diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f05841c..45f92f2 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..f678b45 100644 +index 4edc40d..fba95c8 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5250,7 +5250,7 @@ index 4edc40d..f678b45 100644 -network_port(milter) # no defined portcon +network_port(milter, tcp, 8891, s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) -+network_port(mongod, tcp,27017,s0) ++network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) network_port(mountd, tcp,20048,s0, udp,20048,s0) network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) @@ -5515,7 +5515,7 @@ index b31c054..3a628fe 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..f7e9534 100644 +index 76f285e..059e984 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6306,7 +6306,7 @@ index 76f285e..f7e9534 100644 ') ######################################## -@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -6346,10 +6346,46 @@ index 76f285e..f7e9534 100644 + +######################################## +## ++## Mount sysfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_mount_sysfs_fs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Unmount sysfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_unmount_sysfs_fs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:filesystem unmount; ++') ++ ++######################################## ++## ## Search the sysfs directories. ## ## -@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',` +@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -6357,7 +6393,7 @@ index 76f285e..f7e9534 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -6378,7 +6414,7 @@ index 76f285e..f7e9534 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; + ') + @@ -6397,7 +6433,7 @@ index 76f285e..f7e9534 100644 +## +# +interface(`dev_relabel_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; type sysfs_t; ') @@ -6411,7 +6447,7 @@ index 76f285e..f7e9534 100644 ######################################## ## ## Read hardware state information. -@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -6474,7 +6510,7 @@ index 76f285e..f7e9534 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -6500,7 +6536,7 @@ index 76f285e..f7e9534 100644 ## Getattr generic the USB devices. ## ## -@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -6525,7 +6561,7 @@ index 76f285e..f7e9534 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -6552,7 +6588,7 @@ index 76f285e..f7e9534 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',` +@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -7386,6 +7422,26 @@ index 76f285e..f7e9534 100644 + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") @@ -8084,7 +8140,7 @@ index cf04cb5..274ef6d 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..96aeeef 100644 +index c2c6e05..be423a7 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -8305,7 +8361,14 @@ index c2c6e05..96aeeef 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -262,6 +279,7 @@ ifndef(`distro_redhat',` +@@ -256,12 +273,14 @@ ifndef(`distro_redhat',` + /var/run -l gen_context(system_u:object_r:var_run_t,s0) + /var/run/.* gen_context(system_u:object_r:var_run_t,s0) + /var/run/.*\.*pid <> ++/var/run/lock/.* <> + + /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) + /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) @@ -8313,17 +8376,17 @@ index c2c6e05..96aeeef 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +288,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +289,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..90999af 100644 +index 64ff4d7..87c124c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -19,6 +19,119 @@ +@@ -19,6 +19,136 @@ ## Comains the file initial SID. ## @@ -8425,6 +8488,23 @@ index 64ff4d7..90999af 100644 + +##################################### +## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var',` ++ gen_require(` ++ type var_t; ++ ') ++') ++ ++ ++##################################### ++## +## files stub tmp_t interface. No access allowed. +## +## @@ -8443,7 +8523,7 @@ index 64ff4d7..90999af 100644 ######################################## ## ## Make the specified type usable for files -@@ -55,6 +168,7 @@ +@@ -55,6 +185,7 @@ ##
  • files_pid_file()
  • ##
  • files_security_file()
  • ##
  • files_security_mountpoint()
  • @@ -8451,7 +8531,7 @@ index 64ff4d7..90999af 100644 ##
  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • -@@ -125,30 +239,31 @@ interface(`files_security_file',` +@@ -125,30 +256,31 @@ interface(`files_security_file',` typeattribute $1 file_type, security_file_type, non_auth_file_type; ') @@ -8489,7 +8569,7 @@ index 64ff4d7..90999af 100644 ##
    ## ## -@@ -156,33 +271,33 @@ interface(`files_lock_file',` +@@ -156,33 +288,33 @@ interface(`files_lock_file',` ## ## # @@ -8531,7 +8611,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',` +@@ -521,7 +653,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') @@ -8540,7 +8620,7 @@ index 64ff4d7..90999af 100644 allow $1 non_security_file_type:file mounton; ') -@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -620,6 +752,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## @@ -8604,7 +8684,7 @@ index 64ff4d7..90999af 100644 ## Read all files. ## ## -@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',` +@@ -683,12 +872,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -8687,7 +8767,7 @@ index 64ff4d7..90999af 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ##
    -@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1212,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -8713,7 +8793,7 @@ index 64ff4d7..90999af 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1269,25 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -8739,7 +8819,7 @@ index 64ff4d7..90999af 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1370,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8752,7 +8832,7 @@ index 64ff4d7..90999af 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1460,6 @@ interface(`files_list_all',` +@@ -1182,24 +1477,6 @@ interface(`files_list_all',` ######################################## ## @@ -8777,7 +8857,7 @@ index 64ff4d7..90999af 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1720,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -8787,7 +8867,7 @@ index 64ff4d7..90999af 100644 ') ############################################# -@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',` +@@ -1583,6 +1857,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## @@ -8812,58 +8892,55 @@ index 64ff4d7..90999af 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,25 +1965,61 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## +-## Do not audit attempts to write to mount points. +## Write all mount points. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_write_all_mountpoints',` +- gen_require(` +- attribute mountpoint; +- ') +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') -+ + +- dontaudit $1 mountpoint:dir write; + allow $1 mountpoint:dir write; -+') -+ -+######################################## -+## - ## Do not audit attempts to write to mount points. - ## - ## -@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',` + ') ######################################## ## -## List the contents of the root directory. -+## Write all file type directories. - ## - ## - ## -@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',` - ## - ## - # --interface(`files_list_root',` -+interface(`files_write_all_dirs',` - gen_require(` -- type root_t; -+ attribute file_type; - ') - -- allow $1 root_t:dir list_dir_perms; -+ allow $1 file_type:dir write; ++## Do not audit attempts to write to mount points. ++##
    ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ dontaudit $1 mountpoint:dir write; +') + +######################################## +## -+## List the contents of the root directory. ++## Write all file type directories. +## +## +## @@ -8871,16 +8948,21 @@ index 64ff4d7..90999af 100644 +## +## +# -+interface(`files_list_root',` ++interface(`files_write_all_dirs',` + gen_require(` -+ type root_t; ++ attribute file_type; + ') + -+ allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; - ') - -@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',` ++ allow $1 file_type:dir write; ++') ++ ++######################################## ++## ++## List the contents of the root directory. + ## + ## + ## +@@ -1874,25 +2202,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -8912,7 +8994,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2233,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -8921,7 +9003,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2256,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -8946,7 +9028,7 @@ index 64ff4d7..90999af 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2973,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -8971,7 +9053,7 @@ index 64ff4d7..90999af 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3062,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -8979,7 +9061,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3071,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -8988,7 +9070,7 @@ index 64ff4d7..90999af 100644 ## ## # -@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3127,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -9014,7 +9096,7 @@ index 64ff4d7..90999af 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3164,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -9039,7 +9121,7 @@ index 64ff4d7..90999af 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3347,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -9064,7 +9146,7 @@ index 64ff4d7..90999af 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3387,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9075,7 +9157,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3395,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -9097,7 +9179,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3423,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -9124,7 +9206,7 @@ index 64ff4d7..90999af 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3460,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -9132,7 +9214,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3482,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -9140,7 +9222,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3535,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -9166,7 +9248,7 @@ index 64ff4d7..90999af 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3630,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -9192,7 +9274,7 @@ index 64ff4d7..90999af 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3896,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -9218,7 +9300,7 @@ index 64ff4d7..90999af 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4256,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -9262,7 +9344,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,156 +4677,176 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9515,7 +9597,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4356,53 +4854,56 @@ interface(`files_delete_tmp_dir_entry',` ## ## # @@ -9584,7 +9666,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',` +@@ -4410,35 +4911,36 @@ interface(`files_manage_generic_tmp_files',` ## ## # @@ -9627,7 +9709,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,77 +4948,74 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -9732,7 +9814,7 @@ index 64ff4d7..90999af 100644 ##
    ## ## -@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,58 +5023,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -9811,7 +9893,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +@@ -4583,51 +5085,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` ## ## # @@ -9870,7 +9952,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',` +@@ -4635,22 +5121,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -9897,7 +9979,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',` +@@ -4658,17 +5139,17 @@ interface(`files_purge_tmp',` ## ## # @@ -9919,7 +10001,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4676,18 +5157,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -9942,7 +10024,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4695,35 +5158,35 @@ interface(`files_search_usr',` +@@ -4695,35 +5175,35 @@ interface(`files_search_usr',` ## ## # @@ -9987,7 +10069,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4731,36 +5211,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -10033,7 +10115,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4768,111 +5247,100 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -10177,7 +10259,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',` +@@ -4880,35 +5348,17 @@ interface(`files_exec_usr_files',` ## ## # @@ -10217,7 +10299,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',` +@@ -4916,67 +5366,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -10306,7 +10388,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',` +@@ -4985,35 +5438,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -10366,7 +10448,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',` +@@ -5021,20 +5489,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -10391,7 +10473,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5042,20 +5507,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -10416,7 +10498,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',` +@@ -5063,38 +5526,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -10464,7 +10546,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5102,37 +5562,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -10512,7 +10594,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5140,35 +5599,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -10557,7 +10639,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5176,36 +5635,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # @@ -10623,7 +10705,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',` +@@ -5213,36 +5691,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -10671,7 +10753,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',` +@@ -5250,17 +5729,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -10693,7 +10775,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',` +@@ -5268,17 +5747,17 @@ interface(`files_read_var_files',` ## ## # @@ -10715,7 +10797,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',` +@@ -5286,73 +5765,86 @@ interface(`files_append_var_files',` ## ## # @@ -10822,7 +10904,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',` +@@ -5360,50 +5852,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -10887,7 +10969,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',` +@@ -5411,69 +5894,57 @@ interface(`files_var_filetrans',` ## ## # @@ -10974,7 +11056,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5481,17 +5952,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -10998,7 +11080,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',` +@@ -5499,51 +5971,35 @@ interface(`files_list_var_lib',` ## ## # @@ -11059,7 +11141,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',` +@@ -5551,40 +6007,36 @@ interface(`files_var_lib_filetrans',` ## ## # @@ -11110,7 +11192,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',` +@@ -5592,38 +6044,36 @@ interface(`files_read_var_lib_symlinks',` ## ## # @@ -11159,7 +11241,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',` +@@ -5631,17 +6081,17 @@ interface(`files_manage_mounttab',` ## ## # @@ -11181,7 +11263,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5649,38 +6099,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -11229,7 +11311,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,80 +6135,73 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11331,7 +11413,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,41 +6209,50 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11396,7 +11478,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',` +@@ -5811,65 +6260,69 @@ interface(`files_delete_generic_locks',` ## ## # @@ -11491,7 +11573,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',` +@@ -5877,37 +6330,49 @@ interface(`files_read_all_locks',` ## ## # @@ -11555,7 +11637,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',` +@@ -5916,39 +6381,37 @@ interface(`files_manage_all_locks',` ## ## # @@ -11605,7 +11687,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5956,19 +6419,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -11630,7 +11712,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',` +@@ -5976,19 +6438,1114 @@ interface(`files_setattr_pid_dirs',` ## ## # @@ -11655,41 +11737,33 @@ index 64ff4d7..90999af 100644 -## the /var/run directory. +## Create, read, write, and delete the +## pseudorandom number generator seed. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_pids',` ++## ++## ++# +interface(`files_manage_urandom_seed',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). ++') ++ ++######################################## ++## +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. - ## - ## - ## -@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_mounttab',` + gen_require(` + type var_t, var_lib_t; @@ -12051,7 +12125,7 @@ index 64ff4d7..90999af 100644 + type var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:dir setattr; +') + @@ -12071,6 +12145,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + ++ allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) +') @@ -12167,7 +12242,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) +') + @@ -12186,7 +12261,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) +') @@ -12206,7 +12281,7 @@ index 64ff4d7..90999af 100644 + type var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; +') + @@ -12309,7 +12384,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) +') @@ -12597,8 +12672,8 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) @@ -12622,8 +12697,8 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') + @@ -12686,71 +12761,174 @@ index 64ff4d7..90999af 100644 +## +# +interface(`files_create_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## ++## Relabel to and from all spool ++## directory types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_spool_dirs',` ++ gen_require(` ++ attribute spoolfile; ++ type var_t; ++ ') ++ ++ relabel_dirs_pattern($1, spoolfile, spoolfile) ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. + ## + ## + ## +@@ -5996,19 +7553,18 @@ interface(`files_search_pids',` + ## + ## + # +-interface(`files_dontaudit_search_pids',` ++interface(`files_dontaudit_search_spool',` + gen_require(` +- type var_run_t; ++ type var_spool_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; ++ dontaudit $1 var_spool_t:dir search_dir_perms; + ') + + ######################################## + ## +-## List the contents of the runtime process +-## ID directories (/var/run). ++## List the contents of generic spool ++## (/var/spool) directories. + ## + ## + ## +@@ -6016,18 +7572,18 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_list_spool',` gen_require(` - type var_t, var_run_t; -+ attribute spoolfile; ++ type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) -+ allow $1 spoolfile:sock_file create_sock_file_perms; ++ list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## -## Read generic process ID files. -+## Delete all spool sockets ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ## ## ## -@@ -6035,123 +7476,336 @@ interface(`files_list_pids',` +@@ -6035,19 +7591,18 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` -+interface(`files_delete_all_spool_sockets',` ++interface(`files_manage_generic_spool_dirs',` gen_require(` - type var_t, var_run_t; -+ attribute spoolfile; ++ type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 spoolfile:sock_file delete_sock_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## -## Write named generic process ID pipes -+## Relabel to and from all spool -+## directory types. ++## Read generic spool files. ## ## ## - ## Domain allowed access. +@@ -6055,103 +7610,220 @@ interface(`files_read_generic_pids',` ## ## -+## # -interface(`files_write_generic_pid_pipes',` -+interface(`files_relabel_all_spool_dirs',` ++interface(`files_read_generic_spool',` gen_require(` - type var_run_t; -+ attribute spoolfile; -+ type var_t; ++ type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; -+ relabel_dirs_pattern($1, spoolfile, spoolfile) ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## -## Create an object in the process ID directory, with a private type. -+## Search the contents of generic spool -+## directories (/var/spool). ++## Create, read, write, and delete generic ++## spool files. ## -## -##

    @@ -12785,105 +12963,6 @@ index 64ff4d7..90999af 100644 ## -## +# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+##

    -+## Do not audit attempts to search generic -+## spool directories. -+## -+## - ## --## The type of the object to be created. -+## Domain to not audit. - ## - ## --## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## - ## --## The object class of the object being created. -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool_dirs',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +interface(`files_manage_generic_spool',` + gen_require(` + type var_t, var_spool_t; @@ -12899,12 +12978,15 @@ index 64ff4d7..90999af 100644 +## with a private type with a type transition. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +## -+## + ## +-## The object class of the object being created. +## Type to which the created node will be transitioned. +## +## @@ -13099,7 +13181,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # @@ -13125,7 +13207,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',` +@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -13149,7 +13231,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -13172,7 +13254,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -13230,7 +13312,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',` +@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',` ## ## # @@ -13315,7 +13397,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',` +@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',` ## ## # @@ -13364,7 +13446,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6368,186 +8007,169 @@ interface(`files_search_spool',` +@@ -6368,186 +8025,169 @@ interface(`files_search_spool',` ## ## # @@ -13631,7 +13713,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -15150,18 +15232,20 @@ index 8416beb..60b2ce1 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..97dbeb4 100644 +index 9e603f5..2b79004 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); +@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem -@@ -53,6 +54,7 @@ type anon_inodefs_t; +@@ -53,6 +55,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -15169,7 +15253,7 @@ index 9e603f5..97dbeb4 100644 type bdev_t; fs_type(bdev_t) -@@ -68,7 +70,7 @@ fs_type(capifs_t) +@@ -68,7 +71,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -15178,7 +15262,7 @@ index 9e603f5..97dbeb4 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +91,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -15190,7 +15274,7 @@ index 9e603f5..97dbeb4 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +104,7 @@ type hugetlbfs_t; +@@ -97,6 +105,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -15198,7 +15282,7 @@ index 9e603f5..97dbeb4 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -125,6 +133,10 @@ type oprofilefs_t; +@@ -125,6 +134,10 @@ type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) @@ -15209,7 +15293,7 @@ index 9e603f5..97dbeb4 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +157,6 @@ fs_type(spufs_t) +@@ -145,11 +158,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -15221,7 +15305,7 @@ index 9e603f5..97dbeb4 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +174,8 @@ type vxfs_t; +@@ -167,6 +175,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -15230,7 +15314,7 @@ index 9e603f5..97dbeb4 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +185,8 @@ fs_type(tmpfs_t) +@@ -176,6 +186,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -15239,7 +15323,7 @@ index 9e603f5..97dbeb4 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -15248,7 +15332,7 @@ index 9e603f5..97dbeb4 100644 files_mountpoint(removable_t) # -@@ -274,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -15265,7 +15349,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..31a14c8 100644 +index 649e458..cc924ae 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -15277,7 +15361,32 @@ index 649e458..31a14c8 100644 ') ######################################## -@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',` +@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',` + + ######################################## + ## ++## Mount the proc filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mount_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ allow $1 proc_t:filesystem mount; ++') ++ ++######################################## ++## + ## Unmount the proc filesystem. + ## + ## +@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',` ######################################## ## @@ -15302,7 +15411,7 @@ index 649e458..31a14c8 100644 ## Get the attributes of the proc filesystem. ## ## -@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',` +@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` gen_require(` @@ -15318,7 +15427,7 @@ index 649e458..31a14c8 100644 ') ######################################## -@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -15343,7 +15452,7 @@ index 649e458..31a14c8 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -15352,7 +15461,7 @@ index 649e458..31a14c8 100644 ') ######################################## -@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -15378,7 +15487,7 @@ index 649e458..31a14c8 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -15387,7 +15496,7 @@ index 649e458..31a14c8 100644 ## ## # -@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -15412,7 +15521,7 @@ index 649e458..31a14c8 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -15437,7 +15546,7 @@ index 649e458..31a14c8 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -15446,7 +15555,7 @@ index 649e458..31a14c8 100644 ') ######################################## -@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -15471,7 +15580,7 @@ index 649e458..31a14c8 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -15497,7 +15606,7 @@ index 649e458..31a14c8 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -15531,7 +15640,7 @@ index 649e458..31a14c8 100644 ######################################## ## -@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -15556,7 +15665,7 @@ index 649e458..31a14c8 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -17136,7 +17245,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 771bce1..8b0e5e6 100644 +index 771bce1..55ebf4b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -17198,7 +17307,50 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -481,6 +504,24 @@ interface(`term_list_ptys',` +@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',` + + ######################################## + ## ++## Mount a pty filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_mount_pty_fs',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:filesystem mount; ++') ++ ++######################################## ++## ++## Unmount a pty filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_unmount_pty_fs',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:filesystem unmount; ++') ++ ++######################################## ++## + ## Relabel from and to pty filesystem. + ## + ## +@@ -481,6 +540,24 @@ interface(`term_list_ptys',` ######################################## ## @@ -17223,7 +17375,7 @@ index 771bce1..8b0e5e6 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',` +@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',` ######################################## ## @@ -17232,7 +17384,7 @@ index 771bce1..8b0e5e6 100644 ## write the generic pty type. This is ## generally only used in the targeted policy. ## -@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',` +@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') @@ -17240,7 +17392,7 @@ index 771bce1..8b0e5e6 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',` +@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -17267,7 +17419,7 @@ index 771bce1..8b0e5e6 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -17276,7 +17428,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',` +@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',` ') dev_list_all_dev_nodes($1) @@ -17285,7 +17437,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## @@ -17294,7 +17446,7 @@ index 771bce1..8b0e5e6 100644 ## ## # -@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -17343,7 +17495,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -17357,7 +17509,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -17370,7 +17522,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -17399,7 +17551,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -17408,7 +17560,7 @@ index 771bce1..8b0e5e6 100644 ') ######################################## -@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -17417,7 +17569,7 @@ index 771bce1..8b0e5e6 100644 ## ## # -@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -18965,10 +19117,10 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..bac0dc0 +index 0000000..cf6582f --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,595 @@ +@@ -0,0 +1,613 @@ +## Unconfiend user role + +######################################## @@ -19396,6 +19548,24 @@ index 0000000..bac0dc0 + +######################################## +## ++## Write keys for the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_write_keys',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:key write; ++') ++ ++######################################## ++## +## Send messages to the unconfined domain over dbus. +## +## @@ -22053,7 +22223,7 @@ index d1f64a0..3be3d00 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..d4ed029 100644 +index 6bf0ecc..ad955d5 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -22301,32 +22471,11 @@ index 6bf0ecc..d4ed029 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,13 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP") -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority") -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c") -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc") ++ xserver_filetrans_home_content($2) + # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -22338,7 +22487,7 @@ index 6bf0ecc..d4ed029 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +513,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -22368,7 +22517,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +564,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -22376,7 +22525,7 @@ index 6bf0ecc..d4ed029 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',` +@@ -547,6 +595,42 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) ') @@ -22419,7 +22568,7 @@ index 6bf0ecc..d4ed029 100644 ######################################## ## ## Create a Xauthority file in the user home directory. -@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -22427,7 +22576,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -22436,7 +22585,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -638,6 +744,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +723,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -22462,7 +22611,7 @@ index 6bf0ecc..d4ed029 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -22471,7 +22620,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -22480,7 +22629,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -22489,7 +22638,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -22503,7 +22652,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -22577,7 +22726,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -22603,7 +22752,7 @@ index 6bf0ecc..d4ed029 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -22630,7 +22779,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -22658,7 +22807,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -22683,7 +22832,7 @@ index 6bf0ecc..d4ed029 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -22711,7 +22860,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -22720,7 +22869,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -22766,7 +22915,7 @@ index 6bf0ecc..d4ed029 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22775,7 +22924,7 @@ index 6bf0ecc..d4ed029 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22818,7 +22967,7 @@ index 6bf0ecc..d4ed029 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22827,7 +22976,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -22839,7 +22988,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22866,7 +23015,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22875,7 +23024,7 @@ index 6bf0ecc..d4ed029 100644 ## ## ## -@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22900,7 +23049,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -23393,14 +23542,28 @@ index 6bf0ecc..d4ed029 100644 + ') + + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") -+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") @@ -23429,6 +23592,18 @@ index 6bf0ecc..d4ed029 100644 + + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") @@ -23440,6 +23615,7 @@ index 6bf0ecc..d4ed029 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++ + optional_policy(` + gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") + ') @@ -23481,7 +23657,7 @@ index 6bf0ecc..d4ed029 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..8ac9130 100644 +index 2696452..0881350 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -24046,7 +24222,7 @@ index 2696452..8ac9130 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24087,10 +24263,11 @@ index 2696452..8ac9130 100644 -sysnet_read_config(xdm_t) +systemd_write_inhibit_pipes(xdm_t) ++systemd_dbus_chat_localed(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24140,7 +24317,7 @@ index 2696452..8ac9130 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -24167,7 +24344,7 @@ index 2696452..8ac9130 100644 ') optional_policy(` -@@ -514,12 +739,72 @@ optional_policy(` +@@ -514,12 +740,72 @@ optional_policy(` ') optional_policy(` @@ -24240,7 +24417,7 @@ index 2696452..8ac9130 100644 hostname_exec(xdm_t) ') -@@ -537,28 +822,78 @@ optional_policy(` +@@ -537,28 +823,78 @@ optional_policy(` ') optional_policy(` @@ -24328,7 +24505,7 @@ index 2696452..8ac9130 100644 ') optional_policy(` -@@ -570,6 +905,14 @@ optional_policy(` +@@ -570,6 +906,14 @@ optional_policy(` ') optional_policy(` @@ -24343,7 +24520,7 @@ index 2696452..8ac9130 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -24356,7 +24533,7 @@ index 2696452..8ac9130 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24372,7 +24549,7 @@ index 2696452..8ac9130 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +970,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -24383,7 +24560,7 @@ index 2696452..8ac9130 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +985,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24405,7 +24582,7 @@ index 2696452..8ac9130 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1005,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -24419,7 +24596,7 @@ index 2696452..8ac9130 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1031,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -24450,7 +24627,7 @@ index 2696452..8ac9130 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1062,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24468,7 +24645,7 @@ index 2696452..8ac9130 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1085,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1086,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -24492,7 +24669,7 @@ index 2696452..8ac9130 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1104,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -24501,7 +24678,7 @@ index 2696452..8ac9130 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1148,44 @@ optional_policy(` +@@ -775,16 +1149,44 @@ optional_policy(` ') optional_policy(` @@ -24547,7 +24724,7 @@ index 2696452..8ac9130 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1194,10 @@ optional_policy(` +@@ -793,6 +1195,10 @@ optional_policy(` ') optional_policy(` @@ -24558,7 +24735,7 @@ index 2696452..8ac9130 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24572,7 +24749,7 @@ index 2696452..8ac9130 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -24581,7 +24758,7 @@ index 2696452..8ac9130 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1237,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1238,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24616,7 +24793,7 @@ index 2696452..8ac9130 100644 ') optional_policy(` -@@ -902,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24625,7 +24802,7 @@ index 2696452..8ac9130 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1356,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -24657,7 +24834,7 @@ index 2696452..8ac9130 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1402,40 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -26275,7 +26452,7 @@ index 016a770..1effeb4 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 6c4b6ee..4ea7640 100644 +index 6c4b6ee..f512b72 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,6 +13,9 @@ role system_r types fsadm_t; @@ -26304,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644 # log files allow fsadm_t fsadm_log_t:dir setattr; -@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t) +@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) + # Enable swapping to files + allow fsadm_t swapfile_t:file { rw_file_perms swapon }; + ++kernel_get_sysvipc_info(fsadm_t) + kernel_read_system_state(fsadm_t) + kernel_read_kernel_sysctls(fsadm_t) + kernel_request_load_module(fsadm_t) +@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t) files_read_etc_files(fsadm_t) files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) @@ -26313,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644 # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t) +@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -26323,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -26341,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644 +init_stream_connect(fsadm_t) logging_send_syslog_msg(fsadm_t) ++logging_send_audit_msgs(fsadm_t) +logging_stream_connect_syslog(fsadm_t) -miscfiles_read_localization(fsadm_t) @@ -26352,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +185,11 @@ optional_policy(` +@@ -166,6 +187,11 @@ optional_policy(` ') optional_policy(` @@ -26364,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -179,6 +203,10 @@ optional_policy(` +@@ -179,6 +205,10 @@ optional_policy(` ') optional_policy(` @@ -26375,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644 nis_use_ypbind(fsadm_t) ') -@@ -192,6 +220,10 @@ optional_policy(` +@@ -192,6 +222,10 @@ optional_policy(` ') optional_policy(` @@ -26716,7 +26902,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..f03be17 100644 +index 24e7804..1894886 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -27601,7 +27787,7 @@ index 24e7804..f03be17 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -27828,6 +28014,7 @@ index 24e7804..f03be17 100644 + ') + + allow $1 init_t:system status; ++ allow $1 init_t:service status; +') + +######################################## @@ -27886,7 +28073,7 @@ index 24e7804..f03be17 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..8913598 100644 +index dd3be8d..61531ce 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -28152,10 +28339,9 @@ index dd3be8d..8913598 100644 + +optional_policy(` + gnome_filetrans_home_content(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) +') @@ -28287,10 +28473,11 @@ index dd3be8d..8913598 100644 ') optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -28948,7 +29135,7 @@ index dd3be8d..8913598 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1353,185 @@ optional_policy(` +@@ -896,3 +1353,191 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28999,6 +29186,8 @@ index dd3be8d..8913598 100644 +allow initrc_t daemon:process siginh; +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow daemon initrc_transition_domain:fd use; ++allow daemon init_var_run_t:dir search_dir_perms; ++allow systemprocess init_var_run_t:dir search_dir_perms; + +allow init_t daemon:unix_stream_socket create_stream_socket_perms; +allow init_t daemon:unix_dgram_socket create_socket_perms; @@ -29128,14 +29317,18 @@ index dd3be8d..8913598 100644 +allow initrc_domain systemprocess_entry:file { getattr open read execute }; +allow initrc_domain systemprocess:process transition; + ++optional_policy(` ++ rgmanager_search_lib(initrc_domain) ++') ++ +ifdef(`direct_sysadm_daemon',` -+ allow daemon direct_run_init:fd use; -+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms; -+ allow daemon direct_run_init:process sigchld; -+ allow direct_run_init direct_init_entry:file { getattr open read execute }; ++ allow daemon direct_run_init:fd use; ++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms; ++ allow daemon direct_run_init:process sigchld; ++ allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..a452892 100644 +index 662e79b..626a689 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,6 +1,8 @@ @@ -29160,7 +29353,7 @@ index 662e79b..a452892 100644 /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) @@ -29170,7 +29363,7 @@ index 662e79b..a452892 100644 /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..ac0a652 100644 +index 0d4c8d3..3375525 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',` @@ -29197,7 +29390,68 @@ index 0d4c8d3..ac0a652 100644 interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',` +@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',` + allow $1 ipsec_mgmt_t:process sigkill; + ') + ++######################################## ++## ++## Send ipsec a general signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_signal',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:process signal; ++') ++ ++######################################## ++## ++## Send ipsec a null signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_signull',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:process signull; ++') ++ ++######################################## ++## ++## Send ipsec a kill signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_kill',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:process sigkill; ++') ++ + ###################################### + ## + ## Send and receive messages from +@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; @@ -29205,7 +29459,7 @@ index 0d4c8d3..ac0a652 100644 ') ######################################## -@@ -369,3 +367,26 @@ interface(`ipsec_run_setkey',` +@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -31580,7 +31834,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..ea56d23 100644 +index e8c59a5..df70cac 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -31602,7 +31856,7 @@ index e8c59a5..ea56d23 100644 type lvm_lock_t; files_lock_file(lvm_lock_t) -@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t) +@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t) allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process { signal_perms setsched }; @@ -31617,10 +31871,14 @@ index e8c59a5..ea56d23 100644 +manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) +fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) + ++manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) - files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) +-files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) ++files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir }) -@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) + read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) + +@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) corecmd_exec_shell(clvmd_t) corecmd_getattr_bin_files(clvmd_t) @@ -31628,7 +31886,7 @@ index e8c59a5..ea56d23 100644 corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) -@@ -120,9 +125,7 @@ init_dontaudit_getattr_initctl(clvmd_t) +@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t) logging_send_syslog_msg(clvmd_t) @@ -31638,7 +31896,7 @@ index e8c59a5..ea56d23 100644 seutil_sigchld_newrole(clvmd_t) seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) -@@ -141,6 +144,11 @@ ifdef(`distro_redhat',` +@@ -141,6 +145,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -31650,7 +31908,7 @@ index e8c59a5..ea56d23 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +178,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -31658,7 +31916,7 @@ index e8c59a5..ea56d23 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,10 +200,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -31671,7 +31929,7 @@ index e8c59a5..ea56d23 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -31679,10 +31937,11 @@ index e8c59a5..ea56d23 100644 manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) +files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) ++init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +232,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -31690,7 +31949,7 @@ index e8c59a5..ea56d23 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -31705,7 +31964,7 @@ index e8c59a5..ea56d23 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -31713,7 +31972,7 @@ index e8c59a5..ea56d23 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -31736,7 +31995,7 @@ index e8c59a5..ea56d23 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -31745,15 +32004,15 @@ index e8c59a5..ea56d23 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) +logging_stream_connect_syslog(lvm_t) -+ -+authlogin_rw_pipes(lvm_t) -miscfiles_read_localization(lvm_t) ++authlogin_rw_pipes(lvm_t) ++auth_use_nsswitch(lvm_t) seutil_read_config(lvm_t) seutil_read_file_contexts(lvm_t) @@ -31764,10 +32023,12 @@ index e8c59a5..ea56d23 100644 userdom_use_user_terminals(lvm_t) +userdom_rw_semaphores(lvm_t) +userdom_search_user_home_dirs(lvm_t) ++ ++usermanage_read_crack_db(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +338,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +342,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -31779,7 +32040,7 @@ index e8c59a5..ea56d23 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +363,26 @@ optional_policy(` +@@ -333,14 +367,26 @@ optional_policy(` ') optional_policy(` @@ -31807,7 +32068,7 @@ index e8c59a5..ea56d23 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..06fa481 100644 +index 9fe8e01..fa82aac 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` @@ -31826,7 +32087,7 @@ index 9fe8e01..06fa481 100644 ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,11 +39,6 @@ ifdef(`distro_redhat',` +@@ -37,14 +39,10 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -31838,7 +32099,19 @@ index 9fe8e01..06fa481 100644 /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -77,7 +74,7 @@ ifdef(`distro_redhat',` ++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +@@ -53,6 +51,7 @@ ifdef(`distro_redhat',` + /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) + ++/usr/share/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) + +@@ -77,7 +76,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) @@ -31847,7 +32120,7 @@ index 9fe8e01..06fa481 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +87,7 @@ ifdef(`distro_debian',` +@@ -90,6 +89,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -32478,7 +32751,7 @@ index 72c746e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..0755e25 100644 +index 4584457..e432df3 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` @@ -32495,7 +32768,7 @@ index 4584457..0755e25 100644 ') ######################################## -@@ -38,11 +45,103 @@ interface(`mount_domtrans',` +@@ -38,11 +45,122 @@ interface(`mount_domtrans',` # interface(`mount_run',` gen_require(` @@ -32583,6 +32856,25 @@ index 4584457..0755e25 100644 + +######################################## +## ++## Read/write mount PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mount_rw_pid_files',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ rw_files_pattern($1, mount_var_run_t, mount_var_run_t) ++ files_search_pids($1) ++') ++ ++######################################## ++## +## Manage mount PID files. +## +## @@ -32601,7 +32893,7 @@ index 4584457..0755e25 100644 ') ######################################## -@@ -91,7 +190,7 @@ interface(`mount_signal',` +@@ -91,7 +209,7 @@ interface(`mount_signal',` ## ## ## @@ -32610,7 +32902,7 @@ index 4584457..0755e25 100644 ## ## # -@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -32670,14 +32962,19 @@ index 4584457..0755e25 100644 ## -## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`mount_run_unconfined',` +interface(`mount_exec_fusermount',` -+ gen_require(` + gen_require(` +- type unconfined_mount_t; + type fusermount_exec_t; -+ ') -+ + ') + +- mount_domtrans_unconfined($1) +- role $2 types unconfined_mount_t; + can_exec($1, fusermount_exec_t) +') + @@ -32688,19 +32985,14 @@ index 4584457..0755e25 100644 +## +## +## Domain to not audit. - ## - ## --## - # --interface(`mount_run_unconfined',` ++## ++## ++# +interface(`mount_dontaudit_exec_fusermount',` - gen_require(` -- type unconfined_mount_t; ++ gen_require(` + type fusermount_exec_t; - ') - -- mount_domtrans_unconfined($1) -- role $2 types unconfined_mount_t; ++ ') ++ + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') + @@ -32766,7 +33058,7 @@ index 4584457..0755e25 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..ac90315 100644 +index 6a50270..b34911e 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -32867,7 +33159,7 @@ index 6a50270..ac90315 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t) +@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -32883,6 +33175,7 @@ index 6a50270..ac90315 100644 dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) dev_getattr_sound_dev(mount_t) ++dev_rw_loop_control(mount_t) + +ifdef(`hide_broken_symptoms',` + dev_rw_generic_blk_files(mount_t) @@ -32917,7 +33210,7 @@ index 6a50270..ac90315 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +147,39 @@ files_list_mnt(mount_t) +@@ -92,28 +148,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -32963,7 +33256,7 @@ index 6a50270..ac90315 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -32987,7 +33280,7 @@ index 6a50270..ac90315 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -33027,7 +33320,7 @@ index 6a50270..ac90315 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +251,8 @@ optional_policy(` +@@ -179,6 +252,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -33036,7 +33329,7 @@ index 6a50270..ac90315 100644 ') optional_policy(` -@@ -186,6 +260,36 @@ optional_policy(` +@@ -186,6 +261,36 @@ optional_policy(` ') optional_policy(` @@ -33073,7 +33366,7 @@ index 6a50270..ac90315 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +298,124 @@ optional_policy(` +@@ -194,24 +299,128 @@ optional_policy(` ') optional_policy(` @@ -33133,16 +33426,20 @@ index 6a50270..ac90315 100644 +optional_policy(` + usbmuxd_stream_connect(mount_t) +') ++ ++optional_policy(` ++ userhelper_exec_console(mount_t) ++') ++ ++optional_policy(` ++ unconfined_write_keys(mount_t) ++') optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) -+ userhelper_exec_console(mount_t) - ') -+ -+optional_policy(` + virt_read_blk_images(mount_t) -+') + ') + +optional_policy(` + vmware_exec_host(mount_t) @@ -34692,10 +34989,10 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 346a7cc..2fa1253 100644 +index 346a7cc..b44bb0c 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -17,14 +17,15 @@ ifdef(`distro_debian',` +@@ -17,16 +17,17 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -34712,8 +35009,11 @@ index 346a7cc..2fa1253 100644 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) + + ifdef(`distro_redhat',` @@ -55,6 +56,20 @@ ifdef(`distro_redhat',` # # /usr @@ -35417,12 +35717,29 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..fc080a1 +index 0000000..2927875 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1064 @@ +@@ -0,0 +1,1103 @@ +## SELinux policy for systemd components + ++###################################### ++## ++## Create a domain for processes which are started ++## exuting systemctl. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_stub_unit_file',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++') ++ +####################################### +## +## Create a domain for processes which are started @@ -36467,7 +36784,7 @@ index 0000000..fc080a1 +######################################## +## +## Send and receive messages from -+## systemd timedated over dbus. ++## systemd hostnamed over dbus. +## +## +## @@ -36485,9 +36802,31 @@ index 0000000..fc080a1 + allow systemd_hostnamed_t $1:dbus send_msg; + ps_process_pattern(systemd_hostnamed_t, $1) +') ++ ++######################################## ++## ++## Send and receive messages from ++## systemd localed over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_dbus_chat_localed',` ++ gen_require(` ++ type systemd_localed_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 systemd_localed_t:dbus send_msg; ++ allow systemd_localed_t $1:dbus send_msg; ++ ps_process_pattern(systemd_localed_t, $1) ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..60e3e89 +index 0000000..4d56107 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,641 @@ @@ -36970,7 +37309,7 @@ index 0000000..60e3e89 + +userdom_dbus_send_all_users(systemd_localed_t) + -+xserver_read_config(systemd_localed_t) ++xserver_manage_config(systemd_localed_t) + +optional_policy(` + dbus_connect_system_bus(systemd_localed_t) @@ -38503,7 +38842,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..05bc969 100644 +index 3c5dba7..9799799 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39765,7 +40104,7 @@ index 3c5dba7..05bc969 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -39812,6 +40151,7 @@ index 3c5dba7..05bc969 100644 + optional_policy(` + systemd_dbus_chat_timedated($1_t) + systemd_dbus_chat_hostnamed($1_t) ++ systemd_dbus_chat_localed($1_t) + ') + + optional_policy(` @@ -39835,7 +40175,7 @@ index 3c5dba7..05bc969 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -39846,7 +40186,7 @@ index 3c5dba7..05bc969 100644 ') ') -@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -39855,7 +40195,7 @@ index 3c5dba7..05bc969 100644 ') ############################## -@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -39863,7 +40203,7 @@ index 3c5dba7..05bc969 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -39873,7 +40213,7 @@ index 3c5dba7..05bc969 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -39881,7 +40221,7 @@ index 3c5dba7..05bc969 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -39896,7 +40236,7 @@ index 3c5dba7..05bc969 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -39939,7 +40279,7 @@ index 3c5dba7..05bc969 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -39948,7 +40288,7 @@ index 3c5dba7..05bc969 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -39967,7 +40307,7 @@ index 3c5dba7..05bc969 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -39976,7 +40316,7 @@ index 3c5dba7..05bc969 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -39988,7 +40328,7 @@ index 3c5dba7..05bc969 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40031,7 +40371,7 @@ index 3c5dba7..05bc969 100644 ') optional_policy(` -@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40050,7 +40390,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40102,7 +40442,7 @@ index 3c5dba7..05bc969 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40134,7 +40474,7 @@ index 3c5dba7..05bc969 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40149,7 +40489,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40161,7 +40501,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40204,7 +40544,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40213,7 +40553,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40228,7 +40568,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2247,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40237,7 +40577,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2255,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -40261,7 +40601,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2273,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -40301,7 +40641,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2321,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40327,7 +40667,7 @@ index 3c5dba7..05bc969 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2370,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40365,7 +40705,7 @@ index 3c5dba7..05bc969 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2410,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40383,7 +40723,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2458,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40410,7 +40750,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2486,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40431,7 +40771,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2502,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -40482,7 +40822,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2579,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40492,7 +40832,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2595,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40517,7 +40857,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## -@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2685,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40526,7 +40866,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2693,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -40550,7 +40890,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2711,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -40566,7 +40906,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2953,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40581,7 +40921,7 @@ index 3c5dba7..05bc969 100644 files_search_tmp($1) ') -@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2977,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -40590,7 +40930,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3224,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40616,7 +40956,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3259,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -40632,7 +40972,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3287,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40641,7 +40981,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3295,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -40664,7 +41004,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2735,25 +3313,43 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # @@ -40714,7 +41054,7 @@ index 3c5dba7..05bc969 100644 gen_require(` type user_tty_device_t; ') -@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3413,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -40739,7 +41079,7 @@ index 3c5dba7..05bc969 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3449,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40782,7 +41122,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3485,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -40820,7 +41160,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3530,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -40850,7 +41190,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3622,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -40951,7 +41291,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3691,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -40966,7 +41306,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3760,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -40975,7 +41315,7 @@ index 3c5dba7..05bc969 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3776,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41009,7 +41349,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41018,7 +41358,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41084,7 +41424,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41093,7 +41433,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41101,7 +41441,7 @@ index 3c5dba7..05bc969 100644 kernel_search_proc($1) ') -@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41144,7 +41484,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41169,7 +41509,7 @@ index 3c5dba7..05bc969 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4196,1357 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ff0cb24..43bfddb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -516,7 +516,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..304203f 100644 +index cc43d25..563c773 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -732,7 +732,7 @@ index cc43d25..304203f 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -756,13 +756,14 @@ index cc43d25..304203f 100644 fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) --auth_use_nsswitch(abrt_t) -- - logging_read_generic_logs(abrt_t) ++logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) - -+auth_use_nsswitch(abrt_t) + + auth_use_nsswitch(abrt_t) + +-logging_read_generic_logs(abrt_t) ++init_read_utmp(abrt_t) + +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) @@ -771,7 +772,7 @@ index cc43d25..304203f 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -788,7 +789,7 @@ index cc43d25..304203f 100644 ') optional_policy(` -@@ -209,6 +220,12 @@ optional_policy(` +@@ -209,6 +222,12 @@ optional_policy(` ') optional_policy(` @@ -801,7 +802,7 @@ index cc43d25..304203f 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +237,7 @@ optional_policy(` +@@ -220,6 +239,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -809,7 +810,7 @@ index cc43d25..304203f 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +248,7 @@ optional_policy(` +@@ -230,6 +250,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -817,7 +818,7 @@ index cc43d25..304203f 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +259,17 @@ optional_policy(` +@@ -240,9 +261,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -836,7 +837,7 @@ index cc43d25..304203f 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -851,7 +852,7 @@ index cc43d25..304203f 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +299,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -859,7 +860,7 @@ index cc43d25..304203f 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -880,7 +881,7 @@ index cc43d25..304203f 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -907,7 +908,7 @@ index cc43d25..304203f 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +365,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -921,7 +922,7 @@ index cc43d25..304203f 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +383,11 @@ optional_policy(` +@@ -330,10 +385,11 @@ optional_policy(` ####################################### # @@ -935,7 +936,7 @@ index cc43d25..304203f 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -947,6 +948,7 @@ index cc43d25..304203f 100644 +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) ++ mock_manage_lib_files(abrt_t) +') + ######################################## @@ -976,7 +978,7 @@ index cc43d25..304203f 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) @@ -994,7 +996,7 @@ index cc43d25..304203f 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -2720,7 +2722,7 @@ index 0000000..b334e9a + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..e714059 100644 +index 550a69e..78579c0 100644 --- a/apache.fc +++ b/apache.fc @@ -1,161 +1,184 @@ @@ -3017,12 +3019,12 @@ index 550a69e..e714059 100644 -/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) ++/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) ++/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) + +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + -+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + @@ -4365,7 +4367,7 @@ index 83e899c..e3bed6a 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..c388418 100644 +index 1a82e29..5e167ca 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,353 @@ @@ -5103,7 +5105,7 @@ index 1a82e29..c388418 100644 -fs_read_anon_inodefs_files(httpd_t) fs_read_iso9660_files(httpd_t) -fs_search_auto_mountpoints(httpd_t) -+fs_read_anon_inodefs_files(httpd_t) ++fs_rw_anon_inodefs_files(httpd_t) +fs_read_hugetlbfs_files(httpd_t) + +auth_use_nsswitch(httpd_t) @@ -5726,10 +5728,11 @@ index 1a82e29..c388418 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + @@ -5788,11 +5791,10 @@ index 1a82e29..c388418 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # @@ -6004,7 +6006,7 @@ index 1a82e29..c388418 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1270,103 @@ optional_policy(` +@@ -1077,172 +1270,104 @@ optional_policy(` ') ') @@ -6029,11 +6031,11 @@ index 1a82e29..c388418 100644 - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -+allow httpd_sys_script_t self:process getsched; - +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) -- ++allow httpd_sys_script_t self:process getsched; + -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) @@ -6143,6 +6145,7 @@ index 1a82e29..c388418 100644 +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) ++fs_rw_anon_inodefs_files(httpd_sys_script_t) - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_script_domains) @@ -6170,7 +6173,8 @@ index 1a82e29..c388418 100644 -# - -allow httpd_sys_script_t self:tcp_socket { accept listen }; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6200,8 +6204,7 @@ index 1a82e29..c388418 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6239,7 +6242,7 @@ index 1a82e29..c388418 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1375,70 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6333,7 +6336,7 @@ index 1a82e29..c388418 100644 ######################################## # -@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1446,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6350,7 +6353,7 @@ index 1a82e29..c388418 100644 ') ######################################## -@@ -1324,49 +1461,36 @@ optional_policy(` +@@ -1324,49 +1462,36 @@ optional_policy(` # User content local policy # @@ -6414,7 +6417,7 @@ index 1a82e29..c388418 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1500,94 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9740,10 +9743,10 @@ index 2354e21..bec6c06 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..7c0b1be 100644 +index 403af41..68a5e26 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t; +@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; @@ -9774,7 +9777,10 @@ index 403af41..7c0b1be 100644 +userdom_dontaudit_list_admin_dir(certwatch_t) optional_policy(` ++ apache_exec(certwatch_t) apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) + ') diff --git a/cfengine.if b/cfengine.if index a731122..5279d4e 100644 --- a/cfengine.if @@ -9933,7 +9939,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..eb7a3ac 100644 +index fdee107..7a38b63 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -9979,10 +9985,10 @@ index fdee107..eb7a3ac 100644 # # cgred local policy # ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; ++allow cgred_t self:process signal_perms; -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; -+ allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; @@ -11801,7 +11807,7 @@ index 8e27a37..825f537 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..e891ec4 100644 +index 09f18e2..f0cade4 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -11902,7 +11908,7 @@ index 09f18e2..e891ec4 100644 ') optional_policy(` -@@ -133,3 +142,14 @@ optional_policy(` +@@ -133,3 +142,16 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) ') @@ -11912,6 +11918,8 @@ index 09f18e2..e891ec4 100644 + xserver_read_xdm_state(colord_t) + # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc + xserver_read_inherited_xdm_lib_files(colord_t) ++ # allow to read /run/initial-setup-$username ++ xserver_read_xdm_pid(colord_t) +') + +optional_policy(` @@ -12406,7 +12414,7 @@ index 3fe3cb8..684b700 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..22ddc47 100644 +index 3f2b672..2af6e1e 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -12419,8 +12427,13 @@ index 3f2b672..22ddc47 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -59,8 +62,9 @@ condor_domain_template(startd) +@@ -57,10 +60,14 @@ condor_domain_template(startd) + # Global local policy + # ++allow condor_domain self:capability dac_override; ++allow condor_domain self:capability2 block_suspend; ++ allow condor_domain self:process signal_perms; allow condor_domain self:fifo_file rw_fifo_file_perms; -allow condor_domain self:tcp_socket { accept listen }; @@ -12431,7 +12444,7 @@ index 3f2b672..22ddc47 100644 manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -12445,7 +12458,7 @@ index 3f2b672..22ddc47 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +107,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +110,7 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -12456,16 +12469,36 @@ index 3f2b672..22ddc47 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -125,7 +127,7 @@ optional_policy(` + # Master local policy + # + +-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; ++allow condor_master_t self:capability { setuid setgid sys_ptrace }; + + allow condor_master_t condor_domain:process { sigkill signal }; + +@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) + manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) + files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) + ++can_exec(condor_master_t, condor_master_exec_t) ++ ++kernel_read_system_state(condor_master_tmp_t) ++ + corenet_udp_sendrecv_generic_if(condor_master_t) + corenet_udp_sendrecv_generic_node(condor_master_t) + corenet_tcp_bind_generic_node(condor_master_t) +@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) domain_read_all_domains_state(condor_master_t) -auth_use_nsswitch(condor_master_t) -- ++auth_read_passwd(condor_master_t) + optional_policy(` mta_send_mail(condor_master_t) - mta_read_config(condor_master_t) -@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -12474,7 +12507,16 @@ index 3f2b672..22ddc47 100644 ###################################### # # Procd local policy -@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; + + allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; + ++allow condor_schedd_t condor_master_tmp_t:dir getattr; ++ + domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) + domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) + +@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -12483,7 +12525,7 @@ index 3f2b672..22ddc47 100644 ##################################### # # Startd local policy -@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -12496,7 +12538,7 @@ index 3f2b672..22ddc47 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +249,7 @@ optional_policy(` +@@ -249,3 +260,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -16021,7 +16063,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..45fe9a0 100644 +index 9f34c2e..3b03f21 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16243,7 +16285,7 @@ index 9f34c2e..45fe9a0 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -16259,10 +16301,11 @@ index 9f34c2e..45fe9a0 100644 fs_search_fusefs(cupsd_t) fs_read_anon_inodefs_files(cupsd_t) +fs_rw_anon_inodefs_files(cupsd_t) ++fs_rw_inherited_tmpfs_files(cupsd_t) mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -16271,7 +16314,7 @@ index 9f34c2e..45fe9a0 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -16297,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +307,8 @@ optional_policy(` +@@ -275,6 +308,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -16306,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +319,10 @@ optional_policy(` +@@ -285,8 +320,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16317,7 +16360,7 @@ index 9f34c2e..45fe9a0 100644 ') ') -@@ -299,8 +335,8 @@ optional_policy(` +@@ -299,8 +336,8 @@ optional_policy(` ') optional_policy(` @@ -16327,7 +16370,7 @@ index 9f34c2e..45fe9a0 100644 ') optional_policy(` -@@ -309,7 +345,6 @@ optional_policy(` +@@ -309,7 +346,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -16335,7 +16378,7 @@ index 9f34c2e..45fe9a0 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +372,7 @@ optional_policy(` +@@ -337,7 +373,7 @@ optional_policy(` ') optional_policy(` @@ -16344,7 +16387,7 @@ index 9f34c2e..45fe9a0 100644 ') ######################################## -@@ -345,11 +380,9 @@ optional_policy(` +@@ -345,11 +381,9 @@ optional_policy(` # Configuration daemon local policy # @@ -16358,7 +16401,7 @@ index 9f34c2e..45fe9a0 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16378,7 +16421,7 @@ index 9f34c2e..45fe9a0 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -16399,7 +16442,7 @@ index 9f34c2e..45fe9a0 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16411,7 +16454,7 @@ index 9f34c2e..45fe9a0 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +469,12 @@ optional_policy(` +@@ -452,9 +470,12 @@ optional_policy(` ') optional_policy(` @@ -16425,7 +16468,7 @@ index 9f34c2e..45fe9a0 100644 ') optional_policy(` -@@ -490,10 +510,6 @@ optional_policy(` +@@ -490,10 +511,6 @@ optional_policy(` # Lpd local policy # @@ -16436,7 +16479,7 @@ index 9f34c2e..45fe9a0 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16469,7 +16512,7 @@ index 9f34c2e..45fe9a0 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +553,6 @@ optional_policy(` +@@ -546,7 +554,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16477,7 +16520,7 @@ index 9f34c2e..45fe9a0 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -16495,7 +16538,7 @@ index 9f34c2e..45fe9a0 100644 userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) -@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(cups_pdf_t) ') @@ -16626,7 +16669,7 @@ index 9f34c2e..45fe9a0 100644 ######################################## # -@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -16634,7 +16677,7 @@ index 9f34c2e..45fe9a0 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -16648,7 +16691,7 @@ index 9f34c2e..45fe9a0 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -18734,7 +18777,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..41ca7ce 100644 +index ff933af..fc9d3f4 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) @@ -18837,18 +18880,19 @@ index ff933af..41ca7ce 100644 ') optional_policy(` -@@ -180,6 +184,10 @@ optional_policy(` +@@ -180,6 +184,11 @@ optional_policy(` ') optional_policy(` + systemd_read_logind_sessions_files(devicekit_disk_t) ++ systemd_write_inhibit_pipes(devicekit_disk_t) +') + +optional_policy(` udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -188,12 +196,19 @@ optional_policy(` +@@ -188,12 +197,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -18869,7 +18913,7 @@ index ff933af..41ca7ce 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) @@ -18880,7 +18924,7 @@ index ff933af..41ca7ce 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -18900,7 +18944,7 @@ index ff933af..41ca7ce 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -269,9 +281,11 @@ optional_policy(` +@@ -269,9 +282,11 @@ optional_policy(` optional_policy(` cron_initrc_domtrans(devicekit_power_t) @@ -18912,7 +18956,7 @@ index ff933af..41ca7ce 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -302,8 +316,11 @@ optional_policy(` +@@ -302,8 +317,11 @@ optional_policy(` ') optional_policy(` @@ -18925,7 +18969,7 @@ index ff933af..41ca7ce 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -341,3 +358,9 @@ optional_policy(` +@@ -341,3 +359,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -19296,10 +19340,10 @@ index 0000000..332a1c9 +') diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 0000000..a3d076f +index 0000000..35455bf --- /dev/null +++ b/dirsrv-admin.te -@@ -0,0 +1,144 @@ +@@ -0,0 +1,156 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## @@ -19332,9 +19376,10 @@ index 0000000..a3d076f +# +# Local policy for the daemon +# ++ +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; +allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; -+allow dirsrvadmin_t self:process setrlimit; ++allow dirsrvadmin_t self:process { setrlimit signal_perms }; + +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) @@ -19353,7 +19398,6 @@ index 0000000..a3d076f + +logging_search_logs(dirsrvadmin_t) + -+ +# Needed for stop and restart scripts +dirsrv_read_var_run(dirsrvadmin_t) + @@ -19374,7 +19418,7 @@ index 0000000..a3d076f + apache_content_template(dirsrvadmin) + + allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; -+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; + allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; + allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; @@ -19387,7 +19431,12 @@ index 0000000..a3d076f + + kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) + ++ ++ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t) ++ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t) + corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) ++ ++ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) @@ -19401,6 +19450,13 @@ index 0000000..a3d076f + files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) + + optional_policy(` ++ apache_read_modules(httpd_dirsrvadmin_script_t) ++ apache_read_config(httpd_dirsrvadmin_script_t) ++ apache_signal(httpd_dirsrvadmin_script_t) ++ apache_signull(httpd_dirsrvadmin_script_t) ++ ') ++ ++ optional_policy(` + # The CGI scripts must be able to manage dirsrv-admin + dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) + dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) @@ -22541,7 +22597,7 @@ index 5cf6ac6..839999e 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..02de884 100644 +index c8014f8..64e18e1 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -22562,11 +22618,11 @@ index c8014f8..02de884 100644 # Local policy # - -+allow firewalld_t self:capability dac_override; ++allow firewalld_t self:capability { dac_override net_admin }; dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; -@@ -40,8 +49,17 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; +@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; allow firewalld_t firewalld_var_log_t:file setattr_file_perms; logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) @@ -22584,7 +22640,11 @@ index c8014f8..02de884 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -53,20 +71,17 @@ dev_read_urand(firewalld_t) ++kernel_rw_net_sysctls(firewalld_t) + + corecmd_exec_bin(firewalld_t) + corecmd_exec_shell(firewalld_t) +@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -22610,7 +22670,7 @@ index c8014f8..02de884 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,6 +100,10 @@ optional_policy(` +@@ -85,6 +101,10 @@ optional_policy(` ') optional_policy(` @@ -23081,7 +23141,7 @@ index d062080..e098a40 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..2f7de33 100644 +index e50f33c..5e6cdb8 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -23102,16 +23162,23 @@ index e50f33c..2f7de33 100644 ## ##

    -@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false) +@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false) ## used for public file transfer services. ##

    ##
    -gen_tunable(allow_ftpd_use_cifs, false) +gen_tunable(ftpd_use_cifs, false) ++ ++## ++##

    ++## Allow samba to export ntfs/fusefs volumes. ++##

    ++##
    ++gen_tunable(ftpd_use_fusefs, false) ## ##

    -@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false) +@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false) ## used for public file transfer services. ##

    ##
    @@ -23120,7 +23187,7 @@ index e50f33c..2f7de33 100644 ## ##

    -@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t) +@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -23130,7 +23197,7 @@ index e50f33c..2f7de33 100644 type ftpd_lock_t; files_lock_file(ftpd_lock_t) -@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; +@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -23140,7 +23207,7 @@ index e50f33c..2f7de33 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -23156,7 +23223,7 @@ index e50f33c..2f7de33 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -23170,7 +23237,7 @@ index e50f33c..2f7de33 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -23178,7 +23245,7 @@ index e50f33c..2f7de33 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t) +@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -23201,6 +23268,13 @@ index e50f33c..2f7de33 100644 ') -tunable_policy(`allow_ftpd_use_nfs',` ++tunable_policy(`ftpd_use_fusefs',` ++ fs_manage_fusefs_dirs(ftpd_t) ++ fs_manage_fusefs_files(ftpd_t) ++',` ++ fs_search_fusefs(ftpd_t) ++') ++ +tunable_policy(`ftpd_use_nfs',` fs_read_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) @@ -23228,7 +23302,7 @@ index e50f33c..2f7de33 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -23241,7 +23315,7 @@ index e50f33c..2f7de33 100644 ') tunable_policy(`ftp_home_dir',` -@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',` +@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',` userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) @@ -23254,7 +23328,7 @@ index e50f33c..2f7de33 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -360,7 +374,7 @@ optional_policy(` +@@ -360,7 +388,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -23263,7 +23337,7 @@ index e50f33c..2f7de33 100644 ') optional_policy(` -@@ -410,21 +424,20 @@ optional_policy(` +@@ -410,21 +438,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -23287,7 +23361,7 @@ index e50f33c..2f7de33 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -23328,7 +23402,7 @@ index e50f33c..2f7de33 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -23503,7 +23577,7 @@ index 1e29af1..a1c464e 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 93b0301..8561970 100644 +index 93b0301..9108ddc 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -23521,6 +23595,19 @@ index 93b0301..8561970 100644 ## Determine whether Git system daemon ## can search home directories. ##

    +@@ -92,10 +84,10 @@ type git_session_t, git_daemon; + userdom_user_application_domain(git_session_t, gitd_exec_t) + role git_session_roles types git_session_t; + +-type git_sys_content_t; ++type git_sys_content_t alias git_system_content_t; + files_type(git_sys_content_t) + +-type git_user_content_t; ++type git_user_content_t alias git_session_content_t; + userdom_user_home_content(git_user_content_t) + + ######################################## @@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) @@ -28129,8 +28216,20 @@ index 94ec5f8..801417b 100644 logging_send_syslog_msg(iodined_t) +diff --git a/irc.fc b/irc.fc +index 48e7739..c3285c2 100644 +--- a/irc.fc ++++ b/irc.fc +@@ -1,6 +1,6 @@ + HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) + HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) +-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) ++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0) + + /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) + diff --git a/irc.if b/irc.if -index ac00fb0..06cb083 100644 +index ac00fb0..53e4fc7 100644 --- a/irc.if +++ b/irc.if @@ -20,6 +20,7 @@ interface(`irc_role',` @@ -28141,7 +28240,7 @@ index ac00fb0..06cb083 100644 ') ######################################## -@@ -39,10 +40,33 @@ interface(`irc_role',` +@@ -39,10 +40,34 @@ interface(`irc_role',` ps_process_pattern($2, irc_t) allow $2 irc_t:process { ptrace signal_perms }; @@ -28176,16 +28275,23 @@ index ac00fb0..06cb083 100644 +interface(`irc_filetrans_home_content',` + gen_require(` + type irc_home_t; ++ type irssi_home_t; + ') + userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd") + userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi") -+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs") ++ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index ecad9c7..56e2b35 100644 +index ecad9c7..86d790f 100644 --- a/irc.te +++ b/irc.te -@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t) +@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t + typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; + userdom_user_home_content(irc_home_t) + +-type irc_log_home_t; +-userdom_user_home_content(irc_log_home_t) +- type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; @@ -28214,12 +28320,12 @@ index ecad9c7..56e2b35 100644 +type irssi_etc_t; +files_config_file(irssi_etc_t) + -+type irssi_home_t; ++type irssi_home_t alias irc_log_home_t; +userdom_user_home_content(irssi_home_t) ######################################## # -@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms; +@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms; manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) @@ -28234,7 +28340,7 @@ index ecad9c7..56e2b35 100644 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) +@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) @@ -28242,7 +28348,7 @@ index ecad9c7..56e2b35 100644 corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) -@@ -93,7 +111,6 @@ dev_read_rand(irc_t) +@@ -93,7 +108,6 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) @@ -28250,7 +28356,7 @@ index ecad9c7..56e2b35 100644 fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) -@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t) +@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) @@ -28268,7 +28374,7 @@ index ecad9c7..56e2b35 100644 tunable_policy(`irc_use_any_tcp_ports',` corenet_sendrecv_all_server_packets(irc_t) -@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -33519,10 +33625,10 @@ index b9270f7..15f3748 100644 + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') diff --git a/mailman.if b/mailman.if -index 108c0f1..d28241c 100644 +index 108c0f1..a248501 100644 --- a/mailman.if +++ b/mailman.if -@@ -1,44 +1,66 @@ +@@ -1,44 +1,70 @@ -## Manage electronic mail discussion and e-newsletter lists. +## Mailman is for managing electronic mail discussion and e-newsletter lists @@ -33560,8 +33666,13 @@ index 108c0f1..d28241c 100644 + # Declarations + # - type mailman_$1_t; +- type mailman_$1_t; - type mailman_$1_exec_t; ++ gen_require(` ++ attribute mailman_domain; ++ ') ++ ++ type mailman_$1_t, mailman_domain; domain_type(mailman_$1_t) + type mailman_$1_exec_t; domain_entry_file(mailman_$1_t, mailman_$1_exec_t) @@ -33606,7 +33717,7 @@ index 108c0f1..d28241c 100644 ') ####################################### -@@ -56,15 +78,12 @@ interface(`mailman_domtrans',` +@@ -56,15 +82,12 @@ interface(`mailman_domtrans',` type mailman_mail_exec_t, mailman_mail_t; ') @@ -33623,7 +33734,7 @@ index 108c0f1..d28241c 100644 ##
    ## ## -@@ -73,18 +92,18 @@ interface(`mailman_domtrans',` +@@ -73,18 +96,18 @@ interface(`mailman_domtrans',` ## ## ## @@ -33645,7 +33756,7 @@ index 108c0f1..d28241c 100644 ') ####################################### -@@ -103,7 +122,6 @@ interface(`mailman_domtrans_cgi',` +@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',` type mailman_cgi_exec_t, mailman_cgi_t; ') @@ -33653,7 +33764,7 @@ index 108c0f1..d28241c 100644 domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) ') -@@ -122,13 +140,12 @@ interface(`mailman_exec',` +@@ -122,13 +144,12 @@ interface(`mailman_exec',` type mailman_mail_exec_t; ') @@ -33668,7 +33779,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -146,7 +163,7 @@ interface(`mailman_signal_cgi',` +@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',` ####################################### ## @@ -33677,7 +33788,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -159,13 +176,12 @@ interface(`mailman_search_data',` +@@ -159,13 +180,12 @@ interface(`mailman_search_data',` type mailman_data_t; ') @@ -33692,7 +33803,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -178,7 +194,6 @@ interface(`mailman_read_data_files',` +@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',` type mailman_data_t; ') @@ -33700,7 +33811,7 @@ index 108c0f1..d28241c 100644 list_dirs_pattern($1, mailman_data_t, mailman_data_t) read_files_pattern($1, mailman_data_t, mailman_data_t) read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -@@ -186,8 +201,8 @@ interface(`mailman_read_data_files',` +@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',` ####################################### ## @@ -33711,7 +33822,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -200,14 +215,13 @@ interface(`mailman_manage_data_files',` +@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',` type mailman_data_t; ') @@ -33727,7 +33838,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -220,13 +234,12 @@ interface(`mailman_list_data',` +@@ -220,13 +238,12 @@ interface(`mailman_list_data',` type mailman_data_t; ') @@ -33742,7 +33853,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -244,7 +257,7 @@ interface(`mailman_read_data_symlinks',` +@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',` ####################################### ## @@ -33751,7 +33862,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -257,13 +270,12 @@ interface(`mailman_read_log',` +@@ -257,13 +274,12 @@ interface(`mailman_read_log',` type mailman_log_t; ') @@ -33766,7 +33877,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -276,14 +288,13 @@ interface(`mailman_append_log',` +@@ -276,14 +292,13 @@ interface(`mailman_append_log',` type mailman_log_t; ') @@ -33782,7 +33893,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -296,14 +307,13 @@ interface(`mailman_manage_log',` +@@ -296,14 +311,13 @@ interface(`mailman_manage_log',` type mailman_log_t; ') @@ -33798,7 +33909,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -316,7 +326,6 @@ interface(`mailman_read_archive',` +@@ -316,7 +330,6 @@ interface(`mailman_read_archive',` type mailman_archive_t; ') @@ -33806,7 +33917,7 @@ index 108c0f1..d28241c 100644 allow $1 mailman_archive_t:dir list_dir_perms; read_files_pattern($1, mailman_archive_t, mailman_archive_t) read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) -@@ -324,8 +333,7 @@ interface(`mailman_read_archive',` +@@ -324,8 +337,7 @@ interface(`mailman_read_archive',` ####################################### ## @@ -33816,7 +33927,7 @@ index 108c0f1..d28241c 100644 ## ## ## -@@ -338,6 +346,5 @@ interface(`mailman_domtrans_queue',` +@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',` type mailman_queue_exec_t, mailman_queue_t; ') @@ -33824,10 +33935,23 @@ index 108c0f1..d28241c 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..5e9f5bb 100644 +index 8eaf51b..16086a5 100644 --- a/mailman.te +++ b/mailman.te -@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) + # + # Declarations + # ++## ++##

    ++## Allow mailman to access FUSE file systems ++##

    ++##
    ++gen_tunable(mailman_use_fusefs, false) + + attribute mailman_domain; + +@@ -56,10 +62,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) logging_log_filetrans(mailman_domain, mailman_log_t, file) kernel_read_kernel_sysctls(mailman_domain) @@ -33838,7 +33962,7 @@ index 8eaf51b..5e9f5bb 100644 corenet_tcp_sendrecv_generic_if(mailman_domain) corenet_tcp_sendrecv_generic_node(mailman_domain) -@@ -82,10 +79,6 @@ fs_getattr_all_fs(mailman_domain) +@@ -82,10 +85,6 @@ fs_getattr_all_fs(mailman_domain) libs_exec_ld_so(mailman_domain) libs_exec_lib_files(mailman_domain) @@ -33849,7 +33973,7 @@ index 8eaf51b..5e9f5bb 100644 ######################################## # # CGI local policy -@@ -115,8 +108,9 @@ optional_policy(` +@@ -115,8 +114,9 @@ optional_policy(` # Mail local policy # @@ -33861,7 +33985,7 @@ index 8eaf51b..5e9f5bb 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -127,8 +121,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) +@@ -127,8 +127,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) @@ -33871,7 +33995,7 @@ index 8eaf51b..5e9f5bb 100644 dev_read_urand(mailman_mail_t) -@@ -142,6 +136,10 @@ optional_policy(` +@@ -142,6 +142,10 @@ optional_policy(` ') optional_policy(` @@ -33882,6 +34006,16 @@ index 8eaf51b..5e9f5bb 100644 cron_read_pipes(mailman_mail_t) ') +@@ -182,3 +186,9 @@ optional_policy(` + optional_policy(` + su_exec(mailman_queue_t) + ') ++ ++tunable_policy(`mailman_use_fusefs',` ++ fs_manage_fusefs_dirs(mailman_domain) ++ fs_manage_fusefs_files(mailman_domain) ++ fs_manage_fusefs_symlinks(mailman_domain) ++') diff --git a/mailscanner.if b/mailscanner.if index 0293f34..bd1d48e 100644 --- a/mailscanner.if @@ -35595,10 +35729,10 @@ index 0000000..1446e6a +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..d27f8f3 +index 0000000..67b8b3d --- /dev/null +++ b/mock.te -@@ -0,0 +1,245 @@ +@@ -0,0 +1,264 @@ +policy_module(mock,1.0.0) + +## @@ -35651,6 +35785,8 @@ index 0000000..d27f8f3 +allow mock_t self:unix_stream_socket create_stream_socket_perms; +allow mock_t self:unix_dgram_socket create_socket_perms; + ++allow mock_t mock_build_t:process { siginh noatsecure rlimitinh }; ++ +manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t) +manage_files_pattern(mock_t, mock_cache_t, mock_cache_t) +manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t) @@ -35674,7 +35810,6 @@ index 0000000..d27f8f3 +allow mock_t mock_var_lib_t:dir relabel_dir_perms; +allow mock_t mock_var_lib_t:file relabel_file_perms; + -+kernel_list_proc(mock_t) +kernel_read_irq_sysctls(mock_t) +kernel_read_system_state(mock_t) +kernel_read_network_state(mock_t) @@ -35682,6 +35817,13 @@ index 0000000..d27f8f3 +kernel_request_load_module(mock_t) +kernel_dontaudit_setattr_proc_dirs(mock_t) +kernel_read_fs_sysctls(mock_t) ++# we run mount in mock_t ++kernel_mount_proc(mock_t) ++kernel_unmount_proc(mock_t) ++ ++fs_mount_tmpfs(mock_t) ++fs_unmount_tmpfs(mock_t) ++fs_unmount_xattr_fs(mock_t) + +corecmd_exec_bin(mock_t) +corecmd_exec_shell(mock_t) @@ -35693,23 +35835,28 @@ index 0000000..d27f8f3 +corenet_tcp_connect_all_ephemeral_ports(mock_t) + +dev_read_urand(mock_t) -+dev_read_sysfs(mock_t) ++dev_rw_sysfs(mock_t) +dev_setattr_sysfs_dirs(mock_t) ++dev_mount_sysfs_fs(mock_t) ++dev_unmount_sysfs_fs(mock_t) + +domain_read_all_domains_state(mock_t) +domain_use_interactive_fds(mock_t) + +files_read_etc_runtime_files(mock_t) +files_dontaudit_list_boot(mock_t) ++files_list_isid_type_dirs(mock_t) + +fs_getattr_all_fs(mock_t) -+fs_search_all(mock_t) +fs_manage_cgroup_dirs(mock_t) -+files_list_isid_type_dirs(mock_t) ++fs_search_all(mock_t) ++fs_setattr_tmpfs_dirs(mock_t) + +selinux_get_enforce_mode(mock_t) + +term_search_ptys(mock_t) ++term_mount_pty_fs(mock_t) ++term_unmount_pty_fs(mock_t) + +auth_use_nsswitch(mock_t) + @@ -35749,17 +35896,23 @@ index 0000000..d27f8f3 +') + +optional_policy(` -+ rpm_exec(mock_t) ++ apache_read_sys_content_rw_files(mock_t) +') + +optional_policy(` -+ mount_exec(mock_t) ++ rpm_exec(mock_t) ++ rpm_manage_cache(mock_t) ++ rpm_manage_db(mock_t) ++ rpm_manage_tmp_files(mock_t) ++ rpm_read_log(mock_t) +') + +optional_policy(` -+ apache_read_sys_content_rw_files(mock_t) ++ mount_exec(mock_t) ++ mount_rw_pid_files(mock_t) +') + ++ +######################################## +# +# mock_build local policy @@ -36091,7 +36244,7 @@ index 6ffaba2..18e3a70 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..648d041 100644 +index 6194b80..116d9d2 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -36254,14 +36407,14 @@ index 6194b80..648d041 100644 - allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ mozilla_filetrans_home_content($2) - +- - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - - can_exec($2, mozilla_plugin_rw_t) -- ++ mozilla_filetrans_home_content($2) + - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') @@ -36567,7 +36720,7 @@ index 6194b80..648d041 100644 ##
    ## ## -@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -36635,6 +36788,24 @@ index 6194b80..648d041 100644 - libs_search_lib($1) - manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; ++') ++ ++####################################### ++## ++## Dontaudit generict ipc read/write to a mozilla_plugin ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_dontaudit_rw_sem',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ allow $1 mozilla_plugin_t:sem { unix_read unix_write }; ') ######################################## @@ -36687,7 +36858,7 @@ index 6194b80..648d041 100644 ##
    ## ## -@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -36712,7 +36883,7 @@ index 6194b80..648d041 100644 ##
    ## ## -@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -36788,7 +36959,7 @@ index 6194b80..648d041 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..4c1c064 100644 +index 6a306ee..8faac8d 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37047,10 +37218,10 @@ index 6a306ee..4c1c064 100644 -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -- --userdom_write_user_tmp_sockets(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) +-userdom_write_user_tmp_sockets(mozilla_t) +- -mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -37213,7 +37384,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -300,221 +308,171 @@ optional_policy(` +@@ -300,221 +308,173 @@ optional_policy(` ######################################## # @@ -37468,7 +37639,8 @@ index 6a306ee..4c1c064 100644 -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) @@ -37528,7 +37700,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -523,36 +481,47 @@ optional_policy(` +@@ -523,36 +483,47 @@ optional_policy(` ') optional_policy(` @@ -37589,7 +37761,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -560,7 +529,7 @@ optional_policy(` +@@ -560,7 +531,7 @@ optional_policy(` ') optional_policy(` @@ -37598,7 +37770,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -568,108 +537,108 @@ optional_policy(` +@@ -568,108 +539,108 @@ optional_policy(` ') optional_policy(` @@ -42621,7 +42793,7 @@ index 0e8508c..b9c69d2 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..0c6cd41 100644 +index 0b48a30..57fe60f 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -42652,7 +42824,7 @@ index 0b48a30..0c6cd41 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,24 +42,41 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -42679,6 +42851,7 @@ index 0b48a30..0c6cd41 100644 +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; +allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; ++allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_socket create_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; -allow NetworkManager_t self:tcp_socket { accept listen }; @@ -42703,7 +42876,7 @@ index 0b48a30..0c6cd41 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -@@ -68,6 +88,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -42711,7 +42884,7 @@ index 0b48a30..0c6cd41 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +102,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -42721,7 +42894,7 @@ index 0b48a30..0c6cd41 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +109,6 @@ kernel_request_load_module(NetworkManager_t) +@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) @@ -42729,7 +42902,7 @@ index 0b48a30..0c6cd41 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +119,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -42755,7 +42928,7 @@ index 0b48a30..0c6cd41 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +135,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -42769,7 +42942,7 @@ index 0b48a30..0c6cd41 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +143,16 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -42786,7 +42959,7 @@ index 0b48a30..0c6cd41 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +161,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -42799,7 +42972,7 @@ index 0b48a30..0c6cd41 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +180,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -42836,7 +43009,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -196,10 +221,6 @@ optional_policy(` +@@ -196,10 +222,6 @@ optional_policy(` ') optional_policy(` @@ -42847,7 +43020,7 @@ index 0b48a30..0c6cd41 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +231,11 @@ optional_policy(` +@@ -210,16 +232,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -42866,7 +43039,7 @@ index 0b48a30..0c6cd41 100644 ') ') -@@ -231,18 +247,19 @@ optional_policy(` +@@ -231,18 +248,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -42889,7 +43062,18 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -257,11 +274,7 @@ optional_policy(` +@@ -250,6 +268,10 @@ optional_policy(` + ipsec_kill_mgmt(NetworkManager_t) + ipsec_signal_mgmt(NetworkManager_t) + ipsec_signull_mgmt(NetworkManager_t) ++ ipsec_domtrans(NetworkManager_t) ++ ipsec_kill(NetworkManager_t) ++ ipsec_signal(NetworkManager_t) ++ ipsec_signull(NetworkManager_t) + ') + + optional_policy(` +@@ -257,11 +279,7 @@ optional_policy(` ') optional_policy(` @@ -42902,7 +43086,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -274,10 +287,17 @@ optional_policy(` +@@ -274,10 +292,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -42920,7 +43104,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -289,6 +309,7 @@ optional_policy(` +@@ -289,6 +314,7 @@ optional_policy(` ') optional_policy(` @@ -42928,7 +43112,7 @@ index 0b48a30..0c6cd41 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +317,7 @@ optional_policy(` +@@ -296,7 +322,7 @@ optional_policy(` ') optional_policy(` @@ -42937,7 +43121,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -307,6 +328,7 @@ optional_policy(` +@@ -307,6 +333,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -42945,7 +43129,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -320,13 +342,15 @@ optional_policy(` +@@ -320,13 +347,15 @@ optional_policy(` ') optional_policy(` @@ -42965,7 +43149,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -43275,7 +43459,7 @@ index 46e55c3..346242e 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3e4a31c..0d16edc 100644 +index 3e4a31c..bd8e3ff 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ @@ -43465,7 +43649,7 @@ index 3e4a31c..0d16edc 100644 sysnet_read_config(yppasswdd_t) -@@ -219,6 +215,10 @@ optional_policy(` +@@ -219,6 +215,14 @@ optional_policy(` ') optional_policy(` @@ -43473,10 +43657,14 @@ index 3e4a31c..0d16edc 100644 +') + +optional_policy(` ++ nis_use_ypbind(yppasswdd_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(yppasswdd_t) ') -@@ -234,7 +234,8 @@ optional_policy(` +@@ -234,7 +238,8 @@ optional_policy(` dontaudit ypserv_t self:capability sys_tty_config; allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:process signal_perms; @@ -43486,7 +43674,7 @@ index 3e4a31c..0d16edc 100644 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; -@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) @@ -43494,7 +43682,7 @@ index 3e4a31c..0d16edc 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) +@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -43532,7 +43720,7 @@ index 3e4a31c..0d16edc 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -310,8 +306,8 @@ optional_policy(` +@@ -310,8 +310,8 @@ optional_policy(` # ypxfr local policy # @@ -43543,7 +43731,7 @@ index 3e4a31c..0d16edc 100644 allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; -@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -43551,7 +43739,7 @@ index 3e4a31c..0d16edc 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) +@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) @@ -47517,7 +47705,7 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..e108d48 +index 0000000..f2d6119 --- /dev/null +++ b/openshift.fc @@ -0,0 +1,26 @@ @@ -47541,7 +47729,7 @@ index 0000000..e108d48 +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + +/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0) ++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0) +/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -48201,10 +48389,10 @@ index 0000000..407386d +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..45e60e5 +index 0000000..989a48d --- /dev/null +++ b/openshift.te -@@ -0,0 +1,526 @@ +@@ -0,0 +1,535 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -48301,6 +48489,8 @@ index 0000000..45e60e5 +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + ++virt_lxc_domain(openshift_initrc_t) ++ +systemd_dbus_chat_logind(openshift_initrc_t) + +manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) @@ -48369,7 +48559,10 @@ index 0000000..45e60e5 + +manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) +manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file }) ++manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file }) +can_exec(openshift_domain, openshift_tmpfs_t) + +manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) @@ -48664,7 +48857,7 @@ index 0000000..45e60e5 +# +# openshift_cron local policy +# -+allow openshift_cron_t self:capability { net_admin sys_admin }; ++allow openshift_cron_t self:capability { dac_override net_admin sys_admin }; +allow openshift_cron_t self:process signal_perms; +allow openshift_cron_t self:tcp_socket create_stream_socket_perms; +allow openshift_cron_t self:udp_socket create_socket_perms; @@ -48728,6 +48921,10 @@ index 0000000..45e60e5 +') + +optional_policy(` ++ quota_read_db(openshift_cron_t) ++') ++ ++optional_policy(` + ssh_exec_keygen(openshift_cron_t) + ssh_dontaudit_read_server_keys(openshift_cron_t) +') @@ -49123,7 +49320,7 @@ index 9b15730..14f29e4 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..3e42ef8 100644 +index 508fedf..9d7741b 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -49192,7 +49389,7 @@ index 508fedf..3e42ef8 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -57,33 +58,33 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -57,33 +58,34 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -49208,6 +49405,7 @@ index 508fedf..3e42ef8 100644 +kernel_request_load_module(openvswitch_t) corecmd_exec_bin(openvswitch_t) ++corecmd_exec_shell(openvswitch_t) +dev_read_rand(openvswitch_t) dev_read_urand(openvswitch_t) @@ -61238,10 +61436,28 @@ index cd51b96..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 76f5b39..53f9a64 100644 +index 76f5b39..8bb80a2 100644 --- a/qpid.te +++ b/qpid.te -@@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) +@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) + type qpidd_initrc_exec_t; + init_script_file(qpidd_initrc_exec_t) + ++type qpidd_tmp_t; ++files_tmp_file(qpidd_tmp_t) ++ + type qpidd_tmpfs_t; + files_tmpfs_file(qpidd_tmpfs_t) + +@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms; + allow qpidd_t self:tcp_socket { accept listen }; + allow qpidd_t self:unix_stream_socket { accept listen }; + ++manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t) ++manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t) ++files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file }) ++ + manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) @@ -61289,9 +61505,13 @@ index 76f5b39..53f9a64 100644 optional_policy(` - corosync_stream_connect(qpidd_t) -+ rhcs_stream_connect_cluster(qpidd_t) ++ kerberos_use(qpidd_t) ') + ++optional_policy(` ++ rhcs_stream_connect_cluster(qpidd_t) ++') ++ diff --git a/quantum.fc b/quantum.fc index 70ab68b..e97da31 100644 --- a/quantum.fc @@ -63122,7 +63342,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..727d60a 100644 +index 9a8f052..cffb3ca 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -63131,7 +63351,7 @@ index 9a8f052..727d60a 100644 ######################################## # -@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2) +@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; @@ -63139,6 +63359,9 @@ index 9a8f052..727d60a 100644 +application_domain(realmd_t, realmd_exec_t) +role system_r types realmd_t; + ++type realmd_tmp_t; ++files_tmp_file(realmd_tmp_t) ++ +type realmd_var_cache_t; +files_type(realmd_var_cache_t) @@ -63151,6 +63374,10 @@ index 9a8f052..727d60a 100644 allow realmd_t self:capability sys_nice; allow realmd_t self:process setsched; ++manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) ++manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) ++files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file }) ++ +manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) +manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) + @@ -63167,17 +63394,17 @@ index 9a8f052..727d60a 100644 -corenet_sendrecv_http_client_packets(realmd_t) corenet_tcp_connect_http_port(realmd_t) -corenet_tcp_sendrecv_http_port(realmd_t) ++corenet_tcp_connect_ldap_port(realmd_t) ++corenet_tcp_connect_smbd_port(realmd_t) domain_use_interactive_fds(realmd_t) - dev_read_rand(realmd_t) - dev_read_urand(realmd_t) +@@ -38,12 +47,20 @@ dev_read_urand(realmd_t) --fs_getattr_all_fs(realmd_t) + fs_getattr_all_fs(realmd_t) -files_read_usr_files(realmd_t) -+fs_getattr_all_fs(realmd_t) - +- auth_use_nsswitch(realmd_t) logging_send_syslog_msg(realmd_t) @@ -63195,7 +63422,7 @@ index 9a8f052..727d60a 100644 optional_policy(` dbus_system_domain(realmd_t, realmd_exec_t) -@@ -67,17 +76,25 @@ optional_policy(` +@@ -67,17 +84,25 @@ optional_policy(` optional_policy(` nis_exec_ypbind(realmd_t) @@ -63224,13 +63451,13 @@ index 9a8f052..727d60a 100644 ') optional_policy(` -@@ -86,5 +103,26 @@ optional_policy(` +@@ -86,5 +111,26 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) - sssd_initrc_domtrans(realmd_t) + sssd_systemctl(realmd_t) - ') ++') + +optional_policy(` + xserver_read_state_xdm(realmd_t) @@ -63249,7 +63476,7 @@ index 9a8f052..727d60a 100644 + oddjob_systemctl(realmd_consolehelper_t) + + unconfined_domain_noaudit(realmd_consolehelper_t) -+') + ') + + diff --git a/remotelogin.fc b/remotelogin.fc @@ -63506,7 +63733,7 @@ index 5421af0..91e69b8 100644 +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/rgmanager.if b/rgmanager.if -index 1c2f9aa..8af1f78 100644 +index 1c2f9aa..a4133dc 100644 --- a/rgmanager.if +++ b/rgmanager.if @@ -1,13 +1,13 @@ @@ -63630,7 +63857,7 @@ index 1c2f9aa..8af1f78 100644 init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) -@@ -121,3 +158,47 @@ interface(`rgmanager_admin',` +@@ -121,3 +158,66 @@ interface(`rgmanager_admin',` files_list_pids($1) admin_pattern($1, rgmanager_var_run_t) ') @@ -63675,9 +63902,28 @@ index 1c2f9aa..8af1f78 100644 + ') + + files_list_var_lib($1) -+ allow $1 rgmanager_var_lib_t:dir search_dir_perms; ++ allow $1 rgmanager_var_lib_t:dir search_dir_perms; + can_exec($1, rgmanager_var_lib_t) +') ++ ++###################################### ++## ++## Allow the specified domain to search rgmanager's lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rgmanager_search_lib',` ++ gen_require(` ++ type rgmanager_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ allow $1 rgmanager_var_lib_t:dir search_dir_perms; ++') diff --git a/rgmanager.te b/rgmanager.te index b418d1c..1ad9c12 100644 --- a/rgmanager.te @@ -67052,7 +67298,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..699925d 100644 +index e5212e6..427ea8c 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -67384,7 +67630,7 @@ index e5212e6..699925d 100644 userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) -+ userdom_write_user_tmp_files(gssd_t) ++ userdom_manage_user_tmp_files(gssd_t) + files_read_generic_tmp_files(gssd_t) ') @@ -67581,10 +67827,10 @@ index c49828c..a323332 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..54fe358 100644 +index ebe91fc..8dd55c5 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,69 @@ +@@ -1,61 +1,70 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) @@ -67637,6 +67883,7 @@ index ebe91fc..54fe358 100644 -/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) @@ -67699,7 +67946,7 @@ index ebe91fc..54fe358 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..dbe00f4 100644 +index 0628d50..c73d362 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -67905,13 +68152,31 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -276,14 +318,12 @@ interface(`rpm_append_log',` +@@ -276,14 +318,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete the RPM log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_read_log',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ ++ read_files_pattern($1, rpm_log_t, rpm_log_t) ') ######################################## @@ -67922,7 +68187,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -302,7 +342,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +360,7 @@ interface(`rpm_manage_log',` ######################################## ## @@ -67931,7 +68196,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -320,8 +360,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -67942,7 +68207,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -335,12 +375,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -67959,7 +68224,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -353,14 +396,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -67977,7 +68242,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -374,12 +416,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -67993,7 +68258,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -399,7 +443,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -68002,7 +68267,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -420,8 +464,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +482,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -68012,7 +68277,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -442,7 +485,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -68021,7 +68286,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -459,11 +502,12 @@ interface(`rpm_read_db',` +@@ -459,11 +520,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -68035,7 +68300,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -482,8 +526,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +544,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -68045,7 +68310,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -504,7 +547,7 @@ interface(`rpm_manage_db',` +@@ -504,7 +565,7 @@ interface(`rpm_manage_db',` ######################################## ## ## Do not audit attempts to create, read, @@ -68054,7 +68319,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -517,7 +560,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +578,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -68063,7 +68328,7 @@ index 0628d50..dbe00f4 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +586,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +604,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -68073,7 +68338,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -563,8 +605,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +623,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -68083,7 +68348,7 @@ index 0628d50..dbe00f4 100644 ## ## ## -@@ -573,94 +614,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +632,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -68187,15 +68452,15 @@ index 0628d50..dbe00f4 100644 - - files_list_var($1) - admin_pattern($1, rpm_cache_t) -- ++ typeattribute $1 rpm_transition_domain; ++ allow $1 rpm_script_t:process transition; + - files_list_tmp($1) - admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, rpm_var_lib_t) -+ typeattribute $1 rpm_transition_domain; -+ allow $1 rpm_script_t:process transition; - +- - files_search_locks($1) - admin_pattern($1, rpm_lock_t) - @@ -72193,10 +72458,10 @@ index 0000000..1b21b7b +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..449a87c +index 0000000..5a3d049 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,462 @@ +@@ -0,0 +1,463 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -72657,6 +72922,7 @@ index 0000000..449a87c + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) ++ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') diff --git a/sanlock.fc b/sanlock.fc @@ -72813,7 +73079,7 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index a34eac4..114c9d2 100644 +index a34eac4..25ad7ec 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -72947,12 +73213,13 @@ index a34eac4..114c9d2 100644 ') optional_policy(` -@@ -100,7 +117,7 @@ optional_policy(` +@@ -100,7 +117,8 @@ optional_policy(` ') optional_policy(` - virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) ++ virt_kill(sanlock_t) virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) @@ -81326,10 +81593,10 @@ index 0000000..bfcd2c7 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..aaf768a +index 0000000..49cd645 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,137 @@ +@@ -0,0 +1,138 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -81424,6 +81691,7 @@ index 0000000..aaf768a +userdom_dontaudit_setattr_user_tmp(thumb_t) +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) ++userdom_exec_user_home_content_files(thumb_t) +userdom_write_user_tmp_files(thumb_t) +userdom_read_home_audio_files(thumb_t) +userdom_home_reader(thumb_t) @@ -82357,7 +82625,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..0bd0be9 100644 +index 7116181..a6bd365 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -82370,9 +82638,12 @@ index 7116181..0bd0be9 100644 type tuned_var_run_t; files_pid_file(tuned_var_run_t) -@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t) +@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t) + # Local policy + # - allow tuned_t self:capability { sys_admin sys_nice }; +-allow tuned_t self:capability { sys_admin sys_nice }; ++allow tuned_t self:capability { sys_admin sys_nice sys_rawio }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; +allow tuned_t self:process { setsched signal }; @@ -82403,7 +82674,7 @@ index 7116181..0bd0be9 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +74,48 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +74,52 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -82415,10 +82686,10 @@ index 7116181..0bd0be9 100644 files_dontaudit_search_home(tuned_t) -files_dontaudit_list_tmp(tuned_t) +files_list_tmp(tuned_t) -+ -+fs_getattr_all_fs(tuned_t) -fs_getattr_xattr_fs(tuned_t) ++fs_getattr_all_fs(tuned_t) ++ +auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) @@ -82435,6 +82706,10 @@ index 7116181..0bd0be9 100644 + dbus_connect_system_bus(tuned_t) +') + ++optional_policy(` ++ dmidecode_domtrans(tuned_t) ++') ++ +# to allow disk tuning +optional_policy(` fstools_domtrans(tuned_t) @@ -84055,7 +84330,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..b991ec7 100644 +index 9dec06c..fa2c674 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -85335,32 +85610,47 @@ index 9dec06c..b991ec7 100644 ######################################## ## -## Read virt image files. -+## Send a signal to virtual machines ++## Send a sigkill to virtd daemon. ## ## ## -@@ -995,36 +867,17 @@ interface(`virt_search_images',` +@@ -995,36 +867,35 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_kill',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -- ') -- ++ type virtd_t; + ') + - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -- ++ allow $1 virtd_t:process sigkill; ++') + - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) ++######################################## ++## ++## Send a signal to virtual machines ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_signal_svirt',` ++ gen_require(` + attribute virt_domain; ') @@ -85380,7 +85670,7 @@ index 9dec06c..b991ec7 100644 ## ## ## -@@ -1032,58 +885,57 @@ interface(`virt_read_images',` +@@ -1032,58 +903,57 @@ interface(`virt_read_images',` ## ## # @@ -85460,7 +85750,7 @@ index 9dec06c..b991ec7 100644 ## ## ## -@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -85479,16 +85769,16 @@ index 9dec06c..b991ec7 100644 - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") - +- - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') -- ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) @@ -85553,14 +85843,6 @@ index 9dec06c..b991ec7 100644 - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) -- -- init_labeled_script_domtrans($1, virtd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 virtd_initrc_exec_t system_r; -- allow $2 system_r; -- -- fs_search_tmpfs($1) -- admin_pattern($1, virt_tmpfs_type) + type $1_t, svirt_lxc_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) @@ -85568,9 +85850,33 @@ index 9dec06c..b991ec7 100644 + mcs_constrained($1_t) + role system_r types $1_t; +- init_labeled_script_domtrans($1, virtd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 virtd_initrc_exec_t system_r; +- allow $2 system_r; ++ kernel_read_system_state($1_t) ++') + +- fs_search_tmpfs($1) +- admin_pattern($1, virt_tmpfs_type) ++######################################## ++## ++## Make the specified type usable as a lxc domain ++## ++## ++## ++## Type to be used as a lxc domain ++## ++## ++# ++template(`virt_lxc_domain',` ++ gen_require(` ++ attribute svirt_lxc_domain; ++ ') + - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ kernel_read_system_state($1_t) ++ typeattribute $1 svirt_lxc_domain; +') - files_search_etc($1) @@ -85655,7 +85961,7 @@ index 9dec06c..b991ec7 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..e780b1b 100644 +index 1f22fba..64e638c 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -86524,7 +86830,7 @@ index 1f22fba..e780b1b 100644 +# virtual domains common policy +# +allow virt_domain self:capability2 compromise_kernel; -+allow virt_domain self:process { setrlimit signal_perms getsched }; ++allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket create_stream_socket_perms; @@ -87957,10 +88263,17 @@ index 1e3aec0..d17ff39 100644 + ') diff --git a/wdmd.te b/wdmd.te -index ebbdaf6..956f8f0 100644 +index ebbdaf6..144c0e7 100644 --- a/wdmd.te +++ b/wdmd.te -@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t) +@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t) + dev_read_watchdog(wdmd_t) + dev_write_watchdog(wdmd_t) + ++fs_getattr_all_fs(wdmd_t) + fs_read_anon_inodefs_files(wdmd_t) + + auth_use_nsswitch(wdmd_t) logging_send_syslog_msg(wdmd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index b22aa16..97e7a85 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 23%{?dist} +Release: 26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,93 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 5 2013 Miroslav Grepl 3.12.1-26 +- Try to label on controlC devices up to 30 correctly +- Add mount_rw_pid_files() interface +- Add additional mount/umount interfaces needed by mock +- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk +- Fix tabs +- Allow initrc_domain to search rgmanager lib files +- Add more fixes which make mock working together with confined users + * Allow mock_t to manage rpm files + * Allow mock_t to read rpm log files + * Allow mock to setattr on tmpfs, devpts + * Allow mount/umount filesystems +- Add rpm_read_log() interface +- yum-cron runs rpm from within it. +- Allow tuned to transition to dmidecode +- Allow firewalld to do net_admin +- Allow mock to unmont tmpfs_t +- Fix virt_sigkill() interface +- Add additional fixes for mock. Mainly caused by mount running in mock_t +- Allow mock to write sysfs_t and mount pid files +- Add mailman_domain to mailman_template() +- Allow openvswitch to execute shell +- Allow qpidd to use kerberos +- Allow mailman to use fusefs, needs back port to RHEL6 +- Allow apache and its scripts to use anon_inodefs +- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 +- Realmd needs to connect to samba ports, needs back port to F18 also +- Allow colord to read /run/initial-setup- +- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock +- Add virt_kill() interface +- Add rgmanager_search_lib() interface +- Allow wdmd to getattr on all filesystems. Back ported from RHEL6 + +* Tue Apr 2 2013 Miroslav Grepl 3.12.1-25 +- Allow realmd to create tmp files +- FIx ircssi_home_t type to irssi_home_t +- Allow adcli running as realmd_t to connect to ldap port +- Allow NetworkManager to transition to ipsec_t, for running strongswan +- Make openshift_initrc_t an lxc_domain +- Allow gssd to manage user_tmp_t files +- Fix handling of irclogs in users homedir +- Fix labeling for drupal an wp-content in subdirs of /var/www/html +- Allow abrt to read utmp_t file +- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 +- fix labeling for (oo|rhc)-restorer-wrapper.sh +- firewalld needs to be able to write to network sysctls +- Fix mozilla_plugin_dontaudit_rw_sem() interface +- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains +- Add mozilla_plugin_dontaudit_rw_sem() interface +- Allow svirt_lxc_t to transition to openshift domains +- Allow condor domains block_suspend and dac_override caps +- Allow condor_master to read passd +- Allow condor_master to read system state +- Allow NetworkManager to transition to ipsec_t, for running strongswan +- Lots of access required by lvm_t to created encrypted usb device +- Allow xdm_t to dbus communicate with systemd_localed_t +- Label strongswan content as ipsec_exec_mgmt_t for now +- Allow users to dbus chat with systemd_localed +- Fix handling of .xsession-errors in xserver.if, so kde will work +- Might be a bug but we are seeing avc's about people status on init_t:service +- Make sure we label content under /var/run/lock as <> +- Allow daemon and systemprocesses to search init_var_run_t directory +- Add boolean to allow xdm to write xauth data to the home directory +- Allow mount to write keys for the unconfined domain + +* Tue Mar 26 2013 Miroslav Grepl 3.12.1-24 +- Add labeling for /usr/share/pki +- Allow programs that read var_run_t symlinks also read var_t symlinks +- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports +- Fix labeling for /etc/dhcp directory +- add missing systemd_stub_unit_file() interface +- Add files_stub_var() interface +- Add lables for cert_t directories +- Make localectl set-x11-keymap working at all +- Allow abrt to manage mock build environments to catch build problems. +- Allow virt_domains to setsched for running gdb on itself +- Allow thumb_t to execute user home content +- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 +- Allow certwatch to execut /usr/bin/httpd +- Allow cgred to send signal perms to itself, needs back port to RHEL6 +- Allow openshift_cron_t to look at quota +- Allow cups_t to read inhered tmpfs_t from the kernel +- Allow yppasswdd to use NIS +- Tuned wants sys_rawio capability +- Add ftpd_use_fusefs boolean +- Allow dirsrvadmin_t to signal itself + * Wed Mar 20 2013 Miroslav Grepl 3.12.1-23 - Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""