diff --git a/container-selinux.tgz b/container-selinux.tgz index 5ebf455..cda4d57 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index adcd569..58c9c24 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -15497,7 +15497,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..d651a7d 100644 +index 8416beb..19d5bea 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15850,10 +15850,31 @@ index 8416beb..d651a7d 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1800,24 @@ interface(`fs_manage_configfs_files',` +@@ -1580,6 +1798,43 @@ interface(`fs_manage_configfs_files',` + manage_files_pattern($1, configfs_t, configfs_t) + ') - ######################################## - ## ++####################################### ++## ++## Create, read, write, and delete files ++## on a configfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_configfs_lnk_files',` ++ gen_require(` ++ type configfs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, configfs_t, configfs_t) ++') ++ ++######################################## ++## +## Unmount a configfs filesystem +## +## @@ -15870,12 +15891,10 @@ index 8416beb..d651a7d 100644 + allow $1 configfs_t:filesystem unmount; +') + -+######################################## -+## + ######################################## + ## ## Mount a DOS filesystem, such as - ## FAT32 or NTFS. - ## -@@ -1793,63 +2029,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2048,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') 
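Review bot: The new `fs_manage_configfs_lnk_files` interface carries the summary `## Create, read, write, and delete files` / `## on a configfs filesystem.`, which is the text of `fs_manage_configfs_files` directly above it, while its only rule is `manage_lnk_files_pattern($1, configfs_t, configfs_t)`. The generated interface documentation will then list two interfaces with identical descriptions and different effects. Change the first summary line to `## Create, read, write, and delete symbolic links`.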
@@ -15971,7 +15990,7 @@ index 8416beb..d651a7d 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2102,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2121,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -15996,7 +16015,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -1878,135 +2122,835 @@ interface(`fs_search_fusefs',` +@@ -1878,49 +2141,240 @@ interface(`fs_search_fusefs',` ## ## # @@ -16058,50 +16077,33 @@ index 8416beb..d651a7d 100644 gen_require(` - type fusefs_t; + type ecryptfs_t; - ') -- -- dontaudit $1 fusefs_t:dir manage_dir_perms; ++ ') + dontaudit $1 ecryptfs_t:file append; - ') - - ######################################## - ## --## Read, a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Manage symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_read_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_manage_ecryptfs_symlinks',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- read_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) - ') - - ######################################## - ## --## Execute files on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Execute a file on a FUSE filesystem +## in the specified domain. - ## --## --## --## Domain allowed access. --## --## --## --# --interface(`fs_exec_fusefs_files',` -- gen_require(` ++## +## +##

+## Execute a file on a FUSE filesystem @@ -16269,13 +16271,14 @@ index 8416beb..d651a7d 100644 +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+##
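Review bot: `fs_manage_ecryptfs_symlinks` is documented as `## Manage symbolic links on a FUSEFS filesystem.` but it requires `ecryptfs_t` and its rule is `manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)`; the summary should read `## Manage symbolic links on an eCryptfs filesystem.`. In the same hunk, the interface whose body is `dontaudit $1 ecryptfs_t:file append;` (its header precedes the hunk) now has no blank line between the closing `')` of gen_require and the rule, unlike every neighbouring interface in this file.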

+ ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; +@@ -1928,105 +2382,652 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Read, a FUSEFS filesystem. +## +## @@ -16364,10 +16367,9 @@ index 8416beb..d651a7d 100644 +# +interface(`fs_manage_fusefs_files',` + gen_require(` - type fusefs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ type fusefs_t; ++ ') ++ + manage_files_pattern($1, fusefs_t, fusefs_t) +') + @@ -16804,12 +16806,10 @@ index 8416beb..d651a7d 100644 + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. ## 
@@ -16835,96 +16835,97 @@ index 8416beb..d651a7d 100644 +## +## # --interface(`fs_manage_fusefs_files',` +-interface(`fs_read_fusefs_files',` +interface(`fs_hugetlbfs_filetrans',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') -- manage_files_pattern($1, fusefs_t, fusefs_t) +- read_files_pattern($1, fusefs_t, fusefs_t) + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ') ######################################## ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. +-## Execute files on a FUSEFS filesystem. +## Mount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## --## Domain to not audit. -+## Domain allowed access. + ## Domain allowed access. ## ## +-## # --interface(`fs_dontaudit_manage_fusefs_files',` +-interface(`fs_exec_fusefs_files',` +interface(`fs_mount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') -- dontaudit $1 fusefs_t:file manage_file_perms; +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem mount; ') ######################################## ## --## Read symbolic links on a FUSEFS filesystem. +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. ## ## ## -@@ -2014,19 +2958,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## Domain allowed access. ## ## +-## # --interface(`fs_read_fusefs_symlinks',` +-interface(`fs_manage_fusefs_files',` +interface(`fs_remount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) +- manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem remount; ') ######################################## ## --## Get the attributes of an hugetlbfs --## filesystem. 
+-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. +## Unmount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2034,35 +2977,38 @@ interface(`fs_read_fusefs_symlinks',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`fs_getattr_hugetlbfs',` +-interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_unmount_iso9660_fs',` gen_require(` -- type hugetlbfs_t; +- type fusefs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:filesystem getattr; +- dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 iso9660_t:filesystem unmount; ') ######################################## ## --## List hugetlbfs. +-## Read symbolic links on a FUSEFS filesystem. +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. ## 
@@ -16935,61 +16936,63 @@ index 8416beb..d651a7d 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_getattr_iso9660_fs',` gen_require(` -- type hugetlbfs_t; +- type fusefs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem getattr; ') ######################################## ## --## Manage hugetlbfs dirs. +-## Get the attributes of an hugetlbfs +-## filesystem. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2070,17 +3016,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2034,17 +3035,19 @@ interface(`fs_read_fusefs_symlinks',` ## ## # --interface(`fs_manage_hugetlbfs_dirs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; ') ######################################## ## --## Read and write hugetlbfs files. +-## List hugetlbfs. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2088,35 +3036,38 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2052,17 +3055,20 @@ interface(`fs_getattr_hugetlbfs',` ## ## # --interface(`fs_rw_hugetlbfs_files',` +-interface(`fs_list_hugetlbfs',` +interface(`fs_read_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) 
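Review bot: `fs_getattr_iso9660_files` is described as `## Read files on an iso9660 filesystem, which` / `## is usually used on CDs.` but grants only `iso9660_t:dir list_dir_perms` and `iso9660_t:file getattr`, and the same summary is repeated verbatim for `fs_read_iso9660_files`, which does read. These lines appear to be moved by the re-offsetting of the inner patch rather than newly written, so this is pre-existing text; since it lands on the new side anyway, the summary could be corrected to `## Get the attributes of files on an iso9660` / `## filesystem, which is usually used on CDs.` while the hunk is being touched.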
@@ -16998,151 +17001,158 @@ index 8416beb..d651a7d 100644 + ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Manage hugetlbfs dirs. +## Mount kdbus filesystems. ## --## -+## + ## ## --## The type of the object to be associated. -+## Domain allowed access. +@@ -2070,17 +3076,17 @@ interface(`fs_list_hugetlbfs',` ## ## # --interface(`fs_associate_hugetlbfs',` +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_mount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') -- allow $1 hugetlbfs_t:filesystem associate; +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 kdbusfs_t:filesystem mount; ') ######################################## ## --## Search inotifyfs filesystem. +-## Read and write hugetlbfs files. +## Remount kdbus filesystems. ## ## ## -@@ -2124,17 +3075,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2088,35 +3094,35 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # --interface(`fs_search_inotifyfs',` +-interface(`fs_rw_hugetlbfs_files',` +interface(`fs_remount_kdbus', ` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type kdbusfs_t; ') -- allow $1 inotifyfs_t:dir search_dir_perms; +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## --## List inotifyfs filesystem. +-## Allow the type to associate to hugetlbfs filesystems. +## Unmount kdbus filesystems. ## - ## +-## ++## ## -@@ -2142,71 +3093,134 @@ interface(`fs_search_inotifyfs',` +-## The type of the object to be associated. ++## Domain allowed access. 
## ## # --interface(`fs_list_inotifyfs',` +-interface(`fs_associate_hugetlbfs',` +interface(`fs_unmount_kdbus', ` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type kdbusfs_t; ') -- allow $1 inotifyfs_t:dir list_dir_perms; +- allow $1 hugetlbfs_t:filesystem associate; + allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## --## Dontaudit List inotifyfs filesystem. +-## Search inotifyfs filesystem. +## Get attributes of kdbus filesystems. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -2124,17 +3130,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # --interface(`fs_dontaudit_list_inotifyfs',` +-interface(`fs_search_inotifyfs',` +interface(`fs_getattr_kdbus',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') -- dontaudit $1 inotifyfs_t:dir list_dir_perms; +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. +-## List inotifyfs filesystem. +## Search kdbusfs directories. ## ## ## - ## Domain allowed access. +@@ -2142,71 +3148,118 @@ interface(`fs_search_inotifyfs',` ## ## --## -+# + # +-interface(`fs_list_inotifyfs',` +interface(`fs_search_kdbus_dirs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type kdbusfs_t; + -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## Relabel kdbusfs directories. -+## -+## + ## + ## ## --## The type of the object to be created. +-## Domain to not audit. +## Domain allowed access. 
## ## --## -+# + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_relabel_kdbus_dirs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type cgroup_t; + -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## List kdbusfs directories. -+## -+## + ## + ## ## --## The object class of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## --## +-## +-## +-## The type of the object to be created. +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` @@ -17162,7 +17172,8 @@ index 8416beb..d651a7d 100644 +## +## Domain to not audit. +## -+## + ## +-## +# +interface(`fs_dontaudit_search_kdbus_dirs', ` + gen_require(` @@ -17179,21 +17190,44 @@ index 8416beb..d651a7d 100644 +## +## ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. ++## ++## + ## -## The name of the object being created. +## Domain allowed access. ## ## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
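Review bot: `fs_relabel_kdbus_dirs` declares `type cgroup_t;` in its gen_require but its only rule is `relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)`, so the type it actually uses is never required and an unrelated one is; the require block should read `type kdbusfs_t;`. The same copy-from-cgroup slip is in `fs_read_kdbus_files` in the `@@ -17202` hunk (`type cgroup_t;` with `read_files_pattern($1, kdbusfs_t, kdbusfs_t)`), and the summary of `fs_dontaudit_rw_kdbus_files` in the `@@ -17281` hunk still says `## cgroup files.` where `## kdbusfs files.` is meant. Whether the missing require breaks the build depends on which other interface in the file pulls kdbusfs_t into scope for a given caller, so the failure mode is not verified here, but the require is wrong either way.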
@@ -17202,24 +17236,25 @@ index 8416beb..d651a7d 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3228,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3267,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17229,25 +17264,23 @@ index 8416beb..d651a7d 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ##
## ## -@@ -2234,18 +3248,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3289,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17256,23 +17289,25 @@ index 8416beb..d651a7d 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. ++## Read and write kdbusfs files. ## ## ## -@@ -2253,38 +3270,61 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3309,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -17281,59 +17316,38 @@ index 8416beb..d651a7d 100644 ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Read and write kdbusfs files. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_rw_kdbus_files',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; -+ ') - allow $1 iso9660_t:filesystem getattr; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## +## Manage kdbusfs files. ## ## ## -@@ -2292,19 +3332,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3351,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -17361,7 +17375,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -2312,16 +3354,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3373,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -17382,7 +17396,7 @@ index 8416beb..d651a7d 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3439,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3458,24 @@ interface(`fs_getattr_nfs',` ######################################## ## 
@@ -17407,7 +17421,7 @@ index 8416beb..d651a7d 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3544,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3563,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -17415,7 +17429,7 @@ index 8416beb..d651a7d 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3583,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3602,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -17423,7 +17437,7 @@ index 8416beb..d651a7d 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3610,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3629,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -17468,7 +17482,7 @@ index 8416beb..d651a7d 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3668,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3687,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -17477,7 +17491,7 @@ index 8416beb..d651a7d 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3688,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3707,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -17520,7 +17534,7 @@ index 8416beb..d651a7d 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3738,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3757,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17529,7 +17543,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -2627,7 +3762,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3781,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## 
@@ -17538,7 +17552,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -2719,6 +3854,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3873,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -17604,7 +17618,7 @@ index 8416beb..d651a7d 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3935,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3954,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17613,7 +17627,7 @@ index 8416beb..d651a7d 100644 ## ## # -@@ -2777,7 +3971,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3990,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -17622,7 +17636,7 @@ index 8416beb..d651a7d 100644 ## ## # -@@ -2970,6 +4164,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4183,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17630,7 +17644,7 @@ index 8416beb..d651a7d 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4205,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4224,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17638,7 +17652,7 @@ index 8416beb..d651a7d 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4246,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4265,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17646,7 +17660,7 @@ index 8416beb..d651a7d 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4334,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4353,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -17671,7 +17685,7 @@ index 8416beb..d651a7d 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4470,182 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4489,182 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -17858,7 +17872,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3273,12 +4653,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4672,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # 
@@ -17873,7 +17887,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -3301,6 +4681,24 @@ interface(`fs_associate_ramfs',` +@@ -3301,6 +4700,24 @@ interface(`fs_associate_ramfs',` ######################################## ## @@ -17898,7 +17912,7 @@ index 8416beb..d651a7d 100644 ## Mount a RAM filesystem. ## ## -@@ -3392,7 +4790,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4809,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17907,7 +17921,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3429,7 +4827,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4846,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17916,7 +17930,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3447,7 +4845,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4864,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17925,7 +17939,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3779,6 +5177,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5196,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17950,7 +17964,7 @@ index 8416beb..d651a7d 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5231,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5250,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17975,7 +17989,7 @@ index 8416beb..d651a7d 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5342,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5361,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -17984,7 +17998,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3916,17 +5350,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5369,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # 
@@ -18005,7 +18019,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3934,17 +5368,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5387,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -18026,7 +18040,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3952,17 +5386,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5405,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -18066,7 +18080,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3970,31 +5423,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5442,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -18122,7 +18136,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -4057,23 +5527,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5546,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -18299,7 +18313,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4081,18 +5698,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5717,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -18322,7 +18336,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4100,54 +5717,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5736,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -18389,7 +18403,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4155,17 +5771,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5790,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -18411,7 +18425,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4173,17 +5790,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5809,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -18433,7 +18447,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4191,37 +5809,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5828,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -18479,7 +18493,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4229,18 +5846,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5865,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # 
@@ -18501,7 +18515,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4248,18 +5865,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5884,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -18525,7 +18539,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4267,32 +5885,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5904,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -18564,7 +18578,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -4407,6 +6024,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6043,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -18590,7 +18604,7 @@ index 8416beb..d651a7d 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6139,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6158,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -18599,7 +18613,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -4549,7 +6187,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6206,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -18608,7 +18622,7 @@ index 8416beb..d651a7d 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6234,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6253,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -18635,7 +18649,7 @@ index 8416beb..d651a7d 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6329,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6348,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -18661,7 +18675,7 @@ index 8416beb..d651a7d 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6589,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6608,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3e40862..9f9f119 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -27883,6 +27883,127 @@ index ef62363..0841716 100644 +optional_policy(` + procmail_domtrans(dspam_t) +') +diff --git a/ejabberd.fc b/ejabberd.fc +new file mode 100644 +index 0000000..e797d62 +--- /dev/null ++++ b/ejabberd.fc +@@ -0,0 +1,7 @@ ++/usr/bin/ejabberdctl -- gen_context(system_u:object_r:ejabberd_exec_t,s0) ++ ++/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:ejabberd_unit_t,s0) ++ ++/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_lib_t,s0) ++ ++/var/log/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_log_t,s0) +diff --git a/ejabberd.if b/ejabberd.if +new file mode 100644 +index 0000000..91ef4a4 +--- /dev/null ++++ b/ejabberd.if +@@ -0,0 +1,34 @@ ++## ejabberd is a Free and Open Source distributed fault-tolerant: Jabber/XMPP server. ++######################################## ++## ++## All of the rules required to ++## administrate an ejabberd environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ejabberd_admin',` ++ gen_require(` ++ type ejabberd_t, ejabberd_exec_t; ++ type ejabberd_var_lib_t, ejabberd_var_log_t; ++ ') ++ ++ admin_process_pattern($1, ejabberd_t) ++ ++ init_startstop_service($1, $2, ejabberd_t, ejabberd_initrc_exec_t, ejabberd_unit_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, ejabberd_var_lib_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, ejabberd_var_log_t) ++') +diff --git a/ejabberd.te b/ejabberd.te +new file mode 100644 +index 0000000..4498b11 +--- /dev/null ++++ b/ejabberd.te +@@ -0,0 +1,62 @@ ++policy_module(ejabberd,0.0) ++ ++ ++######################################## ++# ++# Declarations ++# ++ ++# Private type declarations ++type ejabberd_t; ++type ejabberd_exec_t; ++init_daemon_domain(ejabberd_t, ejabberd_exec_t) ++ ++type ejabberd_unit_t; ++systemd_unit_file(ejabberd_unit_t) ++ ++type ejabberd_var_lib_t; ++files_type(ejabberd_var_lib_t) ++ ++type ejabberd_var_log_t; ++logging_log_file(ejabberd_var_log_t) ++ ++ ++# What will we allow ++allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write }; ++allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write }; ++allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write }; ++ ++auth_use_nsswitch(ejabberd_t) ++ ++corecmd_exec_bin(ejabberd_t) ++corecmd_exec_shell(ejabberd_t) ++ ++corenet_tcp_bind_epmd_port(ejabberd_t) ++corenet_tcp_bind_generic_node(ejabberd_t) ++corenet_tcp_bind_generic_port(ejabberd_t) ++corenet_tcp_bind_jabber_client_port(ejabberd_t) ++corenet_tcp_bind_jabber_interserver_port(ejabberd_t) ++corenet_tcp_connect_epmd_port(ejabberd_t) ++corenet_tcp_connect_generic_port(ejabberd_t) ++corenet_tcp_connect_jabber_interserver_port(ejabberd_t) ++ ++corenet_udp_bind_generic_node(ejabberd_t) ++ ++dev_read_rand(ejabberd_t) ++dev_read_sysfs(ejabberd_t) ++ ++files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir) ++ 
++kernel_dgram_send(ejabberd_t) ++ ++logging_create_devlog_dev(ejabberd_t) ++logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file }) ++ ++manage_dirs_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t) ++manage_dirs_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t) ++manage_files_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t) ++manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t) ++ ++miscfiles_read_generic_certs(ejabberd_t) ++ ++sysnet_read_config(ejabberd_t) diff --git a/entropyd.te b/entropyd.te index b8b8328..111084c 100644 --- a/entropyd.te @@ -32826,10 +32947,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..03db2af +index 0000000..ce9dd75 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,308 @@ +@@ -0,0 +1,312 @@ +policy_module(glusterd, 1.1.3) + +## @@ -33081,6 +33202,10 @@ index 0000000..03db2af +') + +optional_policy(` ++ ganesha_systemctl(glusterd_t) ++') ++ ++optional_policy(` + hostname_exec(glusterd_t) +') + @@ -42725,10 +42850,10 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..66e747b +index 0000000..82772f2 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,92 @@ +@@ -0,0 +1,93 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -42768,6 +42893,7 @@ index 0000000..66e747b +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) +kernel_request_load_module(keepalived_t) ++kernel_read_usermodehelper_state(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -84339,30 +84465,20 @@ index f47c8e8..af09c76 100644 + dbus_connect_system_bus(quota_nld_t) ') diff --git a/rabbitmq.fc b/rabbitmq.fc -index c5ad6de..af2d46f 100644 +index c5ad6de..44135d4 100644 --- a/rabbitmq.fc 
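Review bot: `ejabberd_admin` in the new ejabberd.if passes `ejabberd_initrc_exec_t` and `ejabberd_unit_t` to `init_startstop_service` but its gen_require lists only `ejabberd_t, ejabberd_exec_t` and the var_lib/var_log types, and `ejabberd_initrc_exec_t` is not declared anywhere in the new ejabberd.te (the new ejabberd.fc has no init script entry either), so a module that calls this admin interface has nothing to resolve that type against. Either declare the initrc type in ejabberd.te or pass only the types that exist, and add `ejabberd_unit_t` to the require in both cases. In ejabberd.te, `files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir)` hands three arguments to an interface that takes one, so the extra two are silently ignored and no directory transition is granted; it looks like `files_var_lib_filetrans(ejabberd_t, ejabberd_var_lib_t, dir)` was intended. `policy_module(ejabberd,0.0)` also deserves a real version before this ships.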
+++ b/rabbitmq.fc -@@ -1,10 +1,18 @@ +@@ -1,7 +1,8 @@ /etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0) -/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) +/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0) -+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0) + +/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) -+ -+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+ -+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0) - - /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) -+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) - /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.if b/rabbitmq.if index 2c3d338..7d49554 100644 --- a/rabbitmq.if @@ -84682,7 +84798,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..b1668fa 100644 +index 403a4fe..c659271 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84805,10 +84921,11 @@ index 403a4fe..b1668fa 100644 logrotate_exec(radiusd_t) ') -@@ -132,6 +159,10 @@ optional_policy(` +@@ -132,6 +159,11 @@ optional_policy(` ') optional_policy(` ++ postgresql_stream_connect(radiusd_t) + postgresql_tcp_connect(radiusd_t) +') + @@ -84816,7 +84933,7 @@ index 403a4fe..b1668fa 100644 samba_domtrans_winbind_helper(radiusd_t) ') -@@ -140,5 +171,10 @@ optional_policy(` +@@ -140,5 +172,10 @@ optional_policy(` ') optional_policy(` 
@@ -105585,10 +105702,10 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..25d119e 100644 +index dbb005a..47b49ea 100644 --- a/sssd.fc +++ b/sssd.fc -@@ -1,15 +1,28 @@ +@@ -1,15 +1,30 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) @@ -105599,6 +105716,7 @@ index dbb005a..25d119e 100644 +/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_kcm -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_pac -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_pam -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0) @@ -105623,8 +105741,9 @@ index dbb005a..25d119e 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/.heim_org.h5l.kcm-socket -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..277f8f2 100644 +index a240455..aac2584 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -105753,13 +105872,13 @@ index a240455..277f8f2 100644 + gen_require(` + type sssd_conf_t; + ') - -- files_search_etc($1) -- write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ + files_search_etc($1) + write_files_pattern($1, sssd_conf_t, sssd_conf_t) +') -+ + +- files_search_etc($1) +- write_files_pattern($1, sssd_conf_t, sssd_conf_t) +##################################### +## +## Write sssd configuration. 
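Review bot: The new `/var/run/.heim_org.h5l.kcm-socket` entry is declared with `--`, which in file_contexts matches regular files only; the name indicates a unix socket, so `restorecon`/`setfiles` would never apply sssd_var_run_t to it. Use the socket class flag, `/var/run/.heim_org.h5l.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)`, or leave the class out as the `/var/run/secrets.socket` line above it does. The label the socket gets at creation time is a separate question, handled by the sssd.te hunk later in this chunk.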
@@ -105836,10 +105955,11 @@ index a240455..277f8f2 100644 sssd_search_lib($1) - manage_files_pattern($1, sssd_public_t, sssd_public_t) + allow $1 sssd_public_t:file unlink; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read sssd pid files. +## Dontaudit read sssd public files. +## +## @@ -105873,11 +105993,10 @@ index a240455..277f8f2 100644 + + sssd_search_lib($1) + manage_files_pattern($1, sssd_public_t, sssd_public_t) - ') - - ######################################## - ## --## Read sssd pid files. ++') ++ ++######################################## ++## +## Read sssd PID files. ## ## @@ -105937,7 +106056,7 @@ index a240455..277f8f2 100644 ## ## ## -@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',` +@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -105960,6 +106079,44 @@ index a240455..277f8f2 100644 + dontaudit $1 sssd_var_lib_t:sock_file { read write }; +') + ++######################################## ++## ++## Connect to sssd over a unix stream socket in /var/run. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_run_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t) ++') ++ ++######################################## ++## ++## Dontaudit attempts to connect to sssd over a unix stream socket in /var/run. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_dontaudit_run_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_lib_t; ++ ') ++ ++ dontaudit $1 sssd_t:unix_stream_socket connectto; ++ dontaudit $1 sssd_var_run_t:sock_file { read write }; ++') ++ +####################################### +## +## Manage keys for all user domains. 
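Review bot: `sssd_dontaudit_run_stream_connect` requires `sssd_var_lib_t` in its `gen_require` block but its second rule references `sssd_var_run_t`, which it never requires; when the interface is expanded in another module that type is not declared there and the build fails. Change the require line to `type sssd_t, sssd_var_run_t;`. The companion `sssd_run_stream_connect` just above it requires the right pair of types, so this looks like a copy from the existing `sssd_dontaudit_stream_connect`.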
@@ -106032,7 +106189,7 @@ index a240455..277f8f2 100644 ## ## ## -@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -106041,7 +106198,7 @@ index a240455..277f8f2 100644 ## ## ## -@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -106083,7 +106240,7 @@ index a240455..277f8f2 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..d4fee07 100644 +index 2d8db1f..f0f3862 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -106122,7 +106279,7 @@ index 2d8db1f..d4fee07 100644 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) @@ -106137,7 +106294,9 @@ index 2d8db1f..d4fee07 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) ++manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) + files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -106160,7 +106319,7 @@ index 2d8db1f..d4fee07 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +94,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) 
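Review bot: `manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)` is added, but the `files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })` line right below it still omits sock_file, so a socket that sssd_t creates directly under /var/run (the `/var/run/.heim_org.h5l.kcm-socket` path added in the sssd.fc hunk earlier in this chunk) is created with the parent directory's var_run_t label rather than sssd_var_run_t, and the new sock_file permissions do not reach it. Extend the transition: `files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })`.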
@@ -106201,7 +106360,7 @@ index 2d8db1f..d4fee07 100644 init_read_utmp(sssd_t) -@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +132,67 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -107573,10 +107732,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..e187320 +index 0000000..0315421 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,81 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -107599,21 +107758,33 @@ index 0000000..e187320 +# targetd local policy +# + -+allow targetd_t self:capability { sys_admin }; ++allow targetd_t self:capability { ipc_lock sys_admin sys_nice }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:unix_dgram_socket create_socket_perms; +allow targetd_t self:tcp_socket listen; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; -+allow targetd_t self:process setfscreate; ++allow targetd_t self:process { setfscreate setsched }; + +manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++fs_getattr_xattr_fs(targetd_t) ++fs_manage_configfs_files(targetd_t) ++fs_manage_configfs_lnk_files(targetd_t) ++fs_manage_configfs_dirs(targetd_t) ++fs_read_nfsd_files(targetd_t) ++ ++kernel_rw_rpc_sysctls(targetd_t) ++kernel_get_sysvipc_info(targetd_t) +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) + ++rpc_read_exports(targetd_t) ++ ++storage_raw_rw_fixed_disk(targetd_t) ++ +auth_use_nsswitch(targetd_t) + +corecmd_exec_shell(targetd_t) 
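Review bot: `storage_raw_rw_fixed_disk(targetd_t)`, together with the widened `{ ipc_lock sys_admin sys_nice }` capability set, gives targetd_t read/write access to every fixed disk device node on the host, and neither line carries a comment saying which targetd operation needs it; the following hunk in this chunk similarly widens `dev_read_sysfs` to `dev_rw_sysfs(targetd_t)`. Add a one-line `#` comment above each of these naming the feature that requires it, e.g. `# raw write to fixed disks: needed by <targetd operation -- fill in>`, so a later reviewer can judge whether the grant can be narrowed to a more specific device type rather than reconstructing the reason from the changelog's "accommodate changes in the service".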
@@ -107622,7 +107793,7 @@ index 0000000..e187320 +corenet_tcp_bind_generic_node(targetd_t) +corenet_tcp_bind_lsm_plugin_port(targetd_t) + -+dev_read_sysfs(targetd_t) ++dev_rw_sysfs(targetd_t) +dev_read_urand(targetd_t) +dev_rw_lvm_control(targetd_t) +dev_getattr_loop_control(targetd_t) @@ -107636,8 +107807,9 @@ index 0000000..e187320 + +optional_policy(` + lvm_read_config(targetd_t) -+ lvm_read_metadata(targetd_t) ++ lvm_write_metadata(targetd_t) + lvm_manage_lock(targetd_t) ++ lvm_rw_pipes(targetd_t) + lvm_stream_connect(targetd_t) +') + @@ -110850,10 +111022,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..71e14ac +index 0000000..cc0c5fe --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,86 @@ +@@ -0,0 +1,89 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110912,6 +111084,7 @@ index 0000000..71e14ac +can_exec(tomcat_domain, tomcat_exec_t) + +kernel_read_network_state(tomcat_domain) ++kernel_read_net_sysctls(tomcat_domain) + +corecmd_exec_bin(tomcat_domain) +corecmd_exec_shell(tomcat_domain) @@ -110925,6 +111098,8 @@ index 0000000..71e14ac +corenet_tcp_connect_ldap_port(tomcat_domain) +corenet_tcp_connect_mxi_port(tomcat_domain) +corenet_tcp_connect_http_cache_port(tomcat_domain) ++corenet_tcp_connect_postgresql_port(tomcat_domain) ++corenet_tcp_connect_amqp_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -113341,7 +113516,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..487857a 100644 +index facdee8..b5a815a 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ 
@@ -113775,7 +113950,7 @@ index facdee8..487857a 100644 - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -+ allow $1 svirt_t:unix_stream_socket { read write }; ++ allow $1 svirt_t:unix_stream_socket { setopt getopt read write }; ') -####################################### @@ -115541,10 +115716,10 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..fee0027 100644 +index f03dcf5..6e0d11b 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,413 @@ +@@ -1,451 +1,415 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -116182,6 +116357,8 @@ index f03dcf5..fee0027 100644 + +virt_dontaudit_read_state(svirt_t) + ++storage_raw_read_fixed_disk(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -116268,7 +116445,7 @@ index f03dcf5..fee0027 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +417,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +419,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
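Review bot: `storage_raw_read_fixed_disk(svirt_t)` is unconditional, so every VM process labeled svirt_t may read any fixed_disk_device_t node on the host; as far as I can tell device nodes carry no MCS categories, so the per-VM separation that the relabeling to svirt_image_t normally provides does not apply here. If blockcommit genuinely needs the VM process to open the backing device, wrap the rule in a `tunable_policy` block keyed on a new boolean, the way this file already gates NFS and Samba access with `virt_use_nfs` and `virt_use_samba`, so the default stays denied and the grant is auditable. The enclosing svirt_t policy block starts before this hunk.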
@@ -116315,27 +116492,27 @@ index f03dcf5..fee0027 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +452,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +454,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -116349,7 +116526,7 @@ index f03dcf5..fee0027 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +477,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +479,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -116377,7 +116554,7 @@ index f03dcf5..fee0027 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +497,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +499,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -116408,7 +116585,7 @@ index f03dcf5..fee0027 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +549,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +551,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -116428,7 +116605,7 @@ index f03dcf5..fee0027 100644 selinux_validate_context(virtd_t) -@@ -620,18 +571,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +573,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -116465,7 +116642,7 @@ index f03dcf5..fee0027 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +599,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +601,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -116474,7 +116651,7 @@ index f03dcf5..fee0027 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +624,12 @@ optional_policy(` +@@ -665,20 +626,12 @@ optional_policy(` ') optional_policy(` @@ -116496,7 +116673,7 @@ index f03dcf5..fee0027 100644 ') optional_policy(` -@@ -691,20 +642,26 @@ optional_policy(` +@@ -691,20 +644,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -116527,7 +116704,7 @@ index f03dcf5..fee0027 100644 ') optional_policy(` -@@ -712,11 +669,18 @@ optional_policy(` +@@ -712,11 +671,18 @@ optional_policy(` ') optional_policy(` @@ -116546,7 +116723,7 @@ index f03dcf5..fee0027 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +691,18 @@ optional_policy(` +@@ -727,10 +693,18 @@ optional_policy(` ') optional_policy(` @@ -116565,7 +116742,7 @@ index f03dcf5..fee0027 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +718,344 @@ optional_policy(` +@@ -746,44 +720,344 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116678,7 +116855,7 @@ index f03dcf5..fee0027 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) -+ + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) @@ -116839,7 +117016,7 @@ index f03dcf5..fee0027 100644 + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) +') - ++ +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) @@ -116932,7 +117109,7 @@ index f03dcf5..fee0027 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1068,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116959,7 +117136,7 @@ index f03dcf5..fee0027 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1088,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116993,7 +117170,7 @@ index f03dcf5..fee0027 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1123,20 @@ optional_policy(` +@@ -856,14 +1125,20 @@ optional_policy(` ') optional_policy(` @@ -117015,7 +117192,7 @@ index f03dcf5..fee0027 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1161,66 @@ optional_policy(` +@@ -888,49 +1163,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -117100,7 +117277,7 @@ index f03dcf5..fee0027 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1234,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -117120,7 +117297,7 @@ index f03dcf5..fee0027 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1255,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -117144,7 +117321,7 @@ index f03dcf5..fee0027 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1280,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -117588,7 +117765,7 @@ index f03dcf5..fee0027 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1582,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -117603,7 +117780,7 @@ index f03dcf5..fee0027 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1598,7 @@ optional_policy(` +@@ -1192,7 +1600,7 @@ optional_policy(` ######################################## # @@ -117612,7 +117789,7 @@ index f03dcf5..fee0027 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1609,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index aeab6e6..f591cb1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 253%{?dist} +Release: 254%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -689,6 +689,21 @@ exit 0 %endif %changelog
+* Mon May 15 2017 Lukas Vrabec - 3.13.1-254
+- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
+- ejabberd small fixes
+- Update targetd policy to accommodate changes in the service
+- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
+- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
+- Allow glusterd_t domain start ganesha service
+- Made few cosmetic changes in sssd SELinux module
+- Merge pull request #11 from lslebodn/sssd_kcm
+- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
+- Allow keepalived_t domain read usermodehelper_t
+- Allow radius domain stream connec to postgresql
+- Merge pull request #8 from bowlofeggs/142-rawhide
+- Add fs_manage_configfs_lnk_files() interface
+
 * Fri May 12 2017 Lukas Vrabec - 3.13.1-253
 - auth_use_nsswitch can call only domain not attribute
 - Dontaudit net_admin cap for winbind_t