diff --git a/container-selinux.tgz b/container-selinux.tgz
index 3b80c6c..9a77d66 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a08c614..2127ca6 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -12724,7 +12724,7 @@ index b876c48ad..2e591a538 100644
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76ad..74a6d0a54 100644
+index f962f76ad..b36aea185 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13112,7 +13112,7 @@ index f962f76ad..74a6d0a54 100644
## Read all files.
##
##
-@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',`
+@@ -683,129 +960,261 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -13125,7 +13125,7 @@ index f962f76ad..74a6d0a54 100644
##
-## Read all directories on the filesystem, except
-## the listed exceptions.
-+## Read/Write all inherited non-security files.
++## Map all non-security files.
##
##
##
@@ -13141,21 +13141,21 @@ index f962f76ad..74a6d0a54 100644
+##
#
-interface(`files_read_all_dirs_except',`
-+interface(`files_rw_inherited_non_security_files',`
++interface(`files_map_non_security_files',`
gen_require(`
- attribute file_type;
+ attribute non_security_file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
-+ allow $1 non_security_file_type:file { read write };
++ allow $1 non_security_file_type:file map;
')
########################################
##
-## Read all files on the filesystem, except
-## the listed exceptions.
-+## Manage all non-security files.
++## Read/Write all inherited non-security files.
##
##
##
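Review bot: The new `files_map_non_security_files` interface grants `map` on every type carrying `non_security_file_type`, but neither its summary in the preceding hunk (`++## Map all non-security files.`) nor the body records that the rule covers only the `file` class and that `map` is checked in addition to the ordinary read/write/execute access, so a caller still needs something like `files_read_non_security_files` for a read-only mmap to succeed. Suggest expanding the summary to `## Map (mmap) all non-security files; the caller still needs the matching read/write/execute access.` so the rule reads as a complement to an existing grant rather than a standalone one. The rest of the `allow` line is consistent with the `gen_require` block, so only the documentation needs attention.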
@@ -13171,22 +13171,21 @@ index f962f76ad..74a6d0a54 100644
+##
#
-interface(`files_read_all_files_except',`
-+interface(`files_manage_non_security_files',`
++interface(`files_rw_inherited_non_security_files',`
gen_require(`
- attribute file_type;
+ attribute non_security_file_type;
')
- read_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++ allow $1 non_security_file_type:file { read write };
')
########################################
##
-## Read all symbolic links on the filesystem, except
-## the listed exceptions.
-+## Relabel all non-security files.
++## Manage all non-security files.
##
##
##
@@ -13202,13 +13201,37 @@ index f962f76ad..74a6d0a54 100644
+##
#
-interface(`files_read_all_symlinks_except',`
-+interface(`files_relabel_non_security_files',`
++interface(`files_manage_non_security_files',`
gen_require(`
- attribute file_type;
+ attribute non_security_file_type;
')
- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ manage_files_pattern($1, non_security_file_type, non_security_file_type)
++ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all symbolic links.
++## Relabel all non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_getattr_all_symlinks',`
++interface(`files_relabel_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- getattr_lnk_files_pattern($1, file_type, file_type)
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ allow $1 { non_security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
@@ -13225,47 +13248,45 @@ index f962f76ad..74a6d0a54 100644
########################################
##
--## Get the attributes of all symbolic links.
+-## Do not audit attempts to get the attributes
+-## of all symbolic links.
+## Search all base file dirs.
##
##
##
-@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
--interface(`files_getattr_all_symlinks',`
+-interface(`files_dontaudit_getattr_all_symlinks',`
+interface(`files_search_base_file_types',`
gen_require(`
- attribute file_type;
+ attribute base_file_type;
')
-- getattr_lnk_files_pattern($1, file_type, file_type)
+- dontaudit $1 file_type:lnk_file getattr;
+ allow $1 base_file_type:dir search_dir_perms;
')
########################################
##
--## Do not audit attempts to get the attributes
--## of all symbolic links.
+-## Do not audit attempts to read all symbolic links.
+## Relabel all base file types.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_symlinks',`
++##
++##
++#
+interface(`files_relabel_base_file_types',`
- gen_require(`
-- attribute file_type;
++ gen_require(`
+ attribute base_file_type;
- ')
-
-- dontaudit $1 file_type:lnk_file getattr;
++ ')
++
+ allow $1 base_file_type:dir list_dir_perms;
+ relabel_dirs_pattern($1, base_file_type , base_file_type )
+ relabel_files_pattern($1, base_file_type , base_file_type )
@@ -13274,17 +13295,15 @@ index f962f76ad..74a6d0a54 100644
+ relabel_sock_files_pattern($1, base_file_type , base_file_type )
+ relabel_blk_files_pattern($1, base_file_type , base_file_type )
+ relabel_chr_files_pattern($1, base_file_type , base_file_type )
- ')
-
- ########################################
- ##
--## Do not audit attempts to read all symbolic links.
++')
++
++########################################
++##
+## Read all directories on the filesystem, except
+## the listed exceptions.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
+##
+##
@@ -13400,7 +13419,7 @@ index f962f76ad..74a6d0a54 100644
##
##
#
-@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1362,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
##
@@ -13426,7 +13445,7 @@ index f962f76ad..74a6d0a54 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1419,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
@@ -13471,7 +13490,7 @@ index f962f76ad..74a6d0a54 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1539,12 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -13488,7 +13507,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',`
+@@ -1140,6 +1605,8 @@ interface(`files_manage_all_files',`
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
@@ -13497,7 +13516,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -1182,24 +1630,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1649,6 @@ interface(`files_list_all',`
########################################
##
@@ -13522,7 +13541,7 @@ index f962f76ad..74a6d0a54 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',`
+@@ -1444,8 +1893,8 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -13533,7 +13552,7 @@ index f962f76ad..74a6d0a54 100644
')
#############################################
-@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2050,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -13558,7 +13577,7 @@ index f962f76ad..74a6d0a54 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,6 +2139,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2158,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -13583,7 +13602,7 @@ index f962f76ad..74a6d0a54 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1703,104 +2169,233 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1703,81 +2188,210 @@ interface(`files_dontaudit_write_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
@@ -13681,32 +13700,17 @@ index f962f76ad..74a6d0a54 100644
-## The type of the object to be created.
-##
-##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_root_filetrans',`
++#
+interface(`files_rmdir_all_dirs',`
- gen_require(`
-- type root_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- filetrans_pattern($1, root_t, $2, $3, $4)
++ ')
++
+ allow $1 file_type:dir rmdir;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read files in
--## the root directory.
++')
++
++########################################
++##
+## Write all file type directories.
+##
+##
@@ -13831,33 +13835,10 @@ index f962f76ad..74a6d0a54 100644
+## The type of the object to be created.
+##
+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_root_filetrans',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ filetrans_pattern($1, root_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read files in
-+## the root directory.
- ##
- ##
+ ##
##
-@@ -1892,25 +2487,25 @@ interface(`files_delete_root_dir_entry',`
+ ## The object class of the object being created.
+@@ -1892,25 +2506,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -13889,7 +13870,7 @@ index f962f76ad..74a6d0a54 100644
##
##
##
-@@ -1923,7 +2518,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2537,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -13898,7 +13879,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -1946,6 +2541,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2560,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -13941,7 +13922,7 @@ index f962f76ad..74a6d0a54 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2812,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2831,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -13966,7 +13947,7 @@ index f962f76ad..74a6d0a54 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2557,6 +3206,24 @@ interface(`files_read_default_pipes',`
+@@ -2557,6 +3225,24 @@ interface(`files_read_default_pipes',`
########################################
##
@@ -13991,7 +13972,7 @@ index f962f76ad..74a6d0a54 100644
## Search the contents of /etc directories.
##
##
-@@ -2645,6 +3312,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3331,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -14016,7 +13997,7 @@ index f962f76ad..74a6d0a54 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3401,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3420,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -14024,7 +14005,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -2724,7 +3410,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3429,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -14033,7 +14014,7 @@ index f962f76ad..74a6d0a54 100644
##
##
#
-@@ -2780,6 +3466,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3485,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -14059,7 +14040,7 @@ index f962f76ad..74a6d0a54 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3503,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3522,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -14084,7 +14065,7 @@ index f962f76ad..74a6d0a54 100644
## Execute generic files in /etc.
##
##
-@@ -2963,26 +3686,8 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3705,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -14106,14 +14087,10 @@ index f962f76ad..74a6d0a54 100644
-
-########################################
-##
--## Read files in /etc that are dynamically
--## created on boot, such as mtab.
-+## Read files in /etc that are dynamically
-+## created on boot, such as mtab.
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
##
- ##
- ##
-@@ -3021,9 +3726,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3745,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -14124,7 +14101,7 @@ index f962f76ad..74a6d0a54 100644
##
##
##
-@@ -3031,18 +3734,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3753,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -14146,7 +14123,7 @@ index f962f76ad..74a6d0a54 100644
##
##
##
-@@ -3060,6 +3762,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3781,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -14173,7 +14150,7 @@ index f962f76ad..74a6d0a54 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3799,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3818,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -14181,7 +14158,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3098,6 +3821,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3840,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -14189,7 +14166,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3142,10 +3866,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3885,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -14240,7 +14217,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3161,10 +3923,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3942,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -14253,7 +14230,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3180,10 +3942,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3961,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -14266,7 +14243,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3199,10 +3961,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3980,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -14279,7 +14256,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3218,10 +3980,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3999,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -14348,7 +14325,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3237,10 +4055,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4074,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -14361,7 +14338,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3256,10 +4074,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4093,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -14393,7 +14370,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3275,10 +4112,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4131,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -14406,7 +14383,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3294,10 +4131,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4150,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -14419,7 +14396,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3313,10 +4150,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4169,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -14432,7 +14409,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3332,10 +4169,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4188,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -14445,7 +14422,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3351,10 +4188,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4207,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -14458,7 +14435,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3370,10 +4207,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4226,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -14471,7 +14448,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3389,10 +4226,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4245,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -14484,7 +14461,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3408,10 +4245,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4264,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -14497,7 +14474,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3427,10 +4264,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4283,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -14510,7 +14487,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3446,10 +4283,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4302,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -14523,7 +14500,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3465,10 +4302,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4321,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -14555,7 +14532,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3484,10 +4340,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4359,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -14568,7 +14545,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3503,10 +4359,29 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4378,29 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -14600,7 +14577,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3552,6 +4427,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4446,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -14628,7 +14605,7 @@ index f962f76ad..74a6d0a54 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4710,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4729,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -14672,7 +14649,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -3921,6 +4835,45 @@ interface(`files_read_mnt_symlinks',`
+@@ -3921,6 +4854,45 @@ interface(`files_read_mnt_symlinks',`
read_lnk_files_pattern($1, mnt_t, mnt_t)
')
@@ -14718,7 +14695,7 @@ index f962f76ad..74a6d0a54 100644
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
-@@ -4012,6 +4965,7 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4984,7 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -14726,7 +14703,7 @@ index f962f76ad..74a6d0a54 100644
')
########################################
-@@ -4217,48 +5171,235 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5190,292 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -14798,18 +14775,26 @@ index f962f76ad..74a6d0a54 100644
-## Do not audit attempts to get the
-## attributes of the tmp directory (/tmp).
+## File name transition for system configuration files in /etc.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t, usr_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir getattr;
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -14830,28 +14815,40 @@ index f962f76ad..74a6d0a54 100644
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
+ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- allow $1 tmp_t:dir search_dir_perms;
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Do not audit attempts to search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
+##
+##
@@ -14926,8 +14923,8 @@ index f962f76ad..74a6d0a54 100644
+#####################################
+##
+## File name transition for system db files in /var/lib.
-+##
-+##
+ ##
+ ##
+##
+## Domain allowed access.
+##
@@ -14949,121 +14946,206 @@ index f962f76ad..74a6d0a54 100644
+## temporary directory (/tmp).
+##
+##
-+##
+ ##
+-## Domain to not audit.
+## Type of the file to associate.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_tmp',`
+interface(`files_associate_tmp',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
+ gen_require(`
+ type tmp_t;
+ ')
+
+- dontaudit $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:filesystem associate;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read the tmp directory (/tmp).
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
-+##
+ ##
+-##
+##
-+##
+ ##
+-## Domain allowed access.
+## Type of the file to associate.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_list_tmp',`
+interface(`files_associate_rootfs',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type root_t;
-+ ')
-+
+ ')
+
+- allow $1 tmp_t:dir list_dir_perms;
+ allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit listing of the tmp directory (/tmp).
+## Get the attributes of the tmp directory (/tmp).
##
##
##
-@@ -4266,6 +5407,45 @@ interface(`files_getattr_tmp_dirs',`
+-## Domain not to audit.
++## Domain allowed access.
##
##
#
+-interface(`files_dontaudit_list_tmp',`
+interface(`files_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
+ gen_require(`
+ type tmp_t;
+ ')
+
+- dontaudit $1 tmp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Remove entries from the tmp directory.
+## Do not audit attempts to check the
+## access on tmp files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_dontaudit_access_check_tmp',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type etc_t;
-+ ')
-+
+ ')
+
+- allow $1 tmp_t:dir del_entry_dir_perms;
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read files in the tmp directory (/tmp).
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
- interface(`files_dontaudit_getattr_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
-@@ -4289,6 +5469,8 @@ interface(`files_search_tmp',`
+ ')
+
+- read_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir getattr;
+ ')
+
+ ########################################
+ ##
+-## Manage temporary directories in /tmp.
++## Search the tmp directory (/tmp).
+ ##
+ ##
+ ##
+@@ -4392,35 +5483,37 @@ interface(`files_read_generic_tmp_files',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_tmp_dirs',`
++interface(`files_search_tmp',`
+ gen_require(`
type tmp_t;
')
+- manage_dirs_pattern($1, tmp_t, tmp_t)
+ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir search_dir_perms;
++ allow $1 tmp_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Manage temporary files and directories in /tmp.
++## Do not audit attempts to search the tmp directory (/tmp).
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_dontaudit_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- manage_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5507,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ##
+-## Read symbolic links in the tmp directory (/tmp).
++## Read the tmp directory (/tmp).
+ ##
+ ##
+ ##
+@@ -4428,35 +5521,55 @@ interface(`files_manage_generic_tmp_files',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_list_tmp',`
+ gen_require(`
type tmp_t;
')
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5517,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ##
+-## Read and write generic named sockets in the tmp directory (/tmp).
++## Do not audit listing of the tmp directory (/tmp).
##
##
##
--## Domain not to audit.
+-## Domain allowed access.
+## Domain to not audit.
##
##
#
-@@ -4346,6 +5529,25 @@ interface(`files_dontaudit_list_tmp',`
- dontaudit $1 tmp_t:dir list_dir_perms;
- ')
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_list_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+- rw_sock_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir list_dir_perms;
++')
++
+#######################################
+##
+## Allow read and write to the tmp directory (/tmp).
@@ -15081,25 +15163,85 @@ index f962f76ad..74a6d0a54 100644
+
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
+ ')
+
########################################
##
- ## Remove entries from the tmp directory.
-@@ -4361,6 +5563,7 @@ interface(`files_delete_tmp_dir_entry',`
- type tmp_t;
+-## Set the attributes of all tmp directories.
++## Remove entries from the tmp directory.
+ ##
+ ##
+ ##
+@@ -4464,17 +5577,18 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
')
+- allow $1 tmpfile:dir { search_dir_perms setattr };
+ files_search_tmp($1)
- allow $1 tmp_t:dir del_entry_dir_perms;
++ allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## List all tmp directories.
++## Read files in the tmp directory (/tmp).
+ ##
+ ##
+ ##
+@@ -4482,59 +5596,61 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_read_generic_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ read_files_pattern($1, tmp_t, tmp_t)
')
-@@ -4402,6 +5605,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ##
+-## Relabel to and from all temporary
+-## directory types.
++## Manage temporary directories in /tmp.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_manage_generic_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
+- type var_t;
++ type tmp_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
++ manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
########################################
##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
+## Allow shared library text relocations in tmp files.
-+##
+ ##
+##
+##
+## Allow shared library text relocations in tmp files.
@@ -15108,91 +15250,1902 @@ index f962f76ad..74a6d0a54 100644
+## This is added to support java policy.
+##
+##
-+##
-+##
+ ##
+ ##
+-## Domain not to audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
+interface(`files_execmod_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- dontaudit $1 tmpfile:file getattr;
+ allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+##
- ## Manage temporary files and directories in /tmp.
+ ')
+
+ ########################################
+ ##
+-## Allow attempts to get the attributes
+-## of all tmp files.
++## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,6 +5685,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##
+@@ -4542,58 +5658,53 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##
+ ##
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_manage_generic_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:file getattr;
++ manage_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
##
-+## Relabel a dir from the type used in /tmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_tmp_dirs',`
-+ gen_require(`
+-## Relabel to and from all temporary
+-## file types.
++## Read symbolic links in the tmp directory (/tmp).
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+- attribute tmpfile;
+- type var_t;
+ type tmp_t;
-+ ')
-+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
-+## Relabel a file from the type used in /tmp.
-+##
-+##
-+##
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_files_pattern($1, tmpfile, tmpfile)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp sock_file.
++## Read and write generic named sockets in the tmp directory (/tmp).
+ ##
+ ##
+ ##
+-## Domain not to audit.
+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_tmp_files',`
-+ gen_require(`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_rw_generic_tmp_sockets',`
+ gen_require(`
+- attribute tmpfile;
+ type tmp_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
- ## Set the attributes of all tmp directories.
+ ')
+
+- dontaudit $1 tmpfile:sock_file getattr;
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Read all tmp files.
++## Relabel a dir from the type used in /tmp.
##
##
-@@ -4474,6 +5739,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##
+@@ -4601,51 +5712,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`files_read_all_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- read_files_pattern($1, tmpfile, tmpfile)
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
########################################
##
-+## Allow caller to read inherited tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_inherited_tmp_files',`
+-## Create an object in the tmp directories, with a private
+-## type using a type transition.
++## Relabel a file from the type used in /tmp.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- filetrans_pattern($1, tmp_t, $2, $3, $4)
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Delete the contents of /tmp.
++## Set the attributes of all tmp directories.
+ ##
+ ##
+ ##
+@@ -4653,22 +5748,17 @@ interface(`files_tmp_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_purge_tmp',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
+- delete_dirs_pattern($1, tmpfile, tmpfile)
+- delete_files_pattern($1, tmpfile, tmpfile)
+- delete_lnk_files_pattern($1, tmpfile, tmpfile)
+- delete_fifo_files_pattern($1, tmpfile, tmpfile)
+- delete_sock_files_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the /usr directory.
++## Allow caller to read inherited tmp files.
+ ##
+ ##
+ ##
+@@ -4676,17 +5766,17 @@ interface(`files_purge_tmp',`
+ ##
+ ##
+ #
+-interface(`files_setattr_usr_dirs',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir setattr;
++ allow $1 tmpfile:file { append open read_inherited_file_perms };
+ ')
+
+ ########################################
+ ##
+-## Search the content of /usr.
++## Allow caller to append inherited tmp files.
+ ##
+ ##
+ ##
+@@ -4694,18 +5784,17 @@ interface(`files_setattr_usr_dirs',`
+ ##
+ ##
+ #
+-interface(`files_search_usr',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir search_dir_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## List the contents of generic
+-## directories in /usr.
++## Allow caller to read and write inherited tmp files.
+ ##
+ ##
+ ##
+@@ -4713,54 +5802,58 @@ interface(`files_search_usr',`
+ ##
+ ##
+ #
+-interface(`files_list_usr',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit write of /usr dirs
++## List all tmp directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:dir write;
++ allow $1 tmpfile:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Add and remove entries from /usr directories.
++## Relabel to and from all temporary
++## directory types.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_rw_usr_dirs',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
+- allow $1 usr_t:dir rw_dir_perms;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to add and remove
+-## entries from /usr directories.
++## Do not audit attempts to get the attributes
++## of all tmp files.
+ ##
+ ##
+ ##
+@@ -4768,17 +5861,18 @@ interface(`files_rw_usr_dirs',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:dir rw_dir_perms;
++ dontaudit $1 tmpfile:file getattr;
+ ')
+
+ ########################################
+ ##
+-## Delete generic directories in /usr in the caller domain.
++## Allow attempts to get the attributes
++## of all tmp files.
+ ##
+ ##
+ ##
+@@ -4786,111 +5880,96 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ##
+ ##
+ #
+-interface(`files_delete_usr_dirs',`
++interface(`files_getattr_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- delete_dirs_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file getattr;
+ ')
+
+ ########################################
+ ##
+-## Delete generic files in /usr in the caller domain.
++## Relabel to and from all temporary
++## file types.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_delete_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
+- delete_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of files in /usr.
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_getattr_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- getattr_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:sock_file getattr;
+ ')
+
+ ########################################
+ ##
+-## Read generic files in /usr.
++## Read all tmp files.
+ ##
+-##
+-##
+-## Allow the specified domain to read generic
+-## files in /usr. These files are various program
+-## files that do not have more specific SELinux types.
+-## Some examples of these files are:
+-##
+-##
+-## - /usr/include/*
+-## - /usr/share/doc/*
+-## - /usr/share/info/*
+-##
+-##
+-## Generally, it is safe for many domains to have
+-## this access.
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_read_usr_files',`
++interface(`files_read_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
+- read_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ read_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
+-## Execute generic programs in /usr in the caller domain.
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
+- exec_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## dontaudit write of /usr files
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
+ ##
+ ##
+ ##
+@@ -4898,35 +5977,51 @@ interface(`files_exec_usr_files',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_usr_files',`
++interface(`files_rw_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:file write;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files in the /usr directory.
++## Create an object in the tmp directories, with a private
++## type using a type transition.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`files_manage_usr_files',`
++interface(`files_tmp_filetrans',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- manage_files_pattern($1, usr_t, usr_t)
++ filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Relabel a file to the type used in /usr.
++## Delete the contents of /tmp.
+ ##
+ ##
+ ##
+@@ -4934,17 +6029,32 @@ interface(`files_manage_usr_files',`
+ ##
+ ##
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_purge_tmp',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- relabelto_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:dir list_dir_perms;
++ delete_dirs_pattern($1, tmpfile, tmpfile)
++ delete_files_pattern($1, tmpfile, tmpfile)
++ delete_lnk_files_pattern($1, tmpfile, tmpfile)
++ delete_fifo_files_pattern($1, tmpfile, tmpfile)
++ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+ ##
+-## Relabel a file from the type used in /usr.
++## Set the attributes of the /usr directory.
+ ##
+ ##
+ ##
+@@ -4952,17 +6062,17 @@ interface(`files_relabelto_usr_files',`
+ ##
+ ##
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_setattr_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+- relabelfrom_files_pattern($1, usr_t, usr_t)
++ allow $1 usr_t:dir setattr;
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links in /usr.
++## Search the content of /usr.
+ ##
+ ##
+ ##
+@@ -4970,50 +6080,36 @@ interface(`files_relabelfrom_usr_files',`
+ ##
+ ##
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_search_usr',`
+ gen_require(`
+ type usr_t;
+ ')
+
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 usr_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Create objects in the /usr directory
++## List the contents of generic
++## directories in /usr.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created
+-##
+-##
+-##
+-##
+-## The object class.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_list_usr',`
+ gen_require(`
+ type usr_t;
+ ')
+
+- filetrans_pattern($1, usr_t, $2, $3, $4)
++ allow $1 usr_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search /usr/src.
++## Do not audit write of /usr dirs
+ ##
+ ##
+ ##
+@@ -5021,17 +6117,17 @@ interface(`files_usr_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_dontaudit_write_usr_dirs',`
+ gen_require(`
+- type src_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 src_t:dir search_dir_perms;
++ dontaudit $1 usr_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of files in /usr/src.
++## Add and remove entries from /usr directories.
+ ##
+ ##
+ ##
+@@ -5039,41 +6135,36 @@ interface(`files_dontaudit_search_src',`
+ ##
+ ##
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_rw_usr_dirs',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- getattr_files_pattern($1, src_t, src_t)
+-
+- # /usr/src/linux symlink:
+- read_lnk_files_pattern($1, usr_t, src_t)
++ allow $1 usr_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read files in /usr/src.
++## Do not audit attempts to add and remove
++## entries from /usr directories.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- allow $1 usr_t:dir search_dir_perms;
+- read_files_pattern($1, { usr_t src_t }, src_t)
+- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+- allow $1 src_t:dir list_dir_perms;
++ dontaudit $1 usr_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Execute programs in /usr/src in the caller domain.
++## Delete generic directories in /usr in the caller domain.
+ ##
+ ##
+ ##
+@@ -5081,19 +6172,17 @@ interface(`files_read_usr_src_files',`
+ ##
+ ##
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_delete_usr_dirs',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- list_dirs_pattern($1, usr_t, src_t)
+- exec_files_pattern($1, src_t, src_t)
+- read_lnk_files_pattern($1, src_t, src_t)
++ delete_dirs_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Install a system.map into the /boot directory.
++## Delete generic files in /usr in the caller domain.
+ ##
+ ##
+ ##
+@@ -5101,18 +6190,17 @@ interface(`files_exec_usr_src_files',`
+ ##
+ ##
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_delete_usr_files',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+- allow $1 system_map_t:file { create_file_perms rw_file_perms };
++ delete_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Read system.map in the /boot directory.
++## Map files in /usr in the caller domain.
+ ##
+ ##
+ ##
+@@ -5120,18 +6208,17 @@ interface(`files_create_kernel_symbol_table',`
+ ##
+ ##
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_mmap_usr_files',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir list_dir_perms;
+- read_files_pattern($1, boot_t, system_map_t)
++ allow $1 usr_t:file map;
+ ')
+
+ ########################################
+ ##
+-## Delete a system.map in the /boot directory.
++## Get the attributes of files in /usr.
+ ##
+ ##
+ ##
+@@ -5139,54 +6226,55 @@ interface(`files_read_kernel_symbol_table',`
+ ##
+ ##
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_getattr_usr_files',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir list_dir_perms;
+- delete_files_pattern($1, boot_t, system_map_t)
++ getattr_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Search the contents of /var.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`files_search_var',`
+- gen_require(`
+- type var_t;
+- ')
+-
+- allow $1 var_t:dir search_dir_perms;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to write to /var.
++## Read generic files in /usr.
+ ##
++##
++##
++## Allow the specified domain to read generic
++## files in /usr. These files are various program
++## files that do not have more specific SELinux types.
++## Some examples of these files are:
++##
++##
++## - /usr/include/*
++## - /usr/share/doc/*
++## - /usr/share/info/*
++##
++##
++## Generally, it is safe for many domains to have
++## this access.
++##
++##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_read_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:dir write;
++ allow $1 usr_t:dir list_dir_perms;
++ read_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Allow attempts to write to /var.dirs
++## Execute generic programs in /usr in the caller domain.
+ ##
+ ##
+ ##
+@@ -5194,18 +6282,19 @@ interface(`files_dontaudit_write_var_dirs',`
+ ##
+ ##
+ #
+-interface(`files_write_var_dirs',`
++interface(`files_exec_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir write;
++ allow $1 usr_t:dir list_dir_perms;
++ exec_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search
+-## the contents of /var.
++## dontaudit write of /usr files
+ ##
+ ##
+ ##
+@@ -5213,17 +6302,17 @@ interface(`files_write_var_dirs',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_var',`
++interface(`files_dontaudit_write_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:dir search_dir_perms;
++ dontaudit $1 usr_t:file write;
+ ')
+
+ ########################################
+ ##
+-## List the contents of /var.
++## Create, read, write, and delete files in the /usr directory.
+ ##
+ ##
+ ##
+@@ -5231,18 +6320,17 @@ interface(`files_dontaudit_search_var',`
+ ##
+ ##
+ #
+-interface(`files_list_var',`
++interface(`files_manage_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir list_dir_perms;
++ manage_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete directories
+-## in the /var directory.
++## Relabel a file to the type used in /usr.
+ ##
+ ##
+ ##
+@@ -5250,17 +6338,17 @@ interface(`files_list_var',`
+ ##
+ ##
+ #
+-interface(`files_manage_var_dirs',`
++interface(`files_relabelto_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir manage_dir_perms;
++ relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Read files in the /var directory.
++## Relabel a file from the type used in /usr.
+ ##
+ ##
+ ##
+@@ -5268,17 +6356,17 @@ interface(`files_manage_var_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- read_files_pattern($1, var_t, var_t)
++ relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Append files in the /var directory.
++## Read symbolic links in /usr.
+ ##
+ ##
+ ##
+@@ -5286,36 +6374,50 @@ interface(`files_read_var_files',`
+ ##
+ ##
+ #
+-interface(`files_append_var_files',`
++interface(`files_read_usr_symlinks',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- append_files_pattern($1, var_t, var_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write files in the /var directory.
++## Create objects in the /usr directory
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`files_rw_var_files',`
++interface(`files_usr_filetrans',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- rw_files_pattern($1, var_t, var_t)
++ filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write
+-## files in the /var directory.
++## Do not audit attempts to search /usr/src.
+ ##
+ ##
+ ##
+@@ -5323,17 +6425,17 @@ interface(`files_rw_var_files',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_dontaudit_search_src',`
+ gen_require(`
+- type var_t;
++ type src_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 src_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files in the /var directory.
++## Get the attributes of files in /usr/src.
+ ##
+ ##
+ ##
+@@ -5341,17 +6443,20 @@ interface(`files_dontaudit_rw_var_files',`
+ ##
+ ##
+ #
+-interface(`files_manage_var_files',`
++interface(`files_getattr_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- manage_files_pattern($1, var_t, var_t)
++ getattr_files_pattern($1, src_t, src_t)
++
++ # /usr/src/linux symlink:
++ read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links in the /var directory.
++## Read files in /usr/src.
+ ##
+ ##
+ ##
+@@ -5359,18 +6464,20 @@ interface(`files_manage_var_files',`
+ ##
+ ##
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_read_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- read_lnk_files_pattern($1, var_t, var_t)
++ allow $1 usr_t:dir search_dir_perms;
++ read_files_pattern($1, { usr_t src_t }, src_t)
++ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++ allow $1 src_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete symbolic
+-## links in the /var directory.
++## Execute programs in /usr/src in the caller domain.
+ ##
+ ##
+ ##
+@@ -5378,50 +6485,75 @@ interface(`files_read_var_symlinks',`
+ ##
+ ##
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_exec_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- manage_lnk_files_pattern($1, var_t, var_t)
++ list_dirs_pattern($1, usr_t, src_t)
++ exec_files_pattern($1, src_t, src_t)
++ read_lnk_files_pattern($1, src_t, src_t)
+ ')
+
+ ########################################
+ ##
+-## Create objects in the /var directory
++## Install a system.map into the /boot directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created
+-##
+-##
+-##
++#
++interface(`files_create_kernel_symbol_table',`
++ gen_require(`
++ type boot_t, system_map_t;
++ ')
++
++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++ allow $1 system_map_t:file { create_file_perms rw_file_perms };
++')
++
++########################################
++##
++## Dontaudit getattr attempts on the system.map file
++##
++##
+ ##
+-## The object class.
++## Domain to not audit.
+ ##
+ ##
+-##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
++## Read system.map in the /boot directory.
++##
++##
+ ##
+-## The name of the object being created.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_kernel_symbol_table',`
+ gen_require(`
+- type var_t;
++ type boot_t, system_map_t;
+ ')
+
+- filetrans_pattern($1, var_t, $2, $3, $4)
++ allow $1 boot_t:dir list_dir_perms;
++ read_files_pattern($1, boot_t, system_map_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of the /var/lib directory.
++## Delete a system.map in the /boot directory.
+ ##
+ ##
+ ##
+@@ -5429,69 +6561,54 @@ interface(`files_var_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_delete_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- getattr_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir list_dir_perms;
++ delete_files_pattern($1, boot_t, system_map_t)
+ ')
+
+ ########################################
+ ##
+-## Search the /var/lib directory.
++## Search the contents of /var.
+ ##
+-##
+-##
+-## Search the /var/lib directory. This is
+-## necessary to access files or directories under
+-## /var/lib that have a private type. For example, a
+-## domain accessing a private library file in the
+-## /var/lib directory:
+-##
+-##
+-## allow mydomain_t mylibfile_t:file read_file_perms;
+-## files_search_var_lib(mydomain_t)
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_search_var_lib',`
++interface(`files_search_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- search_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 var_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search the
+-## contents of /var/lib.
++## Do not audit attempts to write to /var.
+ ##
+ ##
+ ##
+ ## Domain to not audit.
+ ##
+ ##
+-##
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_dontaudit_write_var_dirs',`
+ gen_require(`
+- type var_lib_t;
++ type var_t;
+ ')
+
+- dontaudit $1 var_lib_t:dir search_dir_perms;
++ dontaudit $1 var_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## List the contents of the /var/lib directory.
++## Allow attempts to write to /var.dirs
+ ##
+ ##
+ ##
+@@ -5499,88 +6616,73 @@ interface(`files_dontaudit_search_var_lib',`
+ ##
+ ##
+ #
+-interface(`files_list_var_lib',`
++interface(`files_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 var_t:dir write;
+ ')
+
+-###########################################
++########################################
+ ##
+-## Read-write /var/lib directories
++## Do not audit attempts to search
++## the contents of /var.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_dontaudit_search_var',`
+ gen_require(`
+- type var_lib_t;
++ type var_t;
+ ')
+
+- rw_dirs_pattern($1, var_lib_t, var_lib_t)
++ dontaudit $1 var_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Create objects in the /var/lib directory
++## List the contents of /var.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created
+-##
+-##
+-##
+-##
+-## The object class.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_list_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lib_t, $2, $3, $4)
++ allow $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read generic files in /var/lib.
++## Do not audit listing of the var directory (/var).
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_dontaudit_list_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_lib_t:dir list_dir_perms;
+- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read generic symbolic links in /var/lib
++## Create, read, write, and delete directories
++## in the /var directory.
+ ##
+ ##
+ ##
+@@ -5588,21 +6690,17 @@ interface(`files_read_var_lib_files',`
+ ##
+ ##
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_t:dir manage_dir_perms;
+ ')
+
+-# cjp: the next two interfaces really need to be fixed
+-# in some way. They really neeed their own types.
+-
+ ########################################
+ ##
+-## Create, read, write, and delete the
+-## pseudorandom number generator seed.
++## Read files in the /var directory.
+ ##
+ ##
+ ##
+@@ -5610,19 +6708,17 @@ interface(`files_read_var_lib_symlinks',`
+ ##
+ ##
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_read_var_files',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ read_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Allow domain to manage mount tables
+-## necessary for rpcd, nfsd, etc.
++## Append files in the /var directory.
+ ##
+ ##
+ ##
+@@ -5630,18 +6726,17 @@ interface(`files_manage_urandom_seed',`
+ ##
+ ##
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_append_var_files',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ append_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
++## Read and write files in the /var directory.
+ ##
+ ##
+ ##
+@@ -5649,56 +6744,54 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ rw_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Search the locks directory (/var/lock).
++## Do not audit attempts to read and write
++## files in the /var directory.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_search_locks',`
++interface(`files_dontaudit_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_lock_t)
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search the
+-## locks directory (/var/lock).
++## Create, read, write, and delete files in the /var directory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_manage_var_files',`
+ gen_require(`
+- type var_lock_t;
++ type var_t;
+ ')
+
+- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_lock_t:dir search_dir_perms;
++ manage_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## List generic lock directories.
++## Read symbolic links in the /var directory.
+ ##
+ ##
+ ##
+@@ -5706,19 +6799,18 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
++interface(`files_read_var_symlinks',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ read_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Add and remove entries in the /var/lock
+-## directories.
++## Create, read, write, and delete symbolic
++## links in the /var directory.
+ ##
+ ##
+ ##
+@@ -5726,60 +6818,68 @@ interface(`files_list_locks',`
+ ##
+ ##
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_manage_var_symlinks',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- rw_dirs_pattern($1, var_t, var_lock_t)
++ manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Create lock directories
++## Create objects in the /var directory
+ ##
+ ##
+-##
+-## Domain allowed access
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
+ ##
+ ##
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_var_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- create_dirs_pattern($1, var_lock_t, var_lock_t)
++ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
++
+ ########################################
+ ##
+-## Relabel to and from all lock directory types.
++## Relabel dirs in the /var directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_relabel_var_dirs',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- relabel_dirs_pattern($1, lockfile, lockfile)
++ allow $1 var_t:dir relabel_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
++## Get the attributes of the /var/lib directory.
+ ##
+ ##
+ ##
+@@ -5787,84 +6887,87 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 var_lock_t:dir list_dir_perms;
+- getattr_files_pattern($1, var_lock_t, var_lock_t)
++ getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Delete generic lock files.
++## Search the /var/lib directory.
+ ##
++##
++##
++## Search the /var/lib directory. This is
++## necessary to access files or directories under
++## /var/lib that have a private type. For example, a
++## domain accessing a private library file in the
++## /var/lib directory:
++##
++##
++## allow mydomain_t mylibfile_t:file read_file_perms;
++## files_search_var_lib(mydomain_t)
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_search_var_lib',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## lock files.
++## Do not audit attempts to search the
++## contents of /var/lib.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
++##
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, var_lock_t, var_lock_t)
++ dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all lock files.
++## List the contents of the /var/lib directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_list_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, lockfile, lockfile)
++ list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+-########################################
++###########################################
+ ##
+-## Read all lock files.
++## Read-write /var/lib directories
+ ##
+ ##
+ ##
+@@ -5872,22 +6975,17 @@ interface(`files_delete_all_locks',`
+ ##
+ ##
+ #
+-interface(`files_read_all_locks',`
++interface(`files_rw_var_lib_dirs',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- allow $1 lockfile:dir list_dir_perms;
+- read_files_pattern($1, lockfile, lockfile)
+- read_lnk_files_pattern($1, lockfile, lockfile)
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## manage all lock files.
++## Create directories in /var/lib
+ ##
+ ##
+ ##
+@@ -5895,37 +6993,32 @@ interface(`files_read_all_locks',`
+ ##
+ ##
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_create_var_lib_dirs',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- manage_dirs_pattern($1, lockfile, lockfile)
+- manage_files_pattern($1, lockfile, lockfile)
+- manage_lnk_files_pattern($1, lockfile, lockfile)
++ allow $1 var_lib_t:dir { create rw_dir_perms };
+ ')
+
++
+ ########################################
+ ##
+-## Create an object in the locks directory, with a private
+-## type using a type transition.
++## Create objects in the /var/lib directory
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++##
+ ##
+-## The type of the object to be created.
++## The type of the object to be created
+ ##
+ ##
+-##
++##
+ ##
+-## The object class of the object being created.
++## The object class.
+ ##
+ ##
+ ##
+@@ -5934,20 +7027,1283 @@ interface(`files_manage_all_locks',`
+ ##
+ ##
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_var_lib_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
++## Read generic files in /var/lib.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_var_lib_files',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_t, var_lib_t;
+ ')
+
-+ allow $1 tmpfile:file { append open read_inherited_file_perms };
++ allow $1 var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
+########################################
+##
-+## Allow caller to append inherited tmp files.
++## Read generic symbolic links in /var/lib
+##
+##
+##
@@ -15200,17 +17153,18 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_read_var_lib_symlinks',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_t, var_lib_t;
+ ')
+
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
+########################################
+##
-+## Allow caller to read and write inherited tmp files.
++## manage generic symbolic links
++## in the /var/lib directory.
+##
+##
+##
@@ -15218,127 +17172,96 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_manage_var_lib_symlinks',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_lib_t;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+')
+
++# cjp: the next two interfaces really need to be fixed
++# in some way. They really neeed their own types.
++
+########################################
+##
- ## List all tmp directories.
- ##
- ##
-@@ -4519,7 +5838,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4579,7 +5898,7 @@ interface(`files_relabel_all_tmp_files',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4611,20 +5930,58 @@ interface(`files_read_all_tmp_files',`
-
- ########################################
- ##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
-+## Domain to not audit.
- ##
- ##
--##
++## Create, read, write, and delete the
++## pseudorandom number generator seed.
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
-+interface(`files_dontaudit_tmp_file_leaks',`
++interface(`files_manage_urandom_seed',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_t, var_lib_t;
+ ')
+
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
+')
+
++
+########################################
+##
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
++## Relabel to dirs in the /var/lib directory.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_rw_tmp_file_leaks',`
++interface(`files_relabelto_var_lib_dirs',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_lib_t;
+ ')
-+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 var_lib_t:dir relabelto;
+')
+
++
+########################################
+##
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
++## Relabel dirs in the /var/lib directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
++#
++interface(`files_relabel_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir relabel_dir_perms;
++')
++
++########################################
++##
++## Allow domain to manage mount tables
++## necessary for rpcd, nfsd, etc.
++##
++##
+##
-+## The type of the object to be created.
++## Domain allowed access.
+##
+##
-+##
- ##
- ## The object class of the object being created.
- ##
-@@ -4664,6 +6021,16 @@ interface(`files_purge_tmp',`
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
-@@ -4814,6 +6181,24 @@ interface(`files_delete_usr_files',`
-
- ########################################
- ##
-+## Map files in /usr in the caller domain.
++#
++interface(`files_manage_mounttab',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++##
++## List generic lock directories.
+##
+##
+##
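Review bot: `files_manage_urandom_seed` and `files_manage_mounttab` both end in `manage_files_pattern($1, var_lib_t, var_lib_t)`, which hands the caller create/write/unlink over every generic var_lib_t file rather than just the seed or the mount tables their summaries name; the retained `cjp` comment acknowledges this, but a policy author reading only the interface summary will not see it. I would add `## Currently grants full manage access to all generic var_lib_t files, not only the named object.` to each of those summary blocks so the over-grant is visible where callers look. Separately, `manage_lnk_files_pattern($1,var_lib_t,var_lib_t)` in `files_manage_var_lib_symlinks` should be `manage_lnk_files_pattern($1, var_lib_t, var_lib_t)` to match the argument spacing used everywhere else in the file, and `files_relabelto_var_lib_dirs` lacks the blank line between `')` and its `allow` that the neighbouring interfaces have.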
@@ -15346,49 +17269,39 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_mmap_usr_files',`
++interface(`files_list_locks',`
+ gen_require(`
-+ type usr_t;
++ type var_t, var_lock_t;
+ ')
+
-+ allow $1 usr_t:file map;
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+##
- ## Get the attributes of files in /usr.
- ##
- ##
-@@ -5112,6 +6497,24 @@ interface(`files_create_kernel_symbol_table',`
-
- ########################################
- ##
-+## Dontaudit getattr attempts on the system.map file
++## Search the locks directory (/var/lock).
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
++interface(`files_search_locks',`
+ gen_require(`
-+ type system_map_t;
++ type var_t, var_lock_t;
+ ')
+
-+ dontaudit $1 system_map_t:file getattr;
++ files_search_pids($1)
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+##
- ## Read system.map in the /boot directory.
- ##
- ##
-@@ -5241,6 +6644,24 @@ interface(`files_list_var',`
-
- ########################################
- ##
-+## Do not audit listing of the var directory (/var).
++## Do not audit attempts to search the
++## locks directory (/var/lock).
+##
+##
+##
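Review bot: `files_search_locks` now calls `files_search_pids($1)` on top of the var_t/var_lock_t search it already granted, so every lock interface that routes through it silently gives its caller search of the /var/run (var_run_t) tree and read of its symlinks, while the summary still says only "Search the locks directory (/var/lock)". Presumably this is because /var/lock resolves through a symlink into /run/lock on these systems, but that rationale is not recorded anywhere in the hunk. I would state it in the summary, e.g. `## Also grants search of /var/run, because /var/lock is a symlink into /run/lock on these systems.`, so policy authors understand why var_run_t access appears in domains that only asked for locks.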
@@ -15396,36 +17309,37 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_dontaudit_list_var',`
++interface(`files_dontaudit_search_locks',`
+ gen_require(`
-+ type var_t;
++ type var_lock_t;
+ ')
+
-+ dontaudit $1 var_t:dir list_dir_perms;
++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_lock_t:dir search_dir_perms;
+')
+
+########################################
+##
- ## Create, read, write, and delete directories
- ## in the /var directory.
- ##
-@@ -5328,7 +6749,7 @@ interface(`files_dontaudit_rw_var_files',`
- type var_t;
- ')
-
-- dontaudit $1 var_t:file rw_file_perms;
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -5419,6 +6840,24 @@ interface(`files_var_filetrans',`
- filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
+
+########################################
+##
-+## Relabel dirs in the /var directory.
++## Set the attributes of the /var/lock directory.
+##
+##
+##
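Review bot: `files_dontaudit_search_locks` suppresses only var_lock_t search and symlink reads, while its allow counterpart `files_search_locks` earlier in this file now also grants /var/run search via `files_search_pids($1)`; a domain given the dontaudit will presumably still produce var_run_t:dir search denials when the /var/lock symlink is resolved, so the allow/dontaudit pair is no longer symmetric. If that is not intended, adding `files_dontaudit_search_pids($1)` after the gen_require block restores the symmetry. The new `files_dontaudit_rw_inherited_locks` looks correct as written.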
@@ -15433,21 +17347,18 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_relabel_var_dirs',`
++interface(`files_setattr_lock_dirs',`
+ gen_require(`
-+ type var_t;
++ type var_lock_t;
+ ')
-+ allow $1 var_t:dir relabel_dir_perms;
++
++ allow $1 var_lock_t:dir setattr;
+')
+
- ########################################
- ##
- ## Get the attributes of the /var/lib directory.
-@@ -5527,6 +6966,25 @@ interface(`files_rw_var_lib_dirs',`
-
- ########################################
- ##
-+## Create directories in /var/lib
++########################################
++##
++## Add and remove entries in the /var/lock
++## directories.
+##
+##
+##
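Review bot: `files_setattr_lock_dirs` now grants only `allow $1 var_lock_t:dir setattr;` and no longer provides any path access to reach the directory, unlike its parallel `files_setattr_pid_dirs` later in this file, which calls `files_search_pids($1)` before its setattr rule. For consistency, and so callers can actually reach /var/lock, I would insert `files_search_locks($1)` before the allow line; if the omission is deliberate, the summary should say that callers must obtain search access to /var and /var/lock separately.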
@@ -15455,28 +17366,38 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_create_var_lib_dirs',`
++interface(`files_rw_lock_dirs',`
+ gen_require(`
-+ type var_lib_t;
++ type var_t, var_lock_t;
+ ')
+
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
++ files_search_locks($1)
++ rw_dirs_pattern($1, var_t, var_lock_t)
+')
+
-+
+########################################
+##
- ## Create objects in the /var/lib directory
- ##
- ##
-@@ -5596,6 +7054,25 @@ interface(`files_read_var_lib_symlinks',`
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
++## Create lock directories
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_create_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
+########################################
+##
-+## manage generic symbolic links
-+## in the /var/lib directory.
++## Relabel to and from all lock directory types.
+##
+##
+##
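Review bot: `files_create_lock_dirs` still spells out `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` while `files_rw_lock_dirs`, in the same hunk, obtains its reach through `files_search_locks($1)`. Since `files_search_locks` now also covers the /var/run side of the lock path, the hand-written version presumably lacks that reach and will behave differently from its siblings. Replace the two allow lines with `files_search_locks($1)` to keep the lock interfaces uniform.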
@@ -15484,25 +17405,41 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_manage_var_lib_symlinks',`
++interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
-+ type var_lib_t;
++ attribute lockfile;
++ type var_t, var_lock_t;
+ ')
+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
+')
+
- # cjp: the next two interfaces really need to be fixed
- # in some way. They really neeed their own types.
-
-@@ -5619,6 +7096,42 @@ interface(`files_manage_urandom_seed',`
- manage_files_pattern($1, var_lib_t, var_lib_t)
- ')
-
++########################################
++##
++## Relabel to and from all lock file types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_lock_files',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
+
+########################################
+##
-+## Relabel to dirs in the /var/lib directory.
++## Get the attributes of generic lock files.
+##
+##
+##
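Review bot: `files_relabel_all_lock_dirs` and the new `files_relabel_all_lock_files` both repeat the explicit `allow $1 var_t:dir search_dir_perms;` / `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` pair instead of calling `files_search_locks($1)` as the other rewritten lock interfaces do, so they diverge from the rest of the file in what path access they grant. Both also grant relabelfrom/relabelto across every type carrying the `lockfile` attribute, which lets the caller move any service's private lock objects between types; that is expected for a file-context administration domain but is worth saying in the summaries, e.g. `## Intended for file context administration domains only.`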
@@ -15510,17 +17447,39 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_relabelto_var_lib_dirs',`
++interface(`files_getattr_generic_locks',`
+ gen_require(`
-+ type var_lib_t;
++ type var_t, var_lock_t;
+ ')
-+ allow $1 var_lib_t:dir relabelto;
++
++ files_search_locks($1)
++ allow $1 var_lock_t:dir list_dir_perms;
++ getattr_files_pattern($1, var_lock_t, var_lock_t)
+')
+
++########################################
++##
++## Delete generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
++')
+
+########################################
+##
-+## Relabel dirs in the /var/lib directory.
++## Create, read, write, and delete generic
++## lock files.
+##
+##
+##
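Review bot: `files_getattr_generic_locks` grants `allow $1 var_lock_t:dir list_dir_perms;` in addition to `getattr_files_pattern`, so a caller can enumerate every lock file name under /var/lock, which is more than the summary "Get the attributes of generic lock files" suggests. If enumeration is intentionally part of the contract, say so: `## Get the attributes of generic lock files and list the /var/lock directory.`; otherwise the list rule could be dropped, since `getattr_files_pattern` presumably already carries the directory search needed to reach the files.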
@@ -15528,139 +17487,62 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_relabel_var_lib_dirs',`
++interface(`files_manage_generic_locks',`
+ gen_require(`
-+ type var_lib_t;
++ type var_t, var_lock_t;
+ ')
-+ allow $1 var_lib_t:dir relabel_dir_perms;
-+')
+
- ########################################
- ##
- ## Allow domain to manage mount tables
-@@ -5641,7 +7154,7 @@ interface(`files_manage_mounttab',`
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## List generic lock directories.
- ##
- ##
- ##
-@@ -5649,12 +7162,13 @@ interface(`files_manage_mounttab',`
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
- ')
-
- ########################################
-@@ -5672,6 +7186,7 @@ interface(`files_search_locks',`
- type var_t, var_lock_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
- ')
-@@ -5698,7 +7213,26 @@ interface(`files_dontaudit_search_locks',`
-
- ########################################
- ##
--## List generic lock directories.
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
++ manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Delete all lock files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_dontaudit_rw_inherited_locks',`
++interface(`files_delete_all_locks',`
+ gen_require(`
-+ type var_lock_t;
++ attribute lockfile;
++ type var_t, var_lock_t;
+ ')
+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ delete_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+##
-+## Set the attributes of the /var/lock directory.
- ##
- ##
- ##
-@@ -5706,13 +7240,12 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_lock_t:dir setattr;
- ')
-
- ########################################
-@@ -5731,7 +7264,7 @@ interface(`files_rw_lock_dirs',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- rw_dirs_pattern($1, var_t, var_lock_t)
- ')
-
-@@ -5764,7 +7297,6 @@ interface(`files_create_lock_dirs',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`files_relabel_all_lock_dirs',`
- gen_require(`
-@@ -5779,7 +7311,7 @@ interface(`files_relabel_all_lock_dirs',`
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Relabel to and from all lock file types.
- ##
- ##
- ##
-@@ -5787,13 +7319,33 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_relabel_all_lock_files',`
- gen_require(`
++## Read all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_all_locks',`
++ gen_require(`
+ attribute lockfile;
- type var_t, var_lock_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_files_pattern($1, lockfile, lockfile)
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 lockfile:dir list_dir_perms;
++ read_files_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+##
-+## Get the attributes of generic lock files.
++## manage all lock files.
+##
+##
+##
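Review bot: `files_delete_all_locks` keeps the hand-written `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` while `files_manage_generic_locks`, `files_delete_generic_locks` and `files_read_all_locks` around it were switched to `files_search_locks($1)`; it is the one lock interface in this hunk that does not follow the new pattern. Replace the two allows with `files_search_locks($1)`. Note also that `files_manage_generic_locks` now grants only `manage_files_pattern`, which matches its summary, but any existing caller that relied on the directory management this interface previously carried will now need `files_rw_lock_dirs` or `files_create_lock_dirs` as well — worth a line in the commit description.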
@@ -15668,92 +17550,113 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+#
-+interface(`files_getattr_generic_locks',`
++interface(`files_manage_all_locks',`
+ gen_require(`
++ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ files_search_locks($1)
- allow $1 var_lock_t:dir list_dir_perms;
- getattr_files_pattern($1, var_lock_t, var_lock_t)
- ')
-@@ -5809,13 +7361,12 @@ interface(`files_getattr_generic_locks',`
- ##
- #
- interface(`files_delete_generic_locks',`
-- gen_require(`
-+ gen_require(`
- type var_t, var_lock_t;
-- ')
-+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
- ########################################
-@@ -5834,9 +7385,7 @@ interface(`files_manage_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
- manage_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
-@@ -5878,8 +7427,7 @@ interface(`files_read_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7449,7 @@ interface(`files_manage_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7486,7 @@ interface(`files_lock_filetrans',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ manage_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, lockfile, lockfile)
++ manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Create an object in the locks directory, with a private
++## type using a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_lock_filetrans',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
+ files_search_locks($1)
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
- ')
-
-@@ -5979,7 +7525,7 @@ interface(`files_setattr_pid_dirs',`
- type var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++##
++## Set the attributes of the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
+ files_search_pids($1)
- allow $1 var_run_t:dir setattr;
- ')
-
-@@ -5999,10 +7545,48 @@ interface(`files_search_pids',`
- type var_t, var_run_t;
- ')
-
++ allow $1 var_run_t:dir setattr;
++')
++
++########################################
++##
++## Search the contents of runtime process
++## ID directories (/var/run).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
+ allow $1 var_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_run_t)
- ')
-
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_run_t)
++')
++
+######################################
+##
+## Add and remove entries from pid directories.
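Review bot: `files_manage_all_locks` grants create/write/unlink on dirs, files and symlinks of every type carrying the `lockfile` attribute, so a caller can delete or replace the private lock files of any other service; the summary is just "manage all lock files." and gives no hint of that blast radius. I would expand it to `## Manage all lock files of all lock file types; intended only for lock cleanup and administration domains.` Also, `files_search_pids` newly grants `allow $1 var_t:lnk_file read_lnk_file_perms;`, presumably so that /var/run resolving through a symlink to /run works, and that reason is not recorded in its summary either.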
@@ -15791,59 +17694,60 @@ index f962f76ad..74a6d0a54 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -6025,42 +7609,79 @@ interface(`files_dontaudit_search_pids',`
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++##
+## Do not audit attempts to search
+## the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_pids',`
++##
++##
++#
+interface(`files_dontaudit_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
++ ')
++
+ dontaudit $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read generic process ID files.
++')
++
++########################################
++##
+## Allow search the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_pids',`
++##
++##
++#
+interface(`files_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 pidfile:dir search_dir_perms;
+')
+
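Review bot: The parameter description for `files_search_all_pids` says `## Domain to not audit.` although the interface grants `allow $1 pidfile:dir search_dir_perms;`; it should read `## Domain allowed access.` like every other allow interface in the file. The summaries of both new interfaces also read "the all /var/run directory", which is ungrammatical and hides that they span every type carrying the `pidfile` attribute, not just var_run_t; `## Search all pid directory types (pidfile attribute).` and `## Do not audit attempts to search all pid directory types.` would say what the rules actually do.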
@@ -15885,30 +17789,113 @@ index f962f76ad..74a6d0a54 100644
+ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
-@@ -6078,7 +7699,7 @@ interface(`files_write_generic_pid_pipes',`
- type var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Write named generic process ID pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_generic_pid_pipes',`
++ gen_require(`
++ type var_run_t;
++ ')
++
+ files_search_pids($1)
- allow $1 var_run_t:fifo_file write;
- ')
-
-@@ -6140,7 +7761,6 @@ interface(`files_pid_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
-
-@@ -6169,6 +7789,24 @@ interface(`files_pid_filetrans_lock_dir',`
-
- ########################################
- ##
++ allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++##
++## Create an object in the process ID directory, with a private type.
++##
++##
++##
++## Create an object in the process ID directory (e.g., /var/run)
++## with a private type. Typically this is used for creating
++## private PID files in /var/run with the private type instead
++## of the general PID file type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++##
++##
++## Related interfaces:
++##
++##
++## - files_pid_file()
++##
++##
++## Example usage with a domain that can create and
++## write its PID file with a private PID file type in the
++## /var/run directory:
++##
++##
++## type mypidfile_t;
++## files_pid_file(mypidfile_t)
++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++#
++interface(`files_pid_filetrans',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++##
++## Create a generic lock directory within the run directories
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_pid_filetrans_lock_dir',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++##
+## rw generic pid files inherited from another process
+##
+##
@@ -15927,319 +17914,300 @@ index f962f76ad..74a6d0a54 100644
+
+########################################
+##
- ## Read and write generic process ID files.
- ##
- ##
-@@ -6182,7 +7820,7 @@ interface(`files_rw_generic_pids',`
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++## Read and write generic process ID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
- rw_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6249,55 +7887,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
-
- ########################################
- ##
--## Read all process ID files.
++ list_dirs_pattern($1, var_t, var_run_t)
++ rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes of
++## daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to write to daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file write;
++')
++
++########################################
++##
++## Do not audit attempts to ioctl daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++##
+## Relable all pid directories
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## Delete all pid sockets
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Create all pid sockets
- ##
- ##
- ##
-@@ -6305,42 +7931,35 @@ interface(`files_delete_all_pids',`
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_create_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Create all pid named pipes
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_create_all_pid_pipes',`
- gen_require(`
- attribute pidfile;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Delete all pid named pipes
- ##
- ##
- ##
-@@ -6348,18 +7967,18 @@ interface(`files_manage_all_pids',`
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_pipes',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## manage all pidfile directories
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6367,37 +7986,40 @@ interface(`files_mounton_all_poly_members',`
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_all_pid_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ manage_dirs_pattern($1,pidfile,pidfile)
- ')
-
++')
+
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
++
++########################################
++##
+## Read all process ID files.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
- #
--interface(`files_dontaudit_search_spool',`
++#
+interface(`files_read_all_pids',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++ ')
++
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
+## Relable all pid files
- ##
- ##
- ##
-@@ -6405,18 +8027,17 @@ interface(`files_dontaudit_search_spool',`
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabel_all_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ relabel_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Execute generic programs in /var/run in the caller domain.
- ##
- ##
- ##
-@@ -6424,18 +8045,18 @@ interface(`files_list_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_exec_generic_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ exec_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Write all sockets
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6443,19 +8064,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##
- ##
- #
--interface(`files_read_generic_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_write_all_pid_sockets',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 pidfile:sock_file write_sock_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## manage all pidfiles
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6463,55 +8083,62 @@ interface(`files_read_generic_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Mount filesystems on all polyinstantiation
+## member directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`files_mounton_all_poly_members',`
+ gen_require(`
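Review bot: `files_dontaudit_write_all_pids` at L4273–L4280 uses `var_run_t` in `dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;` while its `gen_require` lists only `attribute pidfile;`, whereas the neighbouring `files_dontaudit_getattr_all_pids` (L4254–L4257) and `files_dontaudit_ioctl_all_pids` (L4293–L4296) also require `type var_run_t;`. A module calling this interface without `var_run_t` otherwise in scope is likely to fail to build, so add `type var_run_t;` to the require block. The upstream body this patch removes at L5476–L5482 has the same omission, so it is inherited rather than introduced here, but the rebase is the natural point to fix it. The summaries at L4304 and L4587 spell `Relable`; `Relabel` is meant.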
@@ -16254,100 +18222,53 @@ index f962f76ad..74a6d0a54 100644
+## Delete all process IDs.
+##
+##
- ##
--## The name of the object being created.
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_delete_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
++ ')
++
+ files_search_pids($1)
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Delete all process ID directories.
- ##
- ##
- ##
-@@ -6519,64 +8146,963 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_dirs',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Make the specified type a file
+## used for spool files.
- ##
--##
++##
+##
+##
+## Make the specified type usable for spool files.
@@ -16375,22 +18296,18 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to be used as a
+## spool file.
- ##
- ##
++##
++##
+##
- #
--interface(`files_unconfined',`
++#
+interface(`files_spool_file',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ attribute spoolfile;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ files_type($1)
+ typeattribute $1 spoolfile;
+')
@@ -16475,109 +18392,138 @@ index f962f76ad..74a6d0a54 100644
+##
+## Do not audit attempts to search generic
+## spool directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5955,18 +8311,18 @@ interface(`files_lock_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_spool_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the /var/run directory.
+## List the contents of generic spool
+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5974,19 +8330,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_setattr_pid_dirs',`
+interface(`files_list_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search the contents of runtime process
+-## ID directories (/var/run).
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5994,39 +8349,38 @@ interface(`files_setattr_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_search_pids',`
+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Read generic spool files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
+interface(`files_read_generic_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List the contents of the runtime process
+-## ID directories (/var/run).
+## Create, read, write, and delete generic
+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6034,38 +8388,55 @@ interface(`files_dontaudit_search_pids',`
+ ##
+ ##
+ #
+-interface(`files_list_pids',`
+interface(`files_manage_generic_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic process ID files.
+## Create objects in the spool directory
+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
+##
+## Type to which the created node will be transitioned.
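Review bot: This hunk removes upstream's definition of `files_search_pids` (L5021–L5032, alongside `files_dontaudit_getattr_pid_dirs` and `files_setattr_pid_dirs`), yet the new side of the patch still calls `files_search_pids($1)` from `files_write_generic_pid_pipes` (L4096), `files_rw_generic_pids` (L4229), `files_delete_all_pids` (L4794) and `files_delete_all_pid_dirs` (L4876). Presumably the patch re-adds the interface in a part of files.if outside this view; confirm that the replacement still grants `allow $1 var_run_t:lnk_file read_lnk_file_perms;` as the removed body did at L5031, since that lnk_file permission is what lets a caller follow a /var/run symlink before the `search_dirs_pattern` applies.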
@@ -16594,33 +18540,43 @@ index f962f76ad..74a6d0a54 100644
+## The name of the object being created.
+##
+##
-+#
+ #
+-interface(`files_read_generic_pids',`
+interface(`files_spool_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Allow access to manage all polyinstantiated
+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +8444,75 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_polyinstantiate_all',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ attribute polydir, polymember, polyparent;
+ type poly_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ # Need to give access to /selinux/member
+ selinux_compute_member($1)
+
@@ -16657,10 +18613,11 @@ index f962f76ad..74a6d0a54 100644
+ corecmd_exec_bin($1)
+ seutil_domtrans_setfiles($1)
+ ')
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Unconfined access to files.
+##
+##
@@ -16680,17 +18637,40 @@ index f962f76ad..74a6d0a54 100644
+########################################
+##
+## Create a core files in /
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-##
+-##
+-## Related interfaces:
+-##
+-##
+-## - files_pid_file()
+-##
+-##
+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-##
+-##
+-## type mypidfile_t;
+-## files_pid_file(mypidfile_t)
+-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+## Create a core file in /,
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+@@ -6117,14 +8520,82 @@ interface(`files_write_generic_pid_pipes',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+##
+#
+interface(`files_manage_root_files',`
@@ -16731,12 +18711,14 @@ index f962f76ad..74a6d0a54 100644
+## type transition.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
-+##
-+##
+ ##
+ ##
+ ##
+ ##
+-## The object class of the object being created.
+## The class of the object being created.
+##
+##
@@ -16767,14 +18749,16 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+## The class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6132,65 +8603,92 @@ interface(`files_write_generic_pid_pipes',`
+ ## The name of the object being created.
+ ##
+ ##
+-##
+ #
+-interface(`files_pid_filetrans',`
+interface(`files_filetrans_lib',`
+ gen_require(`
+ type lib_t, lib_t;
@@ -16814,292 +18798,399 @@ index f962f76ad..74a6d0a54 100644
+##
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_run_t, $2, $3, $4)
+ allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create a generic lock directory within the run directories
+## Allow delete all tmpfs files.
-+##
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access
+-##
+-##
+-##
+ ##
+-## The name of the object being created.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+interface(`files_delete_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type var_lock_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- files_pid_filetrans($1, var_lock_t, dir, $2)
+ allow $1 tmpfsfile:file delete_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write generic process ID files.
+## Allow read write all tmpfs files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
+interface(`files_rw_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- rw_files_pattern($1, var_run_t, var_run_t)
+ allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes of
+-## daemon runtime data files.
+## Do not audit attempts to read security files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6198,19 +8696,17 @@ interface(`files_rw_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
+interface(`files_dontaudit_read_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file getattr;
+ dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write to daemon runtime data files.
+## Do not audit attempts to search security files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6218,18 +8714,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_all_pids',`
+interface(`files_dontaudit_search_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file write;
+ dontaudit $1 security_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to ioctl daemon runtime data files.
+## Do not audit attempts to read security dirs
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6237,41 +8732,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
+interface(`files_dontaudit_list_security_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file ioctl;
+ dontaudit $1 security_file_type:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read all process ID files.
+## rw any files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+##
+##
+## Object type.
+##
+##
-+#
+ #
+-interface(`files_read_all_pids',`
+interface(`files_rw_all_inherited_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
+## Allow any file point to be the entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6280,67 +8777,56 @@ interface(`files_read_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_entrypoint_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
+ type unlabeled_t;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 {file_type -unlabeled_t} :file entrypoint;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
+## Do not audit attempts to rw inherited file perms
+## of non security files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_dontaudit_all_non_security_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Do not audit attempts to read or write
+## all leaked files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain alloed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_dontaudit_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Allow domain to create_file_ass all types
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6348,37 +8834,37 @@ interface(`files_manage_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_create_as_is_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute file_type;
+ class kernel_service create_files_as;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## Do not audit attempts to check the
+## access on all files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_search_spool',`
+interface(`files_dontaudit_all_access_check',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search generic
+-## spool directories.
+## Do not audit attempts to write to all files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6386,132 +8872,227 @@ interface(`files_search_spool',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_dontaudit_write_all_files',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Allow domain to delete to all files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_list_spool',`
+interface(`files_delete_all_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Allow domain to delete to all dirs
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_delete_all_non_security_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic spool files.
+## Transition named content in the var_run_t directory
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type etc_t;
+ type mnt_t;
+ type usr_t;
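Review bot: Several `allow` interfaces in this hunk document their argument as `## Domain to not audit.`: `files_delete_tmpfs_files` (L5352), `files_rw_tmpfs_files` (L5388), `files_delete_all_non_security_files` (L5827) and `files_delete_all_non_security_dirs` (L5865); each should say `## Domain allowed access.` as the other allow interfaces do. The summary for `files_create_as_is_all_files` at L5706, `Allow domain to create_file_ass all types`, reads as a typo for `## Allow domain to create files as all file types.`. The summaries at L5819 and L5857, `Allow domain to delete to all files` and `Allow domain to delete to all dirs`, understate the scope: both rules are restricted to `non_security_file_type`, so `## Allow domain to delete all non-security files.` and `## Allow domain to delete all non-security dirs.` match what the interfaces grant.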
@@ -17108,8 +19199,10 @@ index f962f76ad..74a6d0a54 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -17149,13 +19242,16 @@ index f962f76ad..74a6d0a54 100644
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
+ files_var_filetrans($1, etc_runtime_t, file, ".updated")
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool files.
+## Make the specified type a
+## base file.
-+##
+ ##
+-##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -17163,35 +19259,46 @@ index f962f76ad..74a6d0a54 100644
+##
+##
+##
-+##
+ ##
+-## Domain allowed access.
+## Type to be used as a base files.
-+##
-+##
+ ##
+ ##
+##
-+#
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_base_file',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_file_type;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ files_type($1)
+ typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create objects in the spool directory
+-## with a private type with a type transition.
+## Make the specified type a
+## base read only file.
-+##
+ ##
+-##
+##
+##
+## Make the specified type readable for all domains.
+##
+##
+##
-+##
+ ##
+-## Domain allowed access.
+## Type to be used as a base read only files.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_ro_base_file',`
@@ -17207,10 +19314,12 @@ index f962f76ad..74a6d0a54 100644
+## Read all ro base files.
+##
+##
-+##
+ ##
+-## Type to which the created node will be transitioned.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_read_all_base_ro_files',`
@@ -17228,10 +19337,13 @@ index f962f76ad..74a6d0a54 100644
+## Execute all base ro files.
+##
+##
-+##
+ ##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_exec_all_base_ro_files',`
@@ -17248,52 +19360,102 @@ index f962f76ad..74a6d0a54 100644
+## any file.
+##
+##
-+##
+ ##
+-## The name of the object being created.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_config_all_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Get the status of etc_t files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6519,53 +9100,17 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_status_etc',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ type etc_t;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
+ allow $1 etc_t:service status;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to files.
+## Dontaudit Mount a modules_object_t
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6573,10 +9118,10 @@ interface(`files_polyinstantiate_all',`
+ ##
+ ##
+ #
+-interface(`files_unconfined',`
+interface(`files_dontaudit_mounton_modules_object',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ type modules_object_t;
-+ ')
-+
+ ')
+
+- typeattribute $1 files_unconfined_type;
+ allow $1 modules_object_t:dir mounton;
')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
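Review bot: `files_dontaudit_mounton_modules_object`, the last interface in this hunk, is documented as "Dontaudit Mount a modules_object_t" but its body is `allow $1 modules_object_t:dir mounton;`, so a caller that only wanted the denial silenced actually receives the mount-on permission. Either the rule should become `dontaudit $1 modules_object_t:dir mounton;` or the interface should be renamed to `files_mounton_modules_object` with the summary changed to match; as it stands the name misleads anyone auditing who may mount over module directories. Separately, the re-marked lines `+-interface(`files_polyinstantiate_all',`` and `+-interface(`files_unconfined',`` show the rebased patch now deleting those two upstream interfaces outright; if they are not re-added elsewhere in the patch, every caller fails at build time, which cannot be confirmed from this hunk alone.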
@@ -32854,7 +35016,7 @@ index 6bf0ecc2d..a6b6087eb 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..676215ff3 100644
+index 8b403774f..1d0aeba01 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -33317,7 +35479,7 @@ index 8b403774f..676215ff3 100644
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
-allow xdm_t xserver_t:process signal;
-+allow xdm_t xserver_t:process { signal signull };
++allow xdm_t xserver_t:process { getattr signal signull };
allow xdm_t xserver_t:unix_stream_socket connectto;
+allow xdm_t xserver_t:unix_dgram_socket sendto;
@@ -34237,7 +36399,7 @@ index 8b403774f..676215ff3 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1589,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1589,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -34303,6 +36465,8 @@ index 8b403774f..676215ff3 100644
+
+allow xserver_t x_userdomain:shm rw_shm_perms;
+
++allow x_userdomain xserver_t:unix_dgram_socket sendto;
++
+allow x_userdomain user_fonts_t:dir list_dir_perms;
+allow x_userdomain user_fonts_t:file read_file_perms;
+allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms;
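Review bot: The new `allow x_userdomain xserver_t:unix_dgram_socket sendto;` extends to every X user domain a permission that the xserver.te hunk above grants only to xdm_t, and nothing next to the rule says which client path needs datagram sends to the X server socket. A one-line why-comment above it naming the program or denial that motivated it would keep the next rebase from dropping or duplicating the rule. The inner hunk header was bumped from 148 to 150 lines, which matches the two added lines.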
@@ -38767,7 +40931,7 @@ index 79a45f62e..0244681f0 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..5bff55bd3 100644
+index 17eda2480..c60c4d8e0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -39406,7 +41570,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -216,7 +655,35 @@ optional_policy(`
+@@ -216,7 +655,36 @@ optional_policy(`
')
optional_policy(`
@@ -39440,10 +41604,11 @@ index 17eda2480..5bff55bd3 100644
+ domain_named_filetrans(init_t)
+ unconfined_server_domtrans(init_t)
+ unconfined_server_noatsecure(init_t)
++ unconfined_server_create_tcp_sockets(init_t)
')
########################################
-@@ -225,9 +692,9 @@ optional_policy(`
+@@ -225,9 +693,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
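Review bot: `unconfined_server_create_tcp_sockets(init_t)` grants init_t the create/bind/listen/accept set on tcp sockets labeled unconfined_service_t rather than init_t, which as far as I can tell only takes effect if init_t also sets a socket-creation context (the `setsockcreate` process permission) before creating the socket on the service's behalf; that permission is not visible in this hunk, so confirm init_t has it, otherwise the new call is dead policy. The enclosing `optional_policy` block opens outside the hunk. A comment such as `# socket activation: listening sockets created on behalf of unconfined services` above the call would record why init_t rather than the service needs these permissions.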
@@ -39455,7 +41620,7 @@ index 17eda2480..5bff55bd3 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +725,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +726,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39472,7 +41637,7 @@ index 17eda2480..5bff55bd3 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +750,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +751,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -39515,7 +41680,7 @@ index 17eda2480..5bff55bd3 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +787,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +788,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -39527,7 +41692,7 @@ index 17eda2480..5bff55bd3 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +799,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +800,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -39538,7 +41703,7 @@ index 17eda2480..5bff55bd3 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +810,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +811,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -39548,7 +41713,7 @@ index 17eda2480..5bff55bd3 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +819,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +820,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -39556,7 +41721,7 @@ index 17eda2480..5bff55bd3 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +826,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +827,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -39564,7 +41729,7 @@ index 17eda2480..5bff55bd3 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +834,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +835,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -39582,7 +41747,7 @@ index 17eda2480..5bff55bd3 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +852,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +853,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -39596,7 +41761,7 @@ index 17eda2480..5bff55bd3 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +867,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +868,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -39610,7 +41775,7 @@ index 17eda2480..5bff55bd3 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +880,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +881,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -39621,7 +41786,7 @@ index 17eda2480..5bff55bd3 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +893,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +894,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -39629,7 +41794,7 @@ index 17eda2480..5bff55bd3 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +912,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +913,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -39653,7 +41818,7 @@ index 17eda2480..5bff55bd3 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +945,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +946,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -39661,7 +41826,7 @@ index 17eda2480..5bff55bd3 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +979,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +980,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -39672,7 +41837,7 @@ index 17eda2480..5bff55bd3 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +1003,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +1004,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -39681,7 +41846,7 @@ index 17eda2480..5bff55bd3 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +1018,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +1019,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -39689,7 +41854,7 @@ index 17eda2480..5bff55bd3 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1039,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1040,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -39697,7 +41862,7 @@ index 17eda2480..5bff55bd3 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1049,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1050,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -39742,7 +41907,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -559,14 +1094,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1095,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -39774,7 +41939,7 @@ index 17eda2480..5bff55bd3 100644
')
')
-@@ -577,6 +1129,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1130,39 @@ ifdef(`distro_suse',`
')
')
@@ -39814,7 +41979,7 @@ index 17eda2480..5bff55bd3 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1174,8 @@ optional_policy(`
+@@ -589,6 +1175,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -39823,7 +41988,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -610,6 +1197,7 @@ optional_policy(`
+@@ -610,6 +1198,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -39831,7 +41996,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -626,6 +1214,17 @@ optional_policy(`
+@@ -626,6 +1215,17 @@ optional_policy(`
')
optional_policy(`
@@ -39849,7 +42014,7 @@ index 17eda2480..5bff55bd3 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1241,13 @@ optional_policy(`
+@@ -642,9 +1242,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -39863,7 +42028,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -657,15 +1260,11 @@ optional_policy(`
+@@ -657,15 +1261,11 @@ optional_policy(`
')
optional_policy(`
@@ -39881,7 +42046,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -686,6 +1285,15 @@ optional_policy(`
+@@ -686,6 +1286,15 @@ optional_policy(`
')
optional_policy(`
@@ -39897,7 +42062,7 @@ index 17eda2480..5bff55bd3 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1334,7 @@ optional_policy(`
+@@ -726,6 +1335,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -39905,7 +42070,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -743,7 +1352,13 @@ optional_policy(`
+@@ -743,7 +1353,13 @@ optional_policy(`
')
optional_policy(`
@@ -39920,7 +42085,7 @@ index 17eda2480..5bff55bd3 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1381,10 @@ optional_policy(`
+@@ -766,6 +1382,10 @@ optional_policy(`
')
optional_policy(`
@@ -39931,7 +42096,7 @@ index 17eda2480..5bff55bd3 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1394,20 @@ optional_policy(`
+@@ -775,10 +1395,20 @@ optional_policy(`
')
optional_policy(`
@@ -39952,7 +42117,7 @@ index 17eda2480..5bff55bd3 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1416,10 @@ optional_policy(`
+@@ -787,6 +1417,10 @@ optional_policy(`
')
optional_policy(`
@@ -39963,7 +42128,7 @@ index 17eda2480..5bff55bd3 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1441,6 @@ optional_policy(`
+@@ -808,8 +1442,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -39972,7 +42137,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -818,6 +1449,10 @@ optional_policy(`
+@@ -818,6 +1450,10 @@ optional_policy(`
')
optional_policy(`
@@ -39983,7 +42148,7 @@ index 17eda2480..5bff55bd3 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1462,12 @@ optional_policy(`
+@@ -827,10 +1463,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -39996,7 +42161,7 @@ index 17eda2480..5bff55bd3 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1494,63 @@ optional_policy(`
+@@ -857,21 +1495,63 @@ optional_policy(`
')
optional_policy(`
@@ -40061,7 +42226,7 @@ index 17eda2480..5bff55bd3 100644
')
optional_policy(`
-@@ -887,6 +1566,10 @@ optional_policy(`
+@@ -887,6 +1567,10 @@ optional_policy(`
')
optional_policy(`
@@ -40072,7 +42237,7 @@ index 17eda2480..5bff55bd3 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1580,218 @@ optional_policy(`
+@@ -897,3 +1581,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -48083,7 +50248,7 @@ index 40edc18ab..be7317733 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692c0..853ddefe4 100644
+index 2cea692c0..9c68d9b24 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -48510,7 +50675,7 @@ index 2cea692c0..853ddefe4 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1057,162 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1057,168 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -48574,6 +50739,7 @@ index 2cea692c0..853ddefe4 100644
+interface(`sysnet_filetrans_named_content',`
+ gen_require(`
+ type net_conf_t;
++ type systemd_resolved_var_run_t;
+ ')
+
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
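Review bot: The new `type systemd_resolved_var_run_t;` is added to the unconditional `gen_require` of `sysnet_filetrans_named_content`, while its only uses (in the following hunk) are wrapped in `optional_policy`; an unconditional require makes every module calling this interface fail to link when the type is absent, so the optional wrapper protects nothing, and if the type can never be absent the wrapper is misleading instead. Move `type systemd_resolved_var_run_t;` into a `gen_require` inside the `optional_policy` block in the next hunk, the way the `networkmanager_pid_filetrans` calls in the same interface are guarded. The two new `sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, ...)` calls also lack the space after `$1,` that every other call in the interface uses.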
@@ -48598,6 +50764,11 @@ index 2cea692c0..853ddefe4 100644
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ ')
++
++ optional_policy(`
++ sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
++ sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
++ ')
+')
+
+########################################
@@ -52763,7 +54934,7 @@ index 0abaf8432..8b34dbc09 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a97d..43bb011b3 100644
+index 5ca20a97d..7ffd0e0e3 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -52875,7 +55046,7 @@ index 5ca20a97d..43bb011b3 100644
')
########################################
-@@ -175,258 +185,12 @@ interface(`unconfined_alias_domain',`
+@@ -175,204 +185,12 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -53072,36 +55243,44 @@ index 5ca20a97d..43bb011b3 100644
- ')
-
- allow $1 unconfined_t:process signull;
--')
--
--########################################
--##
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+ ##
-## Send generic signals to the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -380,17 +198,19 @@ interface(`unconfined_signull',`
+ ##
+ ##
+ #
-interface(`unconfined_signal',`
-- gen_require(`
++interface(`unconfined_server_stream_connect',`
+ gen_require(`
- type unconfined_t;
-- ')
--
++ type unconfined_service_t;
+ ')
+
- allow $1 unconfined_t:process signal;
--')
--
--########################################
--##
++ files_search_pids($1)
++ files_write_generic_pid_pipes($1)
++ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
+ ')
+
+ ########################################
+ ##
-## Read unconfined domain unnamed pipes.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -398,120 +218,17 @@ interface(`unconfined_signal',`
+ ##
+ ##
+ #
-interface(`unconfined_read_pipes',`
- gen_require(`
- type unconfined_t;
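Review bot: The summary `## Connect to unconfined_server with a unix socket.` at the end of this hunk is a copy of the one written for `unconfined_server_stream_connect` above it, but the interface it now documents is `unconfined_server_domtrans` (defined in the next hunk), which performs a domain transition, so it should read something like `## Execute a program and transition to unconfined_service_t.` Also, `unconfined_server_stream_connect` calls `files_write_generic_pid_pipes($1)`, which grants write on every var_run_t fifo_file under /run, considerably more than connecting to one socket; if the socket can carry a type of its own, `files_search_pids($1)` plus `stream_connect_pattern` against that type is the tighter idiom. These three lines were relocated rather than written by this commit, but the breadth is worth a comment either way.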
@@ -53126,20 +55305,18 @@ index 5ca20a97d..43bb011b3 100644
- ')
-
- dontaudit $1 unconfined_t:fifo_file read;
-+ refpolicywarn(`$0() has been deprecated.')
- ')
-
- ########################################
- ##
+-')
+-
+-########################################
+-##
-## Read and write unconfined domain unnamed pipes.
-+## Connect to unconfined_server with a unix socket.
- ##
- ##
- ##
-@@ -434,84 +198,19 @@ interface(`unconfined_dontaudit_read_pipes',`
- ##
- ##
- #
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
-interface(`unconfined_rw_pipes',`
- gen_require(`
- type unconfined_t;
@@ -53208,79 +55385,77 @@ index 5ca20a97d..43bb011b3 100644
-##
-#
-interface(`unconfined_dontaudit_rw_tcp_sockets',`
-+interface(`unconfined_server_stream_connect',`
++interface(`unconfined_server_domtrans',`
gen_require(`
- type unconfined_t;
+ type unconfined_service_t;
')
- dontaudit $1 unconfined_t:tcp_socket { read write };
-+ files_search_pids($1)
-+ files_write_generic_pid_pipes($1)
-+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
++ corecmd_bin_domtrans($1, unconfined_service_t)
')
########################################
##
-## Create keys for the unconfined domain.
-+## Connect to unconfined_server with a unix socket.
++## Allow caller domain to dbus chat unconfined_server.
##
##
##
-@@ -519,17 +218,17 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
+@@ -519,17 +236,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
##
##
#
-interface(`unconfined_create_keys',`
-+interface(`unconfined_server_domtrans',`
++interface(`unconfined_server_dbus_chat',`
gen_require(`
- type unconfined_t;
+ type unconfined_service_t;
++ class dbus send_msg;
')
- allow $1 unconfined_t:key create;
-+ corecmd_bin_domtrans($1, unconfined_service_t)
++ allow $1 unconfined_service_t:dbus send_msg;
++ allow unconfined_service_t $1:dbus send_msg;
')
########################################
##
-## Send messages to the unconfined domain over dbus.
-+## Allow caller domain to dbus chat unconfined_server.
++## Send signull to unconfined_service_t.
##
##
##
-@@ -537,19 +236,19 @@ interface(`unconfined_create_keys',`
+@@ -537,19 +256,17 @@ interface(`unconfined_create_keys',`
##
##
#
-interface(`unconfined_dbus_send',`
-+interface(`unconfined_server_dbus_chat',`
++interface(`unconfined_server_signull',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
+ type unconfined_service_t;
-+ class dbus send_msg;
')
- allow $1 unconfined_t:dbus send_msg;
-+ allow $1 unconfined_service_t:dbus send_msg;
-+ allow unconfined_service_t $1:dbus send_msg;
++ allow $1 unconfined_service_t:process signull;
')
########################################
##
-## Send and receive messages from
-## unconfined_t over dbus.
-+## Send signull to unconfined_service_t.
++## Allow noatsecure.
##
##
##
-@@ -557,20 +256,17 @@ interface(`unconfined_dbus_send',`
+@@ -557,20 +274,17 @@ interface(`unconfined_dbus_send',`
##
##
#
-interface(`unconfined_dbus_chat',`
-+interface(`unconfined_server_signull',`
++interface(`unconfined_server_noatsecure',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
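Review bot: The one-line summary `## Allow noatsecure.` for `unconfined_server_noatsecure` restates the permission name without saying what it does: granting `noatsecure` on the transition to unconfined_service_t means the exec is not treated as a secure exec (AT_SECURE stays clear), so the caller's environment, including loader variables, is passed through unsanitized. Suggest `## Skip secure-exec environment sanitization on the transition to unconfined_service_t.` with a second sentence in the description stating that the caller's environment is inherited by the service. The `allow` line itself sits in the following hunk.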
@@ -53289,23 +55464,23 @@ index 5ca20a97d..43bb011b3 100644
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
-+ allow $1 unconfined_service_t:process signull;
++ allow $1 unconfined_service_t:process { noatsecure };
')
########################################
##
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
-+## Allow noatsecure.
++## Create unconfined_service_t TCP sockets.
##
##
##
-@@ -578,11 +274,10 @@ interface(`unconfined_dbus_chat',`
+@@ -578,11 +292,10 @@ interface(`unconfined_dbus_chat',`
##
##
#
-interface(`unconfined_dbus_connect',`
-+interface(`unconfined_server_noatsecure',`
++interface(`unconfined_server_create_tcp_sockets',`
gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
@@ -53313,7 +55488,7 @@ index 5ca20a97d..43bb011b3 100644
')
- allow $1 unconfined_t:dbus acquire_svc;
-+ allow $1 unconfined_service_t:process { noatsecure };
++ allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms;
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902db3..52a051d8a 100644
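Review bot: `allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms;` in `unconfined_server_create_tcp_sockets` grants the full create/bind/listen/accept plus read/write set on sockets that carry the service's label rather than the caller's, and neither the summary in the previous hunk (`## Create unconfined_service_t TCP sockets.`) nor the rule says that the caller has to label the socket itself through a socket-creation context for the rule to matter. A sentence in the description stating that the interface is meant for an init or socket-activation domain that sets the socket create context would make its pairing with the new `unconfined_server_create_tcp_sockets(init_t)` call in init.te understandable to the next reader.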
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index aa773fb..ce3ef55 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2331,7 +2331,7 @@ index 7f4dfbca3..e5c9f45b8 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c7d..96bbc0825 100644
+index 519051c7d..48d816150 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2425,7 +2425,12 @@ index 519051c7d..96bbc0825 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
-@@ -130,6 +145,7 @@ fs_list_all(amanda_t)
+@@ -126,10 +141,12 @@ files_getattr_all_sockets(amanda_t)
+
+ fs_getattr_xattr_fs(amanda_t)
+ fs_list_all(amanda_t)
++fs_getattr_tmpfs(amanda_t)
+
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
@@ -2433,7 +2438,7 @@ index 519051c7d..96bbc0825 100644
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
-@@ -141,7 +157,7 @@ logging_send_syslog_msg(amanda_t)
+@@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t)
# Recover local policy
#
@@ -2442,7 +2447,7 @@ index 519051c7d..96bbc0825 100644
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
-@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -2450,7 +2455,7 @@ index 519051c7d..96bbc0825 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -5635,7 +5640,7 @@ index f6eb4851f..3628a384f 100644
+ allow $1 httpd_t:process { noatsecure };
')
diff --git a/apache.te b/apache.te
-index 6649962b6..1df48fb13 100644
+index 6649962b6..c45ca1fb1 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -7895,39 +7900,47 @@ index 6649962b6..1df48fb13 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t)
+@@ -1384,36 +1684,109 @@ domain_use_interactive_fds(httpd_passwd_t)
- domain_use_interactive_fds(httpd_passwd_t)
-
-+
auth_use_nsswitch(httpd_passwd_t)
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
-+miscfiles_read_certs(httpd_passwd_t)
++init_dontaudit_read_state(httpd_passwd_t)
-########################################
-#
-# GPG local policy
-#
++miscfiles_read_certs(httpd_passwd_t)
+
+-allow httpd_gpg_t self:process setrlimit;
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
--allow httpd_gpg_t self:process setrlimit;
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
-+
+
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
-+
+
+-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
-+
+
+-miscfiles_read_localization(httpd_gpg_t)
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
-+
+
+-tunable_policy(`httpd_gpg_anon_write',`
+- miscfiles_manage_public_files(httpd_gpg_t)
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
@@ -7955,29 +7968,20 @@ index 6649962b6..1df48fb13 100644
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
++
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
-
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
++
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-
--files_read_usr_files(httpd_gpg_t)
++
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
-
--miscfiles_read_localization(httpd_gpg_t)
++
+fs_getattr_xattr_fs(httpd_script_type)
-
--tunable_policy(`httpd_gpg_anon_write',`
-- miscfiles_manage_public_files(httpd_gpg_t)
++
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
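Review bot: `init_dontaudit_read_state(httpd_passwd_t)` silences a denial instead of explaining it; nothing says what makes the password helper read init_t's process state, so the next reviewer cannot tell whether this should be a real `init_read_state` grant or a bug in the helper. A comment above the call naming the triggering program or the observed denial would help, for example (constructed) `# <helper placeholder> stats /proc/1 on startup; harmless, so dontaudit rather than allow`. The commented-out `#systemd_passwd_agent_dev_template(httpd)` line kept as context just below is dead code and should be either removed or given a reason.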
@@ -12617,10 +12621,10 @@ index 008f8ef26..144c0740a 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287ce..73104ec93 100644
+index 550b287ce..36c9f99b1 100644
--- a/certmonger.te
+++ b/certmonger.te
-@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,29 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
@@ -12630,6 +12634,9 @@ index 550b287ce..73104ec93 100644
+type certmonger_unit_file_t;
+systemd_unit_file(certmonger_unit_file_t)
+
++type certmonger_tmp_t;
++files_tmp_file(certmonger_tmp_t)
++
########################################
#
# Local policy
@@ -12651,15 +12658,21 @@ index 550b287ce..73104ec93 100644
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+@@ -39,8 +50,13 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
++manage_dirs_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
++manage_files_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
++files_tmp_filetrans(certmonger_t, certmonger_tmp_t, { file dir })
++
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
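Review bot: The class set in the new `files_tmp_filetrans(certmonger_t, certmonger_tmp_t, { file dir })` is ordered differently from the `{ dir file }` set used by the pid-file transition three lines above; for consistency write `files_tmp_filetrans(certmonger_t, certmonger_tmp_t, { dir file })`. The `certmonger_tmp_t` type these manage patterns rely on is declared in the preceding hunk via `files_tmp_file`, so the two hunks are only meaningful together. The certmonger_t local-policy block continues outside this hunk on both sides.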
-@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +65,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -12687,7 +12700,7 @@ index 550b287ce..73104ec93 100644
fs_search_cgroup_dirs(certmonger_t)
-@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +93,24 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
@@ -12716,7 +12729,7 @@ index 550b287ce..73104ec93 100644
')
optional_policy(`
-@@ -92,11 +116,74 @@ optional_policy(`
+@@ -92,11 +123,74 @@ optional_policy(`
')
optional_policy(`
@@ -32849,7 +32862,7 @@ index 1e29af196..6c64f55c3 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index dc49c715e..e25890c3d 100644
+index dc49c715e..43f79d6de 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -32934,7 +32947,7 @@ index dc49c715e..e25890c3d 100644
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +218,53 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +218,54 @@ tunable_policy(`git_system_use_nfs',`
# CGI policy
#
@@ -32951,6 +32964,7 @@ index dc49c715e..e25890c3d 100644
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
+allow git_script_t git_sys_content_t:file map;
++allow git_script_t git_user_content_t:file map;
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
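Review bot: The two `map` rules on consecutive lines can be folded into one using the set notation the `read_files_pattern` call just above already uses: `allow git_script_t { git_sys_content_t git_user_content_t }:file map;`. A short why-comment would also help, since `map` is a separate permission from `read` and is easy to mistake for an over-grant on later review, e.g. `# mmap of repository content is needed in addition to read (BZ 1530937)`. The git_script_t CGI block continues outside the hunk.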
@@ -33010,7 +33024,7 @@ index dc49c715e..e25890c3d 100644
')
########################################
-@@ -266,12 +274,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +275,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -51743,10 +51757,10 @@ index 000000000..394bc4658
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
-index 000000000..f5b98e6de
+index 000000000..4807174c8
--- /dev/null
+++ b/mock.if
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,312 @@
+## policy for mock
+
+########################################
@@ -51804,6 +51818,7 @@ index 000000000..f5b98e6de
+ files_search_var_lib($1)
+ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++ read_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
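Review bot: The interface body now grants `read_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)` in addition to directory listing and file reads, but the `## <summary>` text for `mock_read_lib_files()` (above this hunk, outside the view) is unchanged; it should state that symbolic links under mock_var_lib_t are readable too, so callers see the full grant. The changelog entry for BZ(1530563) names the interface, so the wording can be kept in step with it.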
@@ -57636,7 +57651,7 @@ index b744fe35e..cb0e2af61 100644
+ admin_pattern($1, munin_content_t)
')
diff --git a/munin.te b/munin.te
-index b70870816..e2a5280c3 100644
+index b70870816..19e70e27c 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -57697,16 +57712,18 @@ index b70870816..e2a5280c3 100644
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { accept connectto listen };
-@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -117,8 +116,9 @@ files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
++allow munin_t munin_var_lib_t:file map;
-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +134,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -57714,7 +57731,7 @@ index b70870816..e2a5280c3 100644
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +156,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
@@ -57722,7 +57739,7 @@ index b70870816..e2a5280c3 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +167,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -57730,7 +57747,7 @@ index b70870816..e2a5280c3 100644
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +174,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -57744,7 +57761,7 @@ index b70870816..e2a5280c3 100644
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
-@@ -217,7 +206,6 @@ optional_policy(`
+@@ -217,7 +207,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -57752,10 +57769,12 @@ index b70870816..e2a5280c3 100644
')
optional_policy(`
-@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +235,27 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
++auth_use_nsswitch(disk_munin_plugin_t)
++
+kernel_read_fs_sysctls(disk_munin_plugin_t)
+
corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
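Review bot: `auth_use_nsswitch()` is added separately to disk_munin_plugin_t here and again to mail_munin_plugin_t, selinux_munin_plugin_t and munin_script_t in the following munin hunks, with nothing in the policy saying why it is not applied once to the shared plugin attribute. The changelog explains that `auth_use_nsswitch()` cannot take an attribute; that rationale belongs in the .te file itself, e.g. `# auth_use_nsswitch() does not accept attributes, so it is called per plugin domain` above the first call. The disk plugin block starts outside the hunk.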
@@ -57782,7 +57801,7 @@ index b70870816..e2a5280c3 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -272,34 +264,50 @@ optional_policy(`
+@@ -272,34 +267,53 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
@@ -57804,7 +57823,10 @@ index b70870816..e2a5280c3 100644
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
++auth_use_nsswitch(mail_munin_plugin_t)
++
+kernel_read_net_sysctls(mail_munin_plugin_t)
++kernel_read_network_state(mail_munin_plugin_t)
+
dev_read_urand(mail_munin_plugin_t)
@@ -57838,7 +57860,16 @@ index b70870816..e2a5280c3 100644
')
optional_policy(`
-@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -311,6 +325,8 @@ optional_policy(`
+ # Selinux local policy
+ #
+
++auth_use_nsswitch(selinux_munin_plugin_t)
++
+ selinux_get_enforce_mode(selinux_munin_plugin_t)
+
+ ###################################
+@@ -339,7 +355,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -57847,7 +57878,7 @@ index b70870816..e2a5280c3 100644
')
optional_policy(`
-@@ -348,6 +356,10 @@ optional_policy(`
+@@ -348,6 +364,10 @@ optional_policy(`
')
optional_policy(`
@@ -57858,7 +57889,7 @@ index b70870816..e2a5280c3 100644
lpd_exec_lpr(services_munin_plugin_t)
')
-@@ -361,7 +373,11 @@ optional_policy(`
+@@ -361,7 +381,11 @@ optional_policy(`
')
optional_policy(`
@@ -57871,7 +57902,7 @@ index b70870816..e2a5280c3 100644
')
optional_policy(`
-@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +417,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -57879,7 +57910,7 @@ index b70870816..e2a5280c3 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +438,33 @@ optional_policy(`
+@@ -421,3 +446,33 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -57908,7 +57939,7 @@ index b70870816..e2a5280c3 100644
+
+files_search_var_lib(munin_script_t)
+
-+auth_read_passwd(munin_script_t)
++auth_use_nsswitch(munin_script_t)
+
+optional_policy(`
+ apache_search_sys_content(munin_t)
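Review bot: Replacing `auth_read_passwd(munin_script_t)` with `auth_use_nsswitch(munin_script_t)` is a privilege increase for the CGI script domain, not a like-for-like swap: in refpolicy `auth_use_nsswitch()` typically also pulls in the optional nscd/sssd/LDAP client access, whereas the old call only allowed reading the passwd database. That may be exactly what the plugin needs, but a comment recording it, e.g. `# name lookups may go through sssd/nscd, not only /etc/passwd`, would stop a later audit from trimming it back. The munin_script_t block continues outside the hunk on both sides.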
@@ -94607,7 +94638,7 @@ index ebe91fc70..6ba4338cb 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index ef3b22507..79518530e 100644
+index ef3b22507..b7bd65539 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -94886,7 +94917,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
+@@ -302,7 +398,33 @@ interface(`rpm_manage_log',`
########################################
##
@@ -94912,6 +94943,7 @@ index ef3b22507..79518530e 100644
+ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
+ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
+ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
++ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")
+')
+
+########################################
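Review bot: A named file transition matches the final path component exactly, so `files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")` only labels a directory literally named `rpmrebuilddb`; if the rebuild directory carries a suffix (rpm has at times appended a pid or random component), the rule never fires and the directory keeps `var_lib_t`. Worth confirming against the actual path in BZ(1461313); if the name is variable, a file-context pattern in rpm.fc is the right place for the fix. The interface body continues outside the hunk.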
@@ -94920,7 +94952,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +442,8 @@ interface(`rpm_use_script_fds',`
########################################
##
@@ -94931,7 +94963,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +457,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -94948,7 +94980,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +478,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -94966,7 +94998,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +498,34 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -95002,7 +95034,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +545,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -95011,7 +95043,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +566,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -95021,7 +95053,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +587,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -95030,7 +95062,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -459,11 +603,13 @@ interface(`rpm_read_db',`
+@@ -459,11 +604,13 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -95045,7 +95077,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -482,8 +628,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +629,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -95055,7 +95087,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -499,12 +644,33 @@ interface(`rpm_manage_db',`
+@@ -499,12 +645,33 @@ interface(`rpm_manage_db',`
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -95090,7 +95122,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,9 +684,10 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -95102,7 +95134,7 @@ index ef3b22507..79518530e 100644
')
#####################################
-@@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +711,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -95112,7 +95144,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +730,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -95122,7 +95154,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +739,54 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -95194,7 +95226,7 @@ index ef3b22507..79518530e 100644
##
##
##
-@@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +794,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
##
##
##
@@ -95263,7 +95295,7 @@ index ef3b22507..79518530e 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -641,9 +852,6 @@ interface(`rpm_admin',`
+@@ -641,9 +853,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t)
@@ -97896,7 +97928,7 @@ index 50d07fb2e..a15cd5b6b 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441e7..0f95635dd 100644
+index 2b7c441e7..1bfd11b61 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -98194,7 +98226,7 @@ index 2b7c441e7..0f95635dd 100644
')
optional_policy(`
-@@ -249,46 +261,59 @@ optional_policy(`
+@@ -249,47 +261,61 @@ optional_policy(`
')
optional_policy(`
@@ -98265,9 +98297,11 @@ index 2b7c441e7..0f95635dd 100644
+manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
++allow smbd_t samba_share_t:file { map };
allow smbd_t samba_share_t:filesystem { getattr quotaget };
-@@ -297,66 +322,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -297,66 +323,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
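Review bot: `allow smbd_t samba_share_t:file { map };` wraps a single permission in braces, unlike the other map rules in this commit (`allow git_script_t git_sys_content_t:file map;`, `allow munin_t munin_var_lib_t:file map;`); write `allow smbd_t samba_share_t:file map;`. For the record, `map` alone does not grant `execute`, so this does not let share content be mapped executable by smbd_t; a one-line comment with the BZ(1530453) reference would make that intent explicit. The smbd_t block continues outside the hunk.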
@@ -98366,7 +98400,7 @@ index 2b7c441e7..0f95635dd 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +399,53 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +400,53 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -98432,7 +98466,7 @@ index 2b7c441e7..0f95635dd 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -419,20 +461,16 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +462,16 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -98459,7 +98493,7 @@ index 2b7c441e7..0f95635dd 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -441,6 +479,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +480,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -98467,7 +98501,7 @@ index 2b7c441e7..0f95635dd 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +487,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +488,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -98487,7 +98521,7 @@ index 2b7c441e7..0f95635dd 100644
')
optional_policy(`
-@@ -466,6 +500,7 @@ optional_policy(`
+@@ -466,6 +501,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@@ -98495,7 +98529,7 @@ index 2b7c441e7..0f95635dd 100644
')
optional_policy(`
-@@ -474,11 +509,31 @@ optional_policy(`
+@@ -474,11 +510,31 @@ optional_policy(`
')
optional_policy(`
@@ -98527,7 +98561,7 @@ index 2b7c441e7..0f95635dd 100644
lpd_exec_lpr(smbd_t)
')
-@@ -488,6 +543,10 @@ optional_policy(`
+@@ -488,6 +544,10 @@ optional_policy(`
')
optional_policy(`
@@ -98538,7 +98572,7 @@ index 2b7c441e7..0f95635dd 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -499,12 +558,53 @@ optional_policy(`
+@@ -499,12 +559,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -98593,7 +98627,7 @@ index 2b7c441e7..0f95635dd 100644
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +612,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +613,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -98608,7 +98642,7 @@ index 2b7c441e7..0f95635dd 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +628,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +629,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -98634,7 +98668,7 @@ index 2b7c441e7..0f95635dd 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +646,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +647,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -98703,7 +98737,7 @@ index 2b7c441e7..0f95635dd 100644
')
optional_policy(`
-@@ -606,18 +696,29 @@ optional_policy(`
+@@ -606,18 +697,29 @@ optional_policy(`
########################################
#
@@ -98739,7 +98773,7 @@ index 2b7c441e7..0f95635dd 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -627,39 +728,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +729,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -98791,7 +98825,7 @@ index 2b7c441e7..0f95635dd 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +768,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +769,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -98827,7 +98861,7 @@ index 2b7c441e7..0f95635dd 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +795,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +796,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -98920,7 +98954,7 @@ index 2b7c441e7..0f95635dd 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +874,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +875,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -98944,7 +98978,7 @@ index 2b7c441e7..0f95635dd 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +888,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +889,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -98987,7 +99021,7 @@ index 2b7c441e7..0f95635dd 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +918,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +919,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -99001,7 +99035,7 @@ index 2b7c441e7..0f95635dd 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +941,20 @@ optional_policy(`
+@@ -840,17 +942,20 @@ optional_policy(`
# Winbind local policy
#
@@ -99028,7 +99062,7 @@ index 2b7c441e7..0f95635dd 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +964,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +965,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -99039,7 +99073,7 @@ index 2b7c441e7..0f95635dd 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -870,41 +972,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+@@ -870,41 +973,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
@@ -99098,7 +99132,7 @@ index 2b7c441e7..0f95635dd 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1019,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1020,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -99157,7 +99191,7 @@ index 2b7c441e7..0f95635dd 100644
')
optional_policy(`
-@@ -959,31 +1080,36 @@ optional_policy(`
+@@ -959,31 +1081,36 @@ optional_policy(`
# Winbind helper local policy
#
@@ -99201,7 +99235,7 @@ index 2b7c441e7..0f95635dd 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1123,38 @@ optional_policy(`
+@@ -997,25 +1124,38 @@ optional_policy(`
########################################
#
@@ -102451,7 +102485,7 @@ index 35ad2a733..afdc7da29 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b413..debacc88b 100644
+index 12700b413..e28f69e3e 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -102594,7 +102628,18 @@ index 12700b413..debacc88b 100644
')
optional_policy(`
-@@ -164,6 +171,10 @@ optional_policy(`
+@@ -143,6 +150,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(sendmail_t)
++')
++
++optional_policy(`
+ dovecot_write_inherited_tmp_files(sendmail_t)
+ ')
+
+@@ -164,6 +175,10 @@ optional_policy(`
')
optional_policy(`
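Review bot: `dbus_system_bus_client(sendmail_t)` only lets sendmail_t connect to the system bus daemon and exchange messages with it; to talk to a specific service on the bus a `send_msg` rule toward that service's domain (the per-service `*_dbus_chat()` interfaces) is normally needed as well, so if BZ(1478735) reports a denial against a particular service this hunk alone may not clear it. If bus-client access by itself is sufficient, a comment naming the consumer, e.g. `# system bus client access for <service> (BZ 1478735)`, would document that. The surrounding optional_policy region continues outside the hunk.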
@@ -102605,7 +102650,7 @@ index 12700b413..debacc88b 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -172,6 +183,11 @@ optional_policy(`
+@@ -172,6 +187,11 @@ optional_policy(`
')
optional_policy(`
@@ -102617,7 +102662,7 @@ index 12700b413..debacc88b 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +209,10 @@ optional_policy(`
+@@ -193,6 +213,10 @@ optional_policy(`
')
optional_policy(`
@@ -102628,7 +102673,7 @@ index 12700b413..debacc88b 100644
udev_read_db(sendmail_t)
')
-@@ -206,8 +226,6 @@ optional_policy(`
+@@ -206,8 +230,6 @@ optional_policy(`
#
optional_policy(`
@@ -104096,7 +104141,7 @@ index e0644b5cf..ea347ccd5 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 9cf6582d2..d0be162c8 100644
+index 9cf6582d2..97d1e6d7c 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
@@ -104108,7 +104153,7 @@ index 9cf6582d2..d0be162c8 100644
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
-@@ -58,23 +58,31 @@ kernel_read_network_state(fsdaemon_t)
+@@ -58,23 +58,32 @@ kernel_read_network_state(fsdaemon_t)
kernel_read_software_raid_state(fsdaemon_t)
kernel_read_system_state(fsdaemon_t)
@@ -104123,6 +104168,7 @@ index 9cf6582d2..d0be162c8 100644
+
dev_read_sysfs(fsdaemon_t)
dev_read_urand(fsdaemon_t)
++dev_read_nvme(fsdaemon_t)
domain_use_interactive_fds(fsdaemon_t)
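Review bot: `dev_read_nvme(fsdaemon_t)` is appended after `dev_read_urand`, breaking the alphabetical order the `dev_*` calls in this block otherwise keep (`dev_read_sysfs`, `dev_read_urand`); place it as `dev_read_nvme(fsdaemon_t)` ahead of `dev_read_sysfs`. The fsdaemon_t block continues outside the hunk.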
@@ -104142,7 +104188,7 @@ index 9cf6582d2..d0be162c8 100644
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
-@@ -83,7 +91,9 @@ storage_write_scsi_generic(fsdaemon_t)
+@@ -83,7 +92,9 @@ storage_write_scsi_generic(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
@@ -104153,7 +104199,7 @@ index 9cf6582d2..d0be162c8 100644
init_read_utmp(fsdaemon_t)
-@@ -92,12 +102,13 @@ libs_exec_lib_files(fsdaemon_t)
+@@ -92,12 +103,14 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t)
@@ -104164,11 +104210,12 @@ index 9cf6582d2..d0be162c8 100644
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
++userdom_dontaudit_manage_admin_dir(fsdaemon_t)
+userdom_use_user_terminals(fsdaemon_t)
tunable_policy(`smartmon_3ware',`
allow fsdaemon_t self:process setfscreate;
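Review bot: `userdom_dontaudit_manage_admin_dir(fsdaemon_t)` silences create/write/unlink attempts by a hardware-monitoring daemon in administrator home directories without the policy saying why they occur; a dontaudit is appropriate only if the attempts are a harmless side effect, and that should be recorded next to the rule, e.g. `# smartd touches the invoking admin's home dir; benign, suppress the noise`. The changelog line for this change reads `BZ(153030)`, six digits where the neighbouring references have seven, so the reference is probably truncated. The fsdaemon_t block continues outside the hunk.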
-@@ -116,9 +127,9 @@ optional_policy(`
+@@ -116,9 +129,9 @@ optional_policy(`
')
optional_policy(`
@@ -112077,10 +112124,10 @@ index 000000000..d371f62f6
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 000000000..6c04973ea
+index 000000000..a82cab79b
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,176 @@
+@@ -0,0 +1,177 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -112169,6 +112216,7 @@ index 000000000..6c04973ea
+domain_dontaudit_read_all_domains_state(thumb_t)
+
+files_read_non_security_files(thumb_t)
++files_map_non_security_files(thumb_t)
+
+fs_getattr_all_fs(thumb_t)
+fs_read_dos_files(thumb_t)
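Review bot: `files_map_non_security_files(thumb_t)` lets the thumbnailer mmap every non-security file, the same breadth as the `files_read_non_security_files(thumb_t)` directly above it; since thumbnailers typically process untrusted media, a comment recording why read alone was insufficient and that `map` carries no `execute`, e.g. `# media libraries mmap their input; map only, no execute (BZ 1517393)`, would keep a later reviewer from treating it as an over-grant. The interface is new in this release according to the changelog, so the contrib and base patches must be applied together. The thumb_t block continues outside the hunk.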
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f49a3e..68e0e8d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 308%{?dist}
+Release: 309%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,27 @@ exit 0
%endif
%changelog
+* Fri Jan 05 2018 Lukas Vrabec - 3.13.1-309
+- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
+- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
+- Allow certmonger domain to create temp files BZ(1530795)
+- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
+- Allow fsdaemon_t to read nvme devices BZ(1530018)
+- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
+- Update munin plugin policy BZ(1528471)
+- Allow sendmail_t domain to be system dbusd client BZ(1478735)
+- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
+- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
+- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
+- Allow thumb_t to mmap non security files BZ(1517393)
+- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
+- Fix broken sysnet_filetrans_named_content() interface
+- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
+- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
+- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
+- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
+- Add interface files_map_non_security_files()
+
* Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308
- Make working SELinux sandbox with Wayland. BZ(1474082)
- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)