diff --git a/policy-F16.patch b/policy-F16.patch index e3ba6d4..ece00d4 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -757,7 +757,7 @@ index 8fa451c..f3a67c9 100644 ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te -index c4d8998..d62fdd2 100644 +index c4d8998..419d14a 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -75,12 +75,7 @@ logging_send_syslog_msg(firstboot_t) @@ -793,6 +793,15 @@ index c4d8998..d62fdd2 100644 optional_policy(` samba_rw_config(firstboot_t) +@@ -113,7 +118,7 @@ optional_policy(` + optional_policy(` + unconfined_domtrans(firstboot_t) + # The big hammer +- unconfined_domain(firstboot_t) ++ unconfined_domain_noaudit(firstboot_t) + ') + + optional_policy(` @@ -125,6 +130,7 @@ optional_policy(` ') @@ -1514,7 +1523,7 @@ index 7f1d18e..a68d519 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..e12af8e 100644 +index af55369..5ede07b 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1556,7 +1565,7 @@ index af55369..e12af8e 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,11 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +102,13 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -1565,11 +1574,13 @@ index af55369..e12af8e 100644 +userdom_manage_user_home_content(prelink_t) +userdom_execmod_user_home_files(prelink_t) + ++systemd_read_unit_files(prelink_t) ++ +term_use_all_inherited_terms(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,13 +117,22 @@ optional_policy(` +@@ -109,13 +119,22 @@ optional_policy(` ') optional_policy(` 
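Review bot: In the firstboot.te hunk (`@@ -113,7 +118,7 @@`), swapping `unconfined_domain(firstboot_t)` for `unconfined_domain_noaudit(firstboot_t)` gives up audit coverage without the comment saying so; to my reading of refpolicy the `_noaudit` variant is the same unconfined grant minus the `auditallow` rules the plain wrapper adds for execmem/execstack/execheap under their tunables, so firstboot using executable memory would no longer leave an audit record. If the intent is to silence known noise, make the trade explicit by extending the existing comment: `# The big hammer; the _noaudit variant also drops the execmem/execstack auditallow records`. The enclosing `optional_policy(` block is entirely within the hunk.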
@@ -1594,7 +1605,7 @@ index af55369..e12af8e 100644 ######################################## # # Prelink Cron system Policy -@@ -129,6 +146,7 @@ optional_policy(` +@@ -129,6 +148,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -1602,7 +1613,7 @@ index af55369..e12af8e 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +166,28 @@ optional_policy(` +@@ -148,17 +168,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -2554,7 +2565,7 @@ index 8966ec9..8fbe943 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te -index bc00875..819a10b 100644 +index bc00875..2efc0d7 100644 --- a/policy/modules/admin/smoltclient.te +++ b/policy/modules/admin/smoltclient.te @@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0) @@ -2573,7 +2584,7 @@ index bc00875..819a10b 100644 fs_getattr_all_fs(smoltclient_t) fs_getattr_all_dirs(smoltclient_t) -@@ -46,15 +46,21 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_files(smoltclient_t) @@ -2588,6 +2599,10 @@ index bc00875..819a10b 100644 miscfiles_read_localization(smoltclient_t) optional_policy(` ++ abrt_stream_connect(smoltclient_t) ++') ++ ++optional_policy(` + cron_system_entry(smoltclient_t, smoltclient_exec_t) +') + @@ -3304,10 +3319,10 @@ index 0000000..1f468aa +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..7b1047f +index 0000000..bbbba63 --- /dev/null 
+++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,126 @@ +@@ -0,0 +1,128 @@ + +## policy for chrome + @@ -3329,6 +3344,8 @@ index 0000000..7b1047f + domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) + ++ allow $1 chrome_sandbox_t:fd use; ++ + ifdef(`hide_broken_symptoms',` + dontaudit chrome_sandbox_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) @@ -11295,7 +11312,7 @@ index 4f3b542..4581434 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..e2f9c64 100644 +index 99b71cb..b49e084 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -11415,8 +11432,12 @@ index 99b71cb..e2f9c64 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -158,10 +188,18 @@ network_port(ntp, udp,123,s0) - network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) +@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) + network_port(nmbd, udp,137,s0, udp,138,s0) + network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) + network_port(ntp, udp,123,s0) +-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) @@ -13117,10 +13138,18 @@ index c19518a..ba08cfe 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
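Review bot: In the corenetwork.te.in hunk (`@@ -155,13 +185,21 @@`), renaming `network_port(oracledb, ...)` to `network_port(oracle, ...)` changes the generated type from `oracledb_port_t` to `oracle_port_t` and, by the usual corenetwork template naming, every generated `corenet_*_oracledb_port` interface, so any module in this series or any local `semanage port` customisation still using the old name will fail to build or load. If the rename is deliberate, consider a compatibility alias next to the new declaration, e.g. `typealias oracle_port_t alias oracledb_port_t;`, or confirm in the commit message that no remaining reference to the old name exists; I cannot see the rest of the series from this hunk.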
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..c0e0b1e 100644 +index ff006ea..9097e58 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` +@@ -55,6 +55,7 @@ + ##
  • files_pid_file()
  • + ##
  • files_security_file()
  • + ##
  • files_security_mountpoint()
  • ++##
  • files_spool_file()
  • + ##
  • files_tmp_file()
  • + ##
  • files_tmpfs_file()
  • + ##
  • logging_log_file()
  • +@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -13133,7 +13162,7 @@ index ff006ea..c0e0b1e 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1482,6 +1480,42 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -13176,7 +13205,7 @@ index ff006ea..c0e0b1e 100644 ## List the contents of the root directory. ## ## -@@ -1562,7 +1596,7 @@ interface(`files_root_filetrans',` +@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',` type root_t; ') @@ -13185,7 +13214,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -1848,7 +1882,7 @@ interface(`files_boot_filetrans',` +@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -13194,7 +13223,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -2372,6 +2406,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -13219,7 +13248,7 @@ index ff006ea..c0e0b1e 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2503,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -13228,7 +13257,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -2525,6 +2577,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -13253,7 +13282,7 @@ index ff006ea..c0e0b1e 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2694,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',` type etc_t; ') 
@@ -13262,7 +13291,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -2680,24 +2750,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -13287,7 +13316,7 @@ index ff006ea..c0e0b1e 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2790,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -13312,7 +13341,7 @@ index ff006ea..c0e0b1e 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2845,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -13320,7 +13349,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3364,7 +3435,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -13329,7 +13358,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3502,20 +3573,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -13373,7 +13402,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3900,6 +3989,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13473,7 +13502,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4127,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## 
@@ -13482,7 +13511,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4017,7 +4199,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13491,7 +13520,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4029,6 +4211,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13516,7 +13545,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4285,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13549,7 +13578,7 @@ index ff006ea..c0e0b1e 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4365,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13592,7 +13621,7 @@ index ff006ea..c0e0b1e 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4464,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13601,7 +13630,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4262,7 +4524,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13610,7 +13639,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4318,7 +4580,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -13619,7 +13648,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -4342,6 +4604,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -13636,7 +13665,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -4681,7 +4953,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -13645,7 +13674,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5084,7 +5356,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -13654,7 +13683,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5219,7 +5491,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13663,7 +13692,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5304,6 +5576,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -13689,7 +13718,7 @@ index ff006ea..c0e0b1e 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5608,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5609,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -13698,7 +13727,7 @@ index ff006ea..c0e0b1e 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5629,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -13714,7 +13743,7 @@ index ff006ea..c0e0b1e 100644 ## ## ## -@@ -5349,12 +5644,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13747,7 +13776,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5373,6 +5686,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -13755,7 +13784,7 @@ index ff006ea..c0e0b1e 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5699,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -13763,7 +13792,7 @@ index ff006ea..c0e0b1e 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5725,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -13772,7 +13801,7 @@ index ff006ea..c0e0b1e 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5741,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -13789,7 +13818,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5452,7 +5765,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -13798,7 +13827,7 @@ index ff006ea..c0e0b1e 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5806,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -13807,7 +13836,7 @@ index ff006ea..c0e0b1e 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5828,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -13816,7 +13845,7 @@ index ff006ea..c0e0b1e 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5860,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -13827,7 +13856,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5608,6 +5921,43 @@ interface(`files_search_pids',` +@@ -5608,6 +5922,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -13871,7 +13900,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Do not audit attempts to search -@@ -5736,7 +6086,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13880,7 +13909,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5815,6 +6165,98 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6166,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13938,6 +13967,24 @@ index ff006ea..c0e0b1e 100644 + +######################################## +## ++## Create all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ++') ++ ++######################################## ++## +## Delete all pid named pipes +## +## @@ -13979,7 +14026,7 @@ index ff006ea..c0e0b1e 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6274,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6293,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -14024,7 +14071,98 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -6042,7 +6522,7 @@ interface(`files_spool_filetrans',` +@@ -5900,6 +6399,90 @@ interface(`files_delete_all_pid_dirs',` + + ######################################## + ## ++## Make the specified type a file ++## used for spool files. ++## ++## ++##

    ++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

    ++##

    ++## Related interfaces: ++##

    ++## ++##

    ++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

    ++##

    ++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

    ++##
    ++## ++## ++## Type of the file to be used as a ++## spool file. ++## ++## ++## ++# ++interface(`files_spool_file',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 spoolfile; ++') ++ ++######################################## ++## ++## Create all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## + ## Search the contents of generic spool + ## directories (/var/spool). + ## +@@ -6042,7 +6625,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14033,7 +14171,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -6117,3 +6597,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6700,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -14319,18 +14457,20 @@ index ff006ea..c0e0b1e 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 22821ff..567322b 100644 +index 22821ff..20251b0 100644 --- a/policy/modules/kernel/files.te 
+++ b/policy/modules/kernel/files.te -@@ -11,6 +11,7 @@ attribute lockfile; +@@ -10,7 +10,9 @@ attribute files_unconfined_type; + attribute lockfile; attribute mountpoint; attribute pidfile; ++attribute spoolfile; attribute configfile; +attribute etcfile; # For labeling types that are to be polyinstantiated attribute polydir; -@@ -58,12 +59,21 @@ files_type(etc_t) +@@ -58,12 +60,21 @@ files_type(etc_t) typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -14353,7 +14493,7 @@ index 22821ff..567322b 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t) +@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t) # type var_lock_t; files_lock_file(var_lock_t) @@ -14361,6 +14501,14 @@ index 22821ff..567322b 100644 # # var_run_t is the type of /var/run, usually +@@ -181,6 +193,7 @@ files_mountpoint(var_run_t) + # + type var_spool_t; + files_tmp_file(var_spool_t) ++files_spool_file(var_spool_t) + + ######################################## + # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 97fcdac..3babb37 100644 --- a/policy/modules/kernel/filesystem.if @@ -15287,6 +15435,13 @@ index 0e5b661..3168d72 100644 attribute mcsreadall; +attribute mcsuntrustedproc; +attribute mcsnetwrite; +diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc +index 7be4ddf..4d4c577 100644 +--- a/policy/modules/kernel/selinux.fc ++++ b/policy/modules/kernel/selinux.fc +@@ -1 +1 @@ +-# This module currently does not have any file contexts. ++/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index ca7e808..23a065c 100644 --- a/policy/modules/kernel/selinux.if @@ -18022,10 +18177,10 @@ index 0000000..8b2cdf3 + 
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..230d370 +index 0000000..99f35d5 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,543 @@ +@@ -0,0 +1,545 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18148,6 +18303,8 @@ index 0000000..230d370 +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + ++systemd_config_all_services(unconfined_t) ++ +optional_policy(` + mount_run_unconfined(unconfined_t, unconfined_r) + # Unconfined running as system_r @@ -18888,14 +19045,14 @@ index e88b95f..0eb55db 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..f7a7a96 100644 +index 1bd5812..b3631d6 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc @@ -1,11 +1,9 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -19124,7 +19281,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..ffe6d41 100644 +index 30861ec..ced411a 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) 
@@ -19142,7 +19299,20 @@ index 30861ec..ffe6d41 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -43,14 +51,37 @@ ifdef(`enable_mcs',` +@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t) + type abrt_var_run_t; + files_pid_file(abrt_var_run_t) + ++type abrt_dump_oops_t; ++type abrt_dump_oops_exec_t; ++init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) ++ ++permissive abrt_dump_oops_t; ++ + # type needed to allow all domains + # to handle /var/cache/abrt + type abrt_helper_t; +@@ -43,14 +57,37 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -19167,7 +19337,7 @@ index 30861ec..ffe6d41 100644 +files_type(abrt_retrace_cache_t) + +type abrt_retrace_spool_t; -+files_type(abrt_retrace_spool_t) ++files_spool_file(abrt_retrace_spool_t) + ######################################## # @@ -19182,7 +19352,7 @@ index 30861ec..ffe6d41 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -19190,7 +19360,7 @@ index 30861ec..ffe6d41 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) 
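Review bot: `permissive abrt_dump_oops_t;` (abrt.te hunk `@@ -32,6 +40,12 @@`) ships the new domain in permissive mode, so every rule written for it later in this file is logged rather than enforced until the line is removed. That is a normal way to land a new domain, but it needs a stated exit condition or it tends to stay indefinitely. Suggest a comment above it, `# TODO: drop permissive once abrt_dump_oops_t shows no denials in testing`, and a tracking item for the removal.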
@@ -19198,7 +19368,7 @@ index 30861ec..ffe6d41 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -19207,7 +19377,7 @@ index 30861ec..ffe6d41 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -19215,7 +19385,7 @@ index 30861ec..ffe6d41 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -19225,7 +19395,7 @@ index 30861ec..ffe6d41 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -19234,7 +19404,7 @@ index 30861ec..ffe6d41 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) 
@@ -19243,7 +19413,7 @@ index 30861ec..ffe6d41 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -19260,7 +19430,7 @@ index 30861ec..ffe6d41 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +197,11 @@ optional_policy(` +@@ -150,6 +203,11 @@ optional_policy(` ') optional_policy(` @@ -19272,7 +19442,7 @@ index 30861ec..ffe6d41 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +219,7 @@ optional_policy(` +@@ -167,6 +225,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -19280,7 +19450,7 @@ index 30861ec..ffe6d41 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +231,18 @@ optional_policy(` +@@ -178,12 +237,18 @@ optional_policy(` ') optional_policy(` @@ -19300,7 +19470,7 @@ index 30861ec..ffe6d41 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,9 +259,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -19313,7 +19483,7 @@ index 30861ec..ffe6d41 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +278,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) 
@@ -19323,7 +19493,7 @@ index 30861ec..ffe6d41 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +287,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -19331,7 +19501,7 @@ index 30861ec..ffe6d41 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -19423,7 +19593,38 @@ index 30861ec..ffe6d41 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') ++ ++######################################## ++# ++# abrt_dump_oops local policy ++# ++ ++allow abrt_dump_oops_t self:capability dac_override; ++allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; ++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_search_spool(abrt_dump_oops_t) ++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++ ++read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++ ++kernel_read_kernel_sysctls(abrt_dump_oops_t) ++kernel_read_ring_buffer(abrt_dump_oops_t) ++kernel_read_system_state(abrt_dump_oops_t) ++ ++domain_use_interactive_fds(abrt_dump_oops_t) ++ ++files_read_etc_files(abrt_dump_oops_t) ++ ++logging_read_generic_logs(abrt_dump_oops_t) ++logging_send_syslog_msg(abrt_dump_oops_t) ++ ++miscfiles_read_localization(abrt_dump_oops_t) 
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858d..d639ae0 100644 --- a/policy/modules/services/accountsd.if @@ -19802,9 +20003,18 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..4556eb2 100644 +index deca9d3..ae8c579 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te +@@ -38,7 +38,7 @@ type amavis_quarantine_t; + files_type(amavis_quarantine_t) + + type amavis_spool_t; +-files_type(amavis_spool_t) ++files_spool_file(amavis_spool_t) + + ######################################## + # @@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) @@ -19850,7 +20060,7 @@ index deca9d3..4556eb2 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..70d68cb 100644 +index 9e39aa5..a0876b5 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ 
@@ -19873,7 +20083,16 @@ index 9e39aa5..70d68cb 100644 /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -@@ -24,16 +29,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u +@@ -16,6 +21,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u + /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) + /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + ++/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_t,s0) ++ + /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + +@@ -24,16 +31,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -19898,7 +20117,7 @@ index 9e39aa5..70d68cb 100644 /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -@@ -43,8 +49,9 @@ ifdef(`distro_suse', ` +@@ -43,8 +51,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
@@ -19910,7 +20129,7 @@ index 9e39aa5..70d68cb 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -73,8 +80,10 @@ ifdef(`distro_suse', ` +@@ -73,8 +82,10 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -19922,7 +20141,7 @@ index 9e39aa5..70d68cb 100644 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -84,9 +93,10 @@ ifdef(`distro_suse', ` +@@ -84,9 +95,10 @@ ifdef(`distro_suse', ` /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -19934,7 +20153,12 @@ index 9e39aa5..70d68cb 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +119,22 @@ ifdef(`distro_debian', ` +@@ -105,7 +117,27 @@ ifdef(`distro_debian', ` + + /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/www/html(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -19958,7 +20182,7 @@ index 9e39aa5..70d68cb 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..b32b10e 100644 +index 6480167..970916e 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -20397,11 +20621,12 @@ index 6480167..b32b10e 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1026,11 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1026,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; - type httpd_sys_script_t; ++ type httpd_sys_script_exec_t; + type httpd_sys_script_t, httpd_sys_content_t; + ') + @@ -20410,7 +20635,7 @@ index 6480167..b32b10e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1089,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1090,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -20422,7 +20647,7 @@ index 6480167..b32b10e 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1119,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1120,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -20431,7 +20656,7 @@ index 6480167..b32b10e 100644 ') ######################################## -@@ -1091,6 +1260,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1261,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') 
@@ -20457,7 +20682,7 @@ index 6480167..b32b10e 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1295,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -20466,7 +20691,7 @@ index 6480167..b32b10e 100644 ') ######################################## -@@ -1170,17 +1358,14 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1359,15 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -20481,6 +20706,7 @@ index 6480167..b32b10e 100644 + type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; type httpd_suexec_tmp_t, httpd_tmp_t; - type httpd_initrc_exec_t; ++ type httpd_unit_t; ') - allow $1 httpd_t:process { getattr ptrace signal_perms }; @@ -20488,7 +20714,7 @@ index 6480167..b32b10e 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1376,10 @@ interface(`apache_admin',` +@@ -1191,10 +1378,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -20501,7 +20727,7 @@ index 6480167..b32b10e 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1390,67 @@ interface(`apache_admin',` +@@ -1205,14 +1392,69 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -20520,6 +20746,8 @@ index 6480167..b32b10e 100644 admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) + ++ allow $1 httpd_unit_t:service all_service_perms; ++ + ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t) + seutil_setsebool_role_template($1, $3, $2) @@ -20575,7 +20803,7 @@ index 6480167..b32b10e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..a079c51 100644 +index 3136c6a..0966da0 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -20839,7 +21067,17 @@ index 3136c6a..a079c51 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -177,6 +242,9 @@ role system_r types httpd_helper_t; + type httpd_initrc_exec_t; + init_script_file(httpd_initrc_exec_t) + ++type httpd_unit_t; ++systemd_unit_file(httpd_unit_t) ++ + type httpd_lock_t; + files_lock_file(httpd_lock_t) + +@@ -216,7 +284,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -20858,7 +21096,7 @@ index 3136c6a..a079c51 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +304,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -20869,7 +21107,7 @@ index 3136c6a..a079c51 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +315,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -20877,7 +21115,7 @@ index 3136c6a..a079c51 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t) +@@ -254,9 +337,13 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -20887,7 +21125,11 @@ index 3136c6a..a079c51 100644 # File Type of squirrelmail attachments type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) -@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++files_spool_file(squirrelmail_spool_t) + + optional_policy(` + prelink_object_file(httpd_modules_t) +@@ -281,11 +368,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -20901,7 +21143,7 @@ index 3136c6a..a079c51 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +418,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) 
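Review bot: `files_spool_file(squirrelmail_spool_t)` is added while the existing `files_tmp_file(squirrelmail_spool_t)` line is kept, so the type now carries both the tmpfile and spoolfile attributes and is reachable by every interface keyed on either, including tmp-purging ones, which widens what can delete or relabel attachment data. Elsewhere in this commit (amavis, asterisk, courier, cron) `files_type` is replaced by `files_spool_file` rather than stacked on another attribute. If the double attribute is intentional because the files live under /var/spool but have a temporary lifecycle, say so in the comment above the type, e.g. `# squirrelmail attachments: spool location, tmp lifecycle (both attributes on purpose)`; otherwise replace the `files_tmp_file` line instead of adding to it.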
@@ -20912,7 +21154,7 @@ index 3136c6a..a079c51 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +441,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +445,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -20921,7 +21163,7 @@ index 3136c6a..a079c51 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +457,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -20937,7 +21179,7 @@ index 3136c6a..a079c51 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +473,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -20953,7 +21195,7 @@ index 3136c6a..a079c51 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +482,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +486,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -20961,7 +21203,7 @@ index 3136c6a..a079c51 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +494,13 @@ files_read_etc_files(httpd_t) +@@ -402,6 +498,13 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -20975,7 +21217,7 @@ index 3136c6a..a079c51 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +515,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +519,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -21012,8 +21254,8 @@ index 3136c6a..a079c51 100644 + corenet_tcp_connect_firebird_port(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) -+ corenet_tcp_connect_oracledb_port(httpd_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` @@ -21052,7 +21294,7 @@ index 3136c6a..a079c51 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +595,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +599,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -21063,7 +21305,7 @@ index 3136c6a..a079c51 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +609,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +613,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -21093,7 +21335,7 @@ index 3136c6a..a079c51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +639,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +643,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
@@ -21110,7 +21352,7 @@ index 3136c6a..a079c51 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +663,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +667,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -21131,7 +21373,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -513,7 +687,13 @@ optional_policy(` +@@ -513,7 +691,13 @@ optional_policy(` ') optional_policy(` @@ -21146,7 +21388,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -528,7 +708,18 @@ optional_policy(` +@@ -528,7 +712,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -21166,7 +21408,7 @@ index 3136c6a..a079c51 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +728,13 @@ optional_policy(` +@@ -537,8 +732,13 @@ optional_policy(` ') optional_policy(` @@ -21181,7 +21423,7 @@ index 3136c6a..a079c51 100644 ') ') -@@ -556,7 +752,13 @@ optional_policy(` +@@ -556,7 +756,13 @@ optional_policy(` ') optional_policy(` @@ -21195,7 +21437,7 @@ index 3136c6a..a079c51 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +769,7 @@ optional_policy(` +@@ -567,6 +773,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -21203,7 +21445,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -577,6 +780,16 @@ optional_policy(` +@@ -577,6 +784,16 @@ optional_policy(` ') optional_policy(` @@ -21220,7 +21462,7 @@ index 3136c6a..a079c51 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +804,11 @@ optional_policy(` +@@ -591,6 +808,11 @@ optional_policy(` ') optional_policy(` 
@@ -21232,7 +21474,7 @@ index 3136c6a..a079c51 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +821,12 @@ optional_policy(` +@@ -603,6 +825,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -21245,7 +21487,7 @@ index 3136c6a..a079c51 100644 ######################################## # # Apache helper local policy -@@ -616,7 +840,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +844,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -21258,7 +21500,7 @@ index 3136c6a..a079c51 100644 ######################################## # -@@ -654,28 +882,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +886,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -21278,8 +21520,8 @@ index 3136c6a..a079c51 100644 + corenet_tcp_connect_firebird_port(httpd_php_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracledb_port(httpd_php_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ') optional_policy(` @@ -21302,7 +21544,7 @@ index 3136c6a..a079c51 100644 ') ######################################## -@@ -685,6 +915,8 @@ optional_policy(` +@@ -685,6 +919,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -21311,7 +21553,7 @@ index 3136c6a..a079c51 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +931,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +935,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -21337,7 +21579,7 @@ index 3136c6a..a079c51 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +977,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +981,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -21345,8 +21587,8 @@ index 3136c6a..a079c51 100644 + corenet_tcp_connect_firebird_port(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_oracledb_port(httpd_suexec_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) @@ -21370,7 +21612,7 @@ index 3136c6a..a079c51 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1024,25 @@ optional_policy(` +@@ -769,6 +1028,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -21396,7 +21638,7 @@ index 3136c6a..a079c51 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1063,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1067,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -21414,7 +21656,7 @@ index 3136c6a..a079c51 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1082,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1086,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -21428,8 +21670,8 @@ index 3136c6a..a079c51 100644 + corenet_tcp_connect_firebird_port(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -21471,7 +21713,7 @@ index 3136c6a..a079c51 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1133,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1137,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -21502,7 +21744,7 @@ index 3136c6a..a079c51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1168,20 @@ optional_policy(` +@@ -842,10 +1172,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21523,7 +21765,7 @@ index 3136c6a..a079c51 100644 ') ######################################## -@@ -891,11 +1227,21 @@ optional_policy(` +@@ -891,11 +1231,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -21781,10 +22023,15 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..0e8a352 100644 +index b3b0176..c873197 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te -@@ -23,6 +23,7 @@ files_type(asterisk_spool_t) +@@ -19,10 +19,11 @@ type asterisk_log_t; + logging_log_file(asterisk_log_t) + + type asterisk_spool_t; +-files_type(asterisk_spool_t) ++files_spool_file(asterisk_spool_t) type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) @@ -23381,7 +23628,7 @@ index 0000000..564acbd +') diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te new file mode 100644 -index 0000000..a67f732 +index 0000000..a7c96a5 --- /dev/null +++ b/policy/modules/services/callweaver.te @@ -0,0 +1,79 @@ @@ -23411,7 +23658,7 @@ index 0000000..a67f732 +files_pid_file(callweaver_var_run_t) + +type callweaver_spool_t; -+files_type(callweaver_spool_t) ++files_spool_file(callweaver_spool_t) + +######################################## +# @@ -25244,9 +25491,18 @@ index 9971337..f081899 100644 ') 
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te -index 838dec7..452741c 100644 +index 838dec7..59d0f96 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te +@@ -15,7 +15,7 @@ courier_domain_template(pcp) + courier_domain_template(pop) + + type courier_spool_t; +-files_type(courier_spool_t) ++files_spool_file(courier_spool_t) + + courier_domain_template(tcpd) + @@ -95,7 +95,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; @@ -25688,7 +25944,7 @@ index 35241ed..2976df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..1812563 100644 +index f7583ab..3c9cf5a 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -25718,7 +25974,15 @@ index f7583ab..1812563 100644 ## gen_tunable(fcron_crond, false) -@@ -38,7 +38,7 @@ type cron_var_lib_t; +@@ -31,14 +31,14 @@ type anacron_exec_t; + application_executable_file(anacron_exec_t) + + type cron_spool_t; +-files_type(cron_spool_t) ++files_spool_file(cron_spool_t) + + # var/lib files + type cron_var_lib_t; files_type(cron_var_lib_t) type cron_var_run_t; 
@@ -25740,15 +26004,17 @@ index f7583ab..1812563 100644 type crontab_exec_t; application_executable_file(crontab_exec_t) -@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; +@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; type system_cron_spool_t, cron_spool_type; - files_type(system_cron_spool_t) -@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t; +-files_type(system_cron_spool_t) ++files_spool_file(system_cron_spool_t) + + type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; @@ -25767,9 +26033,12 @@ index f7583ab..1812563 100644 type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) domain_cron_exemption_target(unconfined_cronjob_t) -@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon +@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t) + type user_cron_spool_t, cron_spool_type; + typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; - files_type(user_cron_spool_t) +-files_type(user_cron_spool_t) ++files_spool_file(user_cron_spool_t) ubac_constrained(user_cron_spool_t) +mta_system_content(user_cron_spool_t) + 
@@ -25851,10 +26120,11 @@ index f7583ab..1812563 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t) +@@ -220,8 +243,11 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) ++userdom_list_admin_dir(crond_t) +userdom_create_all_users_keys(crond_t) mta_send_mail(crond_t) @@ -25862,7 +26132,7 @@ index f7583ab..1812563 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -233,7 +258,7 @@ ifdef(`distro_debian',` +@@ -233,7 +259,7 @@ ifdef(`distro_debian',` ') ') @@ -25871,7 +26141,7 @@ index f7583ab..1812563 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +276,30 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` @@ -25902,7 +26172,7 @@ index f7583ab..1812563 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +308,8 @@ optional_policy(` +@@ -264,6 +309,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -25911,7 +26181,7 @@ index f7583ab..1812563 100644 ') optional_policy(` -@@ -286,15 +332,26 @@ optional_policy(` +@@ -286,15 +333,26 @@ optional_policy(` ') optional_policy(` @@ -25938,7 +26208,7 @@ index f7583ab..1812563 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -306,10 +364,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron 
@@ -25959,7 +26229,7 @@ index f7583ab..1812563 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -329,6 +396,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -25967,7 +26237,7 @@ index f7583ab..1812563 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,9 +408,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -25982,7 +26252,7 @@ index f7583ab..1812563 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -365,6 +437,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -25990,7 +26260,7 @@ index f7583ab..1812563 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +464,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) 
@@ -25998,7 +26268,7 @@ index f7583ab..1812563 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +487,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -26010,7 +26280,7 @@ index f7583ab..1812563 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +514,8 @@ optional_policy(` +@@ -439,6 +515,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -26019,7 +26289,7 @@ index f7583ab..1812563 100644 ') optional_policy(` -@@ -446,6 +523,14 @@ optional_policy(` +@@ -446,6 +524,14 @@ optional_policy(` ') optional_policy(` @@ -26034,7 +26304,7 @@ index f7583ab..1812563 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,15 +541,24 @@ optional_policy(` +@@ -456,15 +542,24 @@ optional_policy(` ') optional_policy(` @@ -26059,7 +26329,7 @@ index f7583ab..1812563 100644 ') optional_policy(` -@@ -480,7 +574,7 @@ optional_policy(` +@@ -480,7 +575,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -26068,7 +26338,7 @@ index f7583ab..1812563 100644 ') optional_policy(` -@@ -495,6 +589,7 @@ optional_policy(` +@@ -495,6 +590,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -26076,7 +26346,7 @@ index f7583ab..1812563 100644 ') optional_policy(` -@@ -502,7 +597,13 @@ optional_policy(` +@@ -502,7 +598,13 @@ optional_policy(` ') optional_policy(` 
@@ -26090,7 +26360,7 @@ index f7583ab..1812563 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +696,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +697,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -26106,10 +26376,10 @@ index f7583ab..1812563 100644 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc new file mode 100644 -index 0000000..a7c4f1e +index 0000000..e490a2a --- /dev/null +++ b/policy/modules/services/ctdbd.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,15 @@ + +/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) + @@ -26122,14 +26392,15 @@ index 0000000..a7c4f1e +/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + +/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) +/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) + diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if new file mode 100644 -index 0000000..3317390 +index 0000000..9146ef1 --- /dev/null +++ b/policy/modules/services/ctdbd.if -@@ -0,0 +1,236 @@ +@@ -0,0 +1,255 @@ + +## policy for ctdbd + @@ -26325,6 +26596,25 @@ index 0000000..3317390 + allow $1 ctdbd_var_run_t:file read_file_perms; +') + ++####################################### ++## ++## Connect to ctdbd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_stream_connect',` ++ gen_require(` ++ type ctdbd_t, ctdbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) ++') ++ +######################################## +## +## All of the rules required to administrate 
@@ -26368,10 +26658,10 @@ index 0000000..3317390 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..8ce09c4 +index 0000000..09cb39f --- /dev/null +++ b/policy/modules/services/ctdbd.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,114 @@ +policy_module(ctdbd, 1.0.0) + +######################################## @@ -26393,6 +26683,7 @@ index 0000000..8ce09c4 + +type ctdbd_spool_t; +files_type(ctdbd_spool_t) ++#files_spool_file(ctdbd_spool_t) + +type ctdbd_tmp_t; +files_tmp_file(ctdbd_tmp_t) @@ -26407,10 +26698,13 @@ index 0000000..8ce09c4 +# +# ctdbd local policy +# -+allow ctdbd_t self:capability { chown ipc_lock sys_nice }; ++ ++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace }; +allow ctdbd_t self:process { setpgid signal_perms setsched }; ++ +allow ctdbd_t self:fifo_file rw_fifo_file_perms; +allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; +allow ctdbd_t self:packet_socket create_socket_perms; +allow ctdbd_t self:tcp_socket create_stream_socket_perms; + 
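Review bot: `#files_spool_file(ctdbd_spool_t)` is added as a commented-out line directly under `files_type(ctdbd_spool_t)`, while the rest of this diff moves every other `*_spool_t` (dovecot, exim, inn, lpd, mta, postfix and others) onto `files_spool_file()`. Either apply the same call here or replace the dead line with a comment that says why ctdbd's spool is kept off the spool-file attribute; a commented-out rule tells the next maintainer nothing about which of the two was decided.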
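Review bot: The self capability set for `ctdbd_t` grows from `{ chown ipc_lock sys_nice }` to also include `net_admin`, `net_raw` and `sys_ptrace`, and the line carries no comment explaining what each is for. `net_admin`/`net_raw` are at least consistent with the `netlink_route_socket` rule added just below, but `sys_ptrace` is far broader than the rest; if it was added only to quiet denials from scanning other processes' entries under /proc, the `domain_dontaudit_read_all_domains_state(ctdbd_t)` already in this file plus a `dontaudit ctdbd_t self:capability sys_ptrace;` would be the narrower fix. Please add a one-line comment above the rule naming the operation behind each of the three new capabilities so the grant can be reviewed.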
@@ -26418,14 +26712,16 @@ index 0000000..8ce09c4 +manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) +logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } ) + ++manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) +manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) -+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, sock_file) ++files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file}) + +manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) +manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) +manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) +files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file }) + ++exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } ) @@ -26434,6 +26730,8 @@ index 0000000..8ce09c4 +manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) +files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file }) + ++kernel_read_network_state(ctdbd_t) ++kernel_rw_net_sysctls(ctdbd_t) +kernel_read_system_state(ctdbd_t) + +corenet_tcp_bind_generic_node(ctdbd_t) 
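Review bot: `exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)` is added above the existing `manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)`, so the daemon can now both write and execute the same files in its state directory; that gives up the write/execute separation the rest of the policy keeps, and if only packaged event scripts need to run, labelling them with a separate executable type in ctdbd.fc would be narrower. `kernel_rw_net_sysctls(ctdbd_t)` similarly grants write access to the whole net sysctl tree; if a read-only interface covers what ctdbd actually needs, prefer it, otherwise a comment naming the sysctls it sets would help. Minor style point: `{ file sock_file}` in the `files_tmp_filetrans` line lacks the space before `}` used by every other class set in this file.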
@@ -26441,27 +26739,43 @@ index 0000000..8ce09c4 +corecmd_exec_bin(ctdbd_t) +corecmd_exec_shell(ctdbd_t) + ++dev_read_sysfs(ctdbd_t) ++ +domain_use_interactive_fds(ctdbd_t) +domain_dontaudit_read_all_domains_state(ctdbd_t) + +files_read_etc_files(ctdbd_t) -+ -+iptables_domtrans(ctdbd_t) ++files_search_all_mountpoints(ctdbd_t) + +logging_send_syslog_msg(ctdbd_t) + +miscfiles_read_localization(ctdbd_t) + -+sysnet_domtrans_ifconfig(ctdbd_t) + +# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t) +# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t) + +optional_policy(` -+ samba_initrc_domtrans(ctdbd_t) ++ consoletype_exec(ctdbd_t) +') + ++optional_policy(` ++ hostname_exec(ctdbd_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(ctdbd_t) ++') + ++optional_policy(` ++ samba_initrc_domtrans(ctdbd_t) ++ samba_domtrans_net(ctdbd_t) ++ samba_read_var_files(ctdbd_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(ctdbd_t) ++') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc index 1b492ed..c79454d 100644 --- a/policy/modules/services/cups.fc @@ -29013,7 +29327,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..4bbff24 100644 +index acf6d4f..87949e8 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -29035,6 +29349,15 @@ index acf6d4f..4bbff24 100644 type dovecot_etc_t; files_config_file(dovecot_etc_t) +@@ -36,7 +39,7 @@ type dovecot_passwd_t; + files_type(dovecot_passwd_t) + + type dovecot_spool_t; +-files_type(dovecot_spool_t) ++files_spool_file(dovecot_spool_t) + + type dovecot_tmp_t; + files_tmp_file(dovecot_tmp_t) @@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t) # dovecot local policy # @@ -29933,7 +30256,7 @@ index 6bef7f8..464669c 100644 + admin_pattern($1, exim_var_run_t) +') 
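Review bot: The two commented-out lines `# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)` and `# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)` are kept in the new ctdbd.te and refer to `traffic_manager_t`, a domain this module never declares; they look like copy-paste residue and should be removed rather than carried into a new module. Dropping the unconditional `iptables_domtrans(ctdbd_t)` and `sysnet_domtrans_ifconfig(ctdbd_t)` also appears to leave two consecutive blank lines before that comment block. Wrapping those calls and `samba_initrc_domtrans` in `optional_policy()` is the right change and needs nothing further.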
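Review bot: Switching `dovecot_spool_t` from `files_type()` to `files_spool_file()` — and the same change to `exim_spool_t`, `news_spool_t`, `pyicqt_var_spool_t`, `print_spool_t`, `mqueue_spool_t` and `mail_spool_t`, `nagios_spool_t`, `plymouthd_spool_t`, the `postfix_spool_*` types, `postgrey_spool_t`, `prelude_spool_t`, `pyicqt_spool_t`, `qmail_spool_t` and `rwho_spool_t` in the later hunks — presumably puts these types on a shared spool-file attribute, so every domain granted access through an attribute-wide spool interface gains access to mail queues, print jobs and the other spools at once. That is a widening of access rather than a relabel, and none of the hunks says so; a sentence in the commit message listing which domains use the attribute-wide interfaces would let reviewers judge it. `mail_spool_t` and `mqueue_spool_t` deserve a second look because they also carry `files_mountpoint()`.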
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..0b19f11 100644 +index f28f64b..6419b55 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -29971,7 +30294,7 @@ index f28f64b..0b19f11 100644 ## gen_tunable(exim_manage_user_files, false) -@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t) +@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t) application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -29981,6 +30304,12 @@ index f28f64b..0b19f11 100644 type exim_log_t; logging_log_file(exim_log_t) + type exim_spool_t; +-files_type(exim_spool_t) ++files_spool_file(exim_spool_t) + + type exim_tmp_t; + files_tmp_file(exim_tmp_t) @@ -171,6 +174,10 @@ optional_policy(` ') @@ -32397,7 +32726,7 @@ index ebc9e0d..2f3d8dc 100644 allow $1 innd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te -index 9fab1dc..dc7dd01 100644 +index 9fab1dc..2462aa7 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -4,6 +4,7 @@ policy_module(inn, 1.9.0) @@ -32408,7 +32737,13 @@ index 9fab1dc..dc7dd01 100644 type innd_t; type innd_exec_t; init_daemon_domain(innd_t, innd_exec_t) -@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t) +@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t) + + type news_spool_t; + files_mountpoint(news_spool_t) ++files_spool_file(news_spool_t) + + ######################################## # # Local policy # 
@@ -32416,7 +32751,7 @@ index 9fab1dc..dc7dd01 100644 allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; -@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) +@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) can_exec(innd_t, innd_exec_t) manage_files_pattern(innd_t, innd_log_t, innd_log_t) @@ -32425,7 +32760,7 @@ index 9fab1dc..dc7dd01 100644 logging_log_filetrans(innd_t, innd_log_t, file) manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -@@ -56,7 +58,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) +@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -32434,7 +32769,7 @@ index 9fab1dc..dc7dd01 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -105,6 +107,7 @@ sysnet_read_config(innd_t) +@@ -105,6 +108,7 @@ sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) @@ -32648,7 +32983,7 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..0ba2bdc 100644 +index da2127e..6538d66 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0) @@ -32684,7 +33019,7 @@ index da2127e..0ba2bdc 100644 -######################################## +type pyicqt_var_spool_t; -+files_type(pyicqt_var_spool_t) ++files_spool_file(pyicqt_var_spool_t) + +type pyicqt_var_run_t; +files_pid_file(pyicqt_var_run_t) 
@@ -32861,7 +33196,7 @@ index da2127e..0ba2bdc 100644 + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..923e979 100644 +index 3525d24..74ec098 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) @@ -32873,9 +33208,13 @@ index 3525d24..923e979 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -@@ -31,3 +31,4 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++ ++krb5_host_rcache_t /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if @@ -34251,7 +34590,7 @@ index a4f32f5..ea7dca0 100644 type lpr_t, lpr_exec_t; ') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te -index 93c14ca..c08de17 100644 +index 93c14ca..f28acd2 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) 
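Review bot: In the new kerberos.fc hunk the token `krb5_host_rcache_t` appears on its own between the blank line and `/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)`; the line breaks are lost in this rendering, but if that is a line of its own it is not a valid file-context entry (a bare type name with no path regex and no context) and would be rejected when the file contexts are compiled, so please check it against the real patch. The `/var/cache/krb5rcache(/.*)?` entry itself is consistent with the existing `/var/tmp/host_0` and `/var/tmp/HTTP_23` labelling.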
@@ -34267,7 +34606,15 @@ index 93c14ca..c08de17 100644 ## gen_tunable(use_lpd_server, false) -@@ -54,7 +54,7 @@ type printer_t; +@@ -47,14 +47,14 @@ ubac_constrained(lpr_tmp_t) + type print_spool_t; + typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; + typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +-files_type(print_spool_t) ++files_spool_file(print_spool_t) + ubac_constrained(print_spool_t) + + type printer_t; files_type(printer_t) type printconf_t; @@ -36275,10 +36622,10 @@ index 343cee3..5e792cc 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..dbddbef 100644 +index 64268e4..3bd4ceb 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te -@@ -20,8 +20,8 @@ files_type(etc_aliases_t) +@@ -20,14 +20,16 @@ files_type(etc_aliases_t) type etc_mail_t; files_config_file(etc_mail_t) @@ -36289,7 +36636,15 @@ index 64268e4..dbddbef 100644 type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t) ++files_spool_file(mqueue_spool_t) + + type mail_spool_t; + files_mountpoint(mail_spool_t) ++files_spool_file(mail_spool_t) + + type sendmail_exec_t; + mta_agent_executable(sendmail_exec_t) +@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; @@ -36313,7 +36668,7 @@ index 64268e4..dbddbef 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -80,8 +69,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t) +@@ -80,8 +71,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t) init_use_script_ptys(system_mail_t) 
@@ -36329,7 +36684,7 @@ index 64268e4..dbddbef 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +87,28 @@ optional_policy(` +@@ -92,17 +89,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -36359,7 +36714,7 @@ index 64268e4..dbddbef 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +117,8 @@ optional_policy(` +@@ -111,6 +119,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -36368,7 +36723,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -124,12 +132,9 @@ optional_policy(` +@@ -124,12 +134,9 @@ optional_policy(` ') optional_policy(` @@ -36383,7 +36738,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -146,6 +151,10 @@ optional_policy(` +@@ -146,6 +153,10 @@ optional_policy(` ') optional_policy(` @@ -36394,7 +36749,7 @@ index 64268e4..dbddbef 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +167,6 @@ optional_policy(` +@@ -158,18 +169,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -36413,7 +36768,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -189,6 +186,10 @@ optional_policy(` +@@ -189,6 +188,10 @@ optional_policy(` ') optional_policy(` @@ -36424,7 +36779,7 @@ index 64268e4..dbddbef 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +200,7 @@ optional_policy(` +@@ -199,7 +202,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) 
@@ -36433,7 +36788,7 @@ index 64268e4..dbddbef 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +221,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -36443,7 +36798,7 @@ index 64268e4..dbddbef 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +244,10 @@ optional_policy(` +@@ -242,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -36454,7 +36809,7 @@ index 64268e4..dbddbef 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +255,25 @@ optional_policy(` +@@ -249,16 +257,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -36482,7 +36837,7 @@ index 64268e4..dbddbef 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +307,44 @@ optional_policy(` +@@ -292,3 +309,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -37302,9 +37657,18 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..8a9789c 100644 +index bf64a4c..971f741 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te +@@ -25,7 +25,7 @@ type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + + type nagios_spool_t; +-files_type(nagios_spool_t) ++files_spool_file(nagios_spool_t) + + nagios_plugin_template(admin) + nagios_plugin_template(checkdisk) @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) kernel_read_system_state(nagios_t) 
@@ -39742,10 +40106,10 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..208ef3a 100644 +index 06e217d..4f9a575 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te -@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1) +@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1) type plymouth_t; type plymouth_exec_t; application_domain(plymouth_t, plymouth_exec_t) @@ -39753,7 +40117,12 @@ index 06e217d..208ef3a 100644 type plymouthd_t; type plymouthd_exec_t; -@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t) + init_daemon_domain(plymouthd_t, plymouthd_exec_t) + + type plymouthd_spool_t; +-files_type(plymouthd_spool_t) ++files_spool_file(plymouthd_spool_t) + type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) @@ -40302,7 +40671,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..c22af86 100644 +index 46bee12..9e2714e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -40538,7 +40907,7 @@ index 46bee12..c22af86 100644 ') ######################################## -@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -40641,9 +41010,13 @@ index 46bee12..c22af86 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write }; ++ ') +') 
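Review bot: The added `dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };` silences read/write denials on every socket class of the calling domain that postdrop inherits, which can hide a genuinely leaked descriptor and not only cosmetic noise; the hide_broken_symptoms guard is the right place for it, but the enclosing interface's doc block (outside this hunk) should mention the rule, e.g. `## Under hide_broken_symptoms, denials on sockets inherited from the caller are not audited.` Style: refpolicy writes the ifdef without a space after the comma, and the closing `')` of the ifdef should align with the `ifdef` keyword rather than the inner rule.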
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..701607c 100644 +index a32c4b3..d60a654 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -40661,15 +41034,17 @@ index a32c4b3..701607c 100644 attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -12,7 +20,7 @@ attribute postfix_user_domtrans; +@@ -12,8 +20,8 @@ attribute postfix_user_domtrans; postfix_server_domain_template(bounce) -type postfix_spool_bounce_t; +-files_type(postfix_spool_bounce_t) +type postfix_spool_bounce_t, postfix_spool_type; - files_type(postfix_spool_bounce_t) ++files_spool_file(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) + @@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t; # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) @@ -40688,23 +41063,27 @@ index a32c4b3..701607c 100644 type postfix_private_t; files_type(postfix_private_t) -@@ -65,13 +77,13 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) -type postfix_spool_t; +-files_type(postfix_spool_t) +type postfix_spool_t, postfix_spool_type; - files_type(postfix_spool_t) ++files_spool_file(postfix_spool_t) -type postfix_spool_maildrop_t; +-files_type(postfix_spool_maildrop_t) +type postfix_spool_maildrop_t, postfix_spool_type; - files_type(postfix_spool_maildrop_t) ++files_spool_file(postfix_spool_maildrop_t) -type postfix_spool_flush_t; +-files_type(postfix_spool_flush_t) +type postfix_spool_flush_t, postfix_spool_type; - files_type(postfix_spool_flush_t) ++files_spool_file(postfix_spool_flush_t) type postfix_public_t; + files_type(postfix_public_t) @@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs 
@@ -40774,7 +41153,18 @@ index a32c4b3..701607c 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -264,8 +285,8 @@ optional_policy(` +@@ -249,6 +270,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) + ++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; + + corecmd_exec_bin(postfix_cleanup_t) +@@ -264,8 +289,8 @@ optional_policy(` # Postfix local local policy # @@ -40784,7 +41174,7 @@ index a32c4b3..701607c 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +294,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +298,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -40793,7 +41183,7 @@ index a32c4b3..701607c 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +309,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +313,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -40812,7 +41202,7 @@ index a32c4b3..701607c 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +325,10 @@ optional_policy(` +@@ -297,6 +329,10 @@ optional_policy(` ') optional_policy(` 
@@ -40823,7 +41213,7 @@ index a32c4b3..701607c 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +336,22 @@ optional_policy(` +@@ -304,9 +340,22 @@ optional_policy(` ') optional_policy(` @@ -40846,7 +41236,7 @@ index a32c4b3..701607c 100644 ######################################## # # Postfix map local policy -@@ -372,6 +417,7 @@ optional_policy(` +@@ -372,6 +421,7 @@ optional_policy(` # Postfix pickup local policy # @@ -40854,7 +41244,17 @@ index a32c4b3..701607c 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -385,13 +431,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; +@@ -379,19 +429,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p + rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + ++allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; ++read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++ + postfix_list_spool(postfix_pickup_t) + + allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -40872,7 +41272,7 @@ index a32c4b3..701607c 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +450,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +458,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) 
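Review bot: `postfix_pickup_t` gains `read_files_pattern` and `delete_files_pattern` on the generic `postfix_spool_t`, in addition to the `postfix_spool_maildrop_t` rules that follow; maildrop is where pickup is expected to consume queue files, so delete rights over the whole spool type widen what a misbehaving pickup process could remove. If this is driven by a specific denial (for example a queue directory that is not labelled maildrop), naming it in a comment above the three lines, or fixing the label, would be preferable to the broader grant.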
@@ -40881,7 +41281,7 @@ index a32c4b3..701607c 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +471,7 @@ optional_policy(` +@@ -420,6 +479,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -40889,7 +41289,7 @@ index a32c4b3..701607c 100644 ') optional_policy(` -@@ -436,11 +488,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +496,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -40907,7 +41307,7 @@ index a32c4b3..701607c 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +545,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +553,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -40918,7 +41318,7 @@ index a32c4b3..701607c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +565,8 @@ optional_policy(` +@@ -507,6 +573,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -40927,7 +41327,7 @@ index a32c4b3..701607c 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +579,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; 
@@ -40935,11 +41335,12 @@ index a32c4b3..701607c 100644 +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +602,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -40950,7 +41351,7 @@ index a32c4b3..701607c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +630,10 @@ optional_policy(` +@@ -565,6 +639,10 @@ optional_policy(` ') optional_policy(` @@ -40961,7 +41362,7 @@ index a32c4b3..701607c 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +657,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +666,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -40978,7 +41379,7 @@ index a32c4b3..701607c 100644 ') optional_policy(` -@@ -611,8 +686,8 @@ optional_policy(` +@@ -611,8 +695,8 @@ optional_policy(` # Postfix virtual local policy # @@ -40988,7 +41389,7 @@ index a32c4b3..701607c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +705,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +714,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) 
@@ -41278,6 +41679,19 @@ index ad15fde..6f55445 100644 ') allow $1 postgrey_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te +index db843e2..4389e81 100644 +--- a/policy/modules/services/postgrey.te ++++ b/policy/modules/services/postgrey.te +@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; + init_script_file(postgrey_initrc_exec_t) + + type postgrey_spool_t; +-files_type(postgrey_spool_t) ++files_spool_file(postgrey_spool_t) + + type postgrey_var_lib_t; + files_type(postgrey_var_lib_t) diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc index 2d82c6d..352032a 100644 --- a/policy/modules/services/ppp.fc @@ -41586,9 +42000,18 @@ index 2316653..77ef768 100644 + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te -index b1bc02c..8f0b07e 100644 +index b1bc02c..e0c0f70 100644 --- a/policy/modules/services/prelude.te +++ b/policy/modules/services/prelude.te +@@ -13,7 +13,7 @@ type prelude_initrc_exec_t; + init_script_file(prelude_initrc_exec_t) + + type prelude_spool_t; +-files_type(prelude_spool_t) ++files_spool_file(prelude_spool_t) + + type prelude_log_t; + logging_log_file(prelude_log_t) @@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t) type prelude_correlator_t; type prelude_correlator_exec_t; @@ -41897,7 +42320,7 @@ index bc329d1..0589f97 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te -index d4000e0..312e537 100644 +index d4000e0..f35afa4 100644 --- a/policy/modules/services/psad.te +++ b/policy/modules/services/psad.te @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) 
@@ -41909,6 +42332,15 @@ index d4000e0..312e537 100644 type psad_initrc_exec_t; init_script_file(psad_initrc_exec_t) +@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t) + + allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; + dontaudit psad_t self:capability sys_tty_config; +-allow psad_t self:process signull; ++allow psad_t self:process signal_perms; + allow psad_t self:fifo_file rw_fifo_file_perms; + allow psad_t self:rawip_socket create_socket_perms; + @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) @@ -42238,6 +42670,19 @@ index 64c5f95..cb7c5e2 100644 + usermanage_access_check_passwd(puppetmaster_t) + usermanage_access_check_useradd(puppetmaster_t) +') +diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te +index a841221..b62a01f 100644 +--- a/policy/modules/services/pyicqt.te ++++ b/policy/modules/services/pyicqt.te +@@ -13,7 +13,7 @@ type pyicqt_conf_t; + files_config_file(pyicqt_conf_t) + + type pyicqt_spool_t; +-files_type(pyicqt_spool_t) ++files_spool_file(pyicqt_spool_t) + + type pyicqt_var_run_t; + files_pid_file(pyicqt_var_run_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index d4a7750..705196e 100644 --- a/policy/modules/services/pyzor.fc @@ -42488,9 +42933,18 @@ index a55bf44..77a25f5 100644 ') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te -index 355b2a2..54329f9 100644 +index 355b2a2..88e6f40 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te +@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) + qmail_child_domain_template(qmail_splogger, qmail_start_t) + + type qmail_spool_t; +-files_type(qmail_spool_t) ++files_spool_file(qmail_spool_t) + + type qmail_start_t; + type qmail_start_exec_t; 
@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) ######################################## # @@ -43488,7 +43942,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..034544f 100644 +index 00fa514..9e237a7 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -43548,7 +44002,7 @@ index 00fa514..034544f 100644 # need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) -@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t) +@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) @@ -43573,7 +44027,12 @@ index 00fa514..034544f 100644 # needed by resources scripts auth_read_all_files_except_shadow(rgmanager_t) -@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t) + auth_dontaudit_getattr_shadow(rgmanager_t) + auth_use_nsswitch(rgmanager_t) + ++init_domtrans_script(rgmanager_t) ++ + logging_send_syslog_msg(rgmanager_t) miscfiles_read_localization(rgmanager_t) @@ -43582,7 +44041,7 @@ index 00fa514..034544f 100644 tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) -@@ -118,6 +126,14 @@ optional_policy(` +@@ -118,6 +128,14 @@ optional_policy(` ') optional_policy(` @@ -43597,7 +44056,7 @@ index 00fa514..034544f 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +156,15 @@ optional_policy(` +@@ -140,6 +158,15 @@ optional_policy(` ') optional_policy(` @@ -43613,7 +44072,7 @@ index 00fa514..034544f 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -193,9 +218,9 @@ optional_policy(` +@@ -193,9 +220,9 @@ optional_policy(` virt_stream_connect(rgmanager_t) ') 
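Review bot: `init_domtrans_script(rgmanager_t)` lets rgmanager run init scripts in the init-script domain, which in practice means it can start and stop any service with that domain's privileges; the nearby `# needed by resources scripts` comment covers only the file-read rules above it, and the new line carries no comment of its own. A comment tying it to the resource agents that invoke init scripts (`# resource agents start and stop services through their init scripts`) would make the scope clear, and if only a few services are involved, the per-service `*_initrc_domtrans` interfaces (such as the `samba_initrc_domtrans` used elsewhere in this diff) are narrower than the generic transition.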
@@ -45287,7 +45746,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..e8ee29b 100644 +index b1468ed..06e637c 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -45393,14 +45852,14 @@ index b1468ed..e8ee29b 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -196,6 +214,7 @@ kernel_signal(gssd_t) - - corecmd_exec_bin(gssd_t) - -+fs_search_nfsd_fs(gssd_t) +@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) ++fs_search_nfsd_fs(gssd_t) + + fs_list_inotifyfs(gssd_t) + files_list_tmp(gssd_t) @@ -210,14 +229,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -45774,9 +46233,18 @@ index 71ea0ea..664e68e 100644 # interface(`rwho_domtrans',` diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te -index a07b2f4..0ba4495 100644 +index a07b2f4..ee39810 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te +@@ -16,7 +16,7 @@ type rwho_log_t; + files_type(rwho_log_t) + + type rwho_spool_t; +-files_type(rwho_spool_t) ++files_spool_file(rwho_spool_t) + + ######################################## + # @@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) @@ -46037,7 +46505,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..941f823 100644 +index e30bb63..fdfa9bf 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) 
@@ -46134,7 +46602,17 @@ index e30bb63..941f823 100644 ') # Support Samba sharing of NFS mount points -@@ -445,8 +442,8 @@ optional_policy(` +@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',` + fs_search_fusefs(smbd_t) + ') + ++optional_policy(` ++ ctdbd_stream_connect(smbd_t) ++') + + optional_policy(` + cups_read_rw_config(smbd_t) +@@ -445,8 +445,8 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -46144,7 +46622,7 @@ index e30bb63..941f823 100644 tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) -@@ -462,8 +459,8 @@ tunable_policy(`samba_export_all_rw',` +@@ -462,8 +462,8 @@ tunable_policy(`samba_export_all_rw',` auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -46154,7 +46632,7 @@ index e30bb63..941f823 100644 ######################################## # -@@ -484,8 +481,9 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -46165,7 +46643,7 @@ index e30bb63..941f823 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +558,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -46183,7 +46661,7 @@ index e30bb63..941f823 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -578,7 +576,7 @@ files_read_etc_files(smbcontrol_t) +@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) 
@@ -46192,7 +46670,7 @@ index e30bb63..941f823 100644 ######################################## # -@@ -644,19 +642,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -46217,7 +46695,7 @@ index e30bb63..941f823 100644 ######################################## # # SWAT Local policy -@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -46226,7 +46704,7 @@ index e30bb63..941f823 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -46241,7 +46719,7 @@ index e30bb63..941f823 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -46249,7 +46727,7 @@ index e30bb63..941f823 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +757,8 @@ logging_search_logs(swat_t) +@@ -754,6 +760,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) 
@@ -46258,7 +46736,7 @@ index e30bb63..941f823 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -46280,7 +46758,7 @@ index e30bb63..941f823 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -46288,7 +46766,7 @@ index e30bb63..941f823 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -904,7 +911,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -46297,7 +46775,7 @@ index e30bb63..941f823 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +929,18 @@ optional_policy(` +@@ -922,6 +932,18 @@ optional_policy(` # optional_policy(` @@ -46316,7 +46794,7 @@ index e30bb63..941f823 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +951,12 @@ optional_policy(` +@@ -932,9 +954,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -46952,6 +47430,19 @@ index 086cd5f..79347e7 100644 optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) +diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te +index e5e72fd..92eecec 100644 +--- a/policy/modules/services/slrnpull.te ++++ b/policy/modules/services/slrnpull.te +@@ -13,7 +13,7 @@ type slrnpull_var_run_t; + files_pid_file(slrnpull_var_run_t) + + type slrnpull_spool_t; +-files_type(slrnpull_spool_t) ++files_spool_file(slrnpull_spool_t) + + type slrnpull_log_t; + logging_log_file(slrnpull_log_t) diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index adea9f9..d5b2d93 100644 --- a/policy/modules/services/smartmon.if @@ -47503,10 +47994,10 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..7573826 100644 +index ec1eb1e..e1f3477 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te -@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0) +@@ -6,56 +6,95 @@ policy_module(spamassassin, 2.4.0) # ## @@ -47634,8 +48125,11 @@ index ec1eb1e..7573826 100644 +logging_log_file(spamd_log_t) + type spamd_spool_t; - files_type(spamd_spool_t) +-files_type(spamd_spool_t) ++files_spool_file(spamd_spool_t) + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) @@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) @@ -49585,9 +50079,18 @@ index 3b953f5..70f687a 100644 # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te -index c2cf97e..037a1e8 100644 +index c2cf97e..1f8f768 100644 --- a/policy/modules/services/uptime.te 
+++ b/policy/modules/services/uptime.te +@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t; + files_config_file(uptimed_etc_t) + + type uptimed_spool_t; +-files_type(uptimed_spool_t) ++files_spool_file(uptimed_spool_t) + + type uptimed_var_run_t; + files_pid_file(uptimed_var_run_t) @@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t) dontaudit uptimed_t self:capability sys_tty_config; @@ -49610,9 +50113,18 @@ index 4440aa6..34ffbfd 100644 + virt_dontaudit_read_chr_dev(usbmuxd_t) +') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..4d112ba 100644 +index d4349e9..5e7be4f 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te +@@ -24,7 +24,7 @@ type uucpd_ro_t; + files_type(uucpd_ro_t) + + type uucpd_spool_t; +-files_type(uucpd_spool_t) ++files_spool_file(uucpd_spool_t) + + type uucpd_log_t; + logging_log_file(uucpd_log_t) @@ -125,6 +125,8 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -50443,7 +50955,7 @@ index 7c5d8d8..59ba27c 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..ae4a925 100644 +index 3eca020..b2c36e4 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -50678,8 +51190,9 @@ index 3eca020..ae4a925 100644 +') -allow virtd_t self:fifo_file rw_fifo_file_perms; +-allow virtd_t self:unix_stream_socket create_stream_socket_perms; +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; - allow virtd_t self:unix_stream_socket create_stream_socket_perms; ++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tun_socket create_socket_perms; +allow virtd_t self:rawip_socket create_socket_perms; 
@@ -50951,7 +51464,7 @@ index 3eca020..ae4a925 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +613,166 @@ optional_policy(` +@@ -457,8 +613,176 @@ optional_policy(` ') optional_policy(` @@ -51080,8 +51593,12 @@ index 3eca020..ae4a925 100644 +allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms; + ++allow virt_lxc_t virt_image_type:dir mounton; ++ ++allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; ++ +domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t) -+allow virtd_t virt_lxc_t:process signal; ++allow virtd_t virt_lxc_t:process { signal signull sigkill }; + +manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) @@ -51100,9 +51617,15 @@ index 3eca020..ae4a925 100644 +files_mount_all_file_type_fs(virt_lxc_t) +files_unmount_all_file_type_fs(virt_lxc_t) + ++fs_manage_tmpfs_dirs(virt_lxc_t) ++fs_manage_tmpfs_chr_files(virt_lxc_t) ++fs_manage_tmpfs_symlinks(virt_lxc_t) +fs_manage_cgroup_dirs(virt_lxc_t) +fs_rw_cgroup_files(virt_lxc_t) + ++selinux_mount_fs(virt_lxc_t) ++selinux_unmount_fs(virt_lxc_t) ++ +term_use_generic_ptys(virt_lxc_t) +term_use_ptmx(virt_lxc_t) + @@ -52729,7 +53252,7 @@ index 130ced9..10b57e0 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..bc547bf 100644 +index 143c893..d293052 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -52864,7 +53387,7 @@ index 143c893..bc547bf 100644 +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; -+files_type(xdm_spool_t) ++files_spool_file(xdm_spool_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) 
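Review bot: `selinux_mount_fs(virt_lxc_t)` / `selinux_unmount_fs(virt_lxc_t)` in the virt.te hunk (`@@ -51100,9 +51617,15 @@`) are not scoped to the container's mount namespace, so virt_lxc_t can equally unmount or re-mount selinuxfs in the host's view, which is what libselinux consults to decide whether SELinux is enabled; policy cannot express the namespace distinction, so at least record the intent with `# lxc controller mounts a private selinuxfs inside the container's mount namespace`. In the preceding hunk (`@@ -51080,8 +51593,12 @@`), `allow virt_lxc_t virt_domain:process { ... transition ... }` grants a transition to every virt_domain, but a setexeccon()-driven transition also needs `self:process setexec` on virt_lxc_t and an entrypoint rule on the container init binary, neither of which is visible here — presumably they live elsewhere in the module, worth confirming. The same rule's `sigkill` over all of virt_domain lets the lxc controller kill qemu/kvm guests as well as containers; if only lxc guests are meant, a narrower attribute would be tighter. The virt_lxc_t local policy continues outside this hunk.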
@@ -53271,7 +53794,7 @@ index 143c893..bc547bf 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +629,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -53279,6 +53802,7 @@ index 143c893..bc547bf 100644 term_setattr_console(xdm_t) +term_use_console(xdm_t) ++term_use_virtio_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +term_relabel_all_ttys(xdm_t) @@ -53310,7 +53834,7 @@ index 143c893..bc547bf 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -53341,7 +53865,7 @@ index 143c893..bc547bf 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -53356,7 +53880,7 @@ index 143c893..bc547bf 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -53378,7 +53902,7 @@ index 143c893..bc547bf 100644 ') optional_policy(` -@@ -519,12 +749,62 @@ optional_policy(` +@@ -519,12 +750,62 @@ optional_policy(` ') optional_policy(` @@ -53441,7 +53965,7 @@ index 143c893..bc547bf 100644 hostname_exec(xdm_t) ') -@@ -542,28 +822,70 @@ optional_policy(` +@@ -542,28 +823,70 @@ optional_policy(` ') optional_policy(` 
@@ -53521,7 +54045,7 @@ index 143c893..bc547bf 100644 ') optional_policy(` -@@ -575,6 +897,14 @@ optional_policy(` +@@ -575,6 +898,14 @@ optional_policy(` ') optional_policy(` @@ -53536,7 +54060,7 @@ index 143c893..bc547bf 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +930,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -53545,7 +54069,7 @@ index 143c893..bc547bf 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +944,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -53561,7 +54085,7 @@ index 143c893..bc547bf 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +971,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -53583,7 +54107,7 @@ index 143c893..bc547bf 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +991,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -53591,7 +54115,7 @@ index 143c893..bc547bf 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -53599,7 +54123,7 @@ index 143c893..bc547bf 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -53617,7 +54141,7 @@ index 143c893..bc547bf 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -53631,7 +54155,7 @@ index 143c893..bc547bf 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1066,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1067,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -53640,7 +54164,7 @@ index 143c893..bc547bf 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -53655,7 +54179,7 @@ index 143c893..bc547bf 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1132,36 @@ optional_policy(` +@@ -778,16 +1133,36 @@ optional_policy(` ') optional_policy(` 
@@ -53693,7 +54217,7 @@ index 143c893..bc547bf 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1170,10 @@ optional_policy(` +@@ -796,6 +1171,10 @@ optional_policy(` ') optional_policy(` @@ -53704,7 +54228,7 @@ index 143c893..bc547bf 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1189,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1190,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -53718,7 +54242,7 @@ index 143c893..bc547bf 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1200,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1201,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -53727,7 +54251,7 @@ index 143c893..bc547bf 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1213,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1214,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -53737,7 +54261,7 @@ index 143c893..bc547bf 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1223,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1224,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -53749,7 +54273,7 @@ index 143c893..bc547bf 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1236,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1237,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -53766,7 +54290,7 @@ index 143c893..bc547bf 100644 ') optional_policy(` -@@ -862,6 +1251,10 @@ optional_policy(` +@@ -862,6 +1252,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -53777,7 +54301,7 @@ index 143c893..bc547bf 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1298,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1299,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -53786,7 +54310,7 @@ index 143c893..bc547bf 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1352,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1353,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -53818,7 +54342,7 @@ index 143c893..bc547bf 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1398,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1399,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -54228,7 +54752,7 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..c2dc2c5 100644 +index 73554ec..dedb917 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -54301,7 +54825,7 @@ index 73554ec..c2dc2c5 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +171,113 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +171,89 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -54349,30 +54873,10 @@ index 73554ec..c2dc2c5 100644 + ') + + optional_policy(` ++ systemd_dbus_chat_logind($1) + systemd_use_fds_logind($1) + systemd_write_inherited_logind_sessions_pipes($1) - ') - ') - - ######################################## - ## -+## Send and receive messages from -+## login program domains over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authlogin_dbus_chat',` -+ gen_require(` -+ attribute polydomain; -+ class dbus send_msg; + ') -+ -+ allow $1 polydomain:dbus send_msg; -+ allow polydomain $1:dbus send_msg; +') + +######################################## @@ -54407,17 +54911,13 @@ index 73554ec..c2dc2c5 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; -+ ') + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## - ## Use the login program as an entry point program. - ## - ## -@@ -368,13 +484,15 @@ interface(`auth_domtrans_chk_passwd',` + ') + + ######################################## +@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -54434,7 +54934,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -421,6 +539,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -54460,7 +54960,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -736,7 +873,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
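Review bot: The authlogin.if hunk (`@@ -54349,30 +54873,10 @@`) deletes the `authlogin_dbus_chat` interface from the patch while adding `systemd_dbus_chat_logind($1)` to `auth_login_pgm_domain`; any caller of `authlogin_dbus_chat` still present elsewhere in policy-F16.patch will now fail at module build, so grep the patch for it before merging. The removed interface granted bidirectional `dbus send_msg` between `$1` and every `polydomain`, whereas the replacement covers only logind, so a domain that needed to talk to other login programs now needs its own rule. A one-line comment such as `# login programs register sessions with logind over the system bus` would explain the new call. `auth_login_pgm_domain` itself starts before this hunk.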
@@ -54509,7 +55009,7 @@ index 73554ec..c2dc2c5 100644 ') ####################################### -@@ -932,9 +1109,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -54543,7 +55043,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -1387,6 +1585,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -54569,7 +55069,7 @@ index 73554ec..c2dc2c5 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1758,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -54594,7 +55094,7 @@ index 73554ec..c2dc2c5 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1579,28 +1778,36 @@ interface(`auth_relabel_login_records',` +@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',` # interface(`auth_use_nsswitch',` @@ -54638,7 +55138,7 @@ index 73554ec..c2dc2c5 100644 optional_policy(` kerberos_use($1) ') -@@ -1610,7 +1817,7 @@ interface(`auth_use_nsswitch',` +@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -55860,7 +56360,7 @@ index 94fd8dd..0d7aa40 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..82cf8ae 100644 +index 29a9565..70532cc 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -55955,7 +56455,7 @@ index 29a9565..82cf8ae 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -114,24 +151,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -55986,9 +56486,11 @@ index 29a9565..82cf8ae 100644 files_dontaudit_search_isid_type_dirs(init_t) +files_read_etc_runtime_files(init_t) files_manage_etc_runtime_files(init_t) ++files_manage_etc_symlinks(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +196,19 @@ mls_file_read_all_levels(init_t) + files_exec_etc_files(init_t) +@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -56009,7 +56511,7 @@ index 29a9565..82cf8ae 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +216,16 @@ init_domtrans_script(init_t) +@@ -162,12 +217,16 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -56026,7 +56528,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +236,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +237,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -56035,7 +56537,7 @@ index 29a9565..82cf8ae 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,126 @@ tunable_policy(`init_upstart',` +@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
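Review bot: `files_manage_etc_symlinks(init_t)` in the init.te hunk (`@@ -114,25 +151,34 @@`) lands among init_t's unconditional rules, so sysvinit as well as systemd gets create/unlink of symlinks anywhere under /etc, which lets a subverted init_t redirect an etc_t path at a writable target. If it is there for systemd's replacement of /etc/mtab with a symlink (presumably the reason, not visible here), it belongs with the indented systemd-specific rules in the next hunk, whose enclosing conditional starts outside my view, and a comment such as `# systemd replaces /etc/mtab with a symlink to /proc/self/mounts` would record why. The init_t local policy continues outside this hunk.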
@@ -56081,6 +56583,7 @@ index 29a9565..82cf8ae 100644 + dev_manage_sysfs_dirs(init_t) + dev_relabel_sysfs_dirs(init_t) + ++ files_search_all(init_t) + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) @@ -56088,6 +56591,10 @@ index 29a9565..82cf8ae 100644 + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) + files_delete_all_pid_sockets(init_t) ++ files_create_all_pid_pipes(init_t) ++ files_delete_all_pid_pipes(init_t) ++ files_create_all_spool_sockets(init_t) ++ files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_list_spool(init_t) @@ -56162,7 +56669,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -199,10 +371,26 @@ optional_policy(` +@@ -199,10 +377,26 @@ optional_policy(` ') optional_policy(` @@ -56189,7 +56696,7 @@ index 29a9565..82cf8ae 100644 unconfined_domain(init_t) ') -@@ -212,7 +400,7 @@ optional_policy(` +@@ -212,7 +406,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -56198,7 +56705,7 @@ index 29a9565..82cf8ae 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +429,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -56214,7 +56721,7 @@ index 29a9565..82cf8ae 100644 init_write_initctl(initrc_t) -@@ -258,20 +449,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -56251,7 +56758,7 @@ index 29a9565..82cf8ae 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +482,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56259,7 +56766,7 @@ index 29a9565..82cf8ae 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +493,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -56270,7 +56777,7 @@ index 29a9565..82cf8ae 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +504,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -56287,7 +56794,7 @@ index 29a9565..82cf8ae 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +523,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -56295,7 +56802,7 @@ index 29a9565..82cf8ae 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +531,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -56307,7 +56814,7 @@ index 29a9565..82cf8ae 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +550,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -56321,7 +56828,7 @@ index 29a9565..82cf8ae 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +565,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -56330,7 +56837,7 @@ index 29a9565..82cf8ae 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +579,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56338,7 +56845,7 @@ index 29a9565..82cf8ae 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +591,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56346,7 +56853,7 @@ index 29a9565..82cf8ae 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +612,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -56368,7 +56875,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +675,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -56379,7 +56886,7 @@ index 29a9565..82cf8ae 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +699,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -56388,7 +56895,7 @@ index 29a9565..82cf8ae 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +714,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -56396,7 +56903,7 @@ index 29a9565..82cf8ae 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +744,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56430,7 +56937,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -531,10 +778,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +784,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56457,7 +56964,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -549,6 +812,39 @@ ifdef(`distro_suse',` +@@ -549,6 +818,39 @@ ifdef(`distro_suse',` ') ') @@ -56497,7 +57004,7 @@ index 29a9565..82cf8ae 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +857,8 @@ optional_policy(` +@@ -561,6 +863,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56506,7 +57013,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -577,6 +875,7 @@ optional_policy(` +@@ -577,6 +881,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -56514,7 +57021,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -589,6 +888,11 @@ optional_policy(` +@@ -589,6 +894,11 @@ optional_policy(` ') optional_policy(` 
@@ -56526,7 +57033,7 @@ index 29a9565..82cf8ae 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +909,13 @@ optional_policy(` +@@ -605,9 +915,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -56540,7 +57047,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -649,6 +957,11 @@ optional_policy(` +@@ -649,6 +963,11 @@ optional_policy(` ') optional_policy(` @@ -56552,7 +57059,7 @@ index 29a9565..82cf8ae 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1002,7 @@ optional_policy(` +@@ -689,6 +1008,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -56560,7 +57067,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -706,7 +1020,13 @@ optional_policy(` +@@ -706,7 +1026,13 @@ optional_policy(` ') optional_policy(` @@ -56574,7 +57081,7 @@ index 29a9565..82cf8ae 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1049,10 @@ optional_policy(` +@@ -729,6 +1055,10 @@ optional_policy(` ') optional_policy(` @@ -56585,7 +57092,7 @@ index 29a9565..82cf8ae 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1062,20 @@ optional_policy(` +@@ -738,10 +1068,20 @@ optional_policy(` ') optional_policy(` @@ -56606,7 +57113,7 @@ index 29a9565..82cf8ae 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1084,10 @@ optional_policy(` +@@ -750,6 +1090,10 @@ optional_policy(` ') optional_policy(` @@ -56617,7 +57124,7 @@ index 29a9565..82cf8ae 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1109,6 @@ optional_policy(` +@@ -771,8 +1115,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -56626,7 +57133,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -790,10 +1126,12 @@ optional_policy(` +@@ -790,10 +1132,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') 
@@ -56639,7 +57146,7 @@ index 29a9565..82cf8ae 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1143,6 @@ optional_policy(` +@@ -805,7 +1149,6 @@ optional_policy(` ') optional_policy(` @@ -56647,7 +57154,7 @@ index 29a9565..82cf8ae 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1152,24 @@ optional_policy(` +@@ -815,11 +1158,24 @@ optional_policy(` ') optional_policy(` @@ -56673,7 +57180,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1179,25 @@ optional_policy(` +@@ -829,6 +1185,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -56699,7 +57206,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -844,6 +1213,10 @@ optional_policy(` +@@ -844,6 +1219,10 @@ optional_policy(` ') optional_policy(` @@ -56710,7 +57217,7 @@ index 29a9565..82cf8ae 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1227,45 @@ optional_policy(` +@@ -854,3 +1233,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -56959,7 +57466,7 @@ index 05fb364..6b895d1 100644 -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index f3e1b57..a7b2adc 100644 +index f3e1b57..d6a93ac 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; 
@@ -56983,7 +57490,15 @@ index f3e1b57..a7b2adc 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -61,6 +58,9 @@ corenet_relabelto_all_packets(iptables_t) +@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; + allow iptables_t iptables_tmp_t:file manage_file_perms; + files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + ++kernel_getattr_proc(iptables_t) + kernel_request_load_module(iptables_t) + kernel_read_system_state(iptables_t) + kernel_read_network_state(iptables_t) +@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -56993,7 +57508,7 @@ index f3e1b57..a7b2adc 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -69,11 +69,13 @@ fs_list_inotifyfs(iptables_t) +@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -57008,7 +57523,7 @@ index f3e1b57..a7b2adc 100644 auth_use_nsswitch(iptables_t) -@@ -82,6 +84,7 @@ init_use_script_ptys(iptables_t) +@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -57016,7 +57531,7 @@ index f3e1b57..a7b2adc 100644 logging_send_syslog_msg(iptables_t) -@@ -90,7 +93,7 @@ miscfiles_read_localization(iptables_t) +@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) @@ -57025,7 +57540,7 @@ index f3e1b57..a7b2adc 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -99,6 +102,8 @@ ifdef(`hide_broken_symptoms',` +@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) 
@@ -57034,7 +57549,7 @@ index f3e1b57..a7b2adc 100644 ') optional_policy(` -@@ -121,6 +126,7 @@ optional_policy(` +@@ -121,6 +127,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -57042,7 +57557,7 @@ index f3e1b57..a7b2adc 100644 ') optional_policy(` -@@ -134,6 +140,7 @@ optional_policy(` +@@ -134,6 +141,7 @@ optional_policy(` optional_policy(` shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) @@ -57072,7 +57587,7 @@ index ddbd8be..ac8e814 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..98b8d89 100644 +index 560dc48..6673319 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -37,17 +37,12 @@ ifdef(`distro_redhat',` @@ -57208,7 +57723,7 @@ index 560dc48..98b8d89 100644 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -203,86 +194,85 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -57299,6 +57814,8 @@ index 560dc48..98b8d89 100644 +/usr/lib/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libffmpegsumo\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -57351,7 +57868,7 @@ index 560dc48..98b8d89 100644 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -303,8 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -57361,7 +57878,7 @@ index 560dc48..98b8d89 100644 ') dnl end distro_redhat # -@@ -312,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +303,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -57946,14 +58463,14 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..eedd444 100644 +index b6ec597..fa034d6 100644 --- a/policy/modules/system/logging.te 
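Review bot: The new `/usr/lib/libffmpegsumo\.so.*` entry labels that library textrel_shlib_t, the type that permits execmod on its mappings, and unlike the neighbouring vendor-grouped entries it carries no comment saying which package ships it or why text relocations are unavoidable. If this is a browser-bundled ffmpeg it presumably lives under that package's own directory rather than directly in /usr/lib, so confirm the pattern matches the installed path; a pattern that never matches silently leaves the file as an ordinary library and the execmod denial comes back. Suggested comment above the line: `# libffmpegsumo is built with text relocations; confirm install path before widening the pattern`.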
+++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; -+files_type(audit_spool_t) ++files_spool_file(audit_spool_t) files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) @@ -59012,7 +59529,7 @@ index 8b5c196..1ac1567 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..43f0a0b 100644 +index 15832c7..ed497ff 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -59089,7 +59606,7 @@ index 15832c7..43f0a0b 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,50 +95,74 @@ kernel_request_load_module(mount_t) +@@ -57,65 +95,93 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -59171,8 +59688,9 @@ index 15832c7..43f0a0b 100644 +mls_process_write_to_clearance(mount_t) selinux_get_enforce_mode(mount_t) ++selinux_mounton_fs(mount_t) -@@ -108,14 +170,17 @@ storage_raw_read_fixed_disk(mount_t) + storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -59191,7 +59709,7 @@ index 15832c7..43f0a0b 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +191,12 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +192,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -59204,7 +59722,7 @@ index 15832c7..43f0a0b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +212,29 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',` ') ') 
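Review bot: Replacing `files_type(audit_spool_t)` with `files_spool_file(audit_spool_t)` puts the audit spool into the spool attribute, so any interface written against that attribute (spool-wide search, manage or relabel grants, if files.if has them) now reaches data that the same block also marks `files_security_file` and `files_security_mountpoint`. The hunk is consistent with how other spool types are declared, but it deserves a check that no attribute-wide grant hands out more than search/getattr on audit_spool_t; files.if is not visible from here, so treat that as to-be-verified. A one-line intent comment would help the next reader, e.g. `# spool attribute for generic spool handling; audit_spool_t is also a security file, keep attribute-wide grants read-only`.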
@@ -59242,7 +59760,7 @@ index 15832c7..43f0a0b 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +248,8 @@ optional_policy(` +@@ -174,6 +249,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -59251,7 +59769,7 @@ index 15832c7..43f0a0b 100644 ') optional_policy(` -@@ -181,6 +257,28 @@ optional_policy(` +@@ -181,6 +258,28 @@ optional_policy(` ') optional_policy(` @@ -59280,7 +59798,7 @@ index 15832c7..43f0a0b 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +286,52 @@ optional_policy(` +@@ -188,13 +287,52 @@ optional_policy(` ') ') @@ -59333,7 +59851,7 @@ index 15832c7..43f0a0b 100644 ') ######################################## -@@ -203,6 +340,43 @@ optional_policy(` +@@ -203,6 +341,43 @@ optional_policy(` # optional_policy(` @@ -61082,10 +61600,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..9cc3fb6 +index 0000000..67fcd26 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,325 @@ +@@ -0,0 +1,365 @@ +## SELinux policy for systemd components + +####################################### @@ -61198,6 +61716,25 @@ index 0000000..9cc3fb6 + +###################################### +## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_read_pid_files',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++###################################### ++## +## Use and and inherited systemd +## logind file descriptors. +## 
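Review bot: The new interface is named `systemd_login_read_pid_files` while the type it grants is `systemd_logind_var_run_t`, and its summary says "systemd_login PID files"; the next interface's summary (visible as context) talks about "systemd logind". Consider naming it `systemd_logind_read_pid_files` before the udev.te caller added in this same patch cements the name, and reword the summary to `## Read systemd logind PID files.` If there is an established `systemd_login_` prefix elsewhere in this file, outside the hunk, keep the name and fix only the summary.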
@@ -61411,12 +61948,33 @@ index 0000000..9cc3fb6 + + allow $1 systemd_logger_t:unix_stream_socket connectto; +') ++ ++######################################## ++## ++## Allow the specified domain to connect to ++## systemd_logger with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_config_all_services',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ allow $1 systemd_unit_file_type:service all_service_perms; ++') ++ ++ diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..06e5b12 +index 0000000..f0a3169 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,310 @@ +@@ -0,0 +1,311 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -61484,7 +62042,7 @@ index 0000000..06e5b12 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override }; ++allow systemd_logind_t self:capability { chown dac_override fowner }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -61522,7 +62080,6 @@ index 0000000..06e5b12 +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) +auth_manage_var_auth(systemd_logind_t) + -+authlogin_dbus_chat(systemd_logind_t) +authlogin_read_state(systemd_logind_t) + +dbus_connect_system_bus(systemd_logind_t) @@ -61537,6 +62094,8 @@ index 0000000..06e5b12 + +udev_read_db(systemd_logind_t) + ++userdom_read_all_users_state(systemd_logind_t) ++ +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) + cron_read_state_crond(systemd_logind_t) @@ -61949,7 +62508,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..ca207d7 100644 +index d88f7c3..73c1dbc 100644 
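Review bot: The summary of the new `systemd_config_all_services` interface is a copy of the socket-connect interface above it ("connect to systemd_logger with a unix socket") while the body grants `allow $1 systemd_unit_file_type:service all_service_perms;`, every service permission on every unit file type. Because this interface is consumed by the unconfined and admin templates later in this patch, the wrong summary is what anyone auditing those grants will read first. Replace the two summary lines with `## Allow the specified domain all service permissions (all_service_perms)` / `## on every systemd unit file type.` The hunk also appends two empty `++` lines, so systemd.if now ends in trailing blank lines.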
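Review bot: The comment above the capability rule still reads "dac_override is for /run/user/$USER" but the rule now also grants `fowner`, which lets systemd_logind_t bypass owner checks (chmod, utimes and similar) on files it does not own, and nothing in the hunk records what triggered it. Add the reason beside the existing one, hedged if it came from a denial rather than a known code path, e.g. `# fowner: presumably chmod of /run/user/$USER after it is chowned to the user - confirm against the denial`. Capabilities added from a single AVC without the trigger noted are the ones that accrete; the rest of the systemd_logind_t policy continues outside the hunk.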
--- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -62068,7 +62627,16 @@ index d88f7c3..ca207d7 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +200,16 @@ ifdef(`distro_redhat',` +@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t) + sysnet_manage_config(udev_t) + sysnet_etc_filetrans_config(udev_t) + ++systemd_login_read_pid_files(udev_t) ++ + userdom_dontaudit_search_user_home_content(udev_t) + + ifdef(`distro_gentoo',` +@@ -186,15 +202,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -62089,7 +62657,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -216,11 +231,16 @@ optional_policy(` +@@ -216,11 +233,16 @@ optional_policy(` ') optional_policy(` @@ -62107,7 +62675,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -230,6 +250,15 @@ optional_policy(` +@@ -230,6 +252,15 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -62123,7 +62691,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -259,6 +288,10 @@ optional_policy(` +@@ -259,6 +290,10 @@ optional_policy(` ') optional_policy(` @@ -62134,7 +62702,7 @@ index d88f7c3..ca207d7 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +306,11 @@ optional_policy(` +@@ -273,6 +308,11 @@ optional_policy(` ') optional_policy(` @@ -62167,7 +62735,7 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..9f3c1c1 100644 +index 416e668..a56f542 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,27 +12,34 @@ 
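Review bot: `systemd_login_read_pid_files(udev_t)` is added unconditionally among the base-module calls (sysnet_*, userdom_*), which only builds if the systemd module, a new file in this same patch, is part of the base policy; otherwise the interface is undefined and the module fails to build. If systemd is optional in this tree, wrap it as `optional_policy(\` systemd_login_read_pid_files(udev_t) ')` like the devicekit and openct calls further down the file. A short why-comment would also help since the trigger is not in the hunk, e.g. `# presumably udev rules consult logind session state - confirm`; the udev_t policy continues outside the hunk.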
@@ -62212,20 +62780,21 @@ index 416e668..9f3c1c1 100644 kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +51,12 @@ interface(`unconfined_domain_noaudit',` +@@ -43,6 +50,13 @@ interface(`unconfined_domain_noaudit',` + files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) - ++ systemd_config_all_services($1) ++ + domain_mmap_low($1) + + mcs_file_read_all($1) + + ubac_process_exempt($1) -+ + tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. - allow $1 self:process execheap; -@@ -69,6 +82,7 @@ interface(`unconfined_domain_noaudit',` +@@ -69,6 +83,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -62233,7 +62802,7 @@ index 416e668..9f3c1c1 100644 ') optional_policy(` -@@ -122,6 +136,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,6 +137,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` @@ -62244,7 +62813,7 @@ index 416e668..9f3c1c1 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -178,412 +196,3 @@ interface(`unconfined_alias_domain',` +@@ -178,412 +197,3 @@ interface(`unconfined_alias_domain',` interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') @@ -62918,7 +63487,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..b0955cf 100644 +index 4b2878a..c0e5c10 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -62932,7 +63501,7 @@ index 4b2878a..b0955cf 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,103 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,104 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -63024,6 +63593,7 @@ index 4b2878a..b0955cf 100644 + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) ++ files_list_var($1_usertype) + files_read_mnt_files($1_usertype) + files_dontaudit_access_check_mnt($1_usertype) + files_read_etc_runtime_files($1_usertype) @@ -63085,7 +63655,7 @@ index 4b2878a..b0955cf 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +151,20 @@ template(`userdom_base_user_template',` +@@ -116,6 +152,20 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -63106,7 +63676,7 @@ index 4b2878a..b0955cf 100644 ') ####################################### -@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +199,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -63115,7 +63685,7 @@ index 4b2878a..b0955cf 100644 ############################## # # Domain access to home dir -@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +218,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -63143,7 +63713,7 @@ index 4b2878a..b0955cf 100644 ') ####################################### -@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +249,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; 
@@ -63155,7 +63725,7 @@ index 4b2878a..b0955cf 100644 ############################## # # Domain access to home dir -@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +262,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -63187,7 +63757,7 @@ index 4b2878a..b0955cf 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +284,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -63217,7 +63787,7 @@ index 4b2878a..b0955cf 100644 ') ') -@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +322,63 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -63286,7 +63856,7 @@ index 4b2878a..b0955cf 100644 ') ####################################### -@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +398,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -63294,7 +63864,7 @@ index 4b2878a..b0955cf 100644 files_search_tmp($1) ') -@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +430,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -63389,7 +63959,7 @@ index 4b2878a..b0955cf 100644 ') ####################################### -@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +516,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
@@ -63397,7 +63967,7 @@ index 4b2878a..b0955cf 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -462,8 +548,8 @@ template(`userdom_change_password_template',` +@@ -462,8 +549,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -63408,7 +63978,7 @@ index 4b2878a..b0955cf 100644 ') ') -@@ -490,7 +576,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +577,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -63417,7 +63987,7 @@ index 4b2878a..b0955cf 100644 ############################## # -@@ -500,73 +586,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +587,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -63541,7 +64111,7 @@ index 4b2878a..b0955cf 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +668,123 @@ template(`userdom_common_user_template',` +@@ -574,67 +669,123 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -63683,7 +64253,7 @@ index 4b2878a..b0955cf 100644 ') optional_policy(` -@@ -650,41 +800,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +801,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -63745,7 +64315,7 @@ index 4b2878a..b0955cf 100644 ') ####################################### -@@ -712,13 +871,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +872,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) 
@@ -63777,7 +64347,7 @@ index 4b2878a..b0955cf 100644 userdom_change_password_template($1) -@@ -736,72 +908,76 @@ template(`userdom_login_user_template', ` +@@ -736,72 +909,76 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -63887,7 +64457,7 @@ index 4b2878a..b0955cf 100644 ') ') -@@ -833,6 +1009,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -63897,7 +64467,7 @@ index 4b2878a..b0955cf 100644 ############################## # # Local policy -@@ -874,45 +1053,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -64027,7 +64597,7 @@ index 4b2878a..b0955cf 100644 ') ') -@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -64036,7 +64606,7 @@ index 4b2878a..b0955cf 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -64054,7 +64624,7 @@ index 4b2878a..b0955cf 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,32 +1233,76 @@ template(`userdom_unpriv_user_template', ` +@@ -978,32 +1234,76 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -64143,7 +64713,7 @@ index 4b2878a..b0955cf 100644 ') ') -@@ -1039,7 +1338,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1339,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -64152,7 +64722,7 @@ index 4b2878a..b0955cf 100644 ') ############################## -@@ -1066,6 +1365,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1366,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -64160,7 +64730,7 @@ index 4b2878a..b0955cf 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1375,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -64170,7 +64740,7 @@ index 4b2878a..b0955cf 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1392,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -64178,7 +64748,7 @@ index 4b2878a..b0955cf 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1410,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -64192,7 +64762,7 @@ index 4b2878a..b0955cf 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1426,22 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1427,22 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -64216,7 +64786,7 @@ index 4b2878a..b0955cf 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1453,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1454,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -64228,7 +64798,16 @@ index 4b2878a..b0955cf 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1525,8 @@ template(`userdom_security_admin_template',` +@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',` + # But presently necessary for installing the file_contexts file. + seutil_manage_bin_policy($1_t) + ++ systemd_config_all_services($1_t) ++ + userdom_manage_user_home_content_dirs($1_t) + userdom_manage_user_home_content_files($1_t) + userdom_manage_user_home_content_symlinks($1_t) +@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -64237,7 +64816,7 @@ index 4b2878a..b0955cf 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1539,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1542,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -64245,7 +64824,7 @@ index 4b2878a..b0955cf 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,13 +1552,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -64274,7 +64853,7 @@ index 4b2878a..b0955cf 100644 ') optional_policy(` -@@ -1251,12 +1580,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') 
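Review bot: `systemd_config_all_services($1_t)` in `userdom_admin_user_template` gives every admin user domain all_service_perms on every unit file type, so confined admin roles, not only unconfined ones, can now control arbitrary systemd services. That may well be intended, since the same patch grants it to unconfined_domain_noaudit, but the call is unconditional and uncommented; add `# admin users get all service permissions on every systemd unit` above it and, if the systemd module is not base in this tree, wrap it in `optional_policy`. The template continues outside the hunk.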
@@ -64290,7 +64869,7 @@ index 4b2878a..b0955cf 100644 ') optional_policy(` -@@ -1279,54 +1608,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1611,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -64372,7 +64951,7 @@ index 4b2878a..b0955cf 100644 ## ## ## -@@ -1334,12 +1675,49 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,9 +1678,46 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -64381,9 +64960,8 @@ index 4b2878a..b0955cf 100644 gen_require(` - type user_devpts_t; + attribute admindomain; - ') - -- term_create_pty($1, user_devpts_t) ++ ') ++ + allow $1 admindomain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') @@ -64419,13 +64997,10 @@ index 4b2878a..b0955cf 100644 +interface(`userdom_create_user_pty',` + gen_require(` + type user_devpts_t; -+ ') -+ -+ term_create_pty($1, user_devpts_t) - ') + ') - ######################################## -@@ -1395,6 +1773,7 @@ interface(`userdom_search_user_home_dirs',` + term_create_pty($1, user_devpts_t) +@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -64433,7 +65008,7 @@ index 4b2878a..b0955cf 100644 files_search_home($1) ') -@@ -1441,6 +1820,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1823,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -64448,7 +65023,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1456,9 +1843,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -64460,7 +65035,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1515,6 +1904,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -64503,7 +65078,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2014,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -64512,7 +65087,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1603,10 +2030,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -64527,7 +65102,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1649,6 +2078,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -64571,7 +65146,7 @@ index 4b2878a..b0955cf 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2134,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -64597,7 +65172,7 @@ index 4b2878a..b0955cf 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2185,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') 
@@ -64630,7 +65205,7 @@ index 4b2878a..b0955cf 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2221,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -64648,7 +65223,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1779,6 +2287,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -64709,7 +65284,7 @@ index 4b2878a..b0955cf 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2372,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -64719,7 +65294,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1827,20 +2388,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2391,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -64744,7 +65319,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## -@@ -1941,6 +2496,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -64769,7 +65344,7 @@ index 4b2878a..b0955cf 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2581,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') 
@@ -64778,7 +65353,7 @@ index 4b2878a..b0955cf 100644 files_search_home($1) ') -@@ -2182,7 +2755,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -64787,7 +65362,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -2435,13 +3008,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3011,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -64803,7 +65378,7 @@ index 4b2878a..b0955cf 100644 ## ## ## -@@ -2462,26 +3036,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3039,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -64830,7 +65405,7 @@ index 4b2878a..b0955cf 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3126,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3129,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -64839,7 +65414,7 @@ index 4b2878a..b0955cf 100644 ## ## ## -@@ -2580,70 +3134,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3137,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -64911,8 +65486,9 @@ index 4b2878a..b0955cf 100644 gen_require(` - type user_tty_device_t, user_devpts_t; + type user_devpts_t; -+ ') -+ + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + @@ -64979,9 +65555,9 @@ index 4b2878a..b0955cf 100644 +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_term_perms; dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') 
@@ -65007,7 +65583,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3358,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3361,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -65032,7 +65608,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3376,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3379,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -65058,7 +65634,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3437,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3440,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -65067,7 +65643,7 @@ index 4b2878a..b0955cf 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3453,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3456,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -65101,7 +65677,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -2972,7 +3541,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3544,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -65110,7 +65686,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -3027,7 +3596,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3599,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -65157,7 +65733,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -3064,6 +3671,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3674,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -65165,7 +65741,7 @@ index 4b2878a..b0955cf 100644 kernel_search_proc($1) ') -@@ -3142,6 +3750,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3753,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -65190,7 +65766,7 @@ index 4b2878a..b0955cf 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3820,1075 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3823,1075 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -66723,7 +67299,7 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index f7380b3..184f238 100644 +index f7380b3..fb62555 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -66823,7 +67399,7 @@ index f7380b3..184f238 100644 # # Sockets -@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -317,3 +324,15 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') @@ -66837,6 +67413,7 @@ index f7380b3..184f238 100644 +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') ++define(`all_service_perms', `{ start stop status reload kill } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') 
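Review bot: `all_service_perms` in the last hunk bundles the query-only `status` permission with `start`, `stop`, `reload` and `kill`, so any interface built on it grants full control to a caller that only needs to read service state. This file already layers sets (`server_stream_socket_perms` extends `client_stream_socket_perms`), and a narrower set alongside this one, e.g. `define(`status_service_perms', `{ status } ')`, would let interfaces offer the read-only variant. A comment above the define naming the object class it describes, `# permissions on the systemd "service" object class`, would also help, since nothing else in this file mentions it.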
diff --git a/policy/users b/policy/users
index c4ebc7e..30d6d7a 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b8fbc05..2ea5fbe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 5%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,25 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 22 2011 Miroslav Grepl 3.10.0-8
+- Fix oracledb_port definition
+- Allow mount to mounton the selinux file system
+- Allow users to list /var directories
+
+* Thu Jul 21 2011 Miroslav Grepl 3.10.0-7
+- systemd fixes
+
+* Tue Jul 19 2011 Miroslav Grepl 3.10.0-6
+- Add initial policy for abrt_dump_oops_t
+- xtables-multi wants to getattr of the proc fs
+- Smoltclient is connecting to abrt
+- Dontaudit leaked file descriptors to postdrop
+- Allow abrt_dump_oops to look at kernel sysctls
+- Abrt_dump_oops_t reads kernel ring buffer
+- Allow mysqld to request the kernel to load modules
+- systemd-login needs fowner
+- Allow postfix_cleanup_t to searh maildrop
+
 * Mon Jul 18 2011 Miroslav Grepl 3.10.0-5
 - Initial systemd_logind policy
 - Add policy for systemd_logger and additional proivs for systemd_logind