diff --git a/policy-F16.patch b/policy-F16.patch index 0f27563..456e3f9 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4705,7 +4705,7 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..ab334b0 100644 +index f5afe78..8136040 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,731 @@ @@ -5583,7 +5583,7 @@ index f5afe78..ab334b0 100644 ## ## ## -@@ -140,51 +831,355 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +831,356 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -5911,6 +5911,7 @@ index f5afe78..ab334b0 100644 + # /root/.color/icc: legacy + userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc") +') ++ +###################################### +## +## Execute gnome-keyring executable @@ -17131,7 +17132,7 @@ index 6346378..8c500cd 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..e8faa88 100644 +index d91c62f..c857dc0 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,12 @@ @@ -17312,7 +17313,7 @@ index d91c62f..e8faa88 100644 + # calls sched_setscheduler() + allow can_load_kernmodule self:capability sys_nice; + kernel_setsched(can_load_kernmodule) -+'} ++} + diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index f52faaf..6bb6529 100644 @@ -22383,7 +22384,7 @@ index 9e39aa5..d7a8d41 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..13d57b7 100644 +index 6480167..6a02978 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -22893,7 +22894,20 @@ index 6480167..13d57b7 100644 ') ######################################## -@@ -1170,17 +1360,15 @@ interface(`apache_cgi_domain',` +@@ -1150,12 +1340,6 @@ interface(`apache_cgi_domain',` + ## + ## All of the rules required to administrate an apache environment + ## +-## +-## +-## Prefix of the domain. Example, user would be +-## the prefix for the uder_t domain. +-## +-## + ## + ## + ## Domain allowed access. +@@ -1170,17 +1354,15 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -22916,7 +22930,7 @@ index 6480167..13d57b7 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1379,10 @@ interface(`apache_admin',` +@@ -1191,10 +1373,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -22929,7 +22943,7 @@ index 6480167..13d57b7 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1393,69 @@ interface(`apache_admin',` +@@ -1205,14 +1387,69 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -24280,7 +24294,7 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..c873197 100644 +index b3b0176..7cc09e8 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -19,10 +19,11 @@ type asterisk_log_t; 
@@ -24296,15 +24310,17 @@ index b3b0176..c873197 100644 type asterisk_tmpfs_t; files_tmpfs_file(asterisk_tmpfs_t) -@@ -39,7 +40,7 @@ files_pid_file(asterisk_var_run_t) +@@ -39,8 +40,8 @@ files_pid_file(asterisk_var_run_t) # # dac_override for /var/run/asterisk -allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; +-dontaudit asterisk_t self:capability sys_tty_config; +allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; - dontaudit asterisk_t self:capability sys_tty_config; ++dontaudit asterisk_t self:capability { sys_module sys_tty_config }; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; + allow asterisk_t self:sem create_sem_perms; @@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) @@ -24565,7 +24581,7 @@ index 44a1e3d..7e9d2fb 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..991629d 100644 +index 4deca04..5f387b2 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0) @@ -24629,7 +24645,7 @@ index 4deca04..991629d 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -198,15 +211,14 @@ allow ndc_t self:process { fork signal_perms }; +@@ -198,18 +211,18 @@ allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; allow ndc_t self:tcp_socket create_socket_perms; 
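Review bot: The widened `dontaudit asterisk_t self:capability { sys_module sys_tty_config };` in asterisk.te has no comment saying why `sys_module` denials are now silenced. The access is still denied, but the AVC record is gone, so anyone triaging an incident on this host can no longer see that the asterisk domain tried to trigger a kernel module load. I would add a one-line comment above the rule naming the benign operation that causes the denial, and mention that `semodule -DB` brings the record back for debugging. The existing `# dac_override for /var/run/asterisk` comment in the same hunk explains only one of the capabilities on the allow line.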
@@ -24647,7 +24663,11 @@ index 4deca04..991629d 100644 allow ndc_t named_zone_t:dir search_dir_perms; -@@ -228,6 +240,8 @@ files_search_pids(ndc_t) ++kernel_read_system_state(ndc_t) + kernel_read_kernel_sysctls(ndc_t) + + corenet_all_recvfrom_unlabeled(ndc_t) +@@ -228,6 +241,8 @@ files_search_pids(ndc_t) fs_getattr_xattr_fs(ndc_t) @@ -24656,7 +24676,7 @@ index 4deca04..991629d 100644 init_use_fds(ndc_t) init_use_script_ptys(ndc_t) -@@ -235,24 +249,13 @@ logging_send_syslog_msg(ndc_t) +@@ -235,24 +250,13 @@ logging_send_syslog_msg(ndc_t) miscfiles_read_localization(ndc_t) @@ -26578,7 +26598,7 @@ index fd8cd0b..3d61138 100644 +/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..8fb526a 100644 +index 9a0da94..5383054 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -26606,7 +26626,7 @@ index 9a0da94..8fb526a 100644 #################################### ## ## Execute chronyd -@@ -56,6 +74,123 @@ interface(`chronyd_read_log',` +@@ -56,6 +74,126 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') @@ -26680,6 +26700,7 @@ index 9a0da94..8fb526a 100644 +# +interface(`chronyd_systemctl',` + gen_require(` ++ type chronyd_t; + type chronyd_unit_t; + ') + @@ -26687,6 +26708,8 @@ index 9a0da94..8fb526a 100644 + systemd_search_unit_dirs($1) + allow $1 chronyd_unit_t:file read_file_perms; + allow $1 chronyd_unit_t:service all_service_perms; ++ ++ ps_process_pattern($1, chronyd_t) +') + +######################################## 
@@ -26730,7 +26753,7 @@ index 9a0da94..8fb526a 100644 #################################### ## ## All of the rules required to administrate -@@ -75,9 +210,9 @@ interface(`chronyd_read_log',` +@@ -75,9 +213,9 @@ interface(`chronyd_read_log',` # interface(`chronyd_admin',` gen_require(` @@ -26743,7 +26766,7 @@ index 9a0da94..8fb526a 100644 ') allow $1 chronyd_t:process { ptrace signal_perms }; -@@ -88,18 +223,19 @@ interface(`chronyd_admin',` +@@ -88,18 +226,19 @@ interface(`chronyd_admin',` role_transition $2 chronyd_initrc_exec_t system_r; allow $2 system_r; @@ -26767,7 +26790,7 @@ index 9a0da94..8fb526a 100644 - admin_pattern($1, chronyd_tmp_t) + admin_pattern($1, chronyd_tmpfs_t) + -+ chronyd_sysemctl($1) ++ chronyd_systemctl($1) ') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te index fa82327..4b32348 100644 @@ -26907,10 +26930,10 @@ index 1f11572..9eb2461 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..4032a58 100644 +index f758323..8cd02e2 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te -@@ -1,9 +1,9 @@ +@@ -1,9 +1,16 @@ policy_module(clamav, 1.9.0) ## @@ -26918,12 +26941,19 @@ index f758323..4032a58 100644 -## Allow clamd to use JIT compiler -##

+##

++## Allow clamscan to read user content ++##

++##
++gen_tunable(clamscan_read_user_content, false) ++ ++## ++##

+## Allow clamd to use JIT compiler +##

##
gen_tunable(clamd_use_jit, false) -@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t) +@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t) allow clamd_t self:capability { kill setgid setuid dac_override }; dontaudit clamd_t self:capability sys_tty_config; @@ -26932,7 +26962,7 @@ index f758323..4032a58 100644 allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow clamd_t self:unix_dgram_socket create_socket_perms; -@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) +@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) # var/lib files for clamd @@ -26940,7 +26970,7 @@ index f758323..4032a58 100644 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) +@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) # pid file @@ -26952,7 +26982,7 @@ index f758323..4032a58 100644 kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) -@@ -110,6 +114,7 @@ corenet_tcp_bind_generic_node(clamd_t) +@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) corenet_tcp_bind_generic_port(clamd_t) corenet_tcp_connect_generic_port(clamd_t) @@ -26960,7 +26990,7 @@ index f758323..4032a58 100644 corenet_sendrecv_clamd_server_packets(clamd_t) dev_read_rand(clamd_t) -@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t) +@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t) miscfiles_read_localization(clamd_t) 
@@ -26982,7 +27012,7 @@ index f758323..4032a58 100644 optional_policy(` amavis_read_lib_files(clamd_t) -@@ -147,8 +156,10 @@ optional_policy(` +@@ -147,8 +163,10 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; @@ -26994,7 +27024,7 @@ index f758323..4032a58 100644 ') ######################################## -@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -27013,7 +27043,7 @@ index f758323..4032a58 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -27021,7 +27051,7 @@ index f758323..4032a58 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -27044,7 +27074,7 @@ index f758323..4032a58 100644 ######################################## # # clamscam local policy -@@ -242,15 +262,22 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; 
@@ -27062,12 +27092,19 @@ index f758323..4032a58 100644 +corenet_tcp_bind_generic_node(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t) ++corecmd_read_all_executables(clamscan_t) ++ ++tunable_policy(`clamscan_read_user_content',` ++ userdom_read_user_home_content_files(clamscan_t) ++ userdom_dontaudit_read_user_home_content_files(clamscan_t) ++') ++ kernel_read_kernel_sysctls(clamscan_t) +kernel_read_system_state(clamscan_t) files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +291,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -31624,7 +31661,7 @@ index 0000000..c6cbc80 +/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if new file mode 100644 -index 0000000..a951202 +index 0000000..332a1c9 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.if @@ -0,0 +1,134 @@ @@ -31759,7 +31796,7 @@ index 0000000..a951202 + ') + + domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t) -+ allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms; ++ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms; + +') diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te @@ -33598,7 +33635,7 @@ index 6bef7f8..464669c 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..12ade3b 100644 +index f28f64b..05784e2 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) 
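Review bot: In the clamav.te hunk that adds the `clamscan_read_user_content` tunable block, `userdom_read_user_home_content_files(clamscan_t)` and `userdom_dontaudit_read_user_home_content_files(clamscan_t)` both sit in the true branch, where the dontaudit appears to have no effect because the access is already allowed. If the aim is to keep logs quiet while the boolean is off, the dontaudit call belongs in the else branch, the third argument of `tunable_policy`. If not, it can be dropped. The same hunk adds `corecmd_read_all_executables(clamscan_t)` outside the tunable with no comment on why it is unconditional while home content is gated behind a boolean that defaults to false.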
@@ -33661,7 +33698,15 @@ index f28f64b..12ade3b 100644 corecmd_search_bin(exim_t) -@@ -171,6 +174,10 @@ optional_policy(` +@@ -108,6 +111,7 @@ domain_use_interactive_fds(exim_t) + + files_search_usr(exim_t) + files_search_var(exim_t) ++files_read_usr_files(exim_t) + files_read_etc_files(exim_t) + files_read_etc_runtime_files(exim_t) + files_getattr_all_mountpoints(exim_t) +@@ -171,6 +175,10 @@ optional_policy(` ') optional_policy(` @@ -33672,7 +33717,7 @@ index f28f64b..12ade3b 100644 tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') -@@ -184,6 +191,7 @@ optional_policy(` +@@ -184,6 +192,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -42548,7 +42593,7 @@ index 15448d5..b6b42c1 100644 +/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_t,s0) +/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..6314fa6 100644 +index abe3f7f..2de87de 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -42602,7 +42647,7 @@ index abe3f7f..6314fa6 100644 ## Read ypserv configuration files. ##
## -@@ -337,6 +318,48 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -337,6 +318,57 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## @@ -42617,12 +42662,15 @@ index abe3f7f..6314fa6 100644 +interface(`nis_systemctl_ypbind',` + gen_require(` + type ypbind_unit_t; ++ type ypbind_t; + ') + + systemd_exec_systemctl($1) + systemd_search_unit_dirs($1) + allow $1 ypbind_unit_t:file read_file_perms; + allow $1 ypbind_unit_t:service all_service_perms; ++ ++ ps_process_pattern($1, ypbind_t) +') + +######################################## @@ -42638,12 +42686,18 @@ index abe3f7f..6314fa6 100644 +interface(`nis_systemctl',` + gen_require(` + type nis_unit_t; ++ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; + ') + + systemd_exec_systemctl($1) + systemd_search_unit_dirs($1) + allow $1 nis_unit_t:file read_file_perms; + allow $1 nis_unit_t:service all_service_perms; ++ ++ ps_process_pattern($1, ypbind_t) ++ ps_process_pattern($1, yppasswdd_t) ++ ps_process_pattern($1, ypserv_t) ++ ps_process_pattern($1, ypxfr_t) +') + +######################################## @@ -42651,7 +42705,7 @@ index abe3f7f..6314fa6 100644 ## All of the rules required to administrate ## an nis environment ## -@@ -354,10 +377,10 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -354,10 +386,10 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -42664,7 +42718,7 @@ index abe3f7f..6314fa6 100644 ') allow $1 ypbind_t:process { ptrace signal_perms }; -@@ -384,6 +407,7 @@ interface(`nis_admin',` +@@ -384,6 +416,7 @@ interface(`nis_admin',` files_list_pids($1) admin_pattern($1, ypbind_var_run_t) @@ -42672,7 +42726,7 @@ index abe3f7f..6314fa6 100644 admin_pattern($1, yppasswdd_var_run_t) -@@ -393,4 +417,5 @@ interface(`nis_admin',` +@@ -393,4 +426,5 @@ interface(`nis_admin',` admin_pattern($1, ypserv_tmp_t) admin_pattern($1, ypserv_var_run_t) 
@@ -42991,10 +43045,10 @@ index e79dccc..50202ef 100644 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..e3d6ebb 100644 +index e80f8c0..4b93b29 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if -@@ -98,6 +98,46 @@ interface(`ntp_initrc_domtrans',` +@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',` init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') @@ -43030,18 +43084,21 @@ index e80f8c0..e3d6ebb 100644 +interface(`ntp_systemctl',` + gen_require(` + type ntpd_unit_t; ++ type ntpd_t; + ') + + systemd_exec_systemctl($1) + systemd_search_unit_dirs($1) + allow $1 ntpd_unit_t:file read_file_perms; + allow $1 ntpd_unit_t:service all_service_perms; ++ ++ ps_process_pattern($1, ntpd_t) +') + ######################################## ## ## Read and write ntpd shared memory. -@@ -122,6 +162,25 @@ interface(`ntp_rw_shm',` +@@ -122,6 +165,25 @@ interface(`ntp_rw_shm',` ######################################## ## @@ -43067,7 +43124,7 @@ index e80f8c0..e3d6ebb 100644 ## All of the rules required to administrate ## an ntp environment ## -@@ -140,11 +199,10 @@ interface(`ntp_rw_shm',` +@@ -140,11 +202,10 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -43081,7 +43138,7 @@ index e80f8c0..e3d6ebb 100644 ps_process_pattern($1, ntpd_t) init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -@@ -162,4 +220,6 @@ interface(`ntp_admin',` +@@ -162,4 +223,6 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -46417,7 +46474,7 @@ index b524673..9d90fb3 100644 admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..95a25b6 100644 +index 2af42e7..0d51fe4 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) 
@@ -46526,7 +46583,7 @@ index 2af42e7..95a25b6 100644 ') optional_policy(` -@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,14 +248,17 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -46537,7 +46594,14 @@ index 2af42e7..95a25b6 100644 +files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) kernel_list_proc(pptp_t) ++kernel_signal(pptp_t) kernel_read_kernel_sysctls(pptp_t) + kernel_read_proc_symlinks(pptp_t) + kernel_read_system_state(pptp_t) ++kernel_signal(pptp_t) + + dev_read_sysfs(pptp_t) + diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 2316653..77ef768 100644 --- a/policy/modules/services/prelude.if @@ -47626,7 +47690,7 @@ index 0055e54..f988f51 100644 /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if -index a55bf44..27007ed 100644 +index a55bf44..c6dee66 100644 --- a/policy/modules/services/qmail.if +++ b/policy/modules/services/qmail.if @@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',` @@ -47671,7 +47735,7 @@ index a55bf44..27007ed 100644 +## Create, read, write, and delete qmail +## spool directories. +## -+## ++## +## +## Domain allowed access. +## @@ -47690,7 +47754,7 @@ index a55bf44..27007ed 100644 +## Create, read, write, and delete qmail +## spool files. +##
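Review bot: `kernel_signal(pptp_t)` is added twice in the ppp.te hunk, once after `kernel_list_proc(pptp_t)` and again after `kernel_read_system_state(pptp_t)`. The second call is redundant and should be removed so that the grant appears in one place when the policy is audited. Neither line says why pptp needs to signal the kernel domain, so the remaining call should get a short comment naming the denial it resolves.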
-+## ++## +## +## Domain allowed access. +## @@ -52105,10 +52169,10 @@ index 0000000..b077a62 + diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te new file mode 100644 -index 0000000..ea10ecc +index 0000000..067c552 --- /dev/null +++ b/policy/modules/services/sblim.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,108 @@ +policy_module(sblim, 1.0.0) + +######################################## @@ -52136,6 +52200,7 @@ index 0000000..ea10ecc + +#needed by ps +allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; ++allow sblim_gatherd_t self:process signal; + +allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; +allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms; @@ -52170,6 +52235,7 @@ index 0000000..ea10ecc +') + +optional_policy(` ++ ssh_signull(sblim_gatherd_t) + sysnet_dns_name_resolve(sblim_gatherd_t) +') + @@ -52214,6 +52280,7 @@ index 0000000..ea10ecc +files_read_etc_files(sblim_domain) + +miscfiles_read_localization(sblim_domain) ++ diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc index a86ec50..ef4199b 100644 --- a/policy/modules/services/sendmail.fc @@ -52758,7 +52825,7 @@ index 275f9fb..4f4a192 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..0c5769c 100644 +index 3d8d1b3..633e4ce 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -52799,7 +52866,7 @@ index 3d8d1b3..0c5769c 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -97,9 +100,10 @@ fs_search_auto_mountpoints(snmpd_t) +@@ -97,12 +100,15 @@ fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) 
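Review bot: In sblim.te, `ssh_signull(sblim_gatherd_t)` is added to the same `optional_policy` block as `sysnet_dns_name_resolve(sblim_gatherd_t)`. An optional block is dropped as a whole when any interface it requires is missing, so on a build without the ssh module the gatherer would lose DNS resolution too. Give `ssh_signull(sblim_gatherd_t)` its own `optional_policy` block. The new `allow sblim_gatherd_t self:process signal;` sits under the `#needed by ps` comment, which explains the capability line but not the signal permission, so a short comment on that rule would help.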
@@ -52811,7 +52878,12 @@ index 3d8d1b3..0c5769c 100644 init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) -@@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t) ++# need write to /var/run/systemd/notify ++init_write_pid_socket(snmpd_t) + + logging_send_syslog_msg(snmpd_t) + +@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -61446,7 +61518,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..f4a1020 100644 +index 94fd8dd..6794869 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,42 @@ interface(`init_script_domain',` @@ -61647,7 +61719,7 @@ index 94fd8dd..f4a1020 100644 +# +interface(`init_dyntrans',` + gen_require(` -+ type anon_sftpd_t; ++ type init_t; + ') + + dyntrans_pattern($1, init_t) @@ -67962,10 +68034,10 @@ index 0000000..9eaa38e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..fc8cac1 +index 0000000..eb3673d --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,435 @@ +@@ -0,0 +1,436 @@ +## SELinux policy for systemd components + +####################################### @@ -68360,6 +68432,7 @@ index 0000000..fc8cac1 + ') + + manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +######################################## @@ -69958,7 +70031,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..efc9525 100644 +index 4b2878a..fe5913a 100644 --- a/policy/modules/system/userdomain.if 
+++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -70586,38 +70659,34 @@ index 4b2878a..efc9525 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +672,124 @@ template(`userdom_common_user_template',` +@@ -574,67 +672,117 @@ template(`userdom_common_user_template',` ') optional_policy(` -+ alsa_read_rw_config($1_usertype) - alsa_manage_home_files($1_t) +- alsa_manage_home_files($1_t) - alsa_read_rw_config($1_t) - alsa_relabel_home_files($1_t) -+ alsa_filetrans_named_content($1_t) +- alsa_relabel_home_files($1_t) ++ # Allow graphical boot to check battery lifespan ++ apm_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan +- # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ apm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + canna_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ colord_read_lib_files($1_usertype) ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) ++ colord_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -70625,64 +70694,66 @@ index 4b2878a..efc9525 100644 + optional_policy(` + avahi_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ policykit_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ policykit_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) - ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ kde_dbus_chat_backlighthelper($1_usertype) -+ ') -+ -+ optional_policy(` -+ modemmanager_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + vpn_dbus_chat($1_usertype) -+ ') -+ ') -+ -+ optional_policy(` + ') + 
') + + optional_policy(` +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) + git_session_role($1_r, $1_usertype) + ') + @@ -70692,22 +70763,20 @@ index 4b2878a..efc9525 100644 ') optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) - ') - - optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ lircd_stream_connect($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) ++ lircd_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -70715,21 +70784,21 @@ index 4b2878a..efc9525 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ mta_filetrans_home_content($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ mta_filetrans_home_content($1_usertype) -+ ') -+ -+ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -650,41 +805,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +798,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -70791,7 +70860,7 @@ index 4b2878a..efc9525 100644 ') ####################################### -@@ -712,13 +876,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +869,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) 
@@ -70800,12 +70869,12 @@ index 4b2878a..efc9525 100644 + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -70823,7 +70892,7 @@ index 4b2878a..efc9525 100644 userdom_change_password_template($1) -@@ -736,72 +913,76 @@ template(`userdom_login_user_template', ` +@@ -736,72 +906,76 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -70891,10 +70960,10 @@ index 4b2878a..efc9525 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) ++ seutil_read_config($1_usertype) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -70933,7 +71002,7 @@ index 4b2878a..efc9525 100644 ') ') -@@ -833,6 +1014,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1007,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -70943,7 +71012,7 @@ index 4b2878a..efc9525 100644 ############################## # # Local policy -@@ -874,45 +1058,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1051,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -71022,26 +71091,27 @@ index 4b2878a..efc9525 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) - ') ++ ') optional_policy(` -- cups_dbus_chat($1_t) +- consolekit_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ') -+ -+ optional_policy(` + + optional_policy(` +- cups_dbus_chat($1_t) + fprintd_dbus_chat($1_t) -+ ') -+ ') -+ -+ optional_policy(` + ') + ') + + optional_policy(` +- java_role($1_r, $1_t) + openoffice_role_template($1, $1_r, $1_usertype) + ') + @@ -71053,10 +71123,9 @@ index 4b2878a..efc9525 100644 + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) + pulseaudio_filetrans_home_content($1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` + rtkit_scheduled($1_usertype) ') @@ -71073,7 +71142,7 @@ index 4b2878a..efc9525 100644 ') ') -@@ -947,7 +1204,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1197,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -71082,7 +71151,7 @@ index 4b2878a..efc9525 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1213,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1206,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -71100,7 +71169,7 @@ index 4b2878a..efc9525 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1238,72 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1231,72 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -71159,9 +71228,11 @@ index 4b2878a..efc9525 100644 + + optional_policy(` + java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + mono_role_template($1, $1_r, $1_t) + ') + @@ -71172,17 +71243,15 @@ index 4b2878a..efc9525 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1312,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -71193,7 +71262,7 @@ index 4b2878a..efc9525 100644 ') ') -@@ -1039,7 +1350,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -71202,7 +71271,7 @@ index 4b2878a..efc9525 100644 ') ############################## -@@ -1066,6 +1377,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -71210,7 +71279,7 @@ index 4b2878a..efc9525 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1386,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -71220,7 +71289,7 @@ index 4b2878a..efc9525 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1403,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -71228,7 +71297,7 @@ index 4b2878a..efc9525 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1421,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -71242,7 +71311,7 @@ index 4b2878a..efc9525 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1438,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1431,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -71285,7 +71354,7 @@ index 4b2878a..efc9525 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1479,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1472,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -71294,7 +71363,7 @@ index 4b2878a..efc9525 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1540,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1533,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -71303,7 +71372,7 @@ index 4b2878a..efc9525 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1554,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1547,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -71314,7 +71383,7 @@ index 4b2878a..efc9525 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1567,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1560,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -71343,7 +71412,7 @@ index 4b2878a..efc9525 100644 ') optional_policy(` -@@ -1251,12 +1595,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1588,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -71359,7 +71428,7 @@ index 4b2878a..efc9525 100644 ') optional_policy(` -@@ -1279,54 +1623,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1616,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -71441,13 +71510,14 @@ index 4b2878a..efc9525 100644 ##
## ## -@@ -1334,7 +1690,44 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,9 +1683,46 @@ interface(`userdom_setattr_user_ptys',` ## ## # -interface(`userdom_create_user_pty',` +interface(`userdom_attach_admin_tun_iface',` -+ gen_require(` + gen_require(` +- type user_devpts_t; + attribute admindomain; + ') + @@ -71484,10 +71554,12 @@ index 4b2878a..efc9525 100644 +## +# +interface(`userdom_create_user_pty',` - gen_require(` - type user_devpts_t; ++ gen_require(` ++ type user_devpts_t; ') -@@ -1395,6 +1788,7 @@ interface(`userdom_search_user_home_dirs',` + + term_create_pty($1, user_devpts_t) +@@ -1395,6 +1781,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -71495,7 +71567,7 @@ index 4b2878a..efc9525 100644 files_search_home($1) ') -@@ -1441,6 +1835,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1828,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -71510,7 +71582,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -1456,9 +1858,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1851,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -71522,7 +71594,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -1515,6 +1919,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1912,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -71565,7 +71637,7 @@ index 4b2878a..efc9525 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2029,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2022,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -71574,7 +71646,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -1603,10 +2045,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2038,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -71589,7 +71661,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -1649,6 +2093,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2086,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -71633,7 +71705,7 @@ index 4b2878a..efc9525 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2149,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2142,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -71659,7 +71731,7 @@ index 4b2878a..efc9525 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2200,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2193,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -71692,7 +71764,7 @@ index 4b2878a..efc9525 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2229,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -71710,7 +71782,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2295,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
@@ -71771,7 +71843,7 @@ index 4b2878a..efc9525 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2380,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -71781,7 +71853,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2396,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -71806,7 +71878,7 @@ index 4b2878a..efc9525 100644 ######################################## ## -@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2504,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -71831,7 +71903,7 @@ index 4b2878a..efc9525 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2589,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -71840,7 +71912,16 @@ index 4b2878a..efc9525 100644 files_search_home($1) ') -@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2039,7 +2620,7 @@ interface(`userdom_user_home_content_filetrans',` + type user_home_dir_t, user_home_t; + ') + +- filetrans_pattern($1, user_home_t, $2, $3) ++ filetrans_pattern($1, user_home_t, $2, $3, $4) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) + ') +@@ -2182,7 +2763,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
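Review bot: `userdom_user_home_content_filetrans` now forwards a fourth argument, `filetrans_pattern($1, user_home_t, $2, $3, $4)`, but nothing in this hunk documents it. The interface's `##` parameter header starts outside the hunk, so it cannot be checked from here. If that header still lists three parameters, add an entry such as `## <param name="name" optional="true">` with a summary saying it is the name of the object being created, so callers know the name is optional and which argument position selects the resulting label.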
@@ -71849,7 +71930,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2971,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -71858,7 +71939,7 @@ index 4b2878a..efc9525 100644 files_search_tmp($1) ') -@@ -2435,13 +3023,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3016,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -71874,7 +71955,7 @@ index 4b2878a..efc9525 100644 ## ## ## -@@ -2462,26 +3051,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3044,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -71901,7 +71982,7 @@ index 4b2878a..efc9525 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3141,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3134,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -71910,7 +71991,7 @@ index 4b2878a..efc9525 100644 ## ## ## -@@ -2580,70 +3149,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3142,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -71982,9 +72063,8 @@ index 4b2878a..efc9525 100644 gen_require(` - type user_tty_device_t, user_devpts_t; + type user_devpts_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; ++ ') ++ + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + @@ -72051,9 +72131,9 @@ index 4b2878a..efc9525 100644 +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; -+ ') -+ -+ dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_term_perms; dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') 
@@ -72079,7 +72159,7 @@ index 4b2878a..efc9525 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2713,6 +3350,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3343,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -72104,7 +72184,7 @@ index 4b2878a..efc9525 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3391,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3384,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -72129,7 +72209,7 @@ index 4b2878a..efc9525 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3409,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3402,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -72155,7 +72235,7 @@ index 4b2878a..efc9525 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3470,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3463,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -72164,7 +72244,7 @@ index 4b2878a..efc9525 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3486,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3479,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -72198,7 +72278,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -2972,7 +3574,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3567,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -72207,7 +72287,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -3027,7 +3629,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3622,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -72254,7 +72334,7 @@ index 4b2878a..efc9525 100644 ') ######################################## -@@ -3064,6 +3704,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3697,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -72262,7 +72342,7 @@ index 4b2878a..efc9525 100644 kernel_search_proc($1) ') -@@ -3142,6 +3783,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3776,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -72287,7 +72367,7 @@ index 4b2878a..efc9525 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3853,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3846,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -73365,7 +73445,7 @@ index 4b2878a..efc9525 100644 + allow $1 unpriv_userdomain:sem rw_sem_perms; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..6bdf7f7 100644 +index 9b4a930..02686f5 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) 
@@ -73418,7 +73498,7 @@ index 9b4a930..6bdf7f7 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,66 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,73 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -73477,6 +73557,13 @@ index 9b4a930..6bdf7f7 100644 +dontaudit unpriv_userdomain self:dir setattr; + +optional_policy(` ++ alsa_read_rw_config(unpriv_userdomain) ++ alsa_manage_home_files(unpriv_userdomain) ++ alsa_relabel_home_files(unpriv_userdomain) ++ alsa_filetrans_named_content(unpriv_userdomain) ++') ++ ++optional_policy(` + gnome_filetrans_home_content(userdomain) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index c73a05b..a84fd5c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -13,11 +13,11 @@ %define POLICYVER 26 %define libsepolver 2.0.44-2 %define POLICYCOREUTILSVER 2.0.86-12 -%define CHECKPOLICYVER 2.0.26-1 +%define CHECKPOLICYVER 2.1.5-2 Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 29%{?dist} +Release: 31%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 20 2011 Miroslav Grepl 3.10.0-31 +- Needs to require a new version of checkpolicy +- Interface fixes + * Fri Sep 16 2011 Miroslav Grepl 3.10.0-29 - Allow sanlock to manage virt lib files - Add virt_use_sanlock booelan
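Review bot: The new `optional_policy` block in userdomain.te grants `alsa_manage_home_files` and `alsa_relabel_home_files` to the whole `unpriv_userdomain` attribute, with no comment saying why every unprivileged domain needs them. `userdom_restricted_user_template`, visible earlier in this patch, also assigns `typeattribute $1_t unpriv_userdomain`, so the restricted login domains receive the manage and relabel rights as well. If only desktop users need to write ALSA settings, consider keeping `alsa_read_rw_config(unpriv_userdomain)` here and moving the manage, relabel and filetrans calls into the template those users instantiate; otherwise add a line such as `# ALSA per-user settings: all unprivileged login domains may manage and relabel them`. The alsa interface bodies are not shown on this page, so the exact permissions are inferred from the interface names.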