diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6adc2cb..af6ad9b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8473,7 +8473,7 @@ index 6a1e4d1..57cc8d1 100644 + allow $1 domain:process transition; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..bcaf613 100644 +index cf04cb5..2b917b5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8610,7 +8610,7 @@ index cf04cb5..bcaf613 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8887,6 +8887,7 @@ index cf04cb5..bcaf613 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` ++ rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) @@ -20222,7 +20223,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..3448145 100644 +index 5fc0391..2d08ed2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20235,15 +20236,15 @@ index 5fc0391..3448145 100644 +##

+## allow host key based authentication +##

- ## --gen_tunable(allow_ssh_keysign, false) ++## +gen_tunable(ssh_keysign, false) + +## +##

+## Allow ssh logins as sysadm_r:sysadm_t +##

-+## + ## +-gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_sysadm_login, false) ## @@ -20379,8 +20380,12 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t) +@@ -154,40 +175,46 @@ files_read_var_files(ssh_t) + logging_send_syslog_msg(ssh_t) + logging_read_generic_logs(ssh_t) ++term_use_ptmx(ssh_t) ++ auth_use_nsswitch(ssh_t) -miscfiles_read_localization(ssh_t) @@ -20441,7 +20446,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -195,6 +220,7 @@ optional_policy(` +@@ -195,6 +222,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20449,7 +20454,7 @@ index 5fc0391..3448145 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20457,7 +20462,7 @@ index 5fc0391..3448145 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +250,54 @@ optional_policy(` +@@ -223,33 +252,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20521,7 +20526,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -257,11 +305,24 @@ optional_policy(` +@@ -257,11 +307,28 @@ optional_policy(` ') optional_policy(` @@ -20543,11 +20548,15 @@ index 5fc0391..3448145 100644 optional_policy(` - kerberos_keytab_template(sshd, sshd_t) ++ lvm_domtrans(sshd_t) ++') ++ ++optional_policy(` + nx_read_home_files(sshd_t) ') optional_policy(` -@@ -269,6 +330,10 @@ optional_policy(` +@@ -269,6 +336,10 @@ optional_policy(` ') optional_policy(` @@ -20558,7 +20567,7 @@ index 5fc0391..3448145 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +344,69 @@ optional_policy(` +@@ -279,13 +350,69 @@ optional_policy(` ') optional_policy(` @@ -20628,7 +20637,7 @@ index 5fc0391..3448145 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +415,26 @@ optional_policy(` +@@ -294,19 +421,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20656,7 +20665,7 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20669,7 +20678,7 @@ index 5fc0391..3448145 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +465,138 @@ optional_policy(` +@@ -331,3 +471,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -20966,7 +20975,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..ba9536c 100644 +index 6bf0ecc..307cefc 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21919,7 +21928,7 @@ index 6bf0ecc..ba9536c 100644 ') ######################################## -@@ -1284,10 +1654,622 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -22419,6 +22428,7 @@ index 6bf0ecc..ba9536c 100644 + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") @@ -22545,7 +22555,7 @@ index 6bf0ecc..ba9536c 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..027e384 100644 +index 2696452..0c869cb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22796,7 +22806,7 @@ index 2696452..027e384 100644 ') ######################################## -@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -22859,6 +22869,12 @@ index 2696452..027e384 100644 +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") xserver_rw_xdm_tmp_files(xauth_t) @@ -22891,7 +22907,7 @@ index 2696452..027e384 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,109 @@ optional_policy(` +@@ -299,64 +414,109 @@ optional_policy(` # XDM Local policy # @@ -23011,7 +23027,7 @@ index 2696452..027e384 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +519,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -23043,7 +23059,7 @@ index 2696452..027e384 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +551,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +557,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23096,7 +23112,7 @@ index 2696452..027e384 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +603,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +609,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23125,7 +23141,7 @@ index 2696452..027e384 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +633,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +639,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23174,7 +23190,7 @@ index 2696452..027e384 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +680,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +686,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23325,7 +23341,7 @@ index 2696452..027e384 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +831,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +837,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23352,7 +23368,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -514,12 +858,56 @@ optional_policy(` +@@ -514,12 +864,56 @@ optional_policy(` ') optional_policy(` @@ -23409,7 +23425,7 @@ index 2696452..027e384 100644 hostname_exec(xdm_t) ') -@@ -537,28 +925,78 @@ optional_policy(` +@@ -537,28 +931,78 @@ optional_policy(` ') optional_policy(` @@ -23497,7 +23513,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -570,6 +1008,14 @@ optional_policy(` +@@ -570,6 +1014,14 @@ optional_policy(` ') optional_policy(` @@ -23512,7 +23528,7 @@ index 2696452..027e384 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1040,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1046,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23525,7 +23541,7 @@ index 2696452..027e384 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1057,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1063,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23541,7 +23557,7 @@ index 2696452..027e384 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1073,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1079,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23552,7 +23568,7 @@ index 2696452..027e384 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1088,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1094,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23574,7 +23590,7 @@ index 2696452..027e384 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1108,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1114,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23588,7 +23604,7 @@ index 2696452..027e384 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1134,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1140,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23620,7 +23636,7 @@ index 2696452..027e384 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1166,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1172,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23638,7 +23654,7 @@ index 2696452..027e384 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1189,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1195,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23662,7 +23678,7 @@ index 2696452..027e384 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1208,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1214,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23671,7 +23687,7 @@ index 2696452..027e384 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1252,44 @@ optional_policy(` +@@ -775,16 +1258,44 @@ optional_policy(` ') optional_policy(` @@ -23717,7 +23733,7 @@ index 2696452..027e384 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1298,10 @@ optional_policy(` +@@ -793,6 +1304,10 @@ optional_policy(` ') optional_policy(` @@ -23728,7 +23744,7 @@ index 2696452..027e384 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1317,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1323,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23742,7 +23758,7 @@ index 2696452..027e384 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1328,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1334,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23751,7 +23767,7 @@ index 2696452..027e384 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1341,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1347,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23786,7 +23802,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -902,7 +1406,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1412,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23795,7 +23811,7 @@ index 2696452..027e384 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1460,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1466,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23827,7 +23843,7 @@ index 2696452..027e384 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1506,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1512,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -28832,7 +28848,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..a0ba260 100644 +index 9e54bf9..323d9ec 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28944,7 +28960,7 @@ index 9e54bf9..a0ba260 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -210,10 +223,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) @@ -28952,6 +28968,11 @@ index 9e54bf9..a0ba260 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) + + # _realsetup needs to be able to cat /var/run/pluto.pid, + # run ps on that pid, and delete the file @@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -30664,7 +30685,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..692b00d 100644 +index 39ea221..aae7b7d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30880,7 +30901,7 @@ index 39ea221..692b00d 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -30910,12 +30931,15 @@ index 39ea221..692b00d 100644 +ifdef(`hide_broken_symptoms',` + kernel_rw_unix_dgram_sockets(syslogd_t) +') ++ ++corecmd_exec_bin(syslogd_t) ++corecmd_exec_shell(syslogd_t) -corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -30943,7 +30967,7 @@ index 39ea221..692b00d 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -30963,7 +30987,7 @@ index 39ea221..692b00d 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +532,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +535,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -30977,7 +31001,7 @@ index 39ea221..692b00d 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +572,36 @@ optional_policy(` +@@ -502,15 +575,40 @@ optional_policy(` ') optional_policy(` @@ -31004,6 +31028,10 @@ index 39ea221..692b00d 100644 ') optional_policy(` ++ psad_search_lib_files(syslogd_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) + snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) @@ -31014,7 +31042,7 @@ index 39ea221..692b00d 100644 ') optional_policy(` -@@ -521,3 +612,26 @@ optional_policy(` +@@ -521,3 +619,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -31042,10 +31070,10 @@ index 39ea221..692b00d 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..7daaff3 100644 +index 879bb1e..5aa4eeb 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc -@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` +@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) @@ -31062,6 +31090,7 @@ index 879bb1e..7daaff3 100644 # /sbin # +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31081,7 +31110,7 @@ index 879bb1e..7daaff3 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',` +@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',` # # /usr # @@ -31155,7 +31184,7 @@ index 879bb1e..7daaff3 100644 # # /var -@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',` +@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -32571,7 +32600,7 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..4e5bf09 100644 +index 6a50270..d941116 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) @@ -32656,7 +32685,7 @@ index 6a50270..4e5bf09 100644 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount") ++files_pid_filetrans(mount_t,mount_var_run_t,{ dir file }) +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) + @@ -34956,7 +34985,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..a5086e8 100644 +index b7686d5..7a9577f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -35183,7 +35212,7 @@ index b7686d5..a5086e8 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -35193,6 +35222,8 @@ index b7686d5..a5086e8 100644 +allow ifconfig_t self:netlink_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; ++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; ++ allow ifconfig_t self:tcp_socket { create ioctl }; +can_exec(ifconfig_t, ifconfig_exec_t) @@ -35205,7 +35236,7 @@ index b7686d5..a5086e8 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -35235,7 +35266,7 @@ index b7686d5..a5086e8 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -35263,7 +35294,7 @@ index b7686d5..a5086e8 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -35286,7 +35317,7 @@ index b7686d5..a5086e8 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -35300,7 +35331,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -339,7 +428,15 @@ optional_policy(` +@@ -339,7 +430,15 @@ optional_policy(` ') optional_policy(` @@ -35317,7 +35348,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -360,3 +457,13 @@ optional_policy(` +@@ -360,3 +459,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -38717,7 +38748,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..2bf0cab 100644 +index 3c5dba7..5dc956a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39279,7 +39310,7 @@ index 3c5dba7..2bf0cab 100644 ############################## # -@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +632,52 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -39302,6 +39333,7 @@ index 3c5dba7..2bf0cab 100644 - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) ++ kernel_stream_connect($1_usertype) - corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) @@ -39354,7 +39386,7 @@ index 3c5dba7..2bf0cab 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +688,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -39513,7 +39545,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +811,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -39542,7 +39574,7 @@ index 3c5dba7..2bf0cab 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -39551,7 +39583,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39564,7 +39596,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +860,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39611,7 +39643,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +913,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -39649,7 +39681,7 @@ index 3c5dba7..2bf0cab 100644 userdom_change_password_template($1) -@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +947,99 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -39785,7 +39817,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -39798,7 +39830,7 @@ index 3c5dba7..2bf0cab 100644 ############################## # # Local policy -@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -39909,7 +39941,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -39940,7 +39972,7 @@ index 3c5dba7..2bf0cab 100644 ') ####################################### -@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -39978,7 +40010,7 @@ index 3c5dba7..2bf0cab 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40049,7 +40081,7 @@ index 3c5dba7..2bf0cab 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40060,7 +40092,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40069,7 +40101,7 @@ index 3c5dba7..2bf0cab 100644 ') ############################## -@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40077,7 +40109,7 @@ index 3c5dba7..2bf0cab 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40087,7 +40119,7 @@ index 3c5dba7..2bf0cab 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40095,7 +40127,7 @@ index 3c5dba7..2bf0cab 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40110,7 +40142,7 @@ index 3c5dba7..2bf0cab 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40153,7 +40185,7 @@ index 3c5dba7..2bf0cab 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40162,7 +40194,7 @@ index 3c5dba7..2bf0cab 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40181,7 +40213,7 @@ index 3c5dba7..2bf0cab 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40190,7 +40222,7 @@ index 3c5dba7..2bf0cab 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40202,7 +40234,7 @@ index 3c5dba7..2bf0cab 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40245,7 +40277,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40264,7 +40296,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40316,7 +40348,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40348,7 +40380,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40363,7 +40395,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40375,7 +40407,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40418,7 +40450,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40427,7 +40459,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40442,7 +40474,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40469,7 +40501,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1782,53 +2274,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2275,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -40552,7 +40584,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2357,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40578,7 +40610,7 @@ index 3c5dba7..2bf0cab 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2406,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40616,7 +40648,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2446,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40634,7 +40666,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1941,7 +2494,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40661,7 +40693,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1951,17 +2522,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40682,7 +40714,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1969,12 +2538,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -40733,7 +40765,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2010,8 +2615,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40743,7 +40775,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2027,21 +2631,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,21 +2632,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40769,7 +40801,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Do not audit attempts to execute user home files. -@@ -2123,7 +2721,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40778,7 +40810,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2131,19 +2729,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -40802,7 +40834,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2151,12 +2747,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -40818,7 +40850,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2393,11 +2989,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40833,7 +40865,7 @@ index 3c5dba7..2bf0cab 100644 files_search_tmp($1) ') -@@ -2417,7 +3013,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -40842,7 +40874,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2664,6 +3260,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40868,7 +40900,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3295,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -40884,7 +40916,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2707,7 +3323,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40893,7 +40925,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2715,14 +3331,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -40928,7 +40960,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2817,6 +3449,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -40953,7 +40985,7 @@ index 3c5dba7..2bf0cab 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3485,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40996,7 +41028,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2859,14 +3521,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41034,7 +41066,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2885,8 +3566,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41064,7 +41096,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2958,69 +3658,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41165,7 +41197,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3028,12 +3727,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41180,7 +41212,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3097,7 +3796,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41189,7 +41221,7 @@ index 3c5dba7..2bf0cab 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3812,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41223,7 +41255,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3217,7 +3900,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41250,7 +41282,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3272,7 +3973,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41316,7 +41348,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3290,7 +4048,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41325,7 +41357,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3309,6 +4067,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41333,7 +41365,7 @@ index 3c5dba7..2bf0cab 100644 kernel_search_proc($1) ') -@@ -3385,6 +4144,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41376,7 +41408,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4200,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41385,7 +41417,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3413,17 +4208,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',` ## ## # @@ -41406,7 +41438,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3431,11 +4226,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',` ## ## # diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e9e4180..eb18323 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3240,7 +3240,7 @@ index 550a69e..53e5708 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..c5be77c 100644 +index 83e899c..fac6fe5 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3256,7 +3256,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -13,118 +13,100 @@ +@@ -13,118 +13,101 @@ # template(`apache_content_template',` gen_require(` @@ -3411,6 +3411,7 @@ index 83e899c..c5be77c 100644 - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) ++ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; ') ') @@ -3421,7 +3422,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -133,47 +115,61 @@ template(`apache_content_template',` +@@ -133,47 +116,61 @@ template(`apache_content_template',` ## ## ## @@ -3512,7 +3513,7 @@ index 83e899c..c5be77c 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +180,7 @@ interface(`apache_role',` +@@ -184,7 +181,7 @@ interface(`apache_role',` ######################################## ## @@ -3521,7 +3522,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -3530,7 +3531,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -224,7 +220,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3539,7 +3540,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -241,27 +237,47 @@ interface(`apache_domtrans',` +@@ -241,27 +238,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3594,7 +3595,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -279,7 +295,7 @@ interface(`apache_signal',` +@@ -279,7 +296,7 @@ interface(`apache_signal',` ######################################## ## @@ -3603,7 +3604,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -297,7 +313,7 @@ interface(`apache_signull',` +@@ -297,7 +314,7 @@ interface(`apache_signull',` ######################################## ## @@ -3612,7 +3613,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -315,8 +331,7 @@ interface(`apache_sigchld',` +@@ -315,8 +332,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3622,7 +3623,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -334,8 +349,8 @@ interface(`apache_use_fds',` +@@ -334,8 +350,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3633,7 +3634,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3650,7 +3651,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3661,7 +3662,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -3671,7 +3672,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -3681,7 +3682,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -3691,7 +3692,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -453,7 +469,8 @@ interface(`apache_list_cache',` +@@ -453,7 +470,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -3701,7 +3702,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -3711,7 +3712,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -3721,7 +3722,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -3784,7 +3785,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -570,8 +591,8 @@ interface(`apache_manage_config',` +@@ -570,8 +592,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -3795,7 +3796,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -3837,7 +3838,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -639,7 +682,8 @@ interface(`apache_read_log',` +@@ -639,7 +683,8 @@ interface(`apache_read_log',` ######################################## ## @@ -3847,7 +3848,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -657,10 +701,29 @@ interface(`apache_append_log',` +@@ -657,10 +702,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3879,7 +3880,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -3890,7 +3891,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -698,47 +761,49 @@ interface(`apache_manage_log',` +@@ -698,47 +762,49 @@ interface(`apache_manage_log',` read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3953,7 +3954,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -752,11 +817,13 @@ interface(`apache_list_modules',` +@@ -752,11 +818,13 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -3968,7 +3969,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -776,46 +843,63 @@ interface(`apache_exec_modules',` +@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` ######################################## ## @@ -4049,7 +4050,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4066,7 +4067,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4074,7 +4075,7 @@ index 83e899c..c5be77c 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4181,7 +4182,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4200,7 +4201,7 @@ index 83e899c..c5be77c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4212,7 +4213,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4221,7 +4222,7 @@ index 83e899c..c5be77c 100644 ## to the specified role. ## ## -@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4229,7 +4230,7 @@ index 83e899c..c5be77c 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4239,7 +4240,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4255,7 +4256,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4264,7 +4265,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4279,7 +4280,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4288,7 +4289,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4298,7 +4299,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` @@ -4324,7 +4325,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4334,7 +4335,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4366,7 +4367,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4375,7 +4376,7 @@ index 83e899c..c5be77c 100644 ') ######################################## -@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4385,7 +4386,7 @@ index 83e899c..c5be77c 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4418,7 +4419,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4447,7 +4448,7 @@ index 83e899c..c5be77c 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1418,10 @@ interface(`apache_admin',` +@@ -1204,10 +1419,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4461,7 +4462,7 @@ index 83e899c..c5be77c 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1432,129 @@ interface(`apache_admin',` +@@ -1218,9 +1433,129 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -7156,6 +7157,19 @@ index 3590e2f..e1494bd 100644 ') optional_policy(` +diff --git a/apt.if b/apt.if +index e2414c4..970736b 100644 +--- a/apt.if ++++ b/apt.if +@@ -152,7 +152,7 @@ interface(`apt_read_cache',` + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; +- dontaudit $1 apt_var_cache_t:dir write_dir_perms; ++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms; + allow $1 apt_var_cache_t:file read_file_perms; + ') + diff --git a/apt.te b/apt.te index e2d8d52..d82403c 100644 --- a/apt.te @@ -7380,7 +7394,7 @@ index 7268a04..6ffd87d 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 5439f1c..0be374d 100644 +index 5439f1c..74c24a3 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; @@ -7402,7 +7416,7 @@ index 5439f1c..0be374d 100644 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) @@ -8357,7 +8371,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..d4fb2a4 100644 +index 076ffee..1672ca4 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8390,7 +8404,18 @@ index 076ffee..d4fb2a4 100644 allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; -@@ -110,7 +114,6 @@ kernel_read_network_state(named_t) +@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) + + can_exec(named_t, named_exec_t) + +-append_files_pattern(named_t, named_log_t, named_log_t) +-create_files_pattern(named_t, named_log_t, named_log_t) +-setattr_files_pattern(named_t, named_log_t, named_log_t) ++manage_files_pattern(named_t, named_log_t, named_log_t) + logging_log_filetrans(named_t, named_log_t, file) + + manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) @@ -8398,7 +8423,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) @@ -8406,7 +8431,7 @@ index 076ffee..d4fb2a4 100644 domain_use_interactive_fds(named_t) -@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -8422,7 +8447,7 @@ index 076ffee..d4fb2a4 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +196,7 @@ optional_policy(` +@@ -183,6 +194,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -8430,7 +8455,7 @@ index 076ffee..d4fb2a4 100644 ') optional_policy(` -@@ -209,7 +223,8 @@ optional_policy(` +@@ -209,7 +221,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -8440,7 +8465,7 @@ index 076ffee..d4fb2a4 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -8452,7 +8477,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -8648,10 +8673,10 @@ index bc5c984..63a4b1d 100644 + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f3..63e4860 100644 +index 2b9c7f3..0086b95 100644 --- a/bluetooth.fc +++ b/bluetooth.fc -@@ -5,10 +5,13 @@ +@@ -5,10 +5,14 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) @@ -8662,6 +8687,7 @@ index 2b9c7f3..63e4860 100644 /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -8782,7 +8808,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..9c48d18 100644 +index 6f09d24..b1ec892 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) @@ -8795,7 +8821,17 @@ index 6f09d24..9c48d18 100644 ######################################## # # Local policy -@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) + + manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) + manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) ++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) ++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file }) + + manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) + manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) can_exec(bluetooth_t, bluetooth_helper_exec_t) @@ -8822,7 +8858,7 @@ index 6f09d24..9c48d18 100644 dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) -@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t) +@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -8830,7 +8866,7 @@ index 6f09d24..9c48d18 100644 fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t) +@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) @@ -8838,7 +8874,7 @@ index 6f09d24..9c48d18 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,8 +142,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) @@ -8851,7 +8887,7 @@ index 6f09d24..9c48d18 100644 optional_policy(` cups_dbus_chat(bluetooth_t) -@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -12419,7 +12455,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..b2709d1 100644 +index 6471fa8..dbb3f45 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) @@ -12437,16 +12473,17 @@ index 6471fa8..b2709d1 100644 ######################################## # # Local policy -@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow collectd_t self:udp_socket create_socket_perms; ++allow collectd_t self:rawip_socket create_socket_perms; manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) @@ -12479,7 +12516,7 @@ index 6471fa8..b2709d1 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -19055,6 +19092,19 @@ index 2c2e7e1..493ab48 100644 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; +diff --git a/dcc.fc b/dcc.fc +index 62d3c4e..cef59a7 100644 +--- a/dcc.fc ++++ b/dcc.fc +@@ -10,6 +10,8 @@ + /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) + /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) + ++/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) ++ + /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) + /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) + /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) diff --git a/dcc.if b/dcc.if index a5c21e0..4639421 100644 --- a/dcc.if @@ -19068,7 +19118,7 @@ index a5c21e0..4639421 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 15d908f..147dd14 100644 +index 15d908f..cecb0da 100644 --- a/dcc.te +++ b/dcc.te @@ -45,7 +45,7 @@ type dcc_var_t; @@ -19102,7 +19152,16 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid }; + + allow dcc_client_t dcc_client_map_t:file rw_file_perms; + ++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t) ++ + manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) +@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_client_t) @@ -19115,7 +19174,7 @@ index 15d908f..147dd14 100644 files_read_etc_runtime_files(dcc_client_t) fs_getattr_all_fs(dcc_client_t) -@@ -131,12 +140,10 @@ auth_use_nsswitch(dcc_client_t) +@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t) logging_send_syslog_msg(dcc_client_t) @@ -19130,7 +19189,7 @@ index 15d908f..147dd14 100644 ') optional_policy(` -@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_dbclean_t) @@ -19152,7 +19211,7 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) +@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) @@ -19160,7 +19219,7 @@ index 15d908f..147dd14 100644 corenet_all_recvfrom_netlabel(dccd_t) corenet_udp_sendrecv_generic_if(dccd_t) corenet_udp_sendrecv_generic_node(dccd_t) -@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t) +@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t) logging_send_syslog_msg(dccd_t) @@ -19169,7 +19228,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccd_t) userdom_dontaudit_search_user_home_dirs(dccd_t) -@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) +@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) kernel_read_system_state(dccifd_t) kernel_read_kernel_sysctls(dccifd_t) @@ -19181,7 +19240,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccifd_t) domain_use_interactive_fds(dccifd_t) -@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t) +@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t) logging_send_syslog_msg(dccifd_t) @@ -19190,7 +19249,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccifd_t) userdom_dontaudit_search_user_home_dirs(dccifd_t) -@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) +@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) kernel_read_system_state(dccm_t) kernel_read_kernel_sysctls(dccm_t) @@ -19202,7 +19261,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccm_t) domain_use_interactive_fds(dccm_t) -@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t) +@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t) logging_send_syslog_msg(dccm_t) @@ -22992,7 +23051,7 @@ index 6041113..ef3b449 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 19325ce..5957aad 100644 +index 19325ce..b5c157f 100644 --- a/exim.te +++ b/exim.te @@ -49,7 +49,7 @@ type exim_log_t; @@ -23049,7 +23108,18 @@ index 19325ce..5957aad 100644 ') optional_policy(` -@@ -218,6 +216,7 @@ optional_policy(` +@@ -192,8 +190,9 @@ optional_policy(` + ') + + optional_policy(` +- mailman_read_data_files(exim_t) ++ mailman_manage_data_files(exim_t) + mailman_domtrans(exim_t) ++ mailman_read_log(exim_t) + ') + + optional_policy(` +@@ -218,6 +217,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -24146,7 +24216,7 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..fcb022d 100644 +index c81b6e8..34e1f1c 100644 --- a/fprintd.te +++ b/fprintd.te @@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) @@ -24157,8 +24227,11 @@ index c81b6e8..fcb022d 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t) +@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) + + dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) ++dev_read_urand(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) -files_read_usr_files(fprintd_t) @@ -24172,7 +24245,7 @@ index c81b6e8..fcb022d 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +51,13 @@ optional_policy(` +@@ -54,8 +52,13 @@ optional_policy(` ') ') @@ -24901,7 +24974,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..79bc951 100644 +index e0a4f46..95cf77c 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -24935,7 +25008,7 @@ index e0a4f46..79bc951 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -24954,6 +25027,7 @@ index e0a4f46..79bc951 100644 corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) ++dev_read_sysfs(glance_domain) -files_read_etc_files(glance_domain) -files_read_usr_files(glance_domain) @@ -24966,7 +25040,7 @@ index e0a4f46..79bc951 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -24981,7 +25055,7 @@ index e0a4f46..79bc951 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -29772,7 +29846,7 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..6f5dbdf 100644 +index a0bfbd0..47f7c75 100644 --- a/iodine.if +++ b/iodine.if @@ -2,6 +2,30 @@ @@ -29794,7 +29868,7 @@ index a0bfbd0..6f5dbdf 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 iodined_unit_file_t:file read_file_perms; + allow $1 iodined_unit_file_t:service manage_service_perms; + @@ -35940,7 +36014,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..3229e0f 100644 +index 8eaf51b..a057913 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) @@ -35985,7 +36059,7 @@ index 8eaf51b..3229e0f 100644 ######################################## # # CGI local policy -@@ -115,8 +112,9 @@ optional_policy(` +@@ -115,20 +112,23 @@ optional_policy(` # Mail local policy # @@ -35997,7 +36071,12 @@ index 8eaf51b..3229e0f 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) + files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) + ++can_exec(mailman_mail_t, mailman_mail_exec_t) ++ + corenet_sendrecv_innd_client_packets(mailman_mail_t) + corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) @@ -36007,7 +36086,7 @@ index 8eaf51b..3229e0f 100644 dev_read_urand(mailman_mail_t) -@@ -142,6 +140,10 @@ optional_policy(` +@@ -142,6 +142,10 @@ optional_policy(` ') optional_policy(` @@ -36018,7 +36097,7 @@ index 8eaf51b..3229e0f 100644 cron_read_pipes(mailman_mail_t) ') -@@ -182,3 +184,9 @@ optional_policy(` +@@ -182,3 +186,9 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) ') @@ -39137,7 +39216,7 @@ index 6194b80..3209b1c 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..2288b0e 100644 +index 6a306ee..2108bc7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -39581,7 +39660,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -300,221 +324,183 @@ optional_policy(` +@@ -300,221 +324,184 @@ optional_policy(` ######################################## # @@ -39849,6 +39928,7 @@ index 6a306ee..2288b0e 100644 +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_ptmx(mozilla_plugin_t) ++term_dontaudit_use_ptmx(mozilla_plugin_t) +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) +userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -39904,7 +39984,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -523,36 +509,44 @@ optional_policy(` +@@ -523,36 +510,44 @@ optional_policy(` ') optional_policy(` @@ -39919,13 +39999,6 @@ index 6a306ee..2288b0e 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` @@ -39933,6 +40006,13 @@ index 6a306ee..2288b0e 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -39962,7 +40042,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -560,7 +554,7 @@ optional_policy(` +@@ -560,7 +555,7 @@ optional_policy(` ') optional_policy(` @@ -39971,7 +40051,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -568,108 +562,126 @@ optional_policy(` +@@ -568,108 +563,128 @@ optional_policy(` ') optional_policy(` @@ -40000,12 +40080,12 @@ index 6a306ee..2288b0e 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) @@ -40077,6 +40157,8 @@ index 6a306ee..2288b0e 100644 fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++term_dontaudit_use_ptmx(mozilla_plugin_config_t) auth_use_nsswitch(mozilla_plugin_config_t) @@ -46227,10 +46309,10 @@ index 0000000..02dc6dc +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..cf8f660 +index 0000000..28936b4 --- /dev/null +++ b/nova.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ +## openstack-nova + +###################################### @@ -46285,13 +46367,15 @@ index 0000000..cf8f660 + + kernel_read_system_state(nova_$1_t) + ++ logging_send_syslog_msg(nova_$1_t) ++ +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..fc9f771 +index 0000000..d5b54e5 --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,320 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -46305,6 +46389,7 @@ index 0000000..fc9f771 +# + +attribute nova_domain; ++attribute nova_sudo_domain; + +nova_domain_template(ajax) +nova_domain_template(api) @@ -46318,6 +46403,12 @@ index 0000000..fc9f771 +nova_domain_template(vncproxy) +nova_domain_template(volume) + ++typeattribute nova_api_t nova_sudo_domain; ++typeattribute nova_cert_t nova_sudo_domain; ++typeattribute nova_console_t nova_sudo_domain; ++typeattribute nova_network_t nova_sudo_domain; ++typeattribute nova_volume_t nova_sudo_domain; ++ +type nova_log_t; +logging_log_file(nova_log_t) + @@ -46349,6 +46440,8 @@ index 0000000..fc9f771 +corenet_tcp_connect_amqp_port(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) + ++kernel_read_network_state(nova_domain) ++ +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) @@ -46362,6 +46455,7 @@ index 0000000..fc9f771 + +optional_policy(` + sysnet_read_config(nova_domain) ++ sysnet_exec_ifconfig(nova_domain) +') + +###################################### @@ -46369,9 +46463,9 @@ index 0000000..fc9f771 +# nova ajax local policy +# + -+optional_policy(` -+ unconfined_domain(nova_ajax_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_ajax_t) ++#') + +####################################### +# @@ -46400,15 +46494,6 @@ index 0000000..fc9f771 + +miscfiles_read_certs(nova_api_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_api_t) -+ allow nova_api_t self:capability { setuid sys_resource setgid }; -+ allow nova_api_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_api_t) -+ ') -+') -+ +optional_policy(` + iptables_domtrans(nova_api_t) +') @@ -46417,9 +46502,9 @@ index 0000000..fc9f771 + ssh_exec_keygen(nova_api_t) +') + -+optional_policy(` -+ unconfined_domain(nova_api_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_api_t) ++#') + +###################################### +# @@ -46478,9 +46563,9 @@ index 0000000..fc9f771 +# nova direct local policy +# + -+optional_policy(` -+ unconfined_domain(nova_direct_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_direct_t) ++#') + +####################################### +# @@ -46520,15 +46605,6 @@ index 0000000..fc9f771 + +logging_send_syslog_msg(nova_network_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_network_t) -+ allow nova_network_t self:capability { setuid sys_resource setgid }; -+ allow nova_network_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_network_t) -+ ') -+') -+ +optional_policy(` + brctl_domtrans(nova_network_t) +') @@ -46539,16 +46615,16 @@ index 0000000..fc9f771 +') + +optional_policy(` -+ iptables_domtrans(nova_network_t) ++ iptables_domtrans(nova_network_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(nova_network_t) +') + -+optional_policy(` -+ unconfined_domain(nova_network_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_network_t) ++#') + +####################################### +# @@ -46572,18 +46648,18 @@ index 0000000..fc9f771 +allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; +allow nova_scheduler_t self:udp_socket create_socket_perms; + -+optional_policy(` -+ unconfined_domain(nova_scheduler_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_scheduler_t) ++#') + +####################################### +# +# nova vncproxy local policy +# + -+optional_policy(` -+ unconfined_domain(nova_vncproxy_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_vncproxy_t) ++#') + +####################################### +# @@ -46602,22 +46678,22 @@ index 0000000..fc9f771 + lvm_domtrans(nova_volume_t) +') + -+ifdef(`hide_broken_symptoms',` -+ require { -+ type sudo_exec_t; -+ } -+ -+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans }; -+ -+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write }; -+ allow nova_volume_t self:process { setsched setrlimit }; -+ -+ logging_send_audit_msgs(nova_volume_t) ++#optional_policy(` ++# unconfined_domain(nova_volume_t) ++#') + -+') ++####################################### ++# ++# nova sudo domain local policy ++# + -+optional_policy(` -+ unconfined_domain(nova_volume_t) ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_sudo_domain) ++ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write }; ++ allow nova_sudo_domain self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_sudo_domain) ++ ') +') + diff --git a/nscd.fc b/nscd.fc @@ -51534,7 +51610,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..8a6fbc2 100644 +index 3270ff9..60a7af6 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -51551,7 +51627,22 @@ index 3270ff9..8a6fbc2 100644 ##

## Determine whether openvpn can ## read generic user home content files. -@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t) +@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3) + ## + gen_tunable(openvpn_enable_homedirs, false) + ++## ++##

++## Determine whether openvpn can ++## connect to the TCP network. ++##

++## ++gen_tunable(openvpn_can_network_connect, false) ++ + attribute_role openvpn_roles; + + type openvpn_t; +@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51570,7 +51661,7 @@ index 3270ff9..8a6fbc2 100644 type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) -@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t) +@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51579,7 +51670,7 @@ index 3270ff9..8a6fbc2 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -51592,7 +51683,7 @@ index 3270ff9..8a6fbc2 100644 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -51600,8 +51691,11 @@ index 3270ff9..8a6fbc2 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) + corenet_sendrecv_http_server_packets(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) ++corenet_tcp_connect_squid_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) - @@ -51614,7 +51708,7 @@ index 3270ff9..8a6fbc2 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51642,7 +51736,18 @@ index 3270ff9..8a6fbc2 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +180,27 @@ optional_policy(` +@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) + ') + ++tunable_policy(`openvpn_can_network_connect',` ++ corenet_tcp_connect_all_ports(openvpn_t) ++') ++ + optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) + ') +@@ -155,3 +193,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -53116,7 +53221,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..ca01f2f 100644 +index 7bcf327..c850b64 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -53140,7 +53245,7 @@ index 7bcf327..ca01f2f 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,237 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,238 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -53173,8 +53278,8 @@ index 7bcf327..ca01f2f 100644 +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; +allow pegasus_openlmi_domain self:udp_socket create_socket_perms; + -+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) + +corecmd_exec_bin(pegasus_openlmi_domain) +corecmd_exec_shell(pegasus_openlmi_domain) @@ -53309,6 +53414,7 @@ index 7bcf327..ca01f2f 100644 +# pegasus openlmi storage local policy +# + ++allow pegasus_openlmi_storage_t self:capability sys_admin; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) @@ -53383,7 +53489,7 @@ index 7bcf327..ca01f2f 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +270,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +271,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -53414,7 +53520,7 @@ index 7bcf327..ca01f2f 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +296,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +297,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -53447,7 +53553,7 @@ index 7bcf327..ca01f2f 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +324,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +325,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -53455,7 +53561,7 @@ index 7bcf327..ca01f2f 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +339,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +340,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -53487,7 +53593,7 @@ index 7bcf327..ca01f2f 100644 ') optional_policy(` -@@ -151,16 +369,24 @@ optional_policy(` +@@ -151,16 +370,24 @@ optional_policy(` ') optional_policy(` @@ -53516,7 +53622,7 @@ index 7bcf327..ca01f2f 100644 ') optional_policy(` -@@ -168,7 +394,7 @@ optional_policy(` +@@ -168,7 +395,7 @@ optional_policy(` ') optional_policy(` @@ -56882,6 +56988,18 @@ index 316d53a..79b5c4f 100644 -miscfiles_read_localization(polipo_daemon) +userdom_home_manager(polipo_session_t) +diff --git a/portage.if b/portage.if +index 67e8c12..18b89d7 100644 +--- a/portage.if ++++ b/portage.if +@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; + type portage_tmpfs_t; ++ type portage_sandbox_t; + ') + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; diff --git a/portage.te b/portage.te index a95fc4a..b9b5418 100644 --- a/portage.te @@ -60114,7 +60232,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..6f22887 100644 +index c0f047a..e04bdd6 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ @@ -60287,7 +60405,7 @@ index c0f047a..6f22887 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +168,11 @@ optional_policy(` +@@ -184,23 +168,36 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) @@ -60300,7 +60418,11 @@ index c0f047a..6f22887 100644 auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +183,20 @@ optional_policy(` + init_telinit(prelink_cron_system_t) + init_exec(prelink_cron_system_t) ++ init_reload_services(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) logging_search_logs(prelink_cron_system_t) @@ -61006,7 +61128,7 @@ index 0000000..96a0d9f +/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..8867237 +index 0000000..f1e1209 --- /dev/null +++ b/prosody.if @@ -0,0 +1,239 @@ @@ -61144,7 +61266,7 @@ index 0000000..8867237 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 prosody_unit_file_t:file read_file_perms; + allow $1 prosody_unit_file_t:service manage_service_perms; + @@ -61331,7 +61453,7 @@ index 0000000..4f6badd + +miscfiles_read_localization(prosody_t) diff --git a/psad.if b/psad.if -index d4dcf78..59ab964 100644 +index d4dcf78..3cce82e 100644 --- a/psad.if +++ b/psad.if @@ -93,9 +93,8 @@ interface(`psad_manage_config',` @@ -61401,7 +61523,7 @@ index d4dcf78..59ab964 100644 ## Read and write psad fifo files. ## ## -@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',` +@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',` ####################################### ## @@ -61425,10 +61547,29 @@ index d4dcf78..59ab964 100644 + +####################################### +## ++## Allow search to psad lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_search_lib_files',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ## Read and write psad temporary files. ## ## -@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',` +@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; @@ -66060,7 +66201,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7054723 100644 +index 3698b51..8c4ba04 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -66118,7 +66259,7 @@ index 3698b51..7054723 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -66139,6 +66280,8 @@ index 3698b51..7054723 100644 +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) + ++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) ++ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) @@ -66165,7 +66308,7 @@ index 3698b51..7054723 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -66554,7 +66697,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..1e9ad6b 100644 +index 2c1730b..0bf7d02 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -66635,7 +66778,7 @@ index 2c1730b..1e9ad6b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -66653,10 +66796,11 @@ index 2c1730b..1e9ad6b 100644 -miscfiles_read_localization(mdadm_t) +systemd_exec_systemctl(mdadm_t) ++systemd_start_systemd_services(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +122,17 @@ optional_policy(` +@@ -97,9 +123,17 @@ optional_policy(` ') optional_policy(` @@ -72250,7 +72394,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..84f2fd7 100644 +index 0628d50..3031a82 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -72385,10 +72529,28 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',` ######################################## ## ++## Read and write an unnamed RPM script pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_rw_script_inherited_pipes',` ++ gen_require(` ++ type rpm_t; ++ ') ++ ++ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## +## dontaudit read and write an leaked file descriptors +## +## @@ -72428,7 +72590,7 @@ index 0628d50..84f2fd7 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from @@ -72437,7 +72599,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## @@ -72446,7 +72608,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -263,7 +304,8 @@ interface(`rpm_search_log',` +@@ -263,7 +322,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -72456,17 +72618,19 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -276,14 +318,30 @@ interface(`rpm_append_log',` +@@ -276,14 +336,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. +## +## @@ -72481,17 +72645,15 @@ index 0628d50..84f2fd7 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +360,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` ######################################## ## @@ -72500,7 +72662,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -72511,7 +72673,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -72528,7 +72690,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -72546,7 +72708,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -72562,7 +72724,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -72571,7 +72733,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -420,8 +482,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -72581,7 +72743,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -72590,7 +72752,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -459,11 +520,12 @@ interface(`rpm_read_db',` +@@ -459,11 +538,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -72604,7 +72766,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -482,8 +544,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -72614,7 +72776,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -503,8 +564,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -72644,7 +72806,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -72653,7 +72815,7 @@ index 0628d50..84f2fd7 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -72663,7 +72825,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -72673,7 +72835,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -72767,16 +72929,16 @@ index 0628d50..84f2fd7 100644 - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) -- ++ typeattribute $1 rpm_transition_domain; ++ allow $1 rpm_script_t:process transition; + - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, rpm_file_t) -+ typeattribute $1 rpm_transition_domain; -+ allow $1 rpm_script_t:process transition; - +- - files_list_var($1) - admin_pattern($1, rpm_cache_t) - @@ -81193,10 +81355,28 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..de313d7 100644 +index 703efa3..e3580b2 100644 --- a/sosreport.te +++ b/sosreport.te -@@ -70,7 +70,6 @@ files_list_all(sosreport_t) +@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull }; + allow sosreport_t self:fifo_file rw_fifo_file_perms; + allow sosreport_t self:tcp_socket { accept listen }; + allow sosreport_t self:unix_stream_socket { accept listen }; ++allow sosreport_t self:rawip_socket create_socket_perms; ++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t) + dev_read_urand(sosreport_t) + dev_read_raw_memory(sosreport_t) + dev_read_sysfs(sosreport_t) ++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) + + domain_getattr_all_domains(sosreport_t) + domain_read_all_domains_state(sosreport_t) +@@ -70,7 +74,6 @@ files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -81204,10 +81384,19 @@ index 703efa3..de313d7 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t) +@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t) + files_etc_filetrans_etc_runtime(sosreport_t, file) + + fs_getattr_all_fs(sosreport_t) ++fs_getattr_all_dirs(sosreport_t) + fs_list_inotifyfs(sosreport_t) + storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) ++term_getattr_pty_fs(sosreport_t) ++term_getattr_all_ptys(sosreport_t) ++ +# some config files do not have configfile attribute +# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) @@ -81215,7 +81404,10 @@ index 703efa3..de313d7 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t) ++init_getattr_initctl(sosreport_t) + + libs_domtrans_ldconfig(sosreport_t) + logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) @@ -81226,7 +81418,18 @@ index 703efa3..de313d7 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -111,6 +113,11 @@ optional_policy(` +@@ -103,6 +114,10 @@ optional_policy(` + ') + + optional_policy(` ++ brctl_domtrans(sosreport_t) ++') ++ ++optional_policy(` + cups_stream_connect(sosreport_t) + ') + +@@ -111,6 +126,11 @@ optional_policy(` ') optional_policy(` @@ -84006,10 +84209,10 @@ index 0000000..015c2c9 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..39f1ca1 +index 0000000..2d5942c --- /dev/null +++ b/swift.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,61 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -84035,7 +84238,10 @@ index 0000000..39f1ca1 +# swift local policy +# + ++allow swift_t self:process signal; ++ +allow swift_t self:fifo_file rw_fifo_file_perms; ++allow swift_t self:tcp_socket create_stream_socket_perms; +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + @@ -84051,6 +84257,7 @@ index 0000000..39f1ca1 + +kernel_dgram_send(swift_t) +kernel_read_system_state(swift_t) ++kernel_read_network_state(swift_t) + +corecmd_exec_shell(swift_t) + @@ -84058,11 +84265,15 @@ index 0000000..39f1ca1 + +domain_use_interactive_fds(swift_t) + ++files_dontaudit_search_home(swift_t) ++ +auth_use_nsswitch(swift_t) + +libs_exec_ldconfig(swift_t) + +logging_send_syslog_msg(swift_t) ++ ++userdom_dontaudit_search_user_home_dirs(swift_t) diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 @@ -84141,7 +84352,7 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index c8b80b2..f041061 100644 +index c8b80b2..c81d332 100644 --- a/sysstat.te +++ b/sysstat.te @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co @@ -84163,8 +84374,12 @@ index c8b80b2..f041061 100644 corecmd_exec_bin(sysstat_t) dev_read_sysfs(sysstat_t) -@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t) - fs_getattr_xattr_fs(sysstat_t) +@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t) + files_search_var(sysstat_t) + files_read_etc_runtime_files(sysstat_t) + +-fs_getattr_xattr_fs(sysstat_t) ++fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) +storage_getattr_fixed_disk_dev(sysstat_t) @@ -84481,7 +84696,7 @@ index c7de0cf..9813503 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..3d30062 100644 +index 42946bc..741f2f4 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ @@ -84561,7 +84776,7 @@ index 42946bc..3d30062 100644 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; -@@ -63,91 +62,79 @@ template(`telepathy_role_template',` +@@ -63,91 +62,84 @@ template(`telepathy_role_template',` type telepathy_mission_control_exec_t, telepathy_salut_exec_t; type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; @@ -84667,11 +84882,15 @@ index 42946bc..3d30062 100644 ## -## +## - ## Domain allowed access. - ## - ## - # --interface(`telepathy_gabble_dbus_chat',` ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`telepathy_gabble_stream_connect_to', ` + gen_require(` + type telepathy_gabble_t; @@ -84687,15 +84906,16 @@ index 42946bc..3d30062 100644 +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-interface(`telepathy_gabble_dbus_chat',` +interface(`telepathy_gabble_dbus_chat', ` gen_require(` type telepathy_gabble_t; class dbus send_msg; -@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',` +@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` ######################################## ## @@ -84708,7 +84928,7 @@ index 42946bc..3d30062 100644 ## Domain allowed access. ## ## -@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',` +@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` ') kernel_search_proc($1) @@ -84726,7 +84946,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',` +@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',` ## ## # @@ -84749,7 +84969,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',` ## ## # @@ -87915,7 +88135,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..285680c 100644 +index 8840be6..d2c7596 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; @@ -87935,7 +88155,15 @@ index 8840be6..285680c 100644 ######################################## # # Local policy -@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) +@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + allow usbmuxd_t self:capability { kill setgid setuid }; + allow usbmuxd_t self:process { signal signull }; + allow usbmuxd_t self:fifo_file rw_fifo_file_perms; ++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) @@ -89035,10 +89263,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..898ce74 100644 +index c30da4c..b81eaa0 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,87 @@ +@@ -1,52 +1,86 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -89091,7 +89319,6 @@ index c30da4c..898ce74 100644 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) @@ -89107,14 +89334,14 @@ index c30da4c..898ce74 100644 -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -- -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -90853,7 +91080,7 @@ index 9dec06c..bdba959 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..cd628f9 100644 +index 1f22fba..65dbdd3 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -92210,7 +92437,7 @@ index 1f22fba..cd628f9 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1037,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -92218,48 +92445,53 @@ index 1f22fba..cd628f9 100644 + selinux_mount_fs(virtd_lxc_t) selinux_unmount_fs(virtd_lxc_t) --selinux_get_enforce_mode(virtd_lxc_t) --selinux_get_fs_mount(virtd_lxc_t) --selinux_validate_context(virtd_lxc_t) --selinux_compute_access_vector(virtd_lxc_t) --selinux_compute_create_context(virtd_lxc_t) --selinux_compute_relabel_context(virtd_lxc_t) --selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) ++ ++term_use_generic_ptys(virtd_lxc_t) ++term_use_ptmx(virtd_lxc_t) ++term_relabel_pty_fs(virtd_lxc_t) ++ ++auth_use_nsswitch(virtd_lxc_t) ++ ++logging_send_syslog_msg(virtd_lxc_t) ++ ++seutil_domtrans_setfiles(virtd_lxc_t) ++seutil_read_default_contexts(virtd_lxc_t) ++ + selinux_get_enforce_mode(virtd_lxc_t) + selinux_get_fs_mount(virtd_lxc_t) + selinux_validate_context(virtd_lxc_t) +@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t) + selinux_compute_relabel_context(virtd_lxc_t) + selinux_compute_user_contexts(virtd_lxc_t) - term_use_generic_ptys(virtd_lxc_t) - term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1051,39 @@ auth_use_nsswitch(virtd_lxc_t) +-term_use_generic_ptys(virtd_lxc_t) +-term_use_ptmx(virtd_lxc_t) +-term_relabel_pty_fs(virtd_lxc_t) ++sysnet_exec_ifconfig(virtd_lxc_t) - logging_send_syslog_msg(virtd_lxc_t) +-auth_use_nsswitch(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) --miscfiles_read_localization(virtd_lxc_t) -- - seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) - seutil_read_default_contexts(virtd_lxc_t) +-logging_send_syslog_msg(virtd_lxc_t) ++optional_policy(` ++ dbus_system_bus_client(virtd_lxc_t) ++ init_dbus_chat(virtd_lxc_t) ++') --sysnet_domtrans_ifconfig(virtd_lxc_t) -+selinux_get_enforce_mode(virtd_lxc_t) -+selinux_get_fs_mount(virtd_lxc_t) -+selinux_validate_context(virtd_lxc_t) -+selinux_compute_access_vector(virtd_lxc_t) -+selinux_compute_create_context(virtd_lxc_t) -+selinux_compute_relabel_context(virtd_lxc_t) -+selinux_compute_user_contexts(virtd_lxc_t) -+ -+sysnet_exec_ifconfig(virtd_lxc_t) -+ -+userdom_read_admin_home_files(virtd_lxc_t) -+ +-miscfiles_read_localization(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -92273,11 +92505,11 @@ index 1f22fba..cd628f9 100644 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit }; ++allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1091,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -92304,7 +92536,7 @@ index 1f22fba..cd628f9 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1109,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -92324,7 +92556,7 @@ index 1f22fba..cd628f9 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1128,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -92351,11 +92583,12 @@ index 1f22fba..cd628f9 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1153,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -miscfiles_read_localization(svirt_lxc_domain) ++miscfiles_dontaudit_access_check_cert(svirt_lxc_domain) miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) miscfiles_read_fonts(svirt_lxc_domain) +miscfiles_read_hwdata(svirt_lxc_domain) @@ -92491,7 +92724,7 @@ index 1f22fba..cd628f9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1252,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -92506,7 +92739,7 @@ index 1f22fba..cd628f9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1270,8 @@ optional_policy(` +@@ -1183,9 +1276,8 @@ optional_policy(` ######################################## # @@ -92517,7 +92750,7 @@ index 1f22fba..cd628f9 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1284,121 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -92640,7 +92873,6 @@ index 1f22fba..cd628f9 100644 + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') -+ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -93063,10 +93295,20 @@ index 9329eae..824e86f 100644 - seutil_use_newrole_fds(vpnc_t) -') diff --git a/watchdog.te b/watchdog.te -index 29f79e8..c58abd5 100644 +index 29f79e8..9e403ee 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t) +@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms; + allow watchdog_t self:tcp_socket { accept listen }; + + allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(watchdog_t, watchdog_log_t, file) ++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) ++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) + + manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) + files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) +@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -93074,7 +93316,7 @@ index 29f79e8..c58abd5 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t) +@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1d7d795..1d44ca8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -538,6 +538,39 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Aug 21 2013 Miroslav Grepl 3.12.1-71 +- Allow boinc to connect to @/tmp/.X11-unix/X0 +- Allow beam.smp to connect to tcp/5984 +- Allow named to manage own log files +- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t +- Add virt_transition_userdomain boolean decl +- Allow httpd_t to sendto unix_dgram sockets on its children +- Allow nova domains to execute ifconfig +- bluetooth wants to create fifo_files in /tmp +- exim needs to be able to manage mailman data +- Allow sysstat to getattr on all file systems +- Looks like bluetoothd has moved +- Allow collectd to send ping packets +- Allow svirt_lxc domains to getpgid +- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff +- Allow frpintd_t to read /dev/urandom +- Allow asterisk_t to create sock_file in /var/run +- Allow usbmuxd to use netlink_kobject +- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket +- More cleanup of svirt_lxc policy +- virtd_lxc_t now talks to dbus +- Dontaudit leaked ptmx_t +- Allow processes to use inherited fifo files +- Allow openvpn_t to connect to squid ports +- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() +- Allow ssh_t to use /dev/ptmx +- Make sure /run/pluto dir is created with correct labeling +- Allow syslog to run shell and bin_t commands +- Allow ip to relabel tun_sockets +- Allow mount to create directories in files under /run +- Allow processes to use inherited fifo files +- Allow user roles to connect to the journal socket + * Thu Aug 8 2013 Miroslav Grepl 3.12.1-70 - selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak