd1ff..10c2d54 100644
type slapd_db_t;
files_type(slapd_db_t)
-@@ -27,9 +27,15 @@ files_lock_file(slapd_lock_t)
+@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+
++type slapd_unit_file_t;
++systemd_unit_file(slapd_unit_file_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -38773,7 +39394,7 @@ index 64fd1ff..10c2d54 100644
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
-@@ -67,13 +73,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -67,13 +76,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -38844,7 +39465,7 @@ index 49e04e5..69db026 100644
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..a32fbe8 100644
+index 6a78de1..8db7d14 100644
--- a/policy/modules/services/lircd.te
+++ b/policy/modules/services/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -38864,12 +39485,12 @@ index 6a78de1..a32fbe8 100644
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:unix_dgram_socket create_socket_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,18 +45,20 @@ corenet_tcp_bind_lirc_port(lircd_t)
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
-dev_read_generic_usb_dev(lircd_t)
-+dev_rw_generic_usb_dev(lircd_t)
++dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
@@ -38881,6 +39502,12 @@ index 6a78de1..a32fbe8 100644
files_list_var(lircd_t)
files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
+
+ term_use_ptmx(lircd_t)
++term_use_usb_ttys(lircd_t)
+
+ logging_send_syslog_msg(lircd_t)
+
diff --git a/policy/modules/services/lldpad.fc b/policy/modules/services/lldpad.fc
new file mode 100644
index 0000000..83a4348
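Review bot: The inline remark `# this needs to be reproduced. might not be right` on `dev_rw_generic_usb_dev(lircd_t)` admits that widening read to read/write on every generic USB device node is unverified, and a note like that should not ship in policy. Either reproduce the denial and cite it in the comment (`# rw needed for <AVC/bug reference>`), or keep `dev_read_generic_usb_dev(lircd_t)` until it is, since write access to all generic USB devices is broader than an IR daemon normally needs. The added `term_use_usb_ttys(lircd_t)` looks like the targeted fix for a USB-serial receiver, if that is the case that prompted the change.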
@@ -42691,10 +43318,10 @@ index 74da57f..b94bb3b 100644
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..984eefc 100644
+index 386543b..47e1b41 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,13 @@
+@@ -1,6 +1,15 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -42706,10 +43333,12 @@ index 386543b..984eefc 100644
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
++/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -16,7 +23,8 @@
+@@ -16,7 +25,8 @@
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
@@ -42720,7 +43349,7 @@ index 386543b..984eefc 100644
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..eebf5a7 100644
+index 2324d9e..ac2e779 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -42736,7 +43365,38 @@ index 2324d9e..eebf5a7 100644
##
#
interface(`networkmanager_attach_tun_iface',`
-@@ -137,6 +137,28 @@ interface(`networkmanager_dbus_chat',`
+@@ -116,6 +116,30 @@ interface(`networkmanager_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute NetworkManager server in the NetworkManager domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`networkmanager_systemctl',`
++ gen_require(`
++ type NetworkManager_unit_file_t;
++ type NetworkManager_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 NetworkManager_unit_file_t:file read_file_perms;
++ allow $1 NetworkManager_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, NetworkManager_t)
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## NetworkManager over dbus.
+ ##
+@@ -137,6 +161,28 @@ interface(`networkmanager_dbus_chat',`
########################################
##
@@ -42765,7 +43425,7 @@ index 2324d9e..eebf5a7 100644
## Send a generic signal to NetworkManager
##
##
-@@ -191,3 +213,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +237,77 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -42844,13 +43504,16 @@ index 2324d9e..eebf5a7 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..8785eef 100644
+index 0619395..c985b07 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
-@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
++type NetworkManager_unit_file_t;
++systemd_unit_file(NetworkManager_unit_file_t)
++
+type NetworkManager_etc_t;
+files_config_file(NetworkManager_etc_t)
+
@@ -42860,7 +43523,7 @@ index 0619395..8785eef 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,16 +41,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,16 +44,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -42884,7 +43547,7 @@ index 0619395..8785eef 100644
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -52,9 +63,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+@@ -52,9 +66,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
@@ -42905,7 +43568,7 @@ index 0619395..8785eef 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t)
+@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
@@ -42913,7 +43576,7 @@ index 0619395..8785eef 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +136,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -42922,7 +43585,7 @@ index 0619395..8785eef 100644
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
@@ -42962,7 +43625,7 @@ index 0619395..8785eef 100644
')
optional_policy(`
-@@ -172,14 +202,21 @@ optional_policy(`
+@@ -172,14 +205,21 @@ optional_policy(`
')
optional_policy(`
@@ -42985,7 +43648,15 @@ index 0619395..8785eef 100644
')
')
-@@ -202,10 +239,25 @@ optional_policy(`
+@@ -191,6 +231,7 @@ optional_policy(`
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
++ dnsmasq_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -202,23 +243,45 @@ optional_policy(`
')
optional_policy(`
@@ -43011,19 +43682,35 @@ index 0619395..8785eef 100644
nscd_domtrans(NetworkManager_t)
nscd_signal(NetworkManager_t)
nscd_signull(NetworkManager_t)
-@@ -219,6 +271,11 @@ optional_policy(`
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
++ nscd_systemctl(NetworkManager_t)
')
optional_policy(`
-+ modutils_domtrans_insmod(NetworkManager_t)
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
++ ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ openvpn_read_config(NetworkManager_t)
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +320,7 @@ optional_policy(`
+@@ -241,6 +304,7 @@ optional_policy(`
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
++ ppp_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -263,6 +327,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -43032,7 +43719,7 @@ index 0619395..8785eef 100644
########################################
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..b6b42c1 100644
+index 15448d5..3587f6a 100644
--- a/policy/modules/services/nis.fc
+++ b/policy/modules/services/nis.fc
@@ -1,5 +1,5 @@
@@ -43059,12 +43746,12 @@ index 15448d5..b6b42c1 100644
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
-+/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
-+/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
-+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
-+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
++/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
++/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..2de87de 100644
+index abe3f7f..9e96501 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -43132,14 +43819,14 @@ index abe3f7f..2de87de 100644
+#
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
-+ type ypbind_unit_t;
++ type ypbind_unit_file_t;
+ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 ypbind_unit_t:file read_file_perms;
-+ allow $1 ypbind_unit_t:service all_service_perms;
++ allow $1 ypbind_unit_file_t:file read_file_perms;
++ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
@@ -43156,14 +43843,14 @@ index abe3f7f..2de87de 100644
+#
+interface(`nis_systemctl',`
+ gen_require(`
-+ type nis_unit_t;
++ type nis_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 nis_unit_t:file read_file_perms;
-+ allow $1 nis_unit_t:service all_service_perms;
++ allow $1 nis_unit_file_t:file read_file_perms;
++ allow $1 nis_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
@@ -43204,15 +43891,15 @@ index abe3f7f..2de87de 100644
+ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..dccdc78 100644
+index 4876cae..eabed96 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
-+type ypbind_unit_t;
-+systemd_unit_file(ypbind_unit_t)
++type ypbind_unit_file_t;
++systemd_unit_file(ypbind_unit_file_t)
+
type yppasswdd_t;
type yppasswdd_exec_t;
@@ -43230,8 +43917,8 @@ index 4876cae..dccdc78 100644
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
-+type nis_unit_t;
-+systemd_unit_file(nis_unit_t)
++type nis_unit_file_t;
++systemd_unit_file(nis_unit_file_t)
+
########################################
#
@@ -43277,7 +43964,7 @@ index 4876cae..dccdc78 100644
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..76f26dd 100644
+index 85188dc..891d4ab 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -43343,8 +44030,46 @@ index 85188dc..76f26dd 100644
#
interface(`nscd_run',`
gen_require(`
+@@ -254,6 +277,30 @@ interface(`nscd_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute nscd server in the nscd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`nscd_systemctl',`
++ gen_require(`
++ type nscd_unit_file_t;
++ type nscd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 nscd_unit_file_t:file read_file_perms;
++ allow $1 nscd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, nscd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an nscd environment
+ ##
+@@ -288,4 +335,6 @@ interface(`nscd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
++
++ nscd_systemctl($1)
+ ')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..6b54db7 100644
+index 7936e09..812f966 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,9 +1,16 @@
@@ -43365,7 +44090,17 @@ index 7936e09..6b54db7 100644
########################################
#
# Declarations
-@@ -30,7 +37,7 @@ logging_log_file(nscd_log_t)
+@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
+ type nscd_initrc_exec_t;
+ init_script_file(nscd_initrc_exec_t)
+
++type nscd_unit_file_t;
++systemd_unit_file(nscd_unit_file_t)
++
+ type nscd_log_t;
+ logging_log_file(nscd_log_t)
+
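Review bot: `nscd_unit_file_t` is declared here and `nscd_systemctl` grants access to it, but no nscd.fc entry labeling the unit file with that type is visible anywhere in this patch, so unless it exists elsewhere the type is never applied and the interface is inert. If it is missing, add `/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)` to nscd.fc, mirroring the NetworkManager.fc line in this patch.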
+@@ -30,7 +40,7 @@ logging_log_file(nscd_log_t)
# Local policy
#
@@ -43374,7 +44109,7 @@ index 7936e09..6b54db7 100644
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
-@@ -47,9 +54,10 @@ allow nscd_t self:nscd { admin getstat };
+@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
@@ -43386,7 +44121,7 @@ index 7936e09..6b54db7 100644
corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-@@ -90,6 +98,7 @@ selinux_compute_create_context(nscd_t)
+@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
@@ -43394,7 +44129,7 @@ index 7936e09..6b54db7 100644
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +121,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
@@ -43405,7 +44140,7 @@ index 7936e09..6b54db7 100644
cron_read_system_job_tmp_files(nscd_t)
')
-@@ -127,3 +140,17 @@ optional_policy(`
+@@ -127,3 +143,17 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -43527,7 +44262,7 @@ index e79dccc..50202ef 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..4b93b29 100644
+index e80f8c0..c58528f 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',`
@@ -43565,14 +44300,14 @@ index e80f8c0..4b93b29 100644
+#
+interface(`ntp_systemctl',`
+ gen_require(`
-+ type ntpd_unit_t;
++ type ntpd_unit_file_t;
+ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 ntpd_unit_t:file read_file_perms;
-+ allow $1 ntpd_unit_t:service all_service_perms;
++ allow $1 ntpd_unit_file_t:file read_file_perms;
++ allow $1 ntpd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
@@ -44698,10 +45433,10 @@ index 0000000..548d0a2
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..2321872
+index 0000000..9c4df9f
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,299 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -44918,6 +45653,7 @@ index 0000000..2321872
+optional_policy(`
+ ftp_domtrans(piranha_pulse_t)
+ ftp_initrc_domtrans(piranha_pulse_t)
++ ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
@@ -44925,6 +45661,7 @@ index 0000000..2321872
+')
+
+optional_policy(`
++ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
+')
@@ -44946,6 +45683,7 @@ index 0000000..2321872
+
+optional_policy(`
+ samba_initrc_domtrans(piranha_pulse_t)
++ samba_systemctl(piranha_pulse_t)
+ samba_domtrans_smbd(piranha_pulse_t)
+ samba_domtrans_nmbd(piranha_pulse_t)
+ samba_manage_var_files(piranha_pulse_t)
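Review bot: `samba_systemctl(piranha_pulse_t)` is called here, but no `samba_systemctl` interface or `samba_unit_file_t` declaration appears in the visible part of this patch; if samba.if does not define it, an unexpanded m4 call inside `optional_policy` breaks the build. Please confirm the interface exists in the tree. For consistency with the ftp and ldap blocks, keeping the `*_initrc_domtrans`/`*_systemctl` pair adjacent and in the same order would also make these grants easier to audit.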
@@ -46844,10 +47582,17 @@ index db843e2..4389e81 100644
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..dd05493 100644
+index 2d82c6d..adf5731 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
-@@ -16,6 +16,7 @@
+@@ -11,11 +11,14 @@
+ # Fix /etc/ppp {up,down} family scripts (see man pppd)
+ /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
++/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
#
# /sbin
#
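Review bot: `/lib/systemd/system/ppp.*` is given `iptables_unit_file_t`, but ppp.te in this patch declares `pppd_unit_file_t` and `ppp_systemctl` (handed to `ppp_admin` and NetworkManager_t) requires it, so as written ppp's unit is controllable by whatever domain can drive iptables' units and not by the intended callers. The line should be `/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:pppd_unit_file_t,s0)`.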
@@ -46855,7 +47600,7 @@ index 2d82c6d..dd05493 100644
/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
#
-@@ -34,5 +35,7 @@
+@@ -34,5 +37,7 @@
# Fix pptp sockets
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
@@ -46865,7 +47610,7 @@ index 2d82c6d..dd05493 100644
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..9d90fb3 100644
+index b524673..d3f932f 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -46904,7 +47649,38 @@ index b524673..9d90fb3 100644
allow $1 pppd_var_run_t:file manage_file_perms;
')
-@@ -348,21 +348,27 @@ interface(`ppp_initrc_domtrans',`
+@@ -340,6 +340,30 @@ interface(`ppp_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute pppd server in the pppd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ppp_systemctl',`
++ gen_require(`
++ type pppd_unit_file_t;
++ type pppd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 pppd_unit_file_t:file read_file_perms;
++ allow $1 pppd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, pppd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an ppp environment
+ ##
+@@ -348,21 +372,27 @@ interface(`ppp_initrc_domtrans',`
## Domain allowed access.
##
##
@@ -46937,7 +47713,7 @@ index b524673..9d90fb3 100644
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pppd_initrc_exec_t system_r;
-@@ -374,6 +380,7 @@ interface(`ppp_admin',`
+@@ -374,6 +404,7 @@ interface(`ppp_admin',`
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
@@ -46945,7 +47721,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
-@@ -386,9 +393,6 @@ interface(`ppp_admin',`
+@@ -386,10 +417,9 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
@@ -46955,8 +47731,11 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_log_t)
admin_pattern($1, pptp_var_run_t)
++
++ ppp_systemctl($1)
+ ')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..0d51fe4 100644
+index 2af42e7..392bc4b 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -46982,7 +47761,17 @@ index 2af42e7..0d51fe4 100644
##
gen_tunable(pppd_for_user, false)
-@@ -70,9 +70,9 @@ files_pid_file(pptp_var_run_t)
+@@ -39,6 +39,9 @@ files_type(pppd_etc_rw_t)
+ type pppd_initrc_exec_t alias pppd_script_exec_t;
+ init_script_file(pppd_initrc_exec_t)
+
++type pppd_unit_file_t;
++systemd_unit_file(pppd_unit_file_t)
++
+ # pppd_secret_t is the type of the pap and chap password files
+ type pppd_secret_t;
+ files_type(pppd_secret_t)
+@@ -70,9 +73,9 @@ files_pid_file(pptp_var_run_t)
# PPPD Local policy
#
@@ -46994,7 +47783,7 @@ index 2af42e7..0d51fe4 100644
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +87,29 @@ allow pppd_t self:packet_socket create_socket_perms;
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
@@ -47030,7 +47819,7 @@ index 2af42e7..0d51fe4 100644
allow pppd_t pptp_t:process signal;
-@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +170,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -47039,7 +47828,7 @@ index 2af42e7..0d51fe4 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +182,7 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@@ -47048,7 +47837,7 @@ index 2af42e7..0d51fe4 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
-@@ -187,13 +190,15 @@ optional_policy(`
+@@ -187,13 +193,15 @@ optional_policy(`
')
optional_policy(`
@@ -47065,7 +47854,7 @@ index 2af42e7..0d51fe4 100644
')
optional_policy(`
-@@ -243,14 +248,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +251,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -47571,7 +48360,7 @@ index 2f1e529..8c0b242 100644
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..9bc56ee 100644
+index 2855a44..58bb459 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -8,6 +8,53 @@
@@ -47628,7 +48417,7 @@ index 2855a44..9bc56ee 100644
################################################
##
## Read / Write to Puppet temp files. Puppet uses
-@@ -21,7 +68,7 @@
+@@ -21,11 +68,87 @@
##
##
#
@@ -47637,8 +48426,9 @@ index 2855a44..9bc56ee 100644
gen_require(`
type puppet_tmp_t;
')
-@@ -29,3 +76,79 @@ interface(`puppet_rw_tmp', `
- allow $1 puppet_tmp_t:file rw_file_perms;
+
+- allow $1 puppet_tmp_t:file rw_file_perms;
++ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
')
+
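Review bot: The `++ allow $1 puppet_tmp_t:file rw_inherited_file_perms;` line drops `open` from what `puppet_rw_tmp` grants, so callers can only read and write descriptors they inherit, yet the interface summary ("Read / Write to Puppet temp files", in the preceding hunk) still reads as if the caller may open the files itself. The summary should state the contract the rule now enforces, e.g. `## Read / Write inherited Puppet temp files (no open permission).`. The interface body starts before this hunk.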
@@ -47718,7 +48508,7 @@ index 2855a44..9bc56ee 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..7041ad9 100644
+index 64c5f95..5f6e7b8 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -47774,7 +48564,18 @@ index 64c5f95..7041ad9 100644
')
optional_policy(`
-@@ -162,7 +174,60 @@ optional_policy(`
+@@ -144,6 +156,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mount_domtrans(puppet_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+@@ -162,7 +178,60 @@ optional_policy(`
########################################
#
@@ -47836,7 +48637,7 @@ index 64c5f95..7041ad9 100644
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +236,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -47875,7 +48676,7 @@ index 64c5f95..7041ad9 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +277,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
@@ -47891,11 +48692,11 @@ index 64c5f95..7041ad9 100644
+domain_obj_id_change_exemption(puppetmaster_t)
+
+files_read_usr_files(puppetmaster_t)
-+
-+selinux_validate_context(puppetmaster_t)
-files_read_etc_files(puppetmaster_t)
-files_search_var_lib(puppetmaster_t)
++selinux_validate_context(puppetmaster_t)
++
+auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
@@ -47925,7 +48726,7 @@ index 64c5f95..7041ad9 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +327,9 @@ optional_policy(`
+@@ -231,3 +331,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -49289,7 +50090,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..e605105 100644
+index 00fa514..bac3e66 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -49404,11 +50205,12 @@ index 00fa514..e605105 100644
fstools_domtrans(rgmanager_t)
')
-@@ -140,6 +158,15 @@ optional_policy(`
+@@ -140,6 +158,16 @@ optional_policy(`
')
optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
++ ldap_systemctl(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
@@ -49420,11 +50222,20 @@ index 00fa514..e605105 100644
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
+@@ -165,6 +193,8 @@ optional_policy(`
+ optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
++ rpc_systemctl_nfsd(rgmanager_t)
++ rpc_systemctl_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..853eeb5 100644
+index c2ba53b..1f935bf 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
-@@ -1,14 +1,18 @@
+@@ -1,20 +1,25 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -49443,6 +50254,13 @@ index c2ba53b..853eeb5 100644
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+ /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+ /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+ /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index de37806..a21e737 100644
--- a/policy/modules/services/rhcs.if
@@ -51063,17 +51881,27 @@ index 779fa44..4bcaacc 100644
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..6842295 100644
+index 5c70c0c..f9f0f54 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
-@@ -29,3 +29,5 @@
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
++/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
++
+ #
+ # /sbin
+ #
+@@ -29,3 +32,5 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..484e552 100644
+index cda37bb..41b106f 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
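Review bot: The two new contexts `/lib/systemd/system/nfs.*` and `/lib/systemd/system/rpc.*` are prefix regexes, so they label every unit whose name begins with those letters, not just the nfsd and rpcd units; `rpc.*` would also catch an rpcbind unit if this policy ships rpcbind in its own domain, which I cannot confirm from this hunk. The other unit-file contexts added in this patch name the unit explicitly (`smb.service`), and that is the safer style here, e.g. `/lib/systemd/system/nfs-[^/]*\.service -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)` with the exact unit names checked against the package. Because the new `rpc_systemctl_*` interfaces grant `all_service_perms` on whatever carries these labels, an over-broad pattern hands callers control over services the interface name does not suggest.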
@@ -51107,7 +51935,38 @@ index cda37bb..484e552 100644
')
########################################
-@@ -246,6 +250,32 @@ interface(`rpc_domtrans_rpcd',`
+@@ -229,6 +233,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
+
+ ########################################
+ ##
++## Execute nfsd server in the nfsd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rpc_systemctl_nfsd',`
++ gen_require(`
++ type nfsd_unit_file_t;
++ type nfsd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 nfsd_unit_file_t:file read_file_perms;
++ allow $1 nfsd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, nfsd_t)
++')
++
++########################################
++##
+ ## Execute domain in rpcd domain.
+ ##
+ ##
+@@ -246,6 +274,32 @@ interface(`rpc_domtrans_rpcd',`
allow rpcd_t $1:process signal;
')
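Review bot: The description of the new `rpc_systemctl_nfsd` interface, `## Execute nfsd server in the nfsd domain.`, does not match its rules: the body grants systemctl execution, unit-dir search, read on `nfsd_unit_file_t`, `all_service_perms` on the service object and `ps_process_pattern($1, nfsd_t)`, with no domain transition anywhere. A description such as `## Control the nfsd service via systemctl and read nfsd process state.` would tell callers what they are actually granting; the same mismatch is in `rpc_systemctl_rpcd` in the next hunk and in `samba_systemctl` in the samba.if hunk. `all_service_perms` also covers enabling and disabling the unit; if the callers only need runtime control, a narrower set such as `{ start stop status reload }` would be tighter, which is worth confirming against the admin interfaces that call these.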
@@ -51140,7 +51999,38 @@ index cda37bb..484e552 100644
#######################################
##
## Execute domain in rpcd domain.
-@@ -282,7 +312,7 @@ interface(`rpc_read_nfs_content',`
+@@ -266,6 +320,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
+
+ ########################################
+ ##
++## Execute rpcd server in the rpcd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rpc_systemctl_rpcd',`
++ gen_require(`
++ type rpcd_unit_file_t;
++ type rpcd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 rpcd_unit_file_t:file read_file_perms;
++ allow $1 rpcd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, rpcd_t)
++')
++
++########################################
++##
+ ## Read NFS exported content.
+ ##
+ ##
+@@ -282,7 +360,7 @@ interface(`rpc_read_nfs_content',`
allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
@@ -51149,7 +52039,7 @@ index cda37bb..484e552 100644
')
########################################
-@@ -375,7 +405,7 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +453,7 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
@@ -51158,14 +52048,14 @@ index cda37bb..484e552 100644
')
########################################
-@@ -414,4 +444,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +492,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..4bd5e3c 100644
+index b1468ed..372f918 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -51195,7 +52085,25 @@ index b1468ed..4bd5e3c 100644
##
gen_tunable(allow_nfsd_anon_write, false)
-@@ -62,9 +62,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
+ type rpcd_initrc_exec_t;
+ init_script_file(rpcd_initrc_exec_t)
+
++type rpcd_unit_file_t;
++systemd_unit_file(rpcd_unit_file_t)
++
+ rpc_domain_template(nfsd)
+
+ type nfsd_initrc_exec_t;
+ init_script_file(nfsd_initrc_exec_t)
+
++type nfsd_unit_file_t;
++systemd_unit_file(nfsd_unit_file_t)
++
+ type nfsd_rw_t;
+ files_type(nfsd_rw_t)
+
+@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -51208,7 +52116,7 @@ index b1468ed..4bd5e3c 100644
# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
-@@ -87,6 +88,7 @@ fs_read_rpc_files(rpcd_t)
+@@ -87,6 +94,7 @@ fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
fs_get_all_fs_quotas(rpcd_t)
@@ -51216,7 +52124,7 @@ index b1468ed..4bd5e3c 100644
fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,15 +99,26 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,15 +105,26 @@ miscfiles_read_generic_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -51243,7 +52151,7 @@ index b1468ed..4bd5e3c 100644
########################################
#
# NFSD local policy
-@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +139,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -51258,7 +52166,7 @@ index b1468ed..4bd5e3c 100644
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +172,8 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
@@ -51267,7 +52175,7 @@ index b1468ed..4bd5e3c 100644
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +184,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -51275,7 +52183,7 @@ index b1468ed..4bd5e3c 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +195,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -51285,7 +52193,7 @@ index b1468ed..4bd5e3c 100644
')
########################################
-@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +205,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
@@ -51294,7 +52202,7 @@ index b1468ed..4bd5e3c 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +223,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -51302,7 +52210,7 @@ index b1468ed..4bd5e3c 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +235,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -51319,7 +52227,7 @@ index b1468ed..4bd5e3c 100644
')
optional_policy(`
-@@ -229,6 +248,10 @@ optional_policy(`
+@@ -229,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -51701,10 +52609,19 @@ index a07b2f4..ee39810 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..73db5ba 100644
+index 69a6074..c79b415 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
-@@ -51,3 +51,7 @@
+@@ -11,6 +11,8 @@
+ /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+ /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
++/lib/systemd/system/smb.service -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -51,3 +53,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
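Review bot: The new context `/lib/systemd/system/smb.service` leaves the dot unescaped while the neighbouring entries escape theirs (`/etc/rc\.d/init\.d/...`); as a regex `.` matches any character, so `smb\.service` is the consistent form. Only the smb unit receives `samba_unit_file_t`; if the nmb and winbind units are shipped alongside it, as I would expect but cannot see here, `samba_systemctl` will not cover them and callers get an inconsistent picture of what "the samba service" means, so the unit list should be checked against the package.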
@@ -51713,10 +52630,41 @@ index 69a6074..73db5ba 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..9e72970 100644
+index 82cb169..87d1eec 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
-@@ -79,6 +79,25 @@ interface(`samba_domtrans_net',`
+@@ -60,6 +60,30 @@ interface(`samba_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute samba server in the samba domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`samba_systemctl',`
++ gen_require(`
++ type samba_unit_file_t;
++ type smbd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 samba_unit_file_t:file read_file_perms;
++ allow $1 samba_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, smbd_t)
++')
++
++########################################
++##
+ ## Execute samba net in the samba_net domain.
+ ##
+ ##
+@@ -79,6 +103,25 @@ interface(`samba_domtrans_net',`
########################################
##
@@ -51742,7 +52690,7 @@ index 82cb169..9e72970 100644
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
##
-@@ -103,6 +122,51 @@ interface(`samba_run_net',`
+@@ -103,6 +146,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
@@ -51794,7 +52742,7 @@ index 82cb169..9e72970 100644
########################################
##
## Execute smbmount in the smbmount domain.
-@@ -327,7 +391,6 @@ interface(`samba_search_var',`
+@@ -327,7 +415,6 @@ interface(`samba_search_var',`
type samba_var_t;
')
@@ -51802,7 +52750,7 @@ index 82cb169..9e72970 100644
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
-@@ -348,7 +411,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +435,6 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
@@ -51810,7 +52758,7 @@ index 82cb169..9e72970 100644
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -388,7 +450,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +474,6 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
@@ -51818,7 +52766,7 @@ index 82cb169..9e72970 100644
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -409,9 +470,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +494,9 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
@@ -51829,7 +52777,7 @@ index 82cb169..9e72970 100644
')
########################################
-@@ -419,15 +480,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +504,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
##
##
@@ -51848,7 +52796,7 @@ index 82cb169..9e72970 100644
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +624,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +648,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -51856,7 +52804,7 @@ index 82cb169..9e72970 100644
')
########################################
-@@ -644,6 +705,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +729,37 @@ interface(`samba_stream_connect_winbind',`
########################################
##
@@ -51894,7 +52842,7 @@ index 82cb169..9e72970 100644
## All of the rules required to administrate
## an samba environment
##
-@@ -661,21 +753,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +777,12 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -51922,7 +52870,7 @@ index 82cb169..9e72970 100644
')
allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +767,9 @@ interface(`samba_admin',`
+@@ -684,6 +791,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
@@ -51932,7 +52880,7 @@ index 82cb169..9e72970 100644
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -709,9 +795,6 @@ interface(`samba_admin',`
+@@ -709,9 +819,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -51942,17 +52890,29 @@ index 82cb169..9e72970 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +810,5 @@ interface(`samba_admin',`
+@@ -727,4 +834,7 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
++
++ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..be3f853 100644
+index e30bb63..3bc774c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
-@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
+ type samba_initrc_exec_t;
+ init_script_file(samba_initrc_exec_t)
+
++type samba_unit_file_t;
++systemd_unit_file(samba_unit_file_t)
++
+ type samba_log_t;
+ logging_log_file(samba_log_t)
+
+@@ -152,9 +155,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
type winbind_log_t;
logging_log_file(winbind_log_t)
@@ -51962,7 +52922,7 @@ index e30bb63..be3f853 100644
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
-@@ -215,7 +212,7 @@ miscfiles_read_localization(samba_net_t)
+@@ -215,7 +215,7 @@ miscfiles_read_localization(samba_net_t)
samba_read_var_files(samba_net_t)
@@ -51971,7 +52931,7 @@ index e30bb63..be3f853 100644
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
-@@ -224,13 +221,14 @@ optional_policy(`
+@@ -224,13 +224,14 @@ optional_policy(`
optional_policy(`
kerberos_use(samba_net_t)
@@ -51987,7 +52947,7 @@ index e30bb63..be3f853 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -263,7 +261,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -51996,7 +52956,7 @@ index e30bb63..be3f853 100644
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +277,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -52005,7 +52965,7 @@ index e30bb63..be3f853 100644
allow smbd_t swat_t:process signal;
-@@ -323,15 +321,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -52024,7 +52984,7 @@ index e30bb63..be3f853 100644
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +344,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
@@ -52032,7 +52992,7 @@ index e30bb63..be3f853 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -385,12 +387,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -52046,7 +53006,7 @@ index e30bb63..be3f853 100644
')
# Support Samba sharing of NFS mount points
-@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -52057,7 +53017,7 @@ index e30bb63..be3f853 100644
optional_policy(`
cups_read_rw_config(smbd_t)
-@@ -445,26 +446,25 @@ optional_policy(`
+@@ -445,26 +449,25 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -52091,7 +53051,7 @@ index e30bb63..be3f853 100644
########################################
#
# nmbd Local policy
-@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52102,7 +53062,7 @@ index e30bb63..be3f853 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
@@ -52120,7 +53080,7 @@ index e30bb63..be3f853 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -574,11 +575,13 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +578,13 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -52135,7 +53095,7 @@ index e30bb63..be3f853 100644
########################################
#
-@@ -644,19 +647,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +650,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -52160,7 +53120,7 @@ index e30bb63..be3f853 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +682,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +685,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -52169,7 +53129,7 @@ index e30bb63..be3f853 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +697,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +700,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -52184,7 +53144,7 @@ index e30bb63..be3f853 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +717,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +720,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -52192,7 +53152,7 @@ index e30bb63..be3f853 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +762,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +765,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -52201,7 +53161,7 @@ index e30bb63..be3f853 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +816,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +819,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -52223,7 +53183,7 @@ index e30bb63..be3f853 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +844,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +847,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -52231,7 +53191,7 @@ index e30bb63..be3f853 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -904,7 +916,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +919,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -52240,7 +53200,7 @@ index e30bb63..be3f853 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +934,18 @@ optional_policy(`
+@@ -922,6 +937,18 @@ optional_policy(`
#
optional_policy(`
@@ -52259,7 +53219,7 @@ index e30bb63..be3f853 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +956,12 @@ optional_policy(`
+@@ -932,9 +959,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -56534,10 +57494,10 @@ index 0000000..7647279
+
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
-index 0000000..9fb3ea7
+index 0000000..4fd2377
--- /dev/null
+++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,54 @@
+policy_module(vdagent,1.0.0)
+
+########################################
@@ -56560,6 +57520,8 @@ index 0000000..9fb3ea7
+# vdagent local policy
+#
+
++dontaudit vdagent_t self:capability sys_admin;
++
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+
@@ -56573,6 +57535,10 @@ index 0000000..9fb3ea7
+logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
+
+dev_rw_input_dev(vdagent_t)
++dev_read_sysfs(vdagent_t)
++dev_dontaudit_write_mtrr(vdagent_t)
++
++files_read_etc_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
+
@@ -56685,7 +57651,7 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..55b5012 100644
+index 2124b6a..e14c78c 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
@@ -56697,12 +57663,13 @@ index 2124b6a..55b5012 100644
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,29 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,30 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virt_lxc_exec_t,s0)
++/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
++/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
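Review bot: The new line labels `/usr/sbin/libvirt-qmf` as `virtd_exec_t`, which runs the QMF agent in the same `virtd_t` domain as libvirtd — a domain that, per the virt.te hunk later in this patch, holds capabilities including sys_admin, sys_ptrace and net_admin. Sharing the daemon's domain is the easy path but gives a management agent the full privilege of the hypervisor daemon; a one-line comment on why no dedicated domain was used would help the next reviewer, e.g. `# libvirt-qmf runs as virtd_t; it needs libvirtd's access and has no separate domain yet`. Only the fc file is visible here, so whether the agent really needs all of that cannot be judged from this hunk.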
@@ -56721,7 +57688,7 @@ index 2124b6a..55b5012 100644
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
@@ -56731,7 +57698,7 @@ index 2124b6a..55b5012 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..72e3065 100644
+index 7c5d8d8..f2f49f2 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,44 @@
@@ -57035,7 +58002,7 @@ index 7c5d8d8..72e3065 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +615,188 @@ interface(`virt_admin',`
+@@ -515,4 +615,213 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -57043,7 +58010,7 @@ index 7c5d8d8..72e3065 100644
+ virt_manage_images($1)
+
+ allow $1 virt_domain:process { ptrace signal_perms };
-+')
+ ')
+
+########################################
+##
@@ -57223,9 +58190,34 @@ index 7c5d8d8..72e3065 100644
+ ')
+
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
- ')
++')
++
++########################################
++##
++## Creates types and rules for a basic
++## virt_lxc process domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`virt_lxc_domain_template',`
++ gen_require(`
++ attribute virt_lxc_domain;
++ ')
++
++ type $1_t, virt_lxc_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
++ role system_r types $1_t;
++')
++
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..1eb165e 100644
+index 3eca020..e92db9c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -57369,19 +58361,24 @@ index 3eca020..1eb165e 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -99,20 +130,29 @@ ifdef(`enable_mls',`
+@@ -99,20 +130,34 @@ ifdef(`enable_mls',`
########################################
#
+# Declarations
+#
++attribute virt_lxc_domain;
++
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
-+type virt_lxc_t;
-+type virt_lxc_exec_t;
-+init_system_domain(virt_lxc_t, virt_lxc_exec_t)
++type virtd_lxc_var_run_t;
++files_pid_file(virtd_lxc_var_run_t)
+
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
++# virt lxc container files
++type virt_lxc_file_t;
++files_mountpoint(virt_lxc_file_t)
+
+########################################
+#
@@ -57403,7 +58400,7 @@ index 3eca020..1eb165e 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +170,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +175,13 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -57417,7 +58414,7 @@ index 3eca020..1eb165e 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +191,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +196,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -57433,7 +58430,7 @@ index 3eca020..1eb165e 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +208,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +213,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -57462,7 +58459,7 @@ index 3eca020..1eb165e 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +239,35 @@ optional_policy(`
+@@ -174,21 +244,36 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -57481,6 +58478,7 @@ index 3eca020..1eb165e 100644
-allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow virtd_t self:rawip_socket create_socket_perms;
++allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
@@ -57504,7 +58502,7 @@ index 3eca020..1eb165e 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +279,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +285,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -57522,14 +58520,14 @@ index 3eca020..1eb165e 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +303,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +309,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virt_lxc_t)
++manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -57538,7 +58536,7 @@ index 3eca020..1eb165e 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +331,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +337,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -57571,7 +58569,7 @@ index 3eca020..1eb165e 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +363,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +369,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -57590,14 +58588,14 @@ index 3eca020..1eb165e 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +398,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +404,29 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -57620,7 +58618,7 @@ index 3eca020..1eb165e 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +439,10 @@ optional_policy(`
+@@ -313,6 +445,10 @@ optional_policy(`
')
optional_policy(`
@@ -57631,7 +58629,7 @@ index 3eca020..1eb165e 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,11 +459,17 @@ optional_policy(`
+@@ -329,16 +465,23 @@ optional_policy(`
')
optional_policy(`
@@ -57649,7 +58647,13 @@ index 3eca020..1eb165e 100644
')
optional_policy(`
-@@ -365,6 +501,12 @@ optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+@@ -365,6 +508,12 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
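Review bot: `iptables_systemctl(virtd_t)` gives libvirtd the interface's `all_service_perms` on the iptables unit (see the `iptables_systemctl` interface added to iptables.if later in this patch), so virtd_t can stop or disable the host firewall service, not only reload it. If libvirt needs a single operation after writing its rules, a narrower interface or at least a comment stating which operation is required would keep the grant reviewable, e.g. `# libvirt needs to <operation — fill in> the iptables unit after editing its rules` above the call. The enclosing optional_policy block starts outside the hunk.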
@@ -57662,7 +58666,7 @@ index 3eca020..1eb165e 100644
')
optional_policy(`
-@@ -394,20 +536,36 @@ optional_policy(`
+@@ -394,20 +543,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -57701,7 +58705,7 @@ index 3eca020..1eb165e 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +576,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +583,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -57714,7 +58718,7 @@ index 3eca020..1eb165e 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +588,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +595,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -57727,7 +58731,7 @@ index 3eca020..1eb165e 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,14 +601,20 @@ files_search_all(virt_domain)
+@@ -440,14 +608,20 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -57735,12 +58739,12 @@ index 3eca020..1eb165e 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -57751,7 +58755,7 @@ index 3eca020..1eb165e 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +624,188 @@ optional_policy(`
+@@ -457,8 +631,256 @@ optional_policy(`
')
optional_policy(`
@@ -57875,71 +58879,139 @@ index 3eca020..1eb165e 100644
+#
+# virt_lxc local policy
+#
-+allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
-+allow virt_lxc_t self:process { setsched getcap setcap signal_perms };
-+allow virt_lxc_t self:fifo_file rw_fifo_file_perms;
-+allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
-+allow virt_lxc_t self:packet_socket create_socket_perms;
++allow virtd_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
++allow virtd_lxc_t self:process { setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
++allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
++allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_lxc_t self:packet_socket create_socket_perms;
+
-+allow virt_lxc_t virt_image_type:dir mounton;
++allow virtd_lxc_t virt_image_type:dir mounton;
+
-+allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+
-+domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t)
-+allow virtd_t virt_lxc_t:process { signal signull sigkill };
++domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
++allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+
-+manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_sock_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+files_pid_filetrans(virt_lxc_t, virt_lxc_var_run_t, { file dir })
++manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+
-+kernel_read_network_state(virt_lxc_t)
-+kernel_search_network_sysctl(virt_lxc_t)
-+kernel_read_sysctl(virt_lxc_t)
++kernel_read_network_state(virtd_lxc_t)
++kernel_search_network_sysctl(virtd_lxc_t)
++kernel_read_sysctl(virtd_lxc_t)
+
-+dev_read_sysfs(virt_lxc_t)
++dev_read_sysfs(virtd_lxc_t)
+
-+domain_use_interactive_fds(virt_lxc_t)
++domain_use_interactive_fds(virtd_lxc_t)
+
-+files_read_etc_files(virt_lxc_t)
-+files_mounton_all_mountpoints(virt_lxc_t)
-+files_mount_all_file_type_fs(virt_lxc_t)
-+files_unmount_all_file_type_fs(virt_lxc_t)
-+files_list_isid_type_dirs(virt_lxc_t)
++files_read_etc_files(virtd_lxc_t)
++files_mounton_all_mountpoints(virtd_lxc_t)
++files_mount_all_file_type_fs(virtd_lxc_t)
++files_unmount_all_file_type_fs(virtd_lxc_t)
++files_list_isid_type_dirs(virtd_lxc_t)
+
-+fs_manage_tmpfs_dirs(virt_lxc_t)
-+fs_manage_tmpfs_chr_files(virt_lxc_t)
-+fs_manage_tmpfs_symlinks(virt_lxc_t)
-+fs_manage_cgroup_dirs(virt_lxc_t)
-+fs_rw_cgroup_files(virt_lxc_t)
-+fs_remount_all_fs(virt_lxc_t)
++fs_manage_tmpfs_dirs(virtd_lxc_t)
++fs_manage_tmpfs_chr_files(virtd_lxc_t)
++fs_manage_tmpfs_symlinks(virtd_lxc_t)
++fs_manage_cgroup_dirs(virtd_lxc_t)
++fs_rw_cgroup_files(virtd_lxc_t)
++fs_remount_all_fs(virtd_lxc_t)
+
-+selinux_mount_fs(virt_lxc_t)
-+selinux_unmount_fs(virt_lxc_t)
++selinux_mount_fs(virtd_lxc_t)
++selinux_unmount_fs(virtd_lxc_t)
+
-+term_use_generic_ptys(virt_lxc_t)
-+term_use_ptmx(virt_lxc_t)
++term_use_generic_ptys(virtd_lxc_t)
++term_use_ptmx(virtd_lxc_t)
+
-+auth_use_nsswitch(virt_lxc_t)
++auth_use_nsswitch(virtd_lxc_t)
+
-+logging_send_syslog_msg(virt_lxc_t)
++logging_send_syslog_msg(virtd_lxc_t)
+
-+miscfiles_read_localization(virt_lxc_t)
++miscfiles_read_localization(virtd_lxc_t)
+
-+sysnet_domtrans_ifconfig(virt_lxc_t)
++sysnet_domtrans_ifconfig(virtd_lxc_t)
+
-+type lxc_t;
-+domain_type(lxc_t);
++#optional_policy(`
++# unconfined_shell_domtrans(virtd_lxc_t)
++# unconfined_signal(virtd_t)
++#')
+
-+optional_policy(`
-+ unconfined_domain(lxc_t)
-+')
++########################################
++#
++# virt_lxc_domain local policy
++#
++allow virtd_lxc_t virt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virt_lxc_domain virtd_lxc_t:fd use;
++allow virt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
++dontaudit virt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
+
-+optional_policy(`
-+ unconfined_shell_domtrans(virt_lxc_t)
-+ unconfined_signal(virtd_t)
-+')
++allow virt_lxc_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
++allow virt_lxc_domain self:fifo_file manage_file_perms;
++allow virt_lxc_domain self:sem create_sem_perms;
++allow virt_lxc_domain self:shm create_shm_perms;
++allow virt_lxc_domain self:msgq create_msgq_perms;
++allow virt_lxc_domain self:unix_stream_socket create_stream_socket_perms;
++allow virt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
++dontaudit virt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++manage_dirs_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_lnk_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_sock_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_fifo_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++can_exec(virt_lxc_domain, virt_lxc_file_t)
++
++kernel_getattr_proc(virt_lxc_domain)
++kernel_read_network_state(virt_lxc_domain)
++kernel_read_system_state(virt_lxc_domain)
++kernel_dontaudit_search_kernel_sysctl(virt_lxc_domain)
++
++corecmd_exec_all_executables(virt_lxc_domain)
++
++dev_read_urand(virt_lxc_domain)
++dev_dontaudit_read_rand(virt_lxc_domain)
++dev_read_sysfs(virt_lxc_domain)
++
++files_dontaudit_list_all_mountpoints(virt_lxc_domain)
++files_entrypoint_all_files(virt_lxc_domain)
++files_read_config_files(virt_lxc_domain)
++files_read_usr_files(virt_lxc_domain)
++files_read_usr_symlinks(virt_lxc_domain)
++
++fs_getattr_tmpfs(virt_lxc_domain)
++fs_getattr_xattr_fs(virt_lxc_domain)
++fs_list_inotifyfs(virt_lxc_domain)
++fs_dontaudit_getattr_xattr_fs(virt_lxc_domain)
++
++auth_dontaudit_read_login_records(virt_lxc_domain)
++auth_dontaudit_write_login_records(virt_lxc_domain)
++auth_search_pam_console_data(virt_lxc_domain)
++
++init_read_utmp(virt_lxc_domain)
++init_dontaudit_write_utmp(virt_lxc_domain)
++
++libs_dontaudit_setattr_lib_files(virt_lxc_domain)
++
++miscfiles_read_localization(virt_lxc_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(virt_lxc_domain)
++
++mta_dontaudit_read_spool_symlinks(virt_lxc_domain)
++
++selinux_get_fs_mount(virt_lxc_domain)
++selinux_validate_context(virt_lxc_domain)
++selinux_compute_access_vector(virt_lxc_domain)
++selinux_compute_create_context(virt_lxc_domain)
++selinux_compute_relabel_context(virt_lxc_domain)
++selinux_compute_user_contexts(virt_lxc_domain)
++seutil_read_default_contexts(virt_lxc_domain)
++
++miscfiles_read_fonts(virt_lxc_domain)
++
++virt_lxc_domain_template(svirt_lxc)
++
++corecmd_shell_spec_domtrans(virtd_lxc_t, svirt_lxc_t)
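Review bot: `files_entrypoint_all_files(virt_lxc_domain)` together with `corecmd_exec_all_executables(virt_lxc_domain)` and the unconditional `execmem execstack` in the self:process rule make every file type a valid entrypoint for the container domain and let it execute anything it can read; that is far wider than the rest of this section and deserves a why-comment, e.g. `# a container's init can be any file in its rootfs, so every file type is an entrypoint; separation between containers presumably rests on MCS categories (mcs_untrusted_proc in the template) — confirm`. The `#optional_policy(` block left commented out should either be deleted or carry a comment explaining why it is kept. `allow virtd_lxc_t virt_domain:process { ... transition ... }` looks like it duplicates the new `virt_lxc_domain` rule below it; confirm whether svirt_lxc_t is also a member of virt_domain, otherwise the virt_domain rule may be a leftover from before the attribute existed.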
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
index 11533cc..4d81b99 100644
--- a/policy/modules/services/vnstatd.fc
@@ -63001,7 +64073,7 @@ index 94fd8dd..b5e5c70 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..1c92ab6 100644
+index 29a9565..53f3bfe 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -63291,31 +64363,31 @@ index 29a9565..1c92ab6 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
++optional_policy(`
++ lvm_rw_pipes(init_t)
++')
++
optional_policy(`
- auth_rw_login_records(init_t)
-+ lvm_rw_pipes(init_t)
++ consolekit_manage_log(init_t)
')
optional_policy(`
-+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
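Review bot: The dovecot comment (`# ... init tries to clean up the directory`) talks about init, but the rule beneath it is `dovecot_dontaudit_unlink_lib_files(initrc_t)`, while every neighbouring rule in this hunk targets init_t. Please confirm which domain actually attempts the unlink and make the comment and the subject agree, e.g. `# initrc_t tries to clean up the directory` if initrc_t is the intended domain.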
@@ -63875,7 +64947,7 @@ index 29a9565..1c92ab6 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1241,151 @@ optional_policy(`
+@@ -854,3 +1241,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -63960,6 +65032,10 @@ index 29a9565..1c92ab6 100644
+ nscd_socket_use(daemon)
+')
+
++optional_policy(`
++ puppet_rw_tmp(daemon)
++')
++
+allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
+
+allow initrc_t systemprocess:process siginh;
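Review bot: `puppet_rw_tmp(daemon)` grants read/write on puppet's temporary files to every domain carrying the daemon attribute, and the next hunk does the same for `systemprocess`; any single misbehaving daemon could then alter state puppet may be about to act on. Please add a comment naming the daemons that need it, or scope the grant to those domains, e.g. `# <daemon — fill in> reads/writes puppet tmp files during <operation — fill in>`.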
@@ -64010,6 +65086,10 @@ index 29a9565..1c92ab6 100644
+')
+
+optional_policy(`
++ puppet_rw_tmp(systemprocess)
++')
++
++optional_policy(`
+ xserver_dontaudit_append_xdm_home_files(systemprocess)
+')
+
@@ -64027,6 +65107,7 @@ index 29a9565..1c92ab6 100644
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
++
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index fb09b9e..e25c6b6 100644
--- a/policy/modules/system/ipsec.fc
@@ -64239,19 +65320,21 @@ index 55a6cd8..fa17b89 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..6b895d1 100644
+index 05fb364..c054118 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,5 @@
+@@ -1,7 +1,7 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
++
++/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +10,4 @@
+@@ -12,8 +12,4 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
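Review bot: `/lib/systemd/system/iptables6?.service` matches iptables.service and iptables6.service but not ip6tables.service, whereas the init-script entry a few lines up spells the IPv6 variant `ip6?tables`; the IPv6 unit file would therefore not receive `iptables_unit_file_t` and `iptables_systemctl` callers could not manage it. The `.` before `service` is also unescaped. Suggested: `/lib/systemd/system/ip6?tables\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)`.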
@@ -64262,7 +65345,7 @@ index 05fb364..6b895d1 100644
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 7ba53db..5c94dfe 100644
+index 7ba53db..227887f 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -64276,11 +65359,42 @@ index 7ba53db..5c94dfe 100644
')
########################################
+@@ -92,6 +88,30 @@ interface(`iptables_initrc_domtrans',`
+ init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+ ')
+
++########################################
++##
++## Execute iptables server in the iptables domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`iptables_systemctl',`
++ gen_require(`
++ type iptables_unit_file_t;
++ type iptables_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 iptables_unit_file_t:file read_file_perms;
++ allow $1 iptables_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, iptables_t)
++')
++
+ #####################################
+ ##
+ ## Set the attributes of iptables config files.
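Review bot: The summary `Execute iptables server in the iptables domain.` does not describe what `iptables_systemctl` does: it grants systemctl execution, read access to `iptables_unit_file_t`, `all_service_perms` on the unit, and process-state reads on iptables_t via `ps_process_pattern`, with no domain transition. Suggested summary: `## Allow the caller to run systemctl against the iptables unit (read the unit file, perform all service operations on it) and read iptables_t process state.` Since the interface is shared by every caller, consider whether `all_service_perms` could be narrowed for callers that only need to start or reload the service.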
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index f3e1b57..d6a93ac 100644
+index f3e1b57..d7fd7fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -13,9 +13,6 @@ role system_r types iptables_t;
+@@ -13,15 +13,15 @@ role system_r types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -64290,7 +65404,16 @@ index f3e1b57..d6a93ac 100644
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
-@@ -34,8 +31,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ type iptables_var_run_t;
+ files_pid_file(iptables_var_run_t)
+
++type iptables_unit_file_t;
++systemd_unit_file(iptables_unit_file_t)
++
+ ########################################
+ #
+ # Iptables local policy
+@@ -34,8 +34,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
@@ -64301,7 +65424,7 @@ index f3e1b57..d6a93ac 100644
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+@@ -46,6 +46,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
@@ -64309,7 +65432,7 @@ index f3e1b57..d6a93ac 100644
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
-@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -61,6 +62,9 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -64319,7 +65442,7 @@ index f3e1b57..d6a93ac 100644
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t)
+@@ -69,11 +73,13 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -64334,7 +65457,7 @@ index f3e1b57..d6a93ac 100644
auth_use_nsswitch(iptables_t)
-@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t)
+@@ -82,6 +88,7 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -64342,7 +65465,7 @@ index f3e1b57..d6a93ac 100644
logging_send_syslog_msg(iptables_t)
-@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t)
+@@ -90,7 +97,7 @@ miscfiles_read_localization(iptables_t)
sysnet_domtrans_ifconfig(iptables_t)
sysnet_dns_name_resolve(iptables_t)
@@ -64351,7 +65474,7 @@ index f3e1b57..d6a93ac 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -99,6 +106,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -64360,7 +65483,7 @@ index f3e1b57..d6a93ac 100644
')
optional_policy(`
-@@ -121,6 +127,7 @@ optional_policy(`
+@@ -121,6 +130,7 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -64368,7 +65491,7 @@ index f3e1b57..d6a93ac 100644
')
optional_policy(`
-@@ -134,6 +141,7 @@ optional_policy(`
+@@ -134,6 +144,7 @@ optional_policy(`
optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
@@ -67561,7 +68684,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..f2b7643 100644
+index 7ed9819..3ee9ea8 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -67832,17 +68955,17 @@ index 7ed9819..f2b7643 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--
--allow semanage_t policy_config_t:file rw_file_perms;
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-allow semanage_t policy_config_t:file rw_file_perms;
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
@@ -67871,13 +68994,13 @@ index 7ed9819..f2b7643 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
+-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
+-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -67894,7 +69017,7 @@ index 7ed9819..f2b7643 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t)
+@@ -482,6 +493,14 @@ seutil_manage_default_contexts(semanage_t)
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
@@ -67909,17 +69032,7 @@ index 7ed9819..f2b7643 100644
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
- ')
-
-+optional_policy(`
-+ setrans_initrc_domtrans(semanage_t)
-+ domain_system_change_exemption(semanage_t)
-+ consoletype_exec(semanage_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(semanage_t)
+@@ -493,112 +512,60 @@ ifdef(`distro_ubuntu',`
')
')
@@ -67972,23 +69085,23 @@ index 7ed9819..f2b7643 100644
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
+-
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
+
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
--
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
@@ -68366,7 +69479,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..7e4782d 100644
+index 34d0ec5..767ccbd 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -68503,7 +69616,7 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -192,7 +223,19 @@ optional_policy(`
+@@ -192,17 +223,31 @@ optional_policy(`
')
optional_policy(`
@@ -68523,7 +69636,19 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -213,6 +256,11 @@ optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
++ nscd_systemctl(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
+ ')
+
+ optional_policy(`
+ ntp_initrc_domtrans(dhcpc_t)
++ ntp_systemctl(dhcpc_t)
+ ')
+
+ optional_policy(`
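Review bot: `nscd_systemctl(dhcpc_t)` and `ntp_systemctl(dhcpc_t)` let the DHCP client, which acts on data received from the network, control the nscd and ntp units via systemctl; if those interfaces follow the same shape as the `iptables_systemctl` interface added in this patch (`all_service_perms`), a compromised dhcpc_t could stop or disable time synchronisation and name-service caching rather than merely restart them. A comment naming the hook that needs this, e.g. `# <dhclient hook — fill in> restarts ntp/nscd after a lease change`, would make the grant reviewable, and narrower interfaces would be preferable if only a restart is needed. The enclosing optional_policy blocks start and end outside the hunk.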
+@@ -213,6 +258,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -68535,7 +69660,7 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -255,6 +303,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -68543,7 +69668,7 @@ index 34d0ec5..7e4782d 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +325,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -68555,7 +69680,7 @@ index 34d0ec5..7e4782d 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +353,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -68570,7 +69695,7 @@ index 34d0ec5..7e4782d 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +367,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',`
')
')
@@ -68589,7 +69714,7 @@ index 34d0ec5..7e4782d 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +389,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -68604,7 +69729,7 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -335,6 +405,18 @@ optional_policy(`
+@@ -335,6 +407,18 @@ optional_policy(`
')
optional_policy(`
@@ -68623,7 +69748,7 @@ index 34d0ec5..7e4782d 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +438,9 @@ optional_policy(`
+@@ -356,3 +440,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -68660,10 +69785,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..25872de
+index 0000000..46a3ec0
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,454 @@
+@@ -0,0 +1,456 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -68710,6 +69835,8 @@ index 0000000..25872de
+
+ corecmd_search_bin($1)
+ can_exec($1, systemd_systemctl_exec_t)
++
++ init_read_state($1)
+')
+
+#######################################
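Review bot: `init_read_state($1)` is added to an interface whose name lies outside the hunk (the surrounding `can_exec($1, systemd_systemctl_exec_t)` suggests it is the systemctl-execution interface), so every caller of it now also gets read access to init's process state, a side effect the interface name does not imply. If systemctl needs it to reach PID 1, a comment should say so, e.g. `# systemctl reads init's process state to talk to the manager — confirm`; otherwise move the call to the callers that actually need it.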
@@ -69120,10 +70247,10 @@ index 0000000..25872de
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0cb5eaa
+index 0000000..c8a0e6f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,372 @@
+@@ -0,0 +1,368 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -69262,10 +70389,6 @@ index 0000000..0cb5eaa
+')
+
+optional_policy(`
-+ nis_use_ypbind(systemd_logind_t)
-+')
-+
-+optional_policy(`
+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
+')
@@ -70688,7 +71811,7 @@ index db75976..494ec08 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..fe5913a 100644
+index 4b2878a..e548ede 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -71455,7 +72578,7 @@ index 4b2878a..fe5913a 100644
')
optional_policy(`
-@@ -650,41 +798,50 @@ template(`userdom_common_user_template',`
+@@ -650,40 +798,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -71512,12 +72635,14 @@ index 4b2878a..fe5913a 100644
optional_policy(`
- usernetctl_run($1_t, $1_r)
+ slrnpull_search_spool($1_usertype)
- ')
++ ')
+
++ optional_policy(`
++ thumb_role($1_r, $1_usertype)
+ ')
')
- #######################################
-@@ -712,13 +869,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +872,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -71531,7 +72656,9 @@ index 4b2878a..fe5913a 100644
- userdom_manage_tmpfs_role($1_r, $1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -71539,9 +72666,7 @@ index 4b2878a..fe5913a 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -71549,7 +72674,7 @@ index 4b2878a..fe5913a 100644
userdom_change_password_template($1)
-@@ -736,72 +906,76 @@ template(`userdom_login_user_template', `
+@@ -736,72 +909,76 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -71620,46 +72745,46 @@ index 4b2878a..fe5913a 100644
- seutil_read_config($1_t)
+ seutil_read_config($1_usertype)
-+
-+ optional_policy(`
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
-+ ')
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ kerberos_use($1_usertype)
-+ kerberos_filetrans_home_content($1_usertype)
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
++ kerberos_use($1_usertype)
++ kerberos_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
++ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
++ ')
++
++ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
-@@ -833,6 +1007,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -71669,7 +72794,7 @@ index 4b2878a..fe5913a 100644
##############################
#
# Local policy
-@@ -874,45 +1051,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -71799,7 +72924,7 @@ index 4b2878a..fe5913a 100644
')
')
-@@ -947,7 +1197,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -71808,7 +72933,7 @@ index 4b2878a..fe5913a 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1206,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -71826,7 +72951,7 @@ index 4b2878a..fe5913a 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1231,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -71861,9 +72986,11 @@ index 4b2878a..fe5913a 100644
+
+ optional_policy(`
+ cron_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ games_rw_data($1_usertype)
+ ')
+
@@ -71885,11 +73012,9 @@ index 4b2878a..fe5913a 100644
+
+ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
+ ')
+
@@ -71908,7 +73033,7 @@ index 4b2878a..fe5913a 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -71919,7 +73044,7 @@ index 4b2878a..fe5913a 100644
')
')
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -71928,7 +73053,7 @@ index 4b2878a..fe5913a 100644
')
##############################
-@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -71936,7 +73061,7 @@ index 4b2878a..fe5913a 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -71946,7 +73071,7 @@ index 4b2878a..fe5913a 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -71954,7 +73079,7 @@ index 4b2878a..fe5913a 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -71968,7 +73093,7 @@ index 4b2878a..fe5913a 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1431,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -72011,7 +73136,7 @@ index 4b2878a..fe5913a 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1472,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -72020,7 +73145,7 @@ index 4b2878a..fe5913a 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1533,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -72029,7 +73154,7 @@ index 4b2878a..fe5913a 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1547,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -72040,7 +73165,7 @@ index 4b2878a..fe5913a 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1560,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -72069,7 +73194,7 @@ index 4b2878a..fe5913a 100644
')
optional_policy(`
-@@ -1251,12 +1588,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -72085,7 +73210,7 @@ index 4b2878a..fe5913a 100644
')
optional_policy(`
-@@ -1279,54 +1616,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -72167,14 +73292,13 @@ index 4b2878a..fe5913a 100644
##
##
##
-@@ -1334,9 +1683,46 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',`
##
##
#
-interface(`userdom_create_user_pty',`
+interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ attribute admindomain;
+ ')
+
@@ -72211,12 +73335,10 @@ index 4b2878a..fe5913a 100644
+##
+#
+interface(`userdom_create_user_pty',`
-+ gen_require(`
-+ type user_devpts_t;
+ gen_require(`
+ type user_devpts_t;
')
-
- term_create_pty($1, user_devpts_t)
-@@ -1395,6 +1781,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -72224,7 +73346,7 @@ index 4b2878a..fe5913a 100644
files_search_home($1)
')
-@@ -1441,6 +1828,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -72239,7 +73361,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1456,9 +1851,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -72251,7 +73373,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1515,6 +1912,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -72294,7 +73416,7 @@ index 4b2878a..fe5913a 100644
########################################
##
## Create directories in the home dir root with
-@@ -1589,6 +2022,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -72303,7 +73425,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1603,10 +2038,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -72318,7 +73440,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1649,6 +2086,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -72362,7 +73484,7 @@ index 4b2878a..fe5913a 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1668,6 +2142,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -72388,7 +73510,7 @@ index 4b2878a..fe5913a 100644
## Mmap user home files.
##
##
-@@ -1700,12 +2193,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -72421,7 +73543,7 @@ index 4b2878a..fe5913a 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2229,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -72439,7 +73561,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1779,6 +2295,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -72500,7 +73622,7 @@ index 4b2878a..fe5913a 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2380,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -72510,7 +73632,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1827,20 +2396,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -72535,7 +73657,7 @@ index 4b2878a..fe5913a 100644
########################################
##
-@@ -1941,6 +2504,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
##
@@ -72560,7 +73682,7 @@ index 4b2878a..fe5913a 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
-@@ -2008,7 +2589,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -72569,7 +73691,7 @@ index 4b2878a..fe5913a 100644
files_search_home($1)
')
-@@ -2039,7 +2620,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -72578,7 +73700,7 @@ index 4b2878a..fe5913a 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2182,7 +2763,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -72587,7 +73709,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -2390,7 +2971,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -72596,7 +73718,7 @@ index 4b2878a..fe5913a 100644
files_search_tmp($1)
')
-@@ -2435,13 +3016,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3019,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -72612,7 +73734,7 @@ index 4b2878a..fe5913a 100644
##
##
##
-@@ -2462,26 +3044,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3047,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -72639,7 +73761,7 @@ index 4b2878a..fe5913a 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2572,7 +3134,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3137,7 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -72648,7 +73770,7 @@ index 4b2878a..fe5913a 100644
##
##
##
-@@ -2580,70 +3142,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3145,138 @@ interface(`userdom_use_user_ttys',`
##
##
#
@@ -72816,7 +73938,7 @@ index 4b2878a..fe5913a 100644
########################################
##
## Execute a shell in all user domains. This
-@@ -2713,6 +3343,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3346,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -72841,7 +73963,7 @@ index 4b2878a..fe5913a 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3384,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3387,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -72866,7 +73988,7 @@ index 4b2878a..fe5913a 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3402,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3405,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -72892,7 +74014,7 @@ index 4b2878a..fe5913a 100644
########################################
##
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3463,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3466,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -72901,7 +74023,7 @@ index 4b2878a..fe5913a 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3479,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3482,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -72935,7 +74057,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -2972,7 +3567,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3570,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -72944,7 +74066,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -3027,7 +3622,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3625,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -72991,7 +74113,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -3064,6 +3697,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3700,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -72999,7 +74121,7 @@ index 4b2878a..fe5913a 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3776,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3779,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -73024,7 +74146,7 @@ index 4b2878a..fe5913a 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3194,3 +3846,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3849,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')