diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5053e10..b0f6b27 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2357,10 +2357,10 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..fc6d1d3 100644 +index d9fce57..612503a 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,100 @@ attribute sudodomain; +@@ -7,3 +7,105 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -2392,6 +2392,7 @@ index d9fce57..fc6d1d3 100644 +allow sudodomain self:unix_dgram_socket sendto; +allow sudodomain self:unix_stream_socket connectto; +allow sudodomain self:key manage_key_perms; ++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms; + +kernel_getattr_core_if(sudodomain) +kernel_link_key(sudodomain) @@ -2454,6 +2455,10 @@ index d9fce57..fc6d1d3 100644 +userdom_search_admin_dir(sudodomain) +userdom_manage_all_users_keys(sudodomain) + ++tunable_policy(`authlogin_yubikey',` ++ auth_manage_home_content(sudodomain) ++') ++ +optional_policy(` + dbus_system_bus_client(sudodomain) +') @@ -5844,7 +5849,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..1212440 100644 +index b31c054..5e37a40 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
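Review bot: In the sudo.te hunk at @@ -2454, `++ auth_manage_home_content(sudodomain)` under `authlogin_yubikey` gives every sudo domain create, write, rename and unlink on auth_home_t files and directories in all users' home directories, which is considerably wider than a challenge-response update of an existing challenge file; if that single rewrite is all the PAM module does, a narrower interface built on `rw_files_pattern($1, auth_home_t, auth_home_t)` would avoid handing out directory and unlink rights — confirm against what pam_yubico actually writes. The boolean's description in the authlogin.te hunk at @@ -27047 only says it allows yubikey login, so adding `## Also lets domains using it, such as sudo, write ~/.yubico content` there would let administrators judge the trade-off before enabling it. In the hunk at @@ -2392, `++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;` carries no rationale; a comment such as `# uevent socket for device enumeration by the yubikey PAM module — verify` would record why sudo needs it.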
@@ -5922,7 +5927,7 @@ index b31c054..1212440 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +212,22 @@ ifdef(`distro_debian',` +@@ -198,12 +212,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -5934,6 +5939,11 @@ index b31c054..1212440 100644 /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0) ++/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0) ++/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0) ++/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/ +/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) ') + @@ -9214,7 +9224,7 @@ index cf04cb5..0b3704b 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..7a98631 100644 +index b876c48..9cbe36a 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9348,7 +9358,7 @@ index b876c48..7a98631 100644 # # /selinux # -@@ -178,25 +191,28 @@ ifdef(`distro_debian',` +@@ -178,25 +191,29 @@ ifdef(`distro_debian',` # # /srv # 
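Review bot: In the devices.fc hunk at @@ -5934, the added line `++/` is a file_contexts entry consisting of a bare `/` with no file type and no security context; a file_contexts line needs at least a path regex and a context, so this entry is malformed and setfiles or the policy build should reject it. It sits between the new `/var/named/chroot_sdb/dev/zero` entry and the existing `/var/spool/postfix/dev` line, so it reads as an editing leftover and should simply be deleted. The four `chroot_sdb` entries themselves mirror the existing `/var/named/chroot/dev` ones and look consistent.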
@@ -9367,6 +9377,7 @@ index b876c48..7a98631 100644 /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /tmp/lost\+found/.* <> ++/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) +/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) # @@ -9380,7 +9391,7 @@ index b876c48..7a98631 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +220,9 @@ ifdef(`distro_debian',` +@@ -204,15 +221,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9397,7 +9408,7 @@ index b876c48..7a98631 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +230,6 @@ ifdef(`distro_debian',` +@@ -220,8 +231,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9406,7 +9417,7 @@ index b876c48..7a98631 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +237,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +238,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9415,7 +9426,7 @@ index b876c48..7a98631 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +245,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +246,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9442,7 +9453,7 @@ index b876c48..7a98631 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +278,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +279,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> 
@@ -9457,7 +9468,7 @@ index b876c48..7a98631 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +295,5 @@ ifdef(`distro_debian',` +@@ -271,3 +296,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -20526,7 +20537,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..c8df034 100644 +index 6d77e81..c175ba4 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -20542,7 +20553,7 @@ index 6d77e81..c8df034 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,96 @@ role user_r; +@@ -12,12 +19,98 @@ role user_r; userdom_unpriv_user_template(user) @@ -20555,6 +20566,8 @@ index 6d77e81..c8df034 100644 +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + ++seutil_read_module_store(user_t) ++ +init_dbus_chat(user_t) +init_status(user_t) + @@ -20640,7 +20653,7 @@ index 6d77e81..c8df034 100644 ') optional_policy(` -@@ -25,6 +116,18 @@ optional_policy(` +@@ -25,6 +118,18 @@ optional_policy(` ') optional_policy(` @@ -20659,7 +20672,7 @@ index 6d77e81..c8df034 100644 vlock_run(user_t, user_r) ') -@@ -102,10 +205,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +207,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20670,7 +20683,7 @@ index 6d77e81..c8df034 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +227,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +229,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') 
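Review bot: In the unprivuser.te hunk at @@ -20555, `++seutil_read_module_store(user_t)` lets the unprivileged user domain read the SELinux module store, and nothing in the hunk or the commit says which user-run tool needs it; the store is normally consulted only by root-run management tools, so this looks like a response to a denial rather than a designed grant. DAC still gates the files, but the policy no longer does once an administrator loosens permissions on the store. A comment naming the consumer, e.g. `# TODO: name the user-run tool that reads the module store`, or dropping the line if the denial came from a one-off, would keep the grant reviewable.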
@@ -20678,7 +20691,7 @@ index 6d77e81..c8df034 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +259,19 @@ ifndef(`distro_redhat',` +@@ -161,3 +261,19 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -26106,14 +26119,14 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2479587..00d2700 100644 +index 2479587..077c9bc 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ -+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) ++HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) @@ -26201,7 +26214,7 @@ index 2479587..00d2700 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..08c3e93 100644 +index 3efd5b6..0bd3a26 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -26787,7 +26800,7 @@ index 3efd5b6..08c3e93 100644 ') ######################################## -@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',` +@@ -1805,3 +2029,262 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
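Review bot: In the authlogin.fc hunk at @@ -26106, `++/root/\.yubico/(.*)` no longer matches the `/root/.yubico` directory itself, only the entries beneath it, while the HOME_DIR entry on the line above keeps `(/.*)?` and does match the directory. After a relabel the directory therefore stays admin_home_t and only its contents become auth_home_t; a file created inside it by a domain with `auth_manage_home_content` inherits the directory's type unless a filetrans rule applies, so a freshly written challenge file under /root would presumably end up admin_home_t rather than auth_home_t. Restoring `++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)` keeps the two entries consistent, unless the directory was deliberately left as admin_home_t.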
@@ -26990,6 +27003,26 @@ index 3efd5b6..08c3e93 100644 + read_files_pattern($1, auth_home_t, auth_home_t) +') + ++######################################## ++## ++## Read the authorization data in the user home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_home_content',` ++ ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, auth_home_t, auth_home_t) ++ manage_dirs_pattern($1, auth_home_t, auth_home_t) ++') + +######################################## +## @@ -27031,7 +27064,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..1a3d5b3 100644 +index 09b791d..73376ca 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -27047,7 +27080,7 @@ index 09b791d..1a3d5b3 100644 + +## +##
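Review bot: The new `auth_manage_home_content` interface in the authlogin.if hunk at @@ -26990 is headed `Read the authorization data in the user home directory`, but its body grants `manage_files_pattern` and `manage_dirs_pattern` on auth_home_t, i.e. create, write, rename and delete. These `##` comments feed the generated interface documentation, so the summary should read `Create, read, write, and delete the authorization data in the user home directory`. The interface immediately above it only uses `read_files_pattern`, which suggests the header was copied and not updated.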

-+## Allow users to login using a yubikey server ++## Allow users to login using a yubikey OTP server or challenge response mode +##

+##
+gen_tunable(authlogin_yubikey, false) @@ -29621,7 +29654,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..d1590ad 100644 +index 17eda24..56e006c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -29834,7 +29867,7 @@ index 17eda24..d1590ad 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +246,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +246,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -29874,6 +29907,7 @@ index 17eda24..d1590ad 100644 +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) ++logging_manage_audit_config(init_t) seutil_read_config(init_t) +seutil_read_module_store(init_t) @@ -29890,7 +29924,7 @@ index 17eda24..d1590ad 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +300,230 @@ ifdef(`distro_gentoo',` +@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -30129,7 +30163,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -216,7 +531,31 @@ optional_policy(` +@@ -216,7 +532,31 @@ optional_policy(` ') optional_policy(` @@ -30161,7 +30195,7 @@ index 17eda24..d1590ad 100644 ') ######################################## -@@ -225,9 +564,9 @@ optional_policy(` +@@ -225,9 +565,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
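Review bot: In the init.te hunk at @@ -29874, `++logging_manage_audit_config(init_t)` lets init_t create, modify and delete the audit configuration, which is a direct route to silencing auditing if init_t is ever subverted, and neither the hunk nor the commit record gives a reason. A comment naming the boot-time unit or generator that has to write audit configuration, e.g. `# TODO: name the unit that rewrites audit config at boot`, would make the grant reviewable. If only reads are needed, `logging_read_audit_config`, which this patch already uses for initrc_t in the hunk at @@ -30347, is the tighter grant.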
@@ -30173,7 +30207,7 @@ index 17eda24..d1590ad 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30190,7 +30224,7 @@ index 17eda24..d1590ad 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30233,7 +30267,7 @@ index 17eda24..d1590ad 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -30245,7 +30279,7 @@ index 17eda24..d1590ad 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +671,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30256,7 +30290,7 @@ index 17eda24..d1590ad 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +682,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -30266,7 +30300,7 @@ index 17eda24..d1590ad 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +691,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -30274,7 +30308,7 @@ index 17eda24..d1590ad 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30282,7 +30316,7 @@ index 17eda24..d1590ad 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +706,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30300,7 +30334,7 @@ index 17eda24..d1590ad 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +724,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30314,7 +30348,7 @@ index 17eda24..d1590ad 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +739,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -30328,7 +30362,7 @@ index 17eda24..d1590ad 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +752,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30339,7 +30373,7 @@ index 17eda24..d1590ad 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +765,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30347,7 +30381,7 @@ index 17eda24..d1590ad 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +784,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30371,7 +30405,7 @@ index 17eda24..d1590ad 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +817,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30379,7 +30413,7 @@ index 17eda24..d1590ad 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +851,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30390,7 +30424,7 @@ index 17eda24..d1590ad 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +875,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +876,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -30399,7 +30433,7 @@ index 17eda24..d1590ad 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +890,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +891,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30407,7 +30441,7 @@ index 17eda24..d1590ad 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +911,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +912,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30415,7 +30449,7 @@ index 17eda24..d1590ad 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +921,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +922,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30460,7 +30494,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -559,14 +966,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +967,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30492,7 +30526,7 @@ index 17eda24..d1590ad 100644 ') ') -@@ -577,6 +1001,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1002,39 @@ ifdef(`distro_suse',` ') ') @@ -30532,7 +30566,7 @@ index 17eda24..d1590ad 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1046,8 @@ optional_policy(` +@@ -589,6 +1047,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30541,7 +30575,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -610,6 +1069,7 @@ optional_policy(` +@@ -610,6 +1070,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30549,7 +30583,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -626,6 +1086,17 @@ optional_policy(` +@@ -626,6 +1087,17 @@ optional_policy(` ') optional_policy(` 
@@ -30567,7 +30601,7 @@ index 17eda24..d1590ad 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1113,13 @@ optional_policy(` +@@ -642,9 +1114,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30581,7 +30615,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -657,15 +1132,11 @@ optional_policy(` +@@ -657,15 +1133,11 @@ optional_policy(` ') optional_policy(` @@ -30599,7 +30633,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -686,6 +1157,15 @@ optional_policy(` +@@ -686,6 +1158,15 @@ optional_policy(` ') optional_policy(` @@ -30615,7 +30649,7 @@ index 17eda24..d1590ad 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1206,7 @@ optional_policy(` +@@ -726,6 +1207,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30623,7 +30657,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -743,7 +1224,13 @@ optional_policy(` +@@ -743,7 +1225,13 @@ optional_policy(` ') optional_policy(` @@ -30638,7 +30672,7 @@ index 17eda24..d1590ad 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1253,10 @@ optional_policy(` +@@ -766,6 +1254,10 @@ optional_policy(` ') optional_policy(` @@ -30649,7 +30683,7 @@ index 17eda24..d1590ad 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1266,20 @@ optional_policy(` +@@ -775,10 +1267,20 @@ optional_policy(` ') optional_policy(` @@ -30670,7 +30704,7 @@ index 17eda24..d1590ad 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1288,10 @@ optional_policy(` +@@ -787,6 +1289,10 @@ optional_policy(` ') optional_policy(` @@ -30681,7 +30715,7 @@ index 17eda24..d1590ad 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1313,6 @@ optional_policy(` +@@ -808,8 +1314,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -30690,7 +30724,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -818,6 +1321,10 @@ optional_policy(` +@@ -818,6 +1322,10 @@ optional_policy(` ') optional_policy(` @@ -30701,7 +30735,7 @@ index 17eda24..d1590ad 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1334,12 @@ optional_policy(` +@@ -827,10 +1335,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30714,7 +30748,7 @@ index 17eda24..d1590ad 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1366,60 @@ optional_policy(` +@@ -857,21 +1367,60 @@ optional_policy(` ') optional_policy(` @@ -30776,7 +30810,7 @@ index 17eda24..d1590ad 100644 ') optional_policy(` -@@ -887,6 +1435,10 @@ optional_policy(` +@@ -887,6 +1436,10 @@ optional_policy(` ') optional_policy(` @@ -30787,7 +30821,7 @@ index 17eda24..d1590ad 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1449,218 @@ optional_policy(` +@@ -897,3 +1450,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -31007,10 +31041,10 @@ index 17eda24..d1590ad 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..08589f8 100644 +index 662e79b..fc34e78 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,23 @@ +@@ -1,14 +1,24 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) 
@@ -31018,6 +31052,7 @@ index 662e79b..08589f8 100644 -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) ++/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + +/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) @@ -31035,17 +31070,19 @@ index 662e79b..08589f8 100644 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +35,24 @@ +@@ -26,16 +36,26 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) +/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) @@ -37456,7 +37493,7 @@ index 40edc18..a072ac2 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + 
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..f752c31 100644 +index 2cea692..77f307f 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -37784,7 +37821,7 @@ index 2cea692..f752c31 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +983,95 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -37873,6 +37910,26 @@ index 2cea692..f752c31 100644 +##
+## +# ++interface(`sysnet_manage_ifconfig_run',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`sysnet_filetrans_named_content_ifconfig',` + gen_require(` + type ifconfig_var_run_t; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c10d55a..bc6b66b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -4921,10 +4921,10 @@ index f6eb485..51b128e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..1f527f5 100644 +index 6649962..6ae8921 100644 --- a/apache.te +++ b/apache.te -@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2) +@@ -5,280 +5,331 @@ policy_module(apache, 2.7.2) # Declarations # @@ -4945,7 +4945,6 @@ index 6649962..1f527f5 100644 ## -gen_tunable(allow_httpd_anon_write, false) +gen_tunable(httpd_anon_write, false) -+ ## -##
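Review bot: In the sysnetwork.if hunk at @@ -37873, `++interface(`sysnet_manage_ifconfig_run',` is inserted directly under the doc header that previously introduced `sysnet_filetrans_named_content_ifconfig` (that header's summary line lies above the hunk), and a fresh header reading `Transition to sysnet ifconfig named content` is added for the moved interface. Unless the upper header was also rewritten outside this hunk, the generated documentation will describe the new manage interface as a transition interface; its summary should read `Create, read, write, and delete sysnet ifconfig runtime content`. The body itself, manage on files, directories and symlinks of ifconfig_var_run_t, follows the usual refpolicy manage pattern.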

@@ -5066,61 +5065,55 @@ index 6649962..1f527f5 100644 +##

+## Allow httpd to connect to memcache server +##

-+##
-+gen_tunable(httpd_can_network_memcache, false) -+ -+## -+##

-+## Allow httpd to act as a relay -+##

##
- gen_tunable(httpd_can_network_relay, false) +-gen_tunable(httpd_can_network_relay, false) ++gen_tunable(httpd_can_network_memcache, false) ## -##

-## Determine whether httpd daemon can -## connect to zabbix over the network. -##

-+##

-+## Allow http daemon to connect to zabbix -+##

++##

++## Allow httpd to act as a relay ++##

##
-gen_tunable(httpd_can_network_connect_zabbix, false) -+gen_tunable(httpd_can_connect_zabbix, false) ++gen_tunable(httpd_can_network_relay, false) ## -##

-## Determine whether httpd can send mail. -##

+##

-+## Allow http daemon to connect to mythtv ++## Allow http daemon to connect to zabbix +##

##
-gen_tunable(httpd_can_sendmail, false) -+gen_tunable(httpd_can_connect_mythtv, false) ++gen_tunable(httpd_can_connect_zabbix, false) ## -##

-## Determine whether httpd can communicate -## with avahi service via dbus. -##

-+##

-+## Allow http daemon to check spam -+##

++##

++## Allow http daemon to connect to mythtv ++##

##
-gen_tunable(httpd_dbus_avahi, false) -+gen_tunable(httpd_can_check_spam, false) ++gen_tunable(httpd_can_connect_mythtv, false) ## -##

-## Determine wether httpd can use support. -##

+##

-+## Allow http daemon to send mail ++## Allow http daemon to check spam +##

##
-gen_tunable(httpd_enable_cgi, false) -+gen_tunable(httpd_can_sendmail, false) ++gen_tunable(httpd_can_check_spam, false) ## -##

@@ -5128,11 +5121,11 @@ index 6649962..1f527f5 100644 -## FTP server by listening on the ftp port. -##

+##

-+## Allow Apache to communicate with avahi service via dbus ++## Allow http daemon to send mail +##

##
-gen_tunable(httpd_enable_ftp_server, false) -+gen_tunable(httpd_dbus_avahi, false) ++gen_tunable(httpd_can_sendmail, false) ## -##

@@ -5140,11 +5133,11 @@ index 6649962..1f527f5 100644 -## user home directories. -##

+##

-+## Allow httpd cgi support ++## Allow Apache to communicate with avahi service via dbus +##

##
-gen_tunable(httpd_enable_homedirs, false) -+gen_tunable(httpd_enable_cgi, false) ++gen_tunable(httpd_dbus_avahi, false) ## -##

@@ -5154,12 +5147,11 @@ index 6649962..1f527f5 100644 -## be labeled public_content_rw_t. -##

+##

-+## Allow httpd to act as a FTP server by -+## listening on the ftp port. ++## Allow Apache to communicate with sssd service via dbus +##

##
-gen_tunable(httpd_gpg_anon_write, false) -+gen_tunable(httpd_enable_ftp_server, false) ++gen_tunable(httpd_dbus_sssd, false) ## -##

@@ -5167,24 +5159,24 @@ index 6649962..1f527f5 100644 -## its temporary content. -##

+##

-+## Allow httpd to act as a FTP client -+## connecting to the ftp port and ephemeral ports ++## Allow httpd cgi support +##

##
-gen_tunable(httpd_tmp_exec, false) -+gen_tunable(httpd_can_connect_ftp, false) ++gen_tunable(httpd_enable_cgi, false) ## -##

-## Determine whether httpd scripts and -## modules can use execmem and execstack. -##

-+##

-+## Allow httpd to connect to the ldap port -+##

++##

++## Allow httpd to act as a FTP server by ++## listening on the ftp port. ++##

##
-gen_tunable(httpd_execmem, false) -+gen_tunable(httpd_can_connect_ldap, false) ++gen_tunable(httpd_enable_ftp_server, false) ## -##

@@ -5192,34 +5184,35 @@ index 6649962..1f527f5 100644 -## to port 80 for graceful shutdown. -##

+##

-+## Allow httpd to read home directories ++## Allow httpd to act as a FTP client ++## connecting to the ftp port and ephemeral ports +##

##
-gen_tunable(httpd_graceful_shutdown, false) -+gen_tunable(httpd_enable_homedirs, false) ++gen_tunable(httpd_can_connect_ftp, false) ## -##

-## Determine whether httpd can -## manage IPA content files. -##

-+##

-+## Allow httpd to read user content -+##

++##

++## Allow httpd to connect to the ldap port ++##

##
-gen_tunable(httpd_manage_ipa, false) -+gen_tunable(httpd_read_user_content, false) ++gen_tunable(httpd_can_connect_ldap, false) ## -##

-## Determine whether httpd can use mod_auth_ntlm_winbind. -##

+##

-+## Allow Apache to run in stickshift mode, not transition to passenger ++## Allow httpd to read home directories +##

##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false) -+gen_tunable(httpd_run_stickshift, false) ++gen_tunable(httpd_enable_homedirs, false) ## -##

@@ -5227,11 +5220,10 @@ index 6649962..1f527f5 100644 -## generic user home content files. -##

+##

-+## Allow Apache to query NS records ++## Allow httpd to read user content +##

##
--gen_tunable(httpd_read_user_content, false) -+gen_tunable(httpd_verify_dns, false) + gen_tunable(httpd_read_user_content, false) ## -##

@@ -5239,6 +5231,20 @@ index 6649962..1f527f5 100644 -## its resource limits. -##

+##

++## Allow Apache to run in stickshift mode, not transition to passenger ++##

++##
++gen_tunable(httpd_run_stickshift, false) ++ ++## ++##

++## Allow Apache to query NS records ++##

++##
++gen_tunable(httpd_verify_dns, false) ++ ++## ++##

+## Allow httpd daemon to change its resource limits +##

##
@@ -5398,7 +5404,7 @@ index 6649962..1f527f5 100644 type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) -@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t) +@@ -286,15 +337,35 @@ init_script_file(httpd_initrc_exec_t) type httpd_keytab_t; files_type(httpd_keytab_t) @@ -5434,7 +5440,7 @@ index 6649962..1f527f5 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -302,10 +373,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5447,7 +5453,7 @@ index 6649962..1f527f5 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t; +@@ -314,9 +383,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5470,7 +5476,7 @@ index 6649962..1f527f5 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t) +@@ -324,14 +403,21 @@ files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) 
@@ -5493,7 +5499,7 @@ index 6649962..1f527f5 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -346,33 +432,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; @@ -5544,7 +5550,7 @@ index 6649962..1f527f5 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms; +@@ -381,30 +474,38 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5588,7 +5594,7 @@ index 6649962..1f527f5 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,14 +513,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
@@ -5610,7 +5616,7 @@ index 6649962..1f527f5 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +558,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5678,7 +5684,7 @@ index 6649962..1f527f5 100644 +fs_read_hugetlbfs_files(httpd_t) + +auth_use_nsswitch(httpd_t) -+ + +application_exec_all(httpd_t) + +# execute perl @@ -5687,7 +5693,7 @@ index 6649962..1f527f5 100644 + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - ++ +files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) @@ -5848,7 +5854,7 @@ index 6649962..1f527f5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +734,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5908,7 +5914,7 @@ index 6649962..1f527f5 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +786,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5999,7 +6005,7 @@ index 6649962..1f527f5 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +833,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
@@ -6020,8 +6026,10 @@ index 6649962..1f527f5 100644 - userdom_use_user_terminals(httpd_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) --') -- ++ userdom_use_inherited_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_suexec_t) + ') + -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_cifs_dirs(httpd_t) @@ -6032,28 +6040,15 @@ index 6649962..1f527f5 100644 -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') -- --tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_fusefs_dirs(httpd_t) -- fs_manage_fusefs_files(httpd_t) -- fs_read_fusefs_symlinks(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_suexec_t) - ') - --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) --') +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) --tunable_policy(`httpd_use_nfs',` +-tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) -- fs_manage_nfs_dirs(httpd_t) -- fs_manage_nfs_files(httpd_t) -- fs_manage_nfs_symlinks(httpd_t) +- fs_manage_fusefs_dirs(httpd_t) +- fs_manage_fusefs_files(httpd_t) +- fs_read_fusefs_symlinks(httpd_t) -') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) 
@@ -6062,22 +6057,27 @@ index 6649962..1f527f5 100644 + cobbler_search_lib(httpd_t) + ') --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_t) +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') - optional_policy(` -- calamaris_read_www_files(httpd_t) +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) ++optional_policy(` + tunable_policy(`httpd_use_sasl',` + sasl_connect(httpd_t) + ') ') - optional_policy(` -- ccs_read_config(httpd_t) +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) ++optional_policy(` + # Support for ABRT retrace server + # mod_wsgi + abrt_manage_spool_retrace(httpd_t) @@ -6086,26 +6086,33 @@ index 6649962..1f527f5 100644 ') optional_policy(` +@@ -749,24 +886,32 @@ optional_policy(` + ') + + optional_policy(` - clamav_domtrans_clamscan(httpd_t) -+ calamaris_read_www_files(httpd_t) ++ cron_system_entry(httpd_t, httpd_exec_t) ') optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) -+ ccs_read_config(httpd_t) ++ cvs_read_data(httpd_t) ') optional_policy(` -@@ -770,6 +892,23 @@ optional_policy(` +- cron_system_entry(httpd_t, httpd_exec_t) ++ daemontools_service_domain(httpd_t, httpd_exec_t) ') optional_policy(` +- cvs_read_data(httpd_t) + #needed by FreeIPA + dirsrv_stream_connect(httpd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- daemontools_service_domain(httpd_t, httpd_exec_t) + dirsrv_manage_config(httpd_t) + dirsrv_manage_log(httpd_t) + dirsrv_manage_var_run(httpd_t) 
@@ -6115,13 +6122,21 @@ index 6649962..1f527f5 100644 + dirsrvadmin_manage_config(httpd_t) + dirsrvadmin_manage_tmp(httpd_t) + dirsrvadmin_domtrans_unconfined_script_t(httpd_t) -+') -+ -+ optional_policy(` - dbus_system_bus_client(httpd_t) + ') + optional_policy(` +@@ -775,6 +920,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` -@@ -786,35 +925,55 @@ optional_policy(` + avahi_dbus_chat(httpd_t) + ') ++ ++ tunable_policy(`httpd_dbus_sssd', ++ sssd_dbus_chat(httpd_t) ++ ') + ') + + optional_policy(` +@@ -786,35 +935,55 @@ optional_policy(` ') optional_policy(` @@ -6190,7 +6205,7 @@ index 6649962..1f527f5 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +981,18 @@ optional_policy(` +@@ -822,8 +991,18 @@ optional_policy(` ') optional_policy(` @@ -6209,7 +6224,7 @@ index 6649962..1f527f5 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1001,7 @@ optional_policy(` +@@ -832,6 +1011,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6217,7 +6232,7 @@ index 6649962..1f527f5 100644 ') optional_policy(` -@@ -842,20 +1012,39 @@ optional_policy(` +@@ -842,20 +1022,39 @@ optional_policy(` ') optional_policy(` @@ -6263,7 +6278,7 @@ index 6649962..1f527f5 100644 ') optional_policy(` -@@ -863,19 +1052,35 @@ optional_policy(` +@@ -863,19 +1062,35 @@ optional_policy(` ') optional_policy(` @@ -6299,7 +6314,7 @@ index 6649962..1f527f5 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1088,173 @@ optional_policy(` +@@ -883,65 +1098,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6495,7 +6510,7 @@ index 6649962..1f527f5 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1273,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
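Review bot: The new `tunable_policy(`httpd_dbus_sssd',` block is missing the opening m4 quote on its second argument, as rendered here; the `httpd_dbus_avahi` block directly above it reads `tunable_policy(`httpd_dbus_avahi',`` and the sssd one should match, `tunable_policy(`httpd_dbus_sssd',``. Without it the `'` on the closing line has no matching open quote, so whether `sssd_dbus_chat(httpd_t)` ends up inside the conditional depends on how m4 recovers from the unbalanced quote rather than on the boolean. I also do not see a `gen_tunable(httpd_dbus_sssd, false)` declaration anywhere in this chunk although the changelog says the boolean is added; the enclosing optional_policy block starts outside the hunk.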
@@ -6650,7 +6665,7 @@ index 6649962..1f527f5 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1347,106 @@ optional_policy(` +@@ -1083,172 +1357,106 @@ optional_policy(` ') ') @@ -6887,7 +6902,7 @@ index 6649962..1f527f5 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1464,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6984,7 +6999,7 @@ index 6649962..1f527f5 100644 ######################################## # -@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1539,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7001,7 +7016,7 @@ index 6649962..1f527f5 100644 ') ######################################## -@@ -1330,49 +1545,38 @@ optional_policy(` +@@ -1330,49 +1555,38 @@ optional_policy(` # User content local policy # @@ -7066,7 +7081,7 @@ index 6649962..1f527f5 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1596,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9630,7 +9645,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..28c35c1 100644 +index 687d4c4..3c5a83a 100644 --- a/boinc.te +++ b/boinc.te @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1) 
@@ -9820,17 +9835,19 @@ index 687d4c4..28c35c1 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -137,8 +151,7 @@ init_read_utmp(boinc_t) +@@ -137,8 +151,9 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) -miscfiles_read_fonts(boinc_t) -miscfiles_read_localization(boinc_t) ++modutils_dontaudit_exec_insmod(boinc_t) ++ +xserver_stream_connect(boinc_t) tunable_policy(`boinc_execmem',` allow boinc_t self:process { execstack execmem }; -@@ -148,48 +161,61 @@ optional_policy(` +@@ -148,48 +163,61 @@ optional_policy(` mta_send_mail(boinc_t) ') @@ -19416,10 +19433,10 @@ index f55c420..e9d64ab 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b..31f269b 100644 +index dda905b..ccd0ba9 100644 --- a/dbus.fc +++ b/dbus.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,27 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) @@ -19447,6 +19464,7 @@ index dda905b..31f269b 100644 -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) ++/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - @@ -19458,7 +19476,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..2d33fcd 100644 +index 62d22cb..2b84a85 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -20241,7 +20259,7 @@ index 62d22cb..2d33fcd 100644 ##
## ## -@@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -20281,6 +20299,23 @@ index 62d22cb..2d33fcd 100644 - typeattribute $1 dbusd_unconfined; + dontaudit $1 system_bus_type:dbus send_msg; + dontaudit system_bus_type $1:dbus send_msg; ++') ++ ++####################################### ++## ++## Transition to dbus named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_filetrans_named_content_system',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te index c9998c8..8b8b691 100644 @@ -22774,7 +22809,7 @@ index 23ab808..84735a8 100644 +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..e34a540 100644 +index 19aa0b8..b9895ba 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -22918,27 +22953,40 @@ index 19aa0b8..e34a540 100644 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',` +@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',` ######################################## ## -## Create specified objects in specified -## directories with a type transition to -## the dnsmasq pid file type. -+## Transition to dnsmasq named content ++## Create dnsmasq pid directories. ## ## ## --## Domain allowed access. --## --## + ## Domain allowed access. + ## + ## -## -## -## Directory to transition on. -## -## -## --## ++# ++interface(`dnsmasq_read_state',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ps_process_pattern($1, dnsmasq_t) ++') ++ ++######################################## ++## ++## Transition to dnsmasq named content ++## ++## + ## -## The object class of the object being created. +## Domain allowed access. ## 
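Review bot: The summary on the new `dbus_filetrans_named_content_system` interface, `Transition to dbus named content`, does not say what is created or where; a reader has to know that `files_var_filetrans` keys on the parent directory's type, so the rule fires for a directory named `ibus` under any var_t parent — presumably `/var/cache/ibus`, which the dbus.fc hunk earlier in this section labels system_dbusd_var_lib_t. Suggest `## Create an "ibus" directory under a var_t parent (/var/cache/ibus) labeled system_dbusd_var_lib_t.` as the summary, so the fc entry and the transition can be kept in sync by whoever touches either next.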
@@ -22986,7 +23034,7 @@ index 19aa0b8..e34a540 100644 ') ######################################## -@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; @@ -23007,7 +23055,7 @@ index 19aa0b8..e34a540 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) @@ -33800,10 +33848,10 @@ index 0000000..48d7322 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..d028154 +index 0000000..a2af18e --- /dev/null +++ b/ipa.if -@@ -0,0 +1,57 @@ +@@ -0,0 +1,76 @@ +## Policy for IPA services. + +######################################## @@ -33861,6 +33909,25 @@ index 0000000..d028154 + manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) +') + ++######################################## ++## ++## Allow domain to manage ipa lib files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_read_lib',` ++ gen_require(` ++ type ipa_var_lib_t; ++ ') ++ ++ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++') ++ diff --git a/ipa.te b/ipa.te new file mode 100644 index 0000000..b60bc5f @@ -54477,7 +54544,7 @@ index af3c91e..6882a3f 100644 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/ntp.if b/ntp.if -index e96a309..c6d1b01 100644 +index e96a309..2bacc3f 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ 
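Review bot: The summary on the new `dnsmasq_read_state` interface reads `Create dnsmasq pid directories.`, which is the description of the `dnsmasq_create_pid_dirs` interface above it; the body is `ps_process_pattern($1, dnsmasq_t)`, which grants reading dnsmasq's process state, not pid-directory creation. Suggest `## Read the process state (/proc/pid) of dnsmasq.` so callers such as the neutron rule added later in this patch are not misled about what they are granting.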
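Review bot: The summary on the new `ipa_read_lib` interface says `Allow domain to manage ipa lib files/dirs.`, but its body only grants `read_files_pattern` and `list_dirs_pattern` on ipa_var_lib_t, which is read-only access; the wording duplicates the `ipa_manage_lib` interface above it. Suggest `## Allow domain to read ipa lib files and list ipa lib dirs.` so the least-privilege distinction between the two interfaces is visible to callers like the pki_tomcat_t rule added later in this patch.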
@@ -54644,7 +54711,7 @@ index e96a309..c6d1b01 100644 logging_list_logs($1) admin_pattern($1, ntpd_log_t) -@@ -186,5 +270,28 @@ interface(`ntp_admin',` +@@ -186,5 +270,30 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -54669,13 +54736,15 @@ index e96a309..c6d1b01 100644 +interface(`ntp_filetrans_named_content',` + gen_require(` + type ntp_conf_t; ++ type ntp_drift_t; + ') + + files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") + files_etc_filetrans($1, ntp_conf_t, dir, "ntp") ++ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") ') diff --git a/ntp.te b/ntp.te -index f81b113..8d889d8 100644 +index f81b113..5c71385 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -54688,7 +54757,15 @@ index f81b113..8d889d8 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen }; + + manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) ++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod") + + allow ntpd_t ntp_conf_t:file read_file_perms; + +@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr_dir_perms; @@ -54699,7 +54776,7 @@ index f81b113..8d889d8 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) 
@@ -54723,7 +54800,7 @@ index f81b113..8d889d8 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -54740,7 +54817,7 @@ index f81b113..8d889d8 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -61927,10 +62004,10 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..22f672d +index 0000000..90c6736 --- /dev/null +++ b/pki.te -@@ -0,0 +1,274 @@ +@@ -0,0 +1,278 @@ +policy_module(pki,10.0.11) + +######################################## @@ -62078,6 +62155,10 @@ index 0000000..22f672d + hostname_exec(pki_tomcat_t) +') + ++optional_policy(` ++ ipa_read_lib(pki_tomcat_t) ++') ++ +####################################### +# +# tps local policy @@ -69301,23 +69382,21 @@ index 6643b49..1d2470f 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..98ad443 100644 +index d68e26d..94b9e8e 100644 --- a/puppet.fc 
+++ b/puppet.fc -@@ -1,18 +1,13 @@ +@@ -1,18 +1,10 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -+/usr/lib/systemd/system/puppet.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0) -+/usr/lib/systemd/system/puppetmaster.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0) ++/usr/lib/systemd/system/puppetmaster.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0) - /usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -+/usr/bin/puppet -- gen_context(system_u:object_r:puppet_exec_t,s0) -+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppet_exec_t,s0) ++/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) @@ -72595,10 +72674,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..c93b852 100644 +index 8644d8b..2ba5770 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,121 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,127 @@ policy_module(quantum, 1.1.0) # Declarations # 
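Review bot: The new side drops the `/usr/bin/puppet` and `/usr/lib/systemd/system/puppet.*` entries with nothing in the file saying why, so the next maintainer is likely to add them back; the changelog explains that only `/usr/bin/start-puppet-master` should carry puppet_exec_t so the agent does not run in puppet_t. Suggest a comment next to the remaining entry, `# Only the master wrapper gets puppet_exec_t; /usr/bin/puppet is left unlabeled on purpose so the agent does not run in puppet_t`. Since the agent thereby loses its dedicated confined domain, that consequence is worth stating in the comment as well.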
@@ -72643,7 +72722,7 @@ index 8644d8b..c93b852 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin }; ++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin }; +allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; 
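Review bot: `sys_ptrace` and `kill` join neutron_t's self:capability set with no comment on what needs them, and sys_ptrace in particular is a wide grant for a network service; the outer diff markers on this hunk are partly lost in this rendering, so I am reading the `{ sys_ptrace kill ... }` line as the change. The `dnsmasq_signal` and `dnsmasq_read_state` rules added further down suggest neutron signals and inspects the dnsmasq instances it spawns, which would explain `kill` and reading other processes' /proc entries. Suggest `# sys_ptrace/kill: neutron signals and reads /proc state of the dnsmasq instances it manages (#1083335)` above the rule, and confirm from the denials in that bug that sys_ptrace is really exercised rather than a dontaudit candidate.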
@@ -72656,37 +72735,39 @@ index 8644d8b..c93b852 100644 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) -+ -+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) -+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) -+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) -+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) -files_tmp_filetrans(quantum_t, quantum_tmp_t, file) -+can_exec(neutron_t, neutron_tmp_t) ++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) ++can_exec(neutron_t, neutron_tmp_t) + +-can_exec(quantum_t, quantum_tmp_t) +kernel_read_kernel_sysctls(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) --can_exec(quantum_t, quantum_tmp_t) +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --kernel_read_kernel_sysctls(quantum_t) 
--kernel_read_system_state(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
@@ -72694,82 +72775,86 @@ index 8644d8b..c93b852 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) -+corenet_tcp_bind_neutron_port(neutron_t) -+corenet_tcp_connect_keystone_port(neutron_t) -+corenet_tcp_connect_amqp_port(neutron_t) -+corenet_tcp_connect_mysqld_port(neutron_t) - -corenet_all_recvfrom_unlabeled(quantum_t) -corenet_all_recvfrom_netlabel(quantum_t) -corenet_tcp_sendrecv_generic_if(quantum_t) -corenet_tcp_sendrecv_generic_node(quantum_t) -corenet_tcp_sendrecv_all_ports(quantum_t) -corenet_tcp_bind_generic_node(quantum_t) -+domain_named_filetrans(neutron_t) ++corenet_tcp_bind_neutron_port(neutron_t) ++corenet_tcp_connect_keystone_port(neutron_t) ++corenet_tcp_connect_amqp_port(neutron_t) ++corenet_tcp_connect_mysqld_port(neutron_t) -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) ++domain_named_filetrans(neutron_t) + +-files_read_usr_files(quantum_t) +dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) - --files_read_usr_files(quantum_t) -+auth_use_nsswitch(neutron_t) ++dev_unmount_sysfs_fs(neutron_t) -auth_use_nsswitch(quantum_t) -+libs_exec_ldconfig(neutron_t) ++files_mounton_non_security(neutron_t) -libs_exec_ldconfig(quantum_t) -+logging_send_audit_msgs(neutron_t) -+logging_send_syslog_msg(neutron_t) ++auth_use_nsswitch(neutron_t) -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) -+sysnet_exec_ifconfig(neutron_t) -+sysnet_filetrans_named_content_ifconfig(neutron_t) ++libs_exec_ldconfig(neutron_t) -miscfiles_read_localization(quantum_t) -+optional_policy(` -+ brctl_domtrans(neutron_t) -+') ++logging_send_audit_msgs(neutron_t) ++logging_send_syslog_msg(neutron_t) -sysnet_domtrans_ifconfig(quantum_t) -+optional_policy(` -+ dnsmasq_domtrans(neutron_t) -+') ++sysnet_exec_ifconfig(neutron_t) ++sysnet_manage_ifconfig_run(neutron_t) 
++sysnet_filetrans_named_content_ifconfig(neutron_t) optional_policy(` - brctl_domtrans(quantum_t) -+ iptables_domtrans(neutron_t) ++ brctl_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ mysql_stream_connect(neutron_t) -+ mysql_read_config(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_read_state(neutron_t) ++') - mysql_tcp_connect(quantum_t) -+ mysql_tcp_connect(neutron_t) ++optional_policy(` ++ iptables_domtrans(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) + +- postgresql_tcp_connect(quantum_t) ++ mysql_tcp_connect(neutron_t) + ') ++ ++optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + + postgresql_tcp_connect(neutron_t) +') - -- postgresql_tcp_connect(quantum_t) ++ +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) - ') ++') + +optional_policy(` + sudo_exec(neutron_t) @@ -84788,10 +84873,10 @@ index 0000000..89bc443 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..b12aada +index 0000000..62a9666 --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,63 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; @@ -84837,6 +84922,7 @@ index 0000000..b12aada +') + +kernel_dontaudit_read_system_state(sandbox_domain) ++kernel_dontaudit_getattr_core_if(sandbox_domain) + +corecmd_exec_all_executables(sandbox_domain) + @@ -98017,7 +98103,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..f50c3ff 100644 +index 9d4d8cb..a58e2dd 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
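Review bot: `files_mounton_non_security(neutron_t)` allows mounting over any non-security file type, which is far wider than the sysfs mount/unmount rules it sits between, and nothing in the hunk says what neutron mounts. If this serves network-namespace handling (the neighbouring `dev_mount_sysfs_fs`/`dev_unmount_sysfs_fs` rules point that way, but I cannot confirm it from here), a comment such as `# mounton: needed for the per-namespace bind mounts done when entering network namespaces` and, where possible, a narrower target type would make the grant reviewable. `sysnet_manage_ifconfig_run` is likewise added without a why-comment.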
@@ -98029,7 +98115,7 @@ index 9d4d8cb..f50c3ff 100644 type varnishd_tmp_t; files_tmp_file(varnishd_tmp_t) -@@ -43,7 +43,7 @@ type varnishlog_var_run_t; +@@ -43,16 +43,16 @@ type varnishlog_var_run_t; files_pid_file(varnishlog_var_run_t) type varnishlog_log_t; @@ -98038,9 +98124,11 @@ index 9d4d8cb..f50c3ff 100644 ######################################## # -@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) + # Local policy + # - allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; diff --git a/selinux-policy.spec b/selinux-policy.spec index 617d83b..0f5906d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 42%{?dist} +Release: 43%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -588,6 +588,24 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 4 2014 Miroslav Grepl 3.13.1-43 +- Add labels for /var/named/chroot_sdb/dev devices +- Add support for strongimcv +- Add additional fixes for yubikeys based on william@firstyear.id.au +- Allow init_t run /sbin/augenrules +- Remove dup decl for dev_unmount_sysfs_fs +- Allow unpriv SELinux user to use sandbox +- Fix ntp_filetrans_named_content for sntp-kod file +- Add httpd_dbus_sssd boolean +- Dontaudit exec insmod in boinc policy +- Add dbus_filetrans_named_content_system() +- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t +- varnishd wants chown capability +- update ntp_filetrans_named_content() interface +- Add additional fixes for neutron_t. #1083335 +- Dontaudit sandbox_t getattr on proc_kcore_t +- Allow pki_tomcat_t to read ipa lib files + * Tue Apr 1 2014 Miroslav Grepl 3.13.1-42 - Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t