diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index dcd7c99..e04a90c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -39874,7 +39874,7 @@ index b50c5fe..9eacd9b 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..e82be7a 100644 +index 4e94884..7b39545 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -39970,18 +39970,11 @@ index 4e94884..e82be7a 100644 gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + typeattribute $1 syslog_client_type; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Connect to the syslog control unix stream socket. @@ -39996,11 +39989,7 @@ index 4e94884..e82be7a 100644 + gen_require(` + type devlog_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 devlog_t:lnk_file manage_lnk_file_perms; + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") 
@@ -40021,12 +40010,19 @@ index 4e94884..e82be7a 100644 +interface(`logging_relabel_devlog_dev',` + gen_require(` + type devlog_t; -+ ') -+ + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 devlog_t:sock_file relabel_sock_file_perms; + allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Allow domain to read the syslog pid files. @@ -40041,7 +40037,11 @@ index 4e94884..e82be7a 100644 + gen_require(` + type syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') @@ -40388,7 +40388,7 @@ index 4e94884..e82be7a 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1443,107 @@ interface(`logging_admin',` +@@ -1085,3 +1443,110 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -40496,7 +40496,9 @@ index 4e94884..e82be7a 100644 + ') + + allow $1 syslogd_var_run_t:file map; -\ No newline at end of file ++ ++') ++ diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 59b04c1..2ad89c5 100644 --- a/policy/modules/system/logging.te @@ -56368,10 +56370,10 @@ index f4ac38d..1589d60 100644 + ssh_signal(confined_admindomain) +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities -index db3cbca..e677b81 100644 +index db3cbca..710bd7c 100644 --- a/policy/policy_capabilities 
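Review bot: The new side closes the interface with a blank line between `allow $1 syslogd_var_run_t:file map;` and `')`, which differs from every other interface visible in this file (`list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)` is followed directly by `')` in the hunk above); for consistency drop that first `++` blank so the block ends `allow $1 syslogd_var_run_t:file map;` / `')`. If that line goes, the inner hunk header refreshed in the preceding hunk (`+@@ -1085,3 +1443,110 @@`) has to become `+1443,109`, otherwise `patch` rejects the refreshed hunk for a line-count mismatch. The `interface(` line and most of the gen_require of this block start before the hunk, so I cannot confirm which interface this is.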
+++ b/policy/policy_capabilities -@@ -31,3 +31,12 @@ policycap network_peer_controls; +@@ -31,3 +31,14 @@ policycap network_peer_controls; # blk_file: open # policycap open_perms; @@ -56384,7 +56386,8 @@ index db3cbca..e677b81 100644 +# process2: nnp_transition, nosuid_transition +# +#policycap nnp_nosuid_transition; -\ No newline at end of file ++ ++ diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d545..101086d 100644 --- a/policy/support/misc_patterns.spt diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c14c291..1dd75a9 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -23432,7 +23432,7 @@ index 62d22cb..01f6380 100644 + ') diff --git a/dbus.te b/dbus.te -index c9998c8..b3f7ab2 100644 +index c9998c8..b697f66 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23559,7 +23559,7 @@ index c9998c8..b3f7ab2 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +124,174 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +124,175 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23743,12 +23743,13 @@ index c9998c8..b3f7ab2 100644 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) -files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir }) ++userdom_user_tmp_filetrans(session_bus_type, sessions_dbusd_tmp_t, { file dir }) -kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +300,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +301,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) 
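Review bot: The added `userdom_user_tmp_filetrans(session_bus_type, sessions_dbusd_tmp_t, { file dir })` names `sessions_dbusd_tmp_t`, while the adjacent `manage_files_pattern` and `files_tmp_filetrans` lines use `session_dbusd_tmp_t`. Unless a type of that name is declared elsewhere in dbus.te, checkpolicy will reject the module for an undeclared type; and if it is declared, files a session bus creates under a user tmp directory would land in a type that none of the visible rules let session_bus_type manage. The fix is the one-character change `userdom_user_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })`. The session_bus_type rule block this sits in starts before and continues after the hunk.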
@@ -23773,7 +23774,7 @@ index c9998c8..b3f7ab2 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type)
-@@ -215,7 +319,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +320,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type)
@@ -23781,7 +23782,7 @@ index c9998c8..b3f7ab2 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type)
-@@ -225,18 +328,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +329,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type)
@@ -23823,7 +23824,7 @@ index c9998c8..b3f7ab2 100644 ') ########################################
-@@ -244,5 +365,9 @@ optional_policy(`
+@@ -244,5 +366,9 @@ optional_policy(` # Unconfined access to this module #