diff --git a/container-selinux.tgz b/container-selinux.tgz index 930b000..09d36e2 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 800ac4a..2487a9f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2760,10 +2760,10 @@ index 0960199..2e75ec7 100644 + manage_files_pattern($1, sudo_db_t, sudo_db_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..5c4a213 100644 +index d9fce57..8a18a54 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,110 @@ attribute sudodomain; +@@ -7,3 +7,111 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -2868,6 +2868,7 @@ index d9fce57..5c4a213 100644 + + optional_policy(` + systemd_dbus_chat_logind(sudodomain) ++ init_getpgid(sudodomain) + ') +') + @@ -10185,7 +10186,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..990ecf3 100644 +index cf04cb5..43876e0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10341,7 +10342,7 @@ index cf04cb5..990ecf3 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +237,380 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +237,382 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -10558,7 +10559,9 @@ index cf04cb5..990ecf3 100644 + +optional_policy(` + sysnet_filetrans_named_content(named_filetrans_domain) -+ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) ++ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) ++ sysnet_filetrans_named_content(unconfined_domain_type) ++ sysnet_filetrans_named_content_ifconfig(unconfined_domain_type) +') + +optional_policy(` @@ -17938,7 +17941,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..b204e90 100644 +index 8416beb..ca45838 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18437,7 +18440,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',` +@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',` ## ## # @@ -18543,7 +18546,6 @@ index 8416beb..b204e90 100644 -# -interface(`fs_exec_fusefs_files',` - gen_require(` -- type fusefs_t; +## +##

+## Execute a file on a FUSE filesystem @@ -18577,34 +18579,86 @@ index 8416beb..b204e90 100644 +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) ++') ++ ++######################################## ++##

++## Mount a FUSE filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_fusefs',` ++ gen_require(` + type fusefs_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 ecryptfs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, ecryptfs_t, $2) ++ allow $1 fusefs_t:filesystem mount; ') ######################################## ## -## Create, read, write, and delete files --## on a FUSEFS filesystem. -+## Mount a FUSE filesystem. ++## Unmount a FUSE filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:filesystem unmount; ++') ++ ++######################################## ++## ++## Mounton a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir mounton; ++') ++ ++######################################## ++## ++## Search directories + ## on a FUSEFS filesystem. ## ## - ## - ## Domain allowed access. - ## +@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',` ## --## + ## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_mount_fusefs',` ++interface(`fs_search_fusefs',` gen_require(` type fusefs_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:filesystem mount; ++ allow $1 fusefs_t:dir search_dir_perms; ') ######################################## @@ -18612,96 +18666,79 @@ index 8416beb..b204e90 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Unmount a FUSE filesystem. ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',` ## ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_unmount_fusefs',` ++interface(`fs_dontaudit_list_fusefs',` gen_require(` type fusefs_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 fusefs_t:filesystem unmount; ++ dontaudit $1 fusefs_t:dir list_dir_perms; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Mounton a FUSEFS filesystem. ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ## ## ## -@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## Domain allowed access. ## ## ++## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_mounton_fusefs',` ++interface(`fs_manage_fusefs_dirs',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir mounton; ++ allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Search directories ++## Do not audit attempts to create, read, ++## write, and delete directories +## on a FUSEFS filesystem. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -+## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_search_fusefs',` ++interface(`fs_dontaudit_manage_fusefs_dirs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem getattr; -+ allow $1 fusefs_t:dir search_dir_perms; ++ dontaudit $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## -## List hugetlbfs. -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. ++## Read, a FUSEFS filesystem. ## ## ## @@ -18711,40 +18748,20 @@ index 8416beb..b204e90 100644 +## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_manage_fusefs_dirs',` ++interface(`fs_read_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ allow $1 fusefs_t:dir manage_dir_perms; ++ read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Manage hugetlbfs dirs. -+## Do not audit attempts to create, read, -+## write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Read, a FUSEFS filesystem. ++## Execute files on a FUSEFS filesystem. ## ## ## @@ -18754,37 +18771,38 @@ index 8416beb..b204e90 100644 +## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_read_fusefs_files',` ++interface(`fs_exec_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ read_files_pattern($1, fusefs_t, fusefs_t) ++ exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Read and write hugetlbfs files. -+## Execute files on a FUSEFS filesystem. ++## Make general progams in FUSEFS an entrypoint for ++## the specified domain. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## The domain for which fusefs_t is an entrypoint. ## ## -+## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_exec_fusefs_files',` ++interface(`fs_fusefs_entry_type',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ exec_files_pattern($1, fusefs_t, fusefs_t) ++ domain_entry_file($1, fusefs_t) ') ######################################## @@ -18802,93 +18820,94 @@ index 8416beb..b204e90 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_fusefs_entry_type',` ++interface(`fs_fusefs_entrypoint',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ domain_entry_file($1, fusefs_t) ++ allow $1 fusefs_t:file entrypoint; ') ######################################## ## -## Search inotifyfs filesystem. -+## Make general progams in FUSEFS an entrypoint for -+## the specified domain. ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## The domain for which fusefs_t is an entrypoint. + ## Domain allowed access. ## ## ++## # -interface(`fs_search_inotifyfs',` -+interface(`fs_fusefs_entrypoint',` ++interface(`fs_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ allow $1 fusefs_t:file entrypoint; ++ manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## List inotifyfs filesystem. -+## Create, read, write, and delete files ++## Do not audit attempts to create, ++## read, write, and delete files +## on a FUSEFS filesystem. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -+## # -interface(`fs_list_inotifyfs',` -+interface(`fs_manage_fusefs_files',` ++interface(`fs_dontaudit_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ manage_files_pattern($1, fusefs_t, fusefs_t) ++ dontaudit $1 fusefs_t:file manage_file_perms; ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Do not audit attempts to create, -+## read, write, and delete files -+## on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. ## ## ## -@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_read_fusefs_symlinks',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 fusefs_t:file manage_file_perms; ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Read symbolic links on a FUSEFS filesystem. ++## Manage symbolic links on a FUSEFS filesystem. ## ## ## @@ -18897,27 +18916,6 @@ index 8416beb..b204e90 100644 ## -## +# -+interface(`fs_read_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## -+## Manage symbolic links on a FUSEFS filesystem. -+## -+## - ## --## The type of the object to be created. -+## Domain allowed access. - ## - ## --## -+# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` + type fusefs_t; @@ -18952,73 +18950,68 @@ index 8416beb..b204e90 100644 +## +## ## --## The object class of the object being created. +-## The type of the object to be created. +## Domain allowed to transition. ## ## --## +-## +## ## --## The name of the object being created. +-## The object class of the object being created. +## The type of the new process. ## ## - # --interface(`fs_hugetlbfs_filetrans',` +-## ++# +interface(`fs_fusefs_domtrans',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++ ') ++ + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) - ') - - ######################################## - ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Get the attributes of a FUSEFS filesystem. - ## - ## ++## ++## ## - ## Domain allowed access. +-## The name of the object being created. ++## Domain allowed access. ## ## +## # --interface(`fs_mount_iso9660_fs',` +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_getattr_fusefs',` gen_require(` -- type iso9660_t; +- type hugetlbfs_t; + type fusefs_t; ') -- allow $1 iso9660_t:filesystem mount; +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + allow $1 fusefs_t:filesystem getattr; ') ######################################## ## --## Remount an iso9660 filesystem, which --## is usually used on CDs. This allows --## some mount options to be changed. +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Get the attributes of an hugetlbfs +## filesystem. ## ## ## -@@ -2234,18 +2588,701 @@ interface(`fs_mount_iso9660_fs',` +@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # --interface(`fs_remount_iso9660_fs',` +-interface(`fs_mount_iso9660_fs',` +interface(`fs_getattr_hugetlbfs',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type hugetlbfs_t; + ') + @@ -19678,29 +19671,36 @@ index 8416beb..b204e90 100644 +## +# +interface(`fs_read_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type cgroup_t; + -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem mount; + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Write kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',` + ## + ## + # +-interface(`fs_remount_iso9660_fs',` +interface(`fs_write_kdbus_files', ` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; ') @@ -20110,42 +20110,11 @@ index 8416beb..b204e90 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3224,30 +4439,120 @@ interface(`fs_search_nfsd_fs',` - type nfsd_fs_t; - ') - -- allow $1 nfsd_fs_t:dir search_dir_perms; -+ allow $1 nfsd_fs_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List NFS server directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_list_nfsd_fs',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ -+ allow $1 nfsd_fs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Getattr files on an nfsd filesystem -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +@@ -3255,17 +4470,107 @@ interface(`fs_list_nfsd_fs',` + ## + ## + # +-interface(`fs_getattr_nfsd_files',` +interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; @@ -20206,48 +20175,36 @@ index 8416beb..b204e90 100644 + ') + + getattr_files_pattern($1, nsfs_t, nsfs_t) - ') - --######################################## ++') ++ +####################################### - ## --## List NFS server directories. ++## +## Read nsfs inodes (e.g. /proc/pid/ns/uts) - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`fs_list_nfsd_fs',` ++## ++# +interface(`fs_read_nsfs_files',` - gen_require(` -- type nfsd_fs_t; -- ') ++ gen_require(` + type nsfs_t; + ') - -- allow $1 nfsd_fs_t:dir list_dir_perms; ++ + allow $1 nsfs_t:file read_file_perms; - ') - --######################################## ++') ++ +####################################### - ## --## Getattr files on an nfsd filesystem ++## +## Read and write nsfs inodes (e.g. /proc/pid/ns/uts) - ## - ## - ## -@@ -3255,17 +4560,17 @@ interface(`fs_list_nfsd_fs',` - ## - ## - # --interface(`fs_getattr_nfsd_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_rw_nsfs_files',` gen_require(` - type nfsd_fs_t; @@ -20280,7 +20237,32 @@ index 8416beb..b204e90 100644 ') ######################################## -@@ -3392,7 +4697,7 @@ interface(`fs_search_ramfs',` +@@ -3301,6 +4606,24 @@ interface(`fs_associate_ramfs',` + + ######################################## + ## ++## Allow the type to associate to proc filesystems. ++## ++## ++## ++## The type of the object to be associated. ++## ++## ++# ++interface(`fs_associate_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ allow $1 proc_t:filesystem associate; ++') ++ ++######################################## ++## + ## Mount a RAM filesystem. + ## + ## +@@ -3392,7 +4715,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20289,7 +20271,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3429,7 +4734,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4752,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20298,7 +20280,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3447,7 +4752,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4770,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20307,7 +20289,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3779,6 +5084,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5102,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20332,7 +20314,7 @@ index 8416beb..b204e90 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5138,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5156,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20357,7 +20339,7 @@ index 8416beb..b204e90 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5249,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5267,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20366,7 +20348,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3916,17 +5257,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5275,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20387,7 +20369,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3934,17 +5275,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5293,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20408,7 +20390,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3952,17 +5293,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5311,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20448,7 +20430,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -3970,31 +5330,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5348,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20504,7 +20486,7 @@ index 8416beb..b204e90 100644 ') ######################################## -@@ -4057,23 +5434,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5452,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20681,7 +20663,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4081,18 +5605,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5623,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20704,7 +20686,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4100,54 +5624,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5642,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20771,7 +20753,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4155,17 +5678,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5696,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -20793,7 +20775,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4173,17 +5697,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5715,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20815,7 +20797,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4191,37 +5716,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5734,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -20861,7 +20843,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4229,18 +5753,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5771,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20883,7 +20865,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4248,18 +5772,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5790,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20907,7 +20889,7 @@ index 8416beb..b204e90 100644 ## ## ## -@@ -4267,32 +5792,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5810,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20946,7 +20928,7 @@ index 8416beb..b204e90 100644 ') ######################################## -@@ -4407,6 +5931,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5949,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20972,7 +20954,7 @@ index 8416beb..b204e90 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6046,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6064,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20981,7 +20963,7 @@ index 8416beb..b204e90 100644 ') ######################################## -@@ -4549,7 +6094,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6112,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20990,7 +20972,7 @@ index 8416beb..b204e90 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6141,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6159,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21017,7 +20999,7 @@ index 8416beb..b204e90 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6236,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6254,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21043,7 +21025,7 @@ index 8416beb..b204e90 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6496,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6514,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -37476,7 +37458,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..6e568f7 100644 +index 17eda24..e33db3f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37707,11 +37689,12 @@ index 17eda24..6e568f7 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +262,72 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +262,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) +fs_read_efivarfs_files(init_t) ++fs_read_nfsd_files(init_t) + +fstools_getattr_swap_files(init_t) + @@ -37785,7 +37768,7 @@ index 17eda24..6e568f7 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +336,267 @@ ifdef(`distro_gentoo',` +@@ -186,29 +337,271 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37840,14 +37823,13 @@ index 17eda24..6e568f7 100644 + +optional_policy(` + ipa_delete_tmp(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + rpm_read_db(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) +') @@ -37864,6 +37846,10 @@ index 17eda24..6e568f7 100644 + mta_manage_aliases(init_t) +') + ++optional_policy(` ++ systemd_allow_mount_dir(init_t) ++') ++ +allow init_t self:system all_system_perms; +allow init_t self:unix_dgram_socket { create_socket_perms sendto }; +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec }; @@ -38021,13 +38007,14 @@ index 17eda24..6e568f7 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -38035,10 +38022,9 @@ index 17eda24..6e568f7 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -38055,14 +38041,15 @@ index 17eda24..6e568f7 100644 + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +604,30 @@ optional_policy(` +@@ -216,7 +609,30 @@ optional_policy(` ') optional_policy(` @@ -38094,7 +38081,7 @@ index 17eda24..6e568f7 100644 ') ######################################## -@@ -225,9 +636,9 @@ optional_policy(` +@@ -225,9 +641,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38106,7 +38093,7 @@ index 17eda24..6e568f7 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +669,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +674,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38123,7 +38110,7 @@ index 17eda24..6e568f7 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +694,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +699,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38166,7 +38153,7 @@ index 17eda24..6e568f7 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +731,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +736,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38178,7 +38165,7 @@ index 17eda24..6e568f7 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +743,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +748,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38189,7 +38176,7 @@ index 17eda24..6e568f7 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +754,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +759,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38199,7 +38186,7 @@ index 17eda24..6e568f7 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +763,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +768,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38207,7 +38194,7 @@ index 17eda24..6e568f7 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +770,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +775,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38215,7 +38202,7 @@ index 17eda24..6e568f7 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +778,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +783,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38233,7 +38220,7 @@ index 17eda24..6e568f7 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +796,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +801,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38247,7 +38234,7 @@ index 17eda24..6e568f7 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +811,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +816,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38261,7 +38248,7 @@ index 17eda24..6e568f7 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +824,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +829,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38272,7 +38259,7 @@ index 17eda24..6e568f7 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +837,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +842,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38280,7 +38267,7 @@ index 17eda24..6e568f7 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +856,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +861,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38304,7 +38291,7 @@ index 17eda24..6e568f7 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +889,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +894,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38312,7 +38299,7 @@ index 17eda24..6e568f7 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +923,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +928,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38323,7 +38310,7 @@ index 17eda24..6e568f7 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +947,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +952,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38332,7 +38319,7 @@ index 17eda24..6e568f7 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +962,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +967,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38340,7 +38327,7 @@ index 17eda24..6e568f7 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +983,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +988,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38348,7 +38335,7 @@ index 17eda24..6e568f7 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +993,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +998,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38393,7 +38380,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -559,14 +1038,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1043,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38425,7 +38412,7 @@ index 17eda24..6e568f7 100644 ') ') -@@ -577,6 +1073,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1078,39 @@ ifdef(`distro_suse',` ') ') @@ -38465,7 +38452,7 @@ index 17eda24..6e568f7 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1118,8 @@ optional_policy(` +@@ -589,6 +1123,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38474,7 +38461,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -610,6 +1141,7 @@ optional_policy(` +@@ -610,6 +1146,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38482,7 +38469,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -626,6 +1158,17 @@ optional_policy(` +@@ -626,6 +1163,17 @@ optional_policy(` ') optional_policy(` @@ -38500,7 +38487,7 @@ index 17eda24..6e568f7 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1185,13 @@ optional_policy(` +@@ -642,9 +1190,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38514,7 +38501,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -657,15 +1204,11 @@ optional_policy(` +@@ -657,15 +1209,11 @@ optional_policy(` ') optional_policy(` @@ -38532,7 +38519,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -686,6 +1229,15 @@ optional_policy(` +@@ -686,6 +1234,15 @@ optional_policy(` ') optional_policy(` @@ -38548,7 +38535,7 @@ index 17eda24..6e568f7 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1278,7 @@ optional_policy(` +@@ -726,6 +1283,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38556,7 +38543,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -743,7 +1296,13 @@ optional_policy(` +@@ -743,7 +1301,13 @@ optional_policy(` ') optional_policy(` @@ -38571,7 +38558,7 @@ index 17eda24..6e568f7 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1325,10 @@ optional_policy(` +@@ -766,6 +1330,10 @@ optional_policy(` ') optional_policy(` @@ -38582,7 +38569,7 @@ index 17eda24..6e568f7 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1338,20 @@ optional_policy(` +@@ -775,10 +1343,20 @@ optional_policy(` ') optional_policy(` @@ -38603,7 +38590,7 @@ index 17eda24..6e568f7 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1360,10 @@ optional_policy(` +@@ -787,6 +1365,10 @@ optional_policy(` ') optional_policy(` @@ -38614,7 +38601,7 @@ index 17eda24..6e568f7 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1385,6 @@ optional_policy(` +@@ -808,8 +1390,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38623,7 +38610,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -818,6 +1393,10 @@ optional_policy(` +@@ -818,6 +1398,10 @@ optional_policy(` ') optional_policy(` @@ -38634,7 +38621,7 @@ index 17eda24..6e568f7 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1406,12 @@ optional_policy(` +@@ -827,10 +1411,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38647,7 +38634,7 @@ index 17eda24..6e568f7 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1438,62 @@ optional_policy(` +@@ -857,21 +1443,62 @@ optional_policy(` ') optional_policy(` @@ -38711,7 +38698,7 @@ index 17eda24..6e568f7 100644 ') optional_policy(` -@@ -887,6 +1509,10 @@ optional_policy(` +@@ -887,6 +1514,10 @@ optional_policy(` ') optional_policy(` @@ -38722,7 +38709,7 @@ index 17eda24..6e568f7 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1523,218 @@ optional_policy(` +@@ -897,3 +1528,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -46276,7 +46263,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..1c74c66 100644 +index 2cea692..e3cb4f2 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -46647,7 +46634,7 @@ index 2cea692..1c74c66 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +970,13 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,14 +970,23 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -46661,7 +46648,17 @@ index 2cea692..1c74c66 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +1005,6 @@ interface(`sysnet_use_ldap',` + avahi_stream_connect($1) + ') + ++ optional_policy(` ++ dbus_stream_connect_system_dbusd($1) ++ ') ++ + optional_policy(` + nscd_use($1) + ') +@@ -750,8 +1009,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -46670,7 +46667,7 @@ index 2cea692..1c74c66 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -760,9 +1013,14 @@ interface(`sysnet_use_ldap',` +@@ -760,9 +1017,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) @@ -46685,7 +46682,7 @@ index 2cea692..1c74c66 100644 ') ######################################## -@@ -784,7 +1042,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +1046,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -46693,7 +46690,7 @@ index 2cea692..1c74c66 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1053,144 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1057,144 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -47331,10 +47328,10 @@ index 0000000..fc4c791 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..16cd1ac +index 0000000..86e3d01 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1763 @@ +@@ -0,0 +1,1803 @@ +## SELinux policy for systemd components + +###################################### @@ -49098,12 +49095,52 @@ index 0000000..16cd1ac + allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; + files_etc_filetrans($1, systemd_hwdb_etc_t, file) +') ++ ++######################################## ++## ++## Allow process to mount directory configured in a ++## systemd unit as ReadWriteDirectory or ReadOnlyDirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_allow_mount_dir',` ++ gen_require(` ++ attribute systemd_mount_directory; ++ ') ++ ++ allow $1 systemd_mount_directory:dir mounton; ++') ++ ++######################################## ++## ++## Mark the following type as mountable by systemd. ++## ++## ++## ++## Type to be authorized to be mounted ++## ++## ++## ++# ++interface(`systemd_mount_dir',` ++ gen_require(` ++ attribute systemd_mount_directory; ++ ') ++ ++ files_type($1) ++ typeattribute $1 systemd_mount_directory; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..bd6672d +index 0000000..eff9e73 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,971 @@ +@@ -0,0 +1,972 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49114,6 +49151,7 @@ index 0000000..bd6672d +attribute systemd_unit_file_type; +attribute systemd_domain; +attribute systemctl_domain; ++attribute systemd_mount_directory; + +systemd_domain_template(systemd_logger) +systemd_domain_template(systemd_logind) @@ -51490,7 +51528,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..af8711d 100644 +index 9dc60c6..adc5f75 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -52659,15 +52697,18 @@ index 9dc60c6..af8711d 100644 ############################## # # Local policy -@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1195,142 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # -+ kernel_stream_connect($1_usertype) ++ allow $1_usertype self:cap_userns { sys_admin sys_chroot }; ++ allow $1_usertype self:dir { add_name write }; - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) -- ++ kernel_stream_connect($1_usertype) ++ fs_associate_proc($1_usertype) + - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) @@ -52679,6 +52720,7 @@ index 9dc60c6..af8711d 100644 + dev_read_rand($1_usertype) - logging_send_syslog_msg($1_t) +- logging_dontaudit_send_audit_msgs($1_t) + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) @@ -52686,6 +52728,7 @@ index 9dc60c6..af8711d 100644 + libs_dontaudit_setattr_lib_files($1_usertype) + + init_read_state($1_usertype) ++ init_signal($1_usertype) + + tunable_policy(`selinuxuser_rw_noexattrfile',` + dev_rw_usbfs($1_t) @@ -52700,7 +52743,7 @@ index 9dc60c6..af8711d 100644 + ') + + logging_send_syslog_msg($1_t) - logging_dontaudit_send_audit_msgs($1_t) ++ logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) @@ -52748,25 +52791,25 @@ index 9dc60c6..af8711d 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') @@ -52811,7 +52854,7 @@ index 9dc60c6..af8711d 100644 ') ####################################### -@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1364,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -52849,7 +52892,7 @@ index 9dc60c6..af8711d 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1401,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -52923,7 +52966,7 @@ index 9dc60c6..af8711d 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1466,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -52934,7 +52977,7 @@ index 9dc60c6..af8711d 100644 ') ') -@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1504,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -52945,7 +52988,7 @@ index 9dc60c6..af8711d 100644 ') ############################## -@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1522,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -52953,7 +52996,7 @@ index 9dc60c6..af8711d 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1533,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -52970,7 +53013,7 @@ index 9dc60c6..af8711d 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1550,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -52979,7 +53022,7 @@ index 9dc60c6..af8711d 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1569,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -52995,7 +53038,7 @@ index 9dc60c6..af8711d 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1588,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -53040,7 +53083,7 @@ index 9dc60c6..af8711d 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1631,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -53049,7 +53092,7 @@ index 9dc60c6..af8711d 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1640,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -53072,7 +53115,7 @@ index 9dc60c6..af8711d 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1690,7 @@ template(`userdom_admin_user_template',` ##
## # @@ -53081,7 +53124,7 @@ index 9dc60c6..af8711d 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1700,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -53090,7 +53133,7 @@ index 9dc60c6..af8711d 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1714,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -53102,7 +53145,7 @@ index 9dc60c6..af8711d 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1728,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -53145,7 +53188,7 @@ index 9dc60c6..af8711d 100644 ') optional_policy(` -@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1813,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -53164,7 +53207,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1856,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -53218,7 +53261,7 @@ index 9dc60c6..af8711d 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2008,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -53250,7 +53293,7 @@ index 9dc60c6..af8711d 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2074,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53265,7 +53308,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2097,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53277,7 +53320,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2142,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -53302,7 +53345,7 @@ index 9dc60c6..af8711d 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2178,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -53362,7 +53405,7 @@ index 9dc60c6..af8711d 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2304,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -53377,7 +53420,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2343,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -53392,7 +53435,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2373,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -53401,7 +53444,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2381,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -53425,7 +53468,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2399,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -53496,7 +53539,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2455,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -53524,7 +53567,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,13 +2475,163 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -53538,11 +53581,10 @@ index 9dc60c6..af8711d 100644 +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) - ') - - ######################################## - ## --## Do not audit attempts to read user home files. ++') ++ ++######################################## ++## +## Dontaudit getattr on user tmp sockets. +## +## @@ -53601,21 +53643,18 @@ index 9dc60c6..af8711d 100644 +## +## Do not audit attempts to set the +## attributes of user home files. - ## - ## - ## -@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',` - ## - ## - # --interface(`userdom_dontaudit_read_user_home_content_files',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`userdom_dontaudit_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; ++ gen_require(` ++ type user_home_t; ++ ') ++ + dontaudit $1 user_home_t:file setattr_file_perms; +') + @@ -53696,24 +53735,20 @@ index 9dc60c6..af8711d 100644 + + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to read user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_read_user_home_content_files',` -+ gen_require(` + ') + + ######################################## +@@ -1893,11 +2646,14 @@ interface(`userdom_read_user_home_content_files',` + # + interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` +- type user_home_t; + attribute user_home_type; + type user_home_dir_t; -+ ') -+ + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; @@ -53721,7 +53756,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2694,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -53730,7 +53765,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2702,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -53743,7 +53778,7 @@ index 9dc60c6..af8711d 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2713,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -53752,7 +53787,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2721,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -53821,7 +53856,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2816,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -53831,7 +53866,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2832,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -53856,7 +53891,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## -@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2922,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -53865,7 +53900,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2930,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -53889,7 +53924,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2948,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -53905,7 +53940,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3188,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -53963,7 +53998,7 @@ index 9dc60c6..af8711d 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3250,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -53972,7 +54007,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3291,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -53998,7 +54033,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## -@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3393,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -54027,7 +54062,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,6 +3441,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -54055,7 +54090,7 @@ index 9dc60c6..af8711d 100644 interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; -@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3557,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -54077,7 +54112,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3583,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -54099,7 +54134,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3598,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -54122,7 +54157,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3613,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -54183,7 +54218,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3757,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -54208,7 +54243,7 @@ index 9dc60c6..af8711d 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3793,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -54251,7 +54286,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2856,14 +3824,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3829,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -54289,7 +54324,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2882,8 +3869,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3874,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -54319,7 +54354,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2955,6 +3961,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3966,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54362,7 +54397,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4020,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4025,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54387,7 +54422,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4038,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4043,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -54399,7 +54434,7 @@ index 9dc60c6..af8711d 100644 ## memory segments. ## ## -@@ -3025,17 +4049,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4054,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -54420,7 +54455,7 @@ index 9dc60c6..af8711d 100644 ## memory segments. ## ## -@@ -3044,12 +4068,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4073,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -54435,7 +54470,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -3094,7 +4118,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4123,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -54444,7 +54479,7 @@ index 9dc60c6..af8711d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4134,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4139,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54478,7 +54513,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -3214,7 +4222,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4227,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54505,7 +54540,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -3269,12 +4295,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4300,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54521,7 +54556,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -3282,54 +4309,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4314,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -54593,7 +54628,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -3337,17 +4366,91 @@ interface(`userdom_getattr_all_users',` +@@ -3337,18 +4371,92 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -54610,6 +54645,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## -## Do not audit attempts to inherit the file +-## descriptors from any user domains. +## Do not audit attempts to use user ttys. +## +## @@ -54685,10 +54721,11 @@ index 9dc60c6..af8711d 100644 +######################################## +## +## Do not audit attempts to inherit the file - ## descriptors from any user domains. ++## descriptors from any user domains. ## ## -@@ -3382,6 +4485,42 @@ interface(`userdom_signal_all_users',` + ## +@@ -3382,6 +4490,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -54731,7 +54768,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4541,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4546,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -54792,7 +54829,7 @@ index 9dc60c6..af8711d 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4628,1817 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4633,1817 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 48b201d..d4a3261 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -20776,10 +20776,18 @@ index 949011e..8f8bc20 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 3023be7..4f0fe46 100644 +index 3023be7..5afde80 100644 --- a/cups.if +++ b/cups.if -@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` +@@ -70,6 +70,7 @@ interface(`cups_stream_connect',` + + files_search_pids($1) + stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) ++ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms; + ') + + ######################################## +@@ -200,10 +201,13 @@ interface(`cups_dbus_chat_config',` interface(`cups_read_config',` gen_require(` type cupsd_etc_t, cupsd_rw_etc_t; @@ -20794,7 +20802,7 @@ index 3023be7..4f0fe46 100644 ') ######################################## -@@ -306,6 +309,30 @@ interface(`cups_stream_connect_ptal',` +@@ -306,6 +310,30 @@ interface(`cups_stream_connect_ptal',` ######################################## ## @@ -20825,7 +20833,7 @@ index 3023be7..4f0fe46 100644 ## Read the process state (/proc/pid) of cupsd. ## ## -@@ -344,18 +371,23 @@ interface(`cups_read_state',` +@@ -344,18 +372,23 @@ interface(`cups_read_state',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; @@ -20854,7 +20862,7 @@ index 3023be7..4f0fe46 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -368,13 +400,46 @@ interface(`cups_admin',` +@@ -368,13 +401,46 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -20907,7 +20915,7 @@ index 3023be7..4f0fe46 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..71b61c4 100644 +index c91813c..474a13f 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21077,7 +21085,7 @@ index c91813c..71b61c4 100644 allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -136,22 +170,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -136,22 +170,24 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -21086,6 +21094,7 @@ index c91813c..71b61c4 100644 + manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) ++manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) @@ -21105,7 +21114,7 @@ index c91813c..71b61c4 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -159,11 +195,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -21117,7 +21126,7 @@ index c91813c..71b61c4 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -186,12 +220,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -21142,7 +21151,7 @@ index c91813c..71b61c4 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -203,7 +245,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -21150,7 +21159,7 @@ index c91813c..71b61c4 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t) +@@ -212,17 +253,19 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -21172,7 +21181,7 @@ index c91813c..71b61c4 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) -@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -232,6 +275,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -21181,7 +21190,7 @@ index c91813c..71b61c4 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +289,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -21215,7 +21224,7 @@ index c91813c..71b61c4 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +322,8 @@ optional_policy(` +@@ -272,6 +323,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -21224,7 +21233,7 @@ index c91813c..71b61c4 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +331,17 @@ optional_policy(` +@@ -279,11 +332,17 @@ optional_policy(` ') optional_policy(` @@ -21242,7 +21251,7 @@ index c91813c..71b61c4 100644 ') ') -@@ -296,8 +354,8 @@ optional_policy(` +@@ -296,8 +355,8 @@ optional_policy(` ') optional_policy(` @@ -21252,7 +21261,7 @@ index c91813c..71b61c4 100644 ') optional_policy(` -@@ -306,7 +364,6 @@ optional_policy(` +@@ -306,7 +365,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -21260,7 +21269,7 @@ index c91813c..71b61c4 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +373,10 @@ optional_policy(` +@@ -316,6 +374,10 @@ optional_policy(` ') optional_policy(` @@ -21271,7 +21280,7 @@ index c91813c..71b61c4 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -326,7 +387,7 @@ optional_policy(` +@@ -326,7 +388,7 @@ optional_policy(` ') optional_policy(` @@ -21280,7 +21289,7 @@ index c91813c..71b61c4 100644 ') optional_policy(` -@@ -334,7 +395,11 @@ optional_policy(` +@@ -334,7 +396,11 @@ optional_policy(` ') optional_policy(` @@ -21293,7 +21302,7 @@ index c91813c..71b61c4 100644 ') ######################################## -@@ -342,12 +407,11 @@ optional_policy(` +@@ -342,12 +408,11 @@ optional_policy(` # Configuration daemon local policy # @@ -21309,7 +21318,7 @@ index c91813c..71b61c4 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -367,23 +431,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -367,23 +432,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -21337,7 +21346,7 @@ index c91813c..71b61c4 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +456,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +457,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21358,7 +21367,7 @@ index c91813c..71b61c4 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +473,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +474,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21370,7 +21379,7 @@ index c91813c..71b61c4 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +500,12 @@ optional_policy(` +@@ -449,9 +501,12 @@ optional_policy(` ') optional_policy(` @@ -21384,7 +21393,7 @@ index c91813c..71b61c4 100644 ') optional_policy(` -@@ -467,6 +521,10 @@ optional_policy(` +@@ -467,6 +522,10 @@ optional_policy(` ') optional_policy(` @@ -21395,7 +21404,7 @@ index c91813c..71b61c4 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +545,6 @@ optional_policy(` +@@ -487,10 +546,6 @@ optional_policy(` # Lpd local policy # @@ -21406,7 +21415,7 @@ index c91813c..71b61c4 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +562,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +563,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -21424,7 +21433,7 @@ index c91813c..71b61c4 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +591,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +592,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21434,7 +21443,7 @@ index c91813c..71b61c4 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +601,6 @@ optional_policy(` +@@ -550,7 +602,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -21442,7 +21451,7 @@ index c91813c..71b61c4 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +616,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +617,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21594,7 +21603,7 @@ index c91813c..71b61c4 100644 ######################################## # -@@ -735,7 +660,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +661,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21602,7 +21611,7 @@ index c91813c..71b61c4 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +669,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +670,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21616,7 +21625,7 @@ index c91813c..71b61c4 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +681,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +682,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21625,7 +21634,7 @@ index c91813c..71b61c4 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +693,4 @@ optional_policy(` +@@ -773,3 +694,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -22146,7 +22155,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..90fc04d 100644 +index 62d22cb..1287d08 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -22295,9 +22304,9 @@ index 62d22cb..90fc04d 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) -+ -+ dev_read_urand($1) ++ dev_read_urand($1) ++ + # For connecting to the bus files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) @@ -22676,7 +22685,7 @@ index 62d22cb..90fc04d 100644 ## ## ## Type to be used as a domain. -@@ -397,199 +410,228 @@ interface(`dbus_manage_lib_files',` +@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -22916,22 +22925,40 @@ index 62d22cb..90fc04d 100644 ## ## -## Type to be used as a domain. --## --## ++## Domain to not audit. + ## + ## -## --## ++# ++interface(`dbus_dontaudit_chat_system_bus',` ++ gen_require(` ++ attribute system_bus_type; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; ++') ++ ++ ++######################################## ++## ++## Allow attempts to connect to ++## session bus types with a unix ++## stream socket. ++## ++## + ## -## Type of the program to be used as an entry point to this domain. +## Domain to not audit. ## ## # -interface(`dbus_system_domain',` -+interface(`dbus_dontaudit_chat_system_bus',` ++interface(`dbus_stream_connect_system_dbusd',` gen_require(` -- type system_dbusd_t; + type system_dbusd_t; - role system_r; -+ attribute system_bus_type; -+ class dbus send_msg; ') - domain_type($1) @@ -22951,10 +22978,10 @@ index 62d22cb..90fc04d 100644 - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; ++ allow $1 system_dbusd_t:unix_stream_socket connectto; ') ++ ######################################## ## -## Use and inherit DBUS system bus @@ -22990,7 +23017,7 @@ index 62d22cb..90fc04d 100644 ## ## ## -@@ -597,28 +639,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -23050,7 +23077,7 @@ index 62d22cb..90fc04d 100644 + ') diff --git a/dbus.te b/dbus.te -index c9998c8..44c6283 100644 +index c9998c8..8b447a3 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23174,7 +23201,7 @@ index c9998c8..44c6283 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23223,9 +23250,10 @@ index c9998c8..44c6283 100644 optional_policy(` - policykit_read_lib(system_dbusd_t) + cpufreqselector_dbus_chat(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + getty_start_services(system_dbusd_t) +') + @@ -23255,10 +23283,9 @@ index c9998c8..44c6283 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -23273,6 +23300,10 @@ index c9998c8..44c6283 100644 ') +optional_policy(` ++ virt_list_sandbox_dirs(system_dbusd_t) ++') ++ ++optional_policy(` + # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc + xserver_read_inherited_xdm_lib_files(system_dbusd_t) +') @@ -23292,7 +23323,7 @@ index c9998c8..44c6283 100644 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms; + +fs_search_all(system_bus_type) -+ + +dbus_system_bus_client(system_bus_type) +dbus_connect_system_bus(system_bus_type) + @@ -23322,7 +23353,7 @@ index c9998c8..44c6283 100644 +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') - ++ +######################################## +# +# session_bus_type rules @@ -23359,7 +23390,7 @@ index c9998c8..44c6283 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -23384,7 +23415,7 @@ index c9998c8..44c6283 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -23392,7 +23423,7 @@ index c9998c8..44c6283 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -23434,7 +23465,7 @@ index c9998c8..44c6283 100644 ') ######################################## -@@ -244,5 +359,9 @@ optional_policy(` +@@ -244,5 +363,9 @@ optional_policy(` # Unconfined access to this module # @@ -96244,10 +96275,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..b21026b +index 0000000..cc29a06 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,92 @@ +@@ -0,0 +1,96 @@ + +## policy for sandbox + @@ -96339,13 +96370,17 @@ index 0000000..b21026b + # this is to satisfy the assertion: + auth_reader_shadow($1_t) + auth_writer_shadow($1_t) ++ ++ #optional_policy(` ++ # unconfined_typebounds($1_t) ++ #') +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..6b3fab1 +index 0000000..402257c --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,66 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; @@ -96411,6 +96446,7 @@ index 0000000..6b3fab1 +userdom_use_inherited_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) ++ diff --git a/sandboxX.fc b/sandboxX.fc new file mode 100644 index 0000000..6caef63 @@ -96421,10 +96457,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..3e89d71 +index 0000000..98dc14e --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,396 @@ +@@ -0,0 +1,401 @@ + +## policy for sandboxX + @@ -96559,6 +96595,11 @@ index 0000000..3e89d71 + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; ++ ++ #optional_policy(` ++ # unconfined_typebounds($1_t) ++ # unconfined_typebounds($1_client_t) ++ #') +') + +######################################## @@ -96823,10 +96864,10 @@ index 0000000..3e89d71 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..24cb7ca +index 0000000..22e956f --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,508 @@ +@@ -0,0 +1,512 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -97001,8 +97042,8 @@ index 0000000..24cb7ca +files_read_config_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + -++corecmd_entrypoint_all_executables(sandbox_x_domain) -++files_entrypoint_all_mountpoint(sandbox_x_domain) ++corecmd_entrypoint_all_executables(sandbox_x_domain) ++files_entrypoint_all_mountpoint(sandbox_x_domain) + +fs_getattr_tmpfs(sandbox_x_domain) +fs_getattr_xattr_fs(sandbox_x_domain) @@ -97048,6 +97089,10 @@ index 0000000..24cb7ca +') + +optional_policy(` ++ colord_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` + consolekit_dbus_chat(sandbox_x_domain) +') + @@ -111806,7 +111851,7 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..d8b1fd1 100644 +index a4f20bc..9777de2 100644 --- a/virt.fc +++ b/virt.fc @@ -1,51 +1,109 @@ @@ -111919,7 +111964,7 @@ index a4f20bc..d8b1fd1 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_image_t,s0) ++/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +# add support vios-proxy-* +/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) @@ -111958,10 +112003,10 @@ index a4f20bc..d8b1fd1 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..31f7fd1 100644 +index facdee8..2cff369 100644 --- a/virt.if +++ b/virt.if -@@ -1,120 +1,110 @@ +@@ -1,120 +1,111 @@ -## Libvirt virtualization API. +## Libvirt virtualization API @@ -112065,7 +112110,7 @@ index facdee8..31f7fd1 100644 - pulseaudio_run($1_t, virt_domain_roles) +######################################## +## -+## container_image_t stub interface. No access allowed. ++## container_file_t stub interface. No access allowed. +## +## +## @@ -112075,7 +112120,7 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_stub_container_image',` + gen_require(` -+ type container_image_t; ++ type container_file_t; ') +') @@ -112083,7 +112128,8 @@ index facdee8..31f7fd1 100644 - xserver_rw_shm($1_t) +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` -+ type container_image_t; ++ type container_file_t; ++ type container_ro_file_t; ') ') @@ -112153,7 +112199,7 @@ index facdee8..31f7fd1 100644 ## ## # -@@ -125,31 +115,32 @@ interface(`virt_image',` +@@ -125,31 +116,32 @@ interface(`virt_image',` typeattribute $1 virt_image_type; files_type($1) @@ -112198,7 +112244,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -157,95 +148,71 @@ interface(`virt_domtrans',` +@@ -157,95 +149,71 @@ interface(`virt_domtrans',` ## ## # @@ -112318,7 +112364,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -253,17 +220,18 @@ interface(`virt_run_virt_domain',` +@@ -253,17 +221,18 @@ interface(`virt_run_virt_domain',` ## ## # @@ -112342,7 +112388,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -271,48 +239,36 @@ interface(`virt_signal_all_virt_domains',` +@@ -271,48 +240,36 @@ interface(`virt_signal_all_virt_domains',` ## ## # @@ -112402,7 +112448,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -320,18 +276,18 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +277,18 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # @@ -112427,7 +112473,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -339,18 +295,18 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +296,18 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # @@ -112451,7 +112497,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -358,18 +314,20 @@ interface(`virt_stream_connect',` +@@ -358,18 +315,20 @@ interface(`virt_stream_connect',` ## ## # @@ -112477,7 +112523,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -377,22 +335,20 @@ interface(`virt_attach_tun_iface',` +@@ -377,22 +336,20 @@ interface(`virt_attach_tun_iface',` ## ## # @@ -112505,7 +112551,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -400,22 +356,17 @@ interface(`virt_read_config',` +@@ -400,22 +357,17 @@ interface(`virt_read_config',` ## ## # @@ -112532,7 +112578,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -434,6 +385,7 @@ interface(`virt_read_content',` +@@ -434,6 +386,7 @@ interface(`virt_read_content',` read_files_pattern($1, virt_content_t, virt_content_t) read_lnk_files_pattern($1, virt_content_t, virt_content_t) read_blk_files_pattern($1, virt_content_t, virt_content_t) @@ -112540,7 +112586,7 @@ index facdee8..31f7fd1 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -450,8 +402,7 @@ interface(`virt_read_content',` +@@ -450,8 +403,7 @@ interface(`virt_read_content',` ######################################## ## @@ -112550,7 +112596,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -459,35 +410,17 @@ interface(`virt_read_content',` +@@ -459,35 +411,17 @@ interface(`virt_read_content',` ## ## # @@ -112589,7 +112635,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -495,53 +428,38 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +429,38 @@ interface(`virt_manage_virt_content',` ## ## # @@ -112654,7 +112700,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -549,34 +467,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +468,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -112697,7 +112743,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -584,32 +489,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +490,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -112746,7 +112792,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -618,54 +527,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +528,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -112810,7 +112856,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -673,107 +564,607 @@ interface(`virt_home_filetrans',` +@@ -673,107 +565,625 @@ interface(`virt_home_filetrans',` ## ## # @@ -113165,15 +113211,15 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_exec_sandbox_files',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; + ') + -+ can_exec($1, container_image_t) ++ can_exec($1, svirt_file_type) +') + +######################################## +## -+## Allow any container_image_t to be an entrypoint of this domain ++## Allow any svirt_file_type to be an entrypoint of this domain +## +## +## @@ -113184,9 +113230,27 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_sandbox_entrypoint',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; ++ ') ++ allow $1 svirt_file_type:file entrypoint; ++') ++ ++####################################### ++## ++## List Sandbox Dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_list_sandbox_dirs',` ++ gen_require(` ++ type svirt_sandbox_file_t; + ') -+ allow $1 container_image_t:file entrypoint; ++ ++ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + +####################################### @@ -113201,12 +113265,12 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_read_sandbox_files',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; + ') + -+ list_dirs_pattern($1, container_image_t, container_image_t) -+ read_files_pattern($1, container_image_t, container_image_t) -+ read_lnk_files_pattern($1, container_image_t, container_image_t) ++ list_dirs_pattern($1, svirt_file_type, svirt_file_type) ++ read_files_pattern($1, svirt_file_type, svirt_file_type) ++ read_lnk_files_pattern($1, svirt_file_type, svirt_file_type) +') + +####################################### @@ -113221,15 +113285,15 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_manage_sandbox_files',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; + ') + -+ manage_dirs_pattern($1, container_image_t, container_image_t) -+ manage_files_pattern($1, container_image_t, container_image_t) -+ manage_fifo_files_pattern($1, container_image_t, container_image_t) -+ manage_chr_files_pattern($1, container_image_t, container_image_t) -+ manage_lnk_files_pattern($1, container_image_t, container_image_t) -+ allow $1 container_image_t:dir_file_class_set { relabelfrom relabelto }; ++ manage_dirs_pattern($1, svirt_file_type, svirt_file_type) ++ manage_files_pattern($1, svirt_file_type, svirt_file_type) ++ manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type) ++ manage_chr_files_pattern($1, svirt_file_type, svirt_file_type) ++ manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type) ++ allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### @@ -113244,10 +113308,10 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; + ') + -+ allow $1 container_image_t:filesystem getattr; ++ allow $1 svirt_file_type:filesystem getattr; +') + +####################################### @@ -113262,10 +113326,10 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; + ') + -+ allow $1 container_image_t:filesystem { relabelfrom relabelto }; ++ allow $1 svirt_file_type:filesystem { relabelfrom relabelto }; +') + +####################################### @@ -113280,10 +113344,10 @@ index facdee8..31f7fd1 100644 +# +interface(`virt_mounton_sandbox_file',` + gen_require(` -+ type container_image_t; ++ attribute svirt_file_type; + ') + -+ allow $1 container_image_t:dir_file_class_set mounton; ++ allow $1 svirt_file_type:dir_file_class_set mounton; +') + +####################################### @@ -113299,11 +113363,11 @@ index facdee8..31f7fd1 100644 +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; -+ type container_image_t; ++ attribute svirt_file_type; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, container_image_t, container_image_t, svirt_sandbox_domain) ++ stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + @@ -113463,7 +113527,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -781,19 +1172,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1191,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -113487,7 +113551,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -801,18 +1190,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1209,17 @@ interface(`virt_read_pid_files',` ## ## # @@ -113510,7 +113574,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -820,18 +1208,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1227,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -113533,7 +113597,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -839,192 +1226,243 @@ interface(`virt_search_lib',` +@@ -839,192 +1245,247 @@ interface(`virt_search_lib',` ## ## # @@ -113686,6 +113750,10 @@ index facdee8..31f7fd1 100644 + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) ++ ++ # optional_policy(` ++ # container_runtime_typebounds($1_t) ++ # ') ') ######################################## @@ -113857,7 +113925,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -1032,20 +1470,17 @@ interface(`virt_read_images',` +@@ -1032,20 +1493,17 @@ interface(`virt_read_images',` ## ## # @@ -113882,7 +113950,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -1053,15 +1488,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1511,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -113905,7 +113973,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -1069,21 +1506,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1529,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -113931,7 +113999,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -1091,36 +1524,18 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1547,18 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -113973,7 +114041,7 @@ index facdee8..31f7fd1 100644 ## ## ## -@@ -1136,50 +1551,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1574,109 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -114012,26 +114080,20 @@ index facdee8..31f7fd1 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -- -- files_search_tmp($1) -- admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- -- files_search_etc($1) -- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) + allow $1 virt_domain:process signal_perms; -- logging_search_logs($1) -- admin_pattern($1, virt_log_t) +- files_search_tmp($1) +- admin_pattern($1, { virt_tmp_type virt_tmp_t }) + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) -- files_search_pids($1) -- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) +- files_search_etc($1) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; -- files_search_var($1) -- admin_pattern($1, svirt_cache_t) +- logging_search_logs($1) +- admin_pattern($1, virt_log_t) + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) @@ -114051,16 +114113,16 @@ index facdee8..31f7fd1 100644 + attribute sandbox_caps_domain; + ') -- files_search_var_lib($1) -- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) +- files_search_pids($1) +- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) + typeattribute $1 sandbox_caps_domain; +') -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) +- files_search_var($1) +- admin_pattern($1, svirt_cache_t) -- dev_list_all_dev_nodes($1) -- allow $1 virt_ptynode:chr_file rw_term_perms; +- files_search_var_lib($1) +- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) +######################################## +## +## Send and receive messages from @@ -114081,12 +114143,49 @@ index facdee8..31f7fd1 100644 + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++######################################## ++## ++## Execute a file in a sandbox directory ++## in the specified domain. ++## ++## ++##

++## Execute a file in a sandbox directory ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##
++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`virt_sandbox_domtrans',` ++ gen_require(` ++ type container_file_t; ++ ') + +- dev_list_all_dev_nodes($1) +- allow $1 virt_ptynode:chr_file rw_term_perms; ++ domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..d369e60 100644 +index f03dcf5..923fbbe 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,400 @@ +@@ -1,451 +1,403 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -114642,28 +114741,30 @@ index f03dcf5..d369e60 100644 -optional_policy(` - dbus_read_lib_files(virt_domain) -') -- --optional_policy(` -- nscd_use(virt_domain) --') +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -optional_policy(` -- samba_domtrans_smbd(virt_domain) +- nscd_use(virt_domain) -') +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; -optional_policy(` -- xen_rw_image_files(virt_domain) +- samba_domtrans_smbd(virt_domain) -') +# virt lxc container files -+type container_image_t, svirt_file_type; -+typealias container_image_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; -+files_mountpoint(container_image_t) ++type container_file_t, svirt_file_type; ++typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; ++files_mountpoint(container_file_t) + +-optional_policy(` +- xen_rw_image_files(virt_domain) +-') ++type container_ro_file_t, svirt_file_type; ++files_mountpoint(container_ro_file_t) ######################################## # @@ -114675,17 +114776,17 @@ index f03dcf5..d369e60 100644 - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -+allow svirt_t self:process ptrace; - +- -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) ++allow svirt_t self:process ptrace; + +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) @@ -114798,7 +114899,7 @@ index f03dcf5..d369e60 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +404,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +407,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -114845,7 +114946,7 @@ index f03dcf5..d369e60 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +439,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +442,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -114878,7 +114979,7 @@ index f03dcf5..d369e60 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +464,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +467,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -114906,7 +115007,7 @@ index f03dcf5..d369e60 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +484,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +487,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -114937,7 +115038,7 @@ index f03dcf5..d369e60 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +536,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +539,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -114957,7 +115058,7 @@ index f03dcf5..d369e60 100644 selinux_validate_context(virtd_t) -@@ -620,18 +558,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +561,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -114994,7 +115095,7 @@ index f03dcf5..d369e60 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +586,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +589,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115003,7 +115104,7 @@ index f03dcf5..d369e60 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +611,12 @@ optional_policy(` +@@ -665,20 +614,12 @@ optional_policy(` ') optional_policy(` @@ -115024,7 +115125,7 @@ index f03dcf5..d369e60 100644 ') optional_policy(` -@@ -691,20 +629,26 @@ optional_policy(` +@@ -691,20 +632,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -115035,11 +115136,12 @@ index f03dcf5..d369e60 100644 ') optional_policy(` +- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` - iptables_domtrans(virtd_t) ++ iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -115055,7 +115157,7 @@ index f03dcf5..d369e60 100644 ') optional_policy(` -@@ -712,11 +656,18 @@ optional_policy(` +@@ -712,11 +659,18 @@ optional_policy(` ') optional_policy(` @@ -115074,7 +115176,7 @@ index f03dcf5..d369e60 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +678,18 @@ optional_policy(` +@@ -727,10 +681,18 @@ optional_policy(` ') optional_policy(` @@ -115093,7 +115195,7 @@ index f03dcf5..d369e60 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +705,336 @@ optional_policy(` +@@ -746,44 +708,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -115291,7 +115393,7 @@ index f03dcf5..d369e60 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) - ++ +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) @@ -115304,7 +115406,7 @@ index f03dcf5..d369e60 100644 +optional_policy(` + alsa_read_rw_config(virt_domain) +') -+ + +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') @@ -115433,12 +115535,12 @@ index f03dcf5..d369e60 100644 +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + -+manage_dirs_pattern(virsh_t, container_image_t, container_image_t) -+manage_files_pattern(virsh_t, container_image_t, container_image_t) -+manage_chr_files_pattern(virsh_t, container_image_t, container_image_t) -+manage_lnk_files_pattern(virsh_t, container_image_t, container_image_t) -+manage_sock_files_pattern(virsh_t, container_image_t, container_image_t) -+manage_fifo_files_pattern(virsh_t, container_image_t, container_image_t) ++manage_dirs_pattern(virsh_t, container_file_t, container_file_t) ++manage_files_pattern(virsh_t, container_file_t, container_file_t) ++manage_chr_files_pattern(virsh_t, container_file_t, container_file_t) ++manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t) ++manage_sock_files_pattern(virsh_t, container_file_t, container_file_t) ++manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) @@ -115452,7 +115554,7 @@ index f03dcf5..d369e60 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1045,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1048,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -115479,7 +115581,7 @@ index f03dcf5..d369e60 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1065,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1068,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -115513,7 +115615,7 @@ index f03dcf5..d369e60 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1102,20 @@ optional_policy(` +@@ -856,14 +1105,20 @@ optional_policy(` ') optional_policy(` @@ -115535,7 +115637,7 @@ index f03dcf5..d369e60 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1140,66 @@ optional_policy(` +@@ -888,49 +1143,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -115598,15 +115700,15 @@ index f03dcf5..d369e60 100644 +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + -+manage_dirs_pattern(virtd_lxc_t, container_image_t, container_image_t) -+manage_files_pattern(virtd_lxc_t, container_image_t, container_image_t) -+manage_chr_files_pattern(virtd_lxc_t, container_image_t, container_image_t) -+manage_lnk_files_pattern(virtd_lxc_t, container_image_t, container_image_t) -+manage_sock_files_pattern(virtd_lxc_t, container_image_t, container_image_t) -+manage_fifo_files_pattern(virtd_lxc_t, container_image_t, container_image_t) -+allow virtd_lxc_t container_image_t:dir_file_class_set { relabelto relabelfrom }; -+allow virtd_lxc_t container_image_t:filesystem { relabelto relabelfrom }; -+files_associate_rootfs(container_image_t) ++manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t) ++manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t) ++manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t) ++manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) ++manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) ++manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) ++allow virtd_lxc_t container_file_t:dir_file_class_set { relabelto relabelfrom }; ++allow virtd_lxc_t container_file_t:filesystem { relabelto relabelfrom }; ++files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) @@ -115620,7 +115722,7 @@ index f03dcf5..d369e60 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1211,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1214,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -115634,13 +115736,13 @@ index f03dcf5..d369e60 100644 files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) -files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) -+files_root_filetrans(virtd_lxc_t, container_image_t, dir_file_class_set) ++files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) +fs_read_fusefs_files(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1232,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1235,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -115664,7 +115766,7 @@ index f03dcf5..d369e60 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1257,360 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1260,360 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115746,26 +115848,26 @@ index f03dcf5..d369e60 100644 +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + -+manage_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+manage_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+manage_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+manage_sock_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+manage_fifo_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+allow svirt_sandbox_domain container_image_t:file { execmod relabelfrom relabelto }; -+allow svirt_sandbox_domain container_image_t:dir { execmod relabelfrom relabelto }; -+virt_mounton_sandbox_file(svirt_sandbox_domain) -+ -+list_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+read_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+read_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+allow svirt_sandbox_domain container_image_t:file execmod; -+can_exec(svirt_sandbox_domain, container_image_t) -+ -+allow svirt_sandbox_domain container_image_t:blk_file setattr; -+rw_blk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) -+can_exec(svirt_sandbox_domain, container_image_t) -+allow svirt_sandbox_domain container_image_t:dir mounton; -+allow svirt_sandbox_domain container_image_t:filesystem { getattr remount }; ++manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto }; ++allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto }; ++allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton; ++ ++list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++allow svirt_sandbox_domain container_file_t:file execmod; ++can_exec(svirt_sandbox_domain, container_file_t) ++ ++allow svirt_sandbox_domain container_file_t:blk_file setattr; ++rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) ++can_exec(svirt_sandbox_domain, container_file_t) ++allow svirt_sandbox_domain container_file_t:dir mounton; ++allow svirt_sandbox_domain container_file_t:filesystem { getattr remount }; + +kernel_getattr_proc(svirt_sandbox_domain) +kernel_list_all_proc(svirt_sandbox_domain) @@ -115969,7 +116071,7 @@ index f03dcf5..d369e60 100644 - apache_read_sys_content(svirt_lxc_domain) + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) -+ container_lib_filetrans(svirt_sandbox_domain,container_image_t, sock_file) ++ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) @@ -115988,7 +116090,7 @@ index f03dcf5..d369e60 100644 +dontaudit container_t self:capability fsetid; +dontaudit container_t self:capability2 block_suspend ; +allow container_t self:process { execstack execmem }; -+manage_chr_files_pattern(container_t, container_image_t, container_image_t) ++manage_chr_files_pattern(container_t, container_file_t, container_file_t) +kernel_load_module(container_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` @@ -116061,7 +116163,7 @@ index f03dcf5..d369e60 100644 -fs_mount_cgroup(svirt_lxc_net_t) -fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) -+fs_noxattr_type(container_image_t) ++fs_noxattr_type(container_file_t) +# Do we actually need these? +fs_mount_cgroup(container_t) +fs_manage_cgroup_dirs(container_t) @@ -116070,7 +116172,7 @@ index f03dcf5..d369e60 100644 +fs_unmount_xattr_fs(container_t) -auth_use_nsswitch(svirt_lxc_net_t) -+term_pty(container_image_t) ++term_pty(container_file_t) -logging_send_audit_msgs(svirt_lxc_net_t) +auth_use_nsswitch(container_t) @@ -116136,12 +116238,12 @@ index f03dcf5..d369e60 100644 + +files_read_kernel_modules(svirt_qemu_net_t) + -+fs_noxattr_type(container_image_t) ++fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + -+term_pty(container_image_t) ++term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + @@ -116169,7 +116271,7 @@ index f03dcf5..d369e60 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1626,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116184,7 +116286,7 @@ index f03dcf5..d369e60 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1641,7 @@ optional_policy(` +@@ -1192,7 +1644,7 @@ optional_policy(` ######################################## # @@ -116193,7 +116295,7 @@ index f03dcf5..d369e60 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1650,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1653,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -116403,12 +116505,12 @@ index f03dcf5..d369e60 100644 + +files_read_kernel_modules(svirt_kvm_net_t) + -+fs_noxattr_type(container_image_t) ++fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) +fs_manage_cgroup_files(svirt_kvm_net_t) + -+term_pty(container_image_t) ++term_pty(container_file_t) + +auth_use_nsswitch(svirt_kvm_net_t) + @@ -116453,6 +116555,11 @@ index f03dcf5..d369e60 100644 + +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; + ++list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) ++read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) ++read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) ++allow svirt_sandbox_domain container_ro_file_t:file execmod; ++can_exec(svirt_sandbox_domain, container_ro_file_t) diff --git a/vlock.te b/vlock.te index 6b72968..de409cc 100644 --- a/vlock.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 4a40174..2bd0710 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 219%{?dist} +Release: 220%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,25 @@ exit 0 %endif %changelog +* Sun Oct 16 2016 Lukas Vrabec - 3.13.1-220 +- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build. +- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain. +- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain. +- Merge pull request #167 from rhatdan/container +- Add transition rules for sandbox domains +- container_typebounds() should be part of sandbox domain template +- Fix broken container_* interfaces +- unconfined_typebounds() should be part of sandbox domain template +- Fixed unrecognized characters at sandboxX module +- unconfined_typebounds() should be part of sandbox domain template +- svirt_file_type is atribute no type. +- Merge pull request #166 from rhatdan/container +- Allow users to transition from unconfined_t to container types +- Add dbus_stream_connect_system_dbusd() interface. +- Merge pull request #152 from rhatdan/network_filetrans +- Fix typo in filesystem module +- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473) + * Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219 - Dontaudit leaked file descriptors for thumb. BZ(1383071) - Fix typo in cobbler SELinux module