diff --git a/policy-F14.patch b/policy-F14.patch index a644247..9f77722 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -2252,7 +2252,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..594dc0f 100644 +index f5afe78..91737d4 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -2306,12 +2306,11 @@ index f5afe78..594dc0f 100644 +## Dontaudit search gnome homedir content (.config) +## +## - ## - ## Domain allowed access. - ## - ## - # --template(`gnome_read_gconf_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_dontaudit_search_config',` + gen_require(` + attribute gnome_home_type; @@ -2545,11 +2544,12 @@ index f5afe78..594dc0f 100644 +## read gconf config files +## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_gconf_config',` +interface(`gnome_read_gconf_config',` gen_require(` type gconf_etc_t; @@ -2587,7 +2587,7 @@ index f5afe78..594dc0f 100644 ## ## ## -@@ -84,37 +359,39 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +359,40 @@ template(`gnome_read_gconf_config',` ## ## # @@ -2625,6 +2625,7 @@ index f5afe78..594dc0f 100644 - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; ++ userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir list_dir_perms; + allow $1 data_home_t:dir list_dir_perms; + read_files_pattern($1, gconf_home_t, gconf_home_t) @@ -2638,7 +2639,7 @@ index f5afe78..594dc0f 100644 ## ## ## -@@ -122,12 +399,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +400,13 @@ interface(`gnome_stream_connect_gconf',` ## ## # 
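Review bot: The new `userdom_search_user_home_dirs($1)` line, together with the `list_dir_perms` on `gconf_home_t` and `data_home_t` and the `read_files_pattern($1, gconf_home_t, gconf_home_t)` that follow it, gives every caller of this interface read access into the user's home directory, yet the only description visible for this area is "read gconf config files", which reads as /etc-level gconf. The interface's summary block should name that per-user access, for example `## Read gconf configuration, including the user's gconf home content and listing of data_home_t.` The interface containing these lines opens outside the hunk (the inner header cites `gnome_read_gconf_config` only as context), so I cannot confirm which summary to edit from here.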
@@ -2655,7 +2656,7 @@ index f5afe78..594dc0f 100644 ') ######################################## -@@ -151,40 +429,173 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +430,173 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -3700,7 +3701,7 @@ index 9a6d67d..47aa143 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..0a9a921 100644 +index cbf4bec..7243acc 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -3773,7 +3774,7 @@ index cbf4bec..0a9a921 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,90 @@ optional_policy(` +@@ -266,3 +291,91 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -3790,6 +3791,7 @@ index cbf4bec..0a9a921 100644 +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++can_exec(mozilla_plugin_t, mozilla_home_t) + +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -19080,7 +19082,7 @@ index 99a94de..6dbc203 100644 files_search_etc(gatekeeper_t) diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc -index 54f0737..28b71f6 100644 +index 54f0737..2b552c5 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc @@ -1,3 +1,13 @@ 
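Review bot: The added `can_exec(mozilla_plugin_t, mozilla_home_t)` lets the plugin domain execute any file labeled `mozilla_home_t`, which is the user's browser profile content; the surrounding rules already give the browser side write access to that type, so anything the browser downloads into the profile becomes executable by a plugin. If one particular plugin binary under the profile needs this (not determinable from the hunk), it should get its own exec type and a `can_exec` on that, or the rule should sit inside a `tunable_policy` with a comment naming the plugin, e.g. `# Needed for <plugin>; see bug <n>` above the line. These rules are module-level, so there is no enclosing block.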
@@ -19093,7 +19095,8 @@ index 54f0737..28b71f6 100644 +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) - /var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) ++/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) @@ -20420,7 +20423,7 @@ index 9fab1dc..dc7dd01 100644 mta_send_mail(innd_t) diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc -index 4c9acec..908eb91 100644 +index 4c9acec..deef4c7 100644 --- a/policy/modules/services/jabber.fc +++ b/policy/modules/services/jabber.fc @@ -2,5 +2,14 @@ @@ -20429,9 +20432,9 @@ index 4c9acec..908eb91 100644 +# for new version of jabberd +/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) -+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) + +/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) + @@ -20561,7 +20564,7 @@ index 9878499..9167dc9 100644 domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..5f8840f 100644 +index da2127e..e184dff 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0) 
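Review bot: Relabeling `/usr/bin/c2s` from `jabberd_exec_t` to `jabberd_router_exec_t` runs the client-facing listener in the same domain as the internal router, so the component that accepts untrusted client connections shares the router's privileges rather than the narrower `jabberd_t` set. If that merge is deliberate it should be stated in the comment above these entries, e.g. `# c2s shares the router domain; see jabber.te`, otherwise c2s belongs with `s2s` and `sm` under `jabberd_exec_t`. The rest of this file context is unaffected.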
@@ -20585,7 +20588,7 @@ index da2127e..5f8840f 100644 type jabberd_log_t; logging_log_file(jabberd_log_t) -@@ -21,40 +27,78 @@ files_type(jabberd_var_lib_t) +@@ -21,74 +27,94 @@ files_type(jabberd_var_lib_t) type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) @@ -20593,10 +20596,10 @@ index da2127e..5f8840f 100644 +permissive jabberd_router_t; +permissive jabberd_t; + -+####################################### ++###################################### # -# Local policy -+# Local policy for jabberd domains ++# Local policy for jabberd-router and c2s components # -allow jabberd_t self:capability dac_override; 
@@ -20605,6 +20608,95 @@ index da2127e..5f8840f 100644 -allow jabberd_t self:fifo_file read_fifo_file_perms; -allow jabberd_t self:tcp_socket create_stream_socket_perms; -allow jabberd_t self:udp_socket create_socket_perms; +- +-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) +- +-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) +- +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +- +-kernel_read_kernel_sysctls(jabberd_t) +-kernel_list_proc(jabberd_t) +-kernel_read_proc_symlinks(jabberd_t) +- +-corenet_all_recvfrom_unlabeled(jabberd_t) +-corenet_all_recvfrom_netlabel(jabberd_t) +-corenet_tcp_sendrecv_generic_if(jabberd_t) +-corenet_udp_sendrecv_generic_if(jabberd_t) +-corenet_tcp_sendrecv_generic_node(jabberd_t) +-corenet_udp_sendrecv_generic_node(jabberd_t) +-corenet_tcp_sendrecv_all_ports(jabberd_t) +-corenet_udp_sendrecv_all_ports(jabberd_t) +-corenet_tcp_bind_generic_node(jabberd_t) +-corenet_tcp_bind_jabber_client_port(jabberd_t) +-corenet_tcp_bind_jabber_interserver_port(jabberd_t) +-corenet_sendrecv_jabber_client_server_packets(jabberd_t) +-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) ++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; ++ ++corenet_tcp_bind_jabber_client_port(jabberd_router_t) ++corenet_tcp_bind_jabber_router_port(jabberd_router_t) ++corenet_tcp_connect_jabber_router_port(jabberd_router_t) ++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) ++corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) + +-dev_read_sysfs(jabberd_t) +-# For SSL +-dev_read_rand(jabberd_t) ++fs_getattr_all_fs(jabberd_router_t) + +-domain_use_interactive_fds(jabberd_t) ++miscfiles_read_certs(jabberd_router_t) + +-files_read_etc_files(jabberd_t) 
+-files_read_etc_runtime_files(jabberd_t) ++optional_policy(` ++ kerberos_use(jabberd_router_t) ++') + +-fs_getattr_all_fs(jabberd_t) +-fs_search_auto_mountpoints(jabberd_t) ++optional_policy(` ++ nis_use_ypbind(jabberd_router_t) ++') + +-logging_send_syslog_msg(jabberd_t) ++##################################### ++# ++# Local policy for other jabberd components ++# + +-miscfiles_read_localization(jabberd_t) ++kernel_read_system_state(jabberd_t) + +-sysnet_read_config(jabberd_t) ++corenet_tcp_bind_jabber_interserver_port(jabberd_t) ++corenet_tcp_connect_jabber_router_port(jabberd_t) + + userdom_dontaudit_use_unpriv_user_fds(jabberd_t) + userdom_dontaudit_search_user_home_dirs(jabberd_t) + + optional_policy(` +- nis_use_ypbind(jabberd_t) ++ seutil_sigchld_newrole(jabberd_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(jabberd_t) ++ udev_read_db(jabberd_t) + ') + +-optional_policy(` +- udev_read_db(jabberd_t) +-') ++####################################### ++# ++# Local policy for jabberd domains ++# ++ +allow jabberd_domain self:process signal_perms; +allow jabberd_domain self:fifo_file read_fifo_file_perms; +allow jabberd_domain self:tcp_socket create_stream_socket_perms; 
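Review bot: The router section now grants `corenet_tcp_bind_jabber_client_port(jabberd_router_t)`, `corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)` and `miscfiles_read_certs(jabberd_router_t)`, while `permissive jabberd_router_t;` and `permissive jabberd_t;` remain in place just above, so none of these new rules is actually enforced and the rule set cannot be validated beyond audit messages. If the domains are meant to ship confined, the permissive lines should be dropped once testing is done, or the header comment should say they are intentionally permissive for this release. Also, `kerberos_use` and `nis_use_ypbind` are given only to the router; if name-service lookups are the reason, `auth_use_nsswitch(jabberd_router_t)` is the usual single call and is likely what the other components will need too. This hunk's domain sections continue into the next hunk.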
@@ -20616,14 +20708,10 @@ index da2127e..5f8840f 100644 +# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd +manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t) +logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir }) - --manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) ++ +manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t) +files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file) - --manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) ++ +corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) @@ -20636,6 +20724,7 @@ index da2127e..5f8840f 100644 + +dev_read_urand(jabberd_domain) +dev_read_urand(jabberd_domain) ++dev_read_sysfs(jabberd_domain) + +files_read_etc_files(jabberd_domain) +files_read_etc_runtime_files(jabberd_domain) 
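Review bot: The new `dev_read_sysfs(jabberd_domain)` is inserted directly under two identical `dev_read_urand(jabberd_domain)` lines; the duplicate should be removed while this spot is being edited, leaving `dev_read_urand(jabberd_domain)` and `dev_read_sysfs(jabberd_domain)` once each. Earlier in this file the per-component `dev_read_sysfs(jabberd_t)` was dropped, so this line restores sysfs reading for every jabberd component rather than just the one that needed it; a short comment saying which component reads sysfs would justify the attribute-wide grant. The `jabberd_domain` section continues past the end of the hunk.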
@@ -20645,68 +20734,6 @@ index da2127e..5f8840f 100644 +miscfiles_read_localization(jabberd_domain) + +sysnet_read_config(jabberd_domain) -+ -+###################################### -+# -+# Local policy for jabberd-router -+# - --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) -+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; -+ -+corenet_tcp_bind_jabber_router_port(jabberd_router_t) -+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -+ -+optional_policy(` -+ kerberos_use(jabberd_router_t) -+') -+ -+######################################## -+# -+# Local policy for jabberd -+# -+ -+allow jabberd_t self:capability dac_override; -+dontaudit jabberd_t self:capability sys_tty_config; - - kernel_read_kernel_sysctls(jabberd_t) --kernel_list_proc(jabberd_t) - kernel_read_proc_symlinks(jabberd_t) -+kernel_read_system_state(jabberd_t) - --corenet_all_recvfrom_unlabeled(jabberd_t) --corenet_all_recvfrom_netlabel(jabberd_t) --corenet_tcp_sendrecv_generic_if(jabberd_t) --corenet_udp_sendrecv_generic_if(jabberd_t) --corenet_tcp_sendrecv_generic_node(jabberd_t) --corenet_udp_sendrecv_generic_node(jabberd_t) --corenet_tcp_sendrecv_all_ports(jabberd_t) --corenet_udp_sendrecv_all_ports(jabberd_t) --corenet_tcp_bind_generic_node(jabberd_t) -+corenet_tcp_connect_jabber_router_port(jabberd_t) - corenet_tcp_bind_jabber_client_port(jabberd_t) - corenet_tcp_bind_jabber_interserver_port(jabberd_t) - corenet_sendrecv_jabber_client_server_packets(jabberd_t) -@@ -66,18 +110,9 @@ dev_read_rand(jabberd_t) - - domain_use_interactive_fds(jabberd_t) - --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) -- - fs_getattr_all_fs(jabberd_t) - fs_search_auto_mountpoints(jabberd_t) - --logging_send_syslog_msg(jabberd_t) -- --miscfiles_read_localization(jabberd_t) -- --sysnet_read_config(jabberd_t) -- - userdom_dontaudit_use_unpriv_user_fds(jabberd_t) - 
userdom_dontaudit_search_user_home_dirs(jabberd_t) - diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc index 3525d24..e5db539 100644 --- a/policy/modules/services/kerberos.fc @@ -28390,24 +28417,20 @@ index f04a595..3203212 100644 + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te -index 340a6c0..eaa8706 100644 +index 340a6c0..f24c52e 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te -@@ -5,6 +5,32 @@ policy_module(razor, 2.1.1) +@@ -5,118 +5,139 @@ policy_module(razor, 2.1.1) # Declarations # +-type razor_exec_t; +-corecmd_executable_file(razor_exec_t) +ifdef(`distro_redhat',` -+ + gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_log_t; -+ type spamd_spool_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamc_home_t; -+ type spamc_tmp_t; ++ type spamc_t, spamc_exec_t, spamd_log_t; ++ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; ++ type spamc_home_t, spamc_tmp_t; + ') + + typealias spamc_t alias razor_t; 
@@ -28420,37 +28443,232 @@ index 340a6c0..eaa8706 100644 + typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -+ +',` ++ type razor_exec_t; ++ corecmd_executable_file(razor_exec_t) + - type razor_exec_t; - corecmd_executable_file(razor_exec_t) - -@@ -14,6 +40,7 @@ files_config_file(razor_etc_t) - type razor_home_t; - typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; - typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -+files_poly_member(razor_home_t) - userdom_user_home_content(razor_home_t) ++ type razor_etc_t; ++ files_config_file(razor_etc_t) ++ ++ type razor_home_t; ++ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; ++ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; ++ userdom_user_home_content(razor_home_t) ++ ++ type razor_log_t; ++ logging_log_file(razor_log_t) ++ ++ type razor_tmp_t; ++ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; ++ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; ++ files_tmp_file(razor_tmp_t) ++ ubac_constrained(razor_tmp_t) ++ ++ type razor_var_lib_t; ++ files_type(razor_var_lib_t) ++ ++ # these are here due to ordering issues: ++ razor_common_domain_template(razor) ++ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; ++ typealias razor_t alias { auditadm_razor_t secadm_razor_t }; ++ ubac_constrained(razor_t) ++ ++ razor_common_domain_template(system_razor) ++ role system_r types system_razor_t; ++ ++ ######################################## ++ # ++ # System razor local policy ++ # ++ ++ # this version of razor is invoked typically ++ # via the system spam filter ++ ++ allow system_razor_t self:tcp_socket create_socket_perms; ++ 
++ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) ++ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) ++ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) ++ files_search_etc(system_razor_t) ++ ++ allow system_razor_t razor_log_t:file manage_file_perms; ++ logging_log_filetrans(system_razor_t, razor_log_t, file) ++ ++ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) ++ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) ++ ++ corenet_all_recvfrom_unlabeled(system_razor_t) ++ corenet_all_recvfrom_netlabel(system_razor_t) ++ corenet_tcp_sendrecv_generic_if(system_razor_t) ++ corenet_raw_sendrecv_generic_if(system_razor_t) ++ corenet_tcp_sendrecv_generic_node(system_razor_t) ++ corenet_raw_sendrecv_generic_node(system_razor_t) ++ corenet_tcp_sendrecv_razor_port(system_razor_t) ++ corenet_tcp_connect_razor_port(system_razor_t) ++ corenet_sendrecv_razor_client_packets(system_razor_t) ++ ++ sysnet_read_config(system_razor_t) ++ ++ # cjp: this shouldn't be needed ++ userdom_use_unpriv_users_fds(system_razor_t) ++ ++ optional_policy(` ++ logging_send_syslog_msg(system_razor_t) ++ ') ++ ++ optional_policy(` ++ nscd_socket_use(system_razor_t) ++ ') ++ ++ ######################################## ++ # ++ # User razor local policy ++ # ++ ++ # Allow razor to be run by hand. Needed by any action other than ++ # invocation from a spam filter. 
++ ++ allow razor_t self:unix_stream_socket create_stream_socket_perms; ++ ++ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) ++ manage_files_pattern(razor_t, razor_home_t, razor_home_t) ++ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) ++ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) ++ ++ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) ++ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) ++ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) ++ ++ auth_use_nsswitch(razor_t) ++ ++ logging_send_syslog_msg(razor_t) - type razor_log_t; -@@ -100,6 +127,8 @@ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) - manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) - files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) +-type razor_etc_t; +-files_config_file(razor_etc_t) ++ userdom_search_user_home_dirs(razor_t) ++ userdom_use_user_terminals(razor_t) -+auth_use_nsswitch(razor_t) -+ - logging_send_syslog_msg(razor_t) +-type razor_home_t; +-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; +-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; +-userdom_user_home_content(razor_home_t) ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(razor_t) ++ fs_manage_nfs_files(razor_t) ++ fs_manage_nfs_symlinks(razor_t) ++ ') - userdom_search_user_home_dirs(razor_t) -@@ -118,5 +147,7 @@ tunable_policy(`use_samba_home_dirs',` - ') +-type razor_log_t; +-logging_log_file(razor_log_t) ++ tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(razor_t) ++ fs_manage_cifs_files(razor_t) ++ fs_manage_cifs_symlinks(razor_t) ++ ') - optional_policy(` +-type razor_tmp_t; +-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; +-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +-files_tmp_file(razor_tmp_t) +-ubac_constrained(razor_tmp_t) +- +-type razor_var_lib_t; +-files_type(razor_var_lib_t) +- 
+-# these are here due to ordering issues: +-razor_common_domain_template(razor) +-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; +-typealias razor_t alias { auditadm_razor_t secadm_razor_t }; +-ubac_constrained(razor_t) +- +-razor_common_domain_template(system_razor) +-role system_r types system_razor_t; +- +-######################################## +-# +-# System razor local policy +-# +- +-# this version of razor is invoked typically +-# via the system spam filter +- +-allow system_razor_t self:tcp_socket create_socket_perms; +- +-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-files_search_etc(system_razor_t) +- +-allow system_razor_t razor_log_t:file manage_file_perms; +-logging_log_filetrans(system_razor_t, razor_log_t, file) +- +-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) +- +-corenet_all_recvfrom_unlabeled(system_razor_t) +-corenet_all_recvfrom_netlabel(system_razor_t) +-corenet_tcp_sendrecv_generic_if(system_razor_t) +-corenet_raw_sendrecv_generic_if(system_razor_t) +-corenet_tcp_sendrecv_generic_node(system_razor_t) +-corenet_raw_sendrecv_generic_node(system_razor_t) +-corenet_tcp_sendrecv_razor_port(system_razor_t) +-corenet_tcp_connect_razor_port(system_razor_t) +-corenet_sendrecv_razor_client_packets(system_razor_t) +- +-sysnet_read_config(system_razor_t) +- +-# cjp: this shouldn't be needed +-userdom_use_unpriv_users_fds(system_razor_t) +- +-optional_policy(` +- logging_send_syslog_msg(system_razor_t) +-') +- +-optional_policy(` +- nscd_socket_use(system_razor_t) +-') +- +-######################################## +-# +-# User razor local policy +-# +- +-# Allow razor to be run by hand. Needed by any action other than +-# invocation from a spam filter. 
+- +-allow razor_t self:unix_stream_socket create_stream_socket_perms; +- +-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) +-manage_files_pattern(razor_t, razor_home_t, razor_home_t) +-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) +-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) +- +-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) +-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) +-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) +- +-logging_send_syslog_msg(razor_t) +- +-userdom_search_user_home_dirs(razor_t) +-userdom_use_user_terminals(razor_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(razor_t) +- fs_manage_nfs_files(razor_t) +- fs_manage_nfs_symlinks(razor_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(razor_t) +- fs_manage_cifs_files(razor_t) +- fs_manage_cifs_symlinks(razor_t) +-') +- +-optional_policy(` - nscd_socket_use(razor_t) -+ milter_manage_spamass_state(razor_t) -+') -+ ++ optional_policy(` ++ milter_manage_spamass_state(razor_t) ++ ') ') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te index 0a76027..cdd0542 100644 @@ -28569,11 +28787,25 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..9ab1d80 100644 +index 00fa514..612e4e4 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te -@@ -17,6 +17,9 @@ type rgmanager_exec_t; - domain_type(rgmanager_t) +@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) + # + + ## +-##
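Review bot: The non-Red Hat branch of this hunk drops the `files_poly_member(razor_home_t)` that the previous revision of the patch added after the `razor_home_t` typealiases (visible as `-+files_poly_member(razor_home_t)`), with no replacement; if polyinstantiated home directories are still expected to carry `razor_home_t`, that is a regression, otherwise the removal deserves a sentence in the commit message. On the `distro_redhat` side, aliasing every razor type onto the spamc/spamd types means razor runs as `spamc_t`, so the `razor_t`/`system_razor_t` split and the `ubac_constrained` on `razor_t` and `razor_tmp_t` no longer apply there; a comment above the `gen_require`, such as `# On Red Hat razor is confined as spamc; its own types are aliases only`, would make that deliberate. The `ifdef` opened at the top of the hunk closes on its final `')`.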

+-## Allow rgmanager domain to connect to the network using TCP. +-##

++##

++## Allow rgmanager domain to connect to the network using TCP. ++##

+ ##
+ gen_tunable(rgmanager_can_network_connect, false) + + type rgmanager_t; + type rgmanager_exec_t; +-domain_type(rgmanager_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t) +type rgmanager_initrc_exec_t; @@ -28582,7 +28814,16 @@ index 00fa514..9ab1d80 100644 type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) -@@ -55,11 +58,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) +@@ -37,7 +39,7 @@ files_pid_file(rgmanager_var_run_t) + allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; + dontaudit rgmanager_t self:capability { sys_ptrace }; + allow rgmanager_t self:process { setsched signal }; +-dontaudit rgmanager_t self:process { ptrace }; ++dontaudit rgmanager_t self:process ptrace; + + allow rgmanager_t self:fifo_file rw_fifo_file_perms; + allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; +@@ -55,11 +57,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) @@ -28598,7 +28839,7 @@ index 00fa514..9ab1d80 100644 kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -78,14 +84,19 @@ domain_read_all_domains_state(rgmanager_t) +@@ -78,14 +83,19 @@ domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) @@ -28619,7 +28860,7 @@ index 00fa514..9ab1d80 100644 storage_getattr_fixed_disk_dev(rgmanager_t) term_getattr_pty_fs(rgmanager_t) -@@ -140,6 +151,11 @@ optional_policy(` +@@ -140,6 +150,11 @@ optional_policy(` ') optional_policy(` @@ -28822,10 +29063,20 @@ index de37806..229a3c7 100644 + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te -index 93c896a..1ebc84d 100644 +index 93c896a..8d40ec9 100644 
--- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te -@@ -13,6 +13,8 @@ policy_module(rhcs, 1.1.0) +@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0) + # + + ## +-##

+-## Allow fenced domain to connect to the network using TCP. +-##

++##

++## Allow fenced domain to connect to the network using TCP. ++##

+ ##
gen_tunable(fenced_can_network_connect, false) attribute cluster_domain; @@ -28881,7 +29132,7 @@ index 93c896a..1ebc84d 100644 +# needed by fence_scsi +optional_policy(` -+ corosync_exec(fenced_t) ++ corosync_exec(fenced_t) +') + optional_policy(` @@ -28890,7 +29141,15 @@ index 93c896a..1ebc84d 100644 ') optional_policy(` -@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -120,7 +129,6 @@ optional_policy(` + # + + allow gfs_controld_t self:capability { net_admin sys_resource }; +- + allow gfs_controld_t self:shm create_shm_perms; + allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + +@@ -139,10 +147,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -28901,16 +29160,25 @@ index 93c896a..1ebc84d 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -168,7 +173,7 @@ init_rw_script_tmp_files(groupd_t) +@@ -154,7 +158,6 @@ optional_policy(` + + allow groupd_t self:capability { sys_nice sys_resource }; + allow groupd_t self:process setsched; +- + allow groupd_t self:shm create_shm_perms; + + dev_list_sysfs(groupd_t) +@@ -168,8 +171,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # -allow qdiskd_t self:capability ipc_lock; +- +allow qdiskd_t self:capability { ipc_lock sys_boot }; - allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t) + +@@ -207,10 +209,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` 
@@ -28921,7 +29189,16 @@ index 93c896a..1ebc84d 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -231,10 +232,17 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms; +@@ -223,18 +221,24 @@ optional_policy(` + # rhcs domains common policy + # + +-allow cluster_domain self:capability { sys_nice }; ++allow cluster_domain self:capability sys_nice; + allow cluster_domain self:process setsched; +- + allow cluster_domain self:sem create_sem_perms; + allow cluster_domain self:fifo_file rw_fifo_file_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms; allow cluster_domain self:unix_dgram_socket create_socket_perms; @@ -28950,6 +29227,19 @@ index 96efae7..793a29f 100644 + fs_search_tmpfs($1) allow $1 rhgb_tmpfs_t:file rw_file_perms; ') +diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te +index 0f262a7..4d10897 100644 +--- a/policy/modules/services/rhgb.te ++++ b/policy/modules/services/rhgb.te +@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms; + allow rhgb_t self:udp_socket create_socket_perms; + allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; + +-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; ++allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(rhgb_t, rhgb_devpts_t) + + manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc index 5b08327..ed5dc05 100644 --- a/policy/modules/services/ricci.fc @@ -29167,11 +29457,14 @@ index f7826f9..3128dd8 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..e2434cb 100644 +index 33e72e8..29e7311 100644 --- a/policy/modules/services/ricci.te 
+++ b/policy/modules/services/ricci.te -@@ -10,6 +10,9 @@ type ricci_exec_t; - domain_type(ricci_t) +@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) + + type ricci_t; + type ricci_exec_t; +-domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) +type ricci_initrc_exec_t; @@ -29180,8 +29473,11 @@ index 33e72e8..e2434cb 100644 type ricci_tmp_t; files_tmp_file(ricci_tmp_t) -@@ -42,6 +45,9 @@ type ricci_modclusterd_exec_t; - domain_type(ricci_modclusterd_t) +@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t) + + type ricci_modclusterd_t; + type ricci_modclusterd_exec_t; +-domain_type(ricci_modclusterd_t) init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) +type ricci_modclusterd_tmpfs_t; @@ -29190,7 +29486,16 @@ index 33e72e8..e2434cb 100644 type ricci_modlog_t; type ricci_modlog_exec_t; domain_type(ricci_modlog_t) -@@ -105,6 +111,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) +@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) + manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) + files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) + +-allow ricci_t ricci_var_log_t:dir setattr; ++allow ricci_t ricci_var_log_t:dir setattr_dir_perms; + manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) + manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) + logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) +@@ -105,6 +109,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(ricci_t) @@ -29198,7 +29503,7 @@ index 33e72e8..e2434cb 100644 corecmd_exec_bin(ricci_t) -@@ -170,6 +177,10 @@ optional_policy(` +@@ -170,6 +175,10 @@ optional_policy(` ') optional_policy(` 
@@ -29209,7 +29514,7 @@ index 33e72e8..e2434cb 100644 unconfined_use_fds(ricci_t) ') -@@ -241,8 +252,7 @@ optional_policy(` +@@ -241,8 +250,7 @@ optional_policy(` ') optional_policy(` @@ -29219,7 +29524,7 @@ index 33e72e8..e2434cb 100644 ') ######################################## -@@ -261,6 +271,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; +@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; @@ -29230,7 +29535,7 @@ index 33e72e8..e2434cb 100644 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +286,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock +@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -29238,7 +29543,7 @@ index 33e72e8..e2434cb 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -444,6 +459,12 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,6 +457,12 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -29264,10 +29569,28 @@ index 2785337..c3c2775 100644 /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te -index 779fa44..29a5d0d 100644 +index 779fa44..0155ca7 100644 --- a/policy/modules/services/rlogin.te 
+++ b/policy/modules/services/rlogin.te -@@ -43,7 +43,6 @@ can_exec(rlogind_t, rlogind_exec_t) +@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) + # Local policy + # + +-allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; ++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; + allow rlogind_t self:process signal_perms; + allow rlogind_t self:fifo_file rw_fifo_file_perms; + allow rlogind_t self:tcp_socket connected_stream_socket_perms; + # for identd; cjp: this should probably only be inetd_child rules? + allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow rlogind_t self:capability { setuid setgid }; + +-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; ++allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(rlogind_t, rlogind_devpts_t) + + # for /usr/lib/telnetlogin +@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t) manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) @@ -29275,7 +29598,7 @@ index 779fa44..29a5d0d 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -71,6 +70,7 @@ fs_search_auto_mountpoints(rlogind_t) +@@ -71,6 +69,7 @@ fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) @@ -29283,7 +29606,7 @@ index 779fa44..29a5d0d 100644 files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,6 +88,9 @@ seutil_read_config(rlogind_t) +@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -29380,13 +29703,42 @@ index cda37bb..28e7576 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 8e1ab72..9ae080e 100644 +index 8e1ab72..288e6cc 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te -@@ -63,8 +63,9 @@ allow rpcd_t self:process { getcap setcap }; +@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) + # + + ## +-##

+-## Allow gssd to read temp directory. For access to kerberos tgt. +-##

++##

++## Allow gssd to read temp directory. For access to kerberos tgt. ++##

+ ##
+ gen_tunable(allow_gssd_read_tmp, true) + + ## +-##

+-## Allow nfs servers to modify public files +-## used for public file transfer services. Files/Directories must be +-## labeled public_content_rw_t. +-##

++##

++## Allow nfs servers to modify public files ++## used for public file transfer services. Files/Directories must be ++## labeled public_content_rw_t. ++##

+ ##
+ gen_tunable(allow_nfsd_anon_write, false) + +@@ -62,9 +62,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; + allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; - allow rpcd_t rpcd_var_run_t:dir setattr; +-allow rpcd_t rpcd_var_run_t:dir setattr; ++allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; +manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(rpcd_t, rpcd_var_run_t, file) @@ -29394,7 +29746,15 @@ index 8e1ab72..9ae080e 100644 # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) -@@ -97,15 +98,26 @@ miscfiles_read_generic_certs(rpcd_t) +@@ -87,6 +88,7 @@ fs_read_rpc_files(rpcd_t) + fs_read_rpc_symlinks(rpcd_t) + fs_rw_rpc_sockets(rpcd_t) + fs_get_all_fs_quotas(rpcd_t) ++fs_set_xattr_fs_quotas(rpcd_t) + fs_getattr_all_fs(rpcd_t) + + storage_getattr_fixed_disk_dev(rpcd_t) +@@ -97,15 +99,26 @@ miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -29421,7 +29781,7 @@ index 8e1ab72..9ae080e 100644 ######################################## # # NFSD local policy -@@ -120,6 +132,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +@@ -120,6 +133,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) 
@@ -29429,15 +29789,25 @@ index 8e1ab72..9ae080e 100644 corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -160,6 +173,7 @@ tunable_policy(`nfs_export_all_rw',` - fs_read_noxattr_fs_files(nfsd_t) - auth_manage_all_files_except_shadow(nfsd_t) - ') +@@ -148,6 +162,8 @@ storage_raw_read_removable_device(nfsd_t) + # Read access to public_content_t and public_content_rw_t + miscfiles_read_public_files(nfsd_t) + +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) ++ + # Write access to public_content_t and public_content_rw_t + tunable_policy(`allow_nfsd_anon_write',` + miscfiles_manage_public_files(nfsd_t) +@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',` - tunable_policy(`nfs_export_all_ro',` - dev_getattr_all_blk_files(nfsd_t) -@@ -218,6 +232,8 @@ tunable_policy(`allow_gssd_read_tmp',` + allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; + allow gssd_t self:process { getsched setsched }; +-allow gssd_t self:fifo_file rw_file_perms; ++allow gssd_t self:fifo_file rw_fifo_file_perms; + + manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) + manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -218,6 +234,8 @@ tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) @@ -30707,19 +31077,28 @@ index 275f9fb..bfdf197 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..b5cd366 100644 +index 3d8d1b3..0927db4 100644 --- a/policy/modules/services/snmp.te 
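Review bot: `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` now sits unconditionally between the read-only `miscfiles_read_public_files(nfsd_t)` and the `allow_nfsd_anon_write` block, with no comment saying why nfsd_t labels things it creates in user home directories. The type_transition is inert on its own, since the create permission appears to come from `auth_manage_all_files_except_shadow(nfsd_t)` under the `nfs_export_all_rw` tunable (visible only as removed context here, presumably still in the file), but a reader skimming this section will take it as evidence that nfsd_t writes to home directories by default. Add `# label files nfsd creates in user home dirs as user_home_t; the create permission itself is gated by nfs_export_all_rw` above the line, and confirm the transition is not meant to live inside that tunable block. The nfsd_t section continues outside the hunk.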
+++ b/policy/modules/services/snmp.te -@@ -24,7 +24,7 @@ files_type(snmpd_var_lib_t) +@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) + # + # Declarations + # ++ + type snmpd_t; + type snmpd_exec_t; + init_daemon_domain(snmpd_t, snmpd_exec_t) +@@ -24,7 +25,8 @@ files_type(snmpd_var_lib_t) # # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; ++ +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -@@ -43,8 +43,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) +@@ -43,8 +45,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) @@ -30730,7 +31109,7 @@ index 3d8d1b3..b5cd366 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -97,6 +98,7 @@ fs_search_auto_mountpoints(snmpd_t) +@@ -97,6 +100,7 @@ fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) @@ -30738,6 +31117,15 @@ index 3d8d1b3..b5cd366 100644 auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) +@@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t) + userdom_dontaudit_use_unpriv_user_fds(snmpd_t) + userdom_dontaudit_search_user_home_dirs(snmpd_t) + +-ifdef(`distro_redhat', ` ++ifdef(`distro_redhat',` + optional_policy(` + rpm_read_db(snmpd_t) + rpm_dontaudit_manage_db(snmpd_t) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if index c117e8b..88ebedb 100644 --- a/policy/modules/services/snort.if 
@@ -30769,6 +31157,31 @@ index c117e8b..88ebedb 100644 - files_search_pids($1) + files_list_pids($1) ') +diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te +index d7f4bd4..012723c 100644 +--- a/policy/modules/services/snort.te ++++ b/policy/modules/services/snort.te +@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t) + allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; + dontaudit snort_t self:capability sys_tty_config; + allow snort_t self:process signal_perms; +-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; ++allow snort_t self:netlink_route_socket create_netlink_socket_perms; + allow snort_t self:tcp_socket create_stream_socket_perms; + allow snort_t self:udp_socket create_socket_perms; + allow snort_t self:packet_socket create_socket_perms; + allow snort_t self:socket create_socket_perms; + # Snort IPS node. unverified. +-allow snort_t self:netlink_firewall_socket { bind create getattr }; ++allow snort_t self:netlink_firewall_socket create_socket_perms; + + allow snort_t snort_etc_t:dir list_dir_perms; + allow snort_t snort_etc_t:file read_file_perms; +-allow snort_t snort_etc_t:lnk_file { getattr read }; ++allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; + + manage_files_pattern(snort_t, snort_log_t, snort_log_t) + create_dirs_pattern(snort_t, snort_log_t, snort_log_t) diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if index 93fe7bf..4a15633 100644 --- a/policy/modules/services/soundserver.if @@ -30991,64 +31404,127 @@ index c954f31..7f57f22 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index 9d40380..9ad4eff 100644 +index 9d40380..56e4c2e 100644 --- a/policy/modules/services/spamassassin.te 
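Review bot: `allow snort_t self:netlink_route_socket create_netlink_socket_perms;` widens the original explicit set `{ bind create getattr nlmsg_read read write }`: if I recall refpolicy's obj_perm_sets correctly, `create_netlink_socket_perms` expands to `{ create_socket_perms nlmsg_read nlmsg_write }`, so a passive sniffer gains the ability to send route-modifying netlink messages. Keep the macro tidy-up but preserve the read-only intent, e.g. `allow snort_t self:netlink_route_socket { create_socket_perms nlmsg_read };`. The same concern applies to the `netlink_firewall_socket` line, where `create_socket_perms` replaces `{ bind create getattr }` and now adds read/write on a socket the adjacent comment still marks "unverified"; that comment should at least be updated to say what was verified.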
+++ b/policy/modules/services/spamassassin.te -@@ -19,6 +19,35 @@ gen_tunable(spamassassin_can_network, false) +@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.3.1) + # + + ## +-##

+-## Allow user spamassassin clients to use the network. +-##

++##

++## Allow user spamassassin clients to use the network. ++##

+ ##
+ gen_tunable(spamassassin_can_network, false) + + ## +-##

+-## Allow spamd to read/write user home directories. +-##

++##

++## Allow spamd to read/write user home directories. ++##

##
gen_tunable(spamd_enable_home_dirs, true) +-type spamassassin_t; +-type spamassassin_exec_t; +-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; +-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; +-application_domain(spamassassin_t, spamassassin_exec_t) +-ubac_constrained(spamassassin_t) +- +-type spamassassin_home_t; +-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +-userdom_user_home_content(spamassassin_home_t) +- +-type spamassassin_tmp_t; +-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; +-files_tmp_file(spamassassin_tmp_t) +-ubac_constrained(spamassassin_tmp_t) +- +-type spamc_t; +-type spamc_exec_t; +-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; +-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; +-application_domain(spamc_t, spamc_exec_t) +-ubac_constrained(spamc_t) +- +-type spamc_tmp_t; +-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; +-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +-files_tmp_file(spamc_tmp_t) +-ubac_constrained(spamc_tmp_t) +ifdef(`distro_redhat',` -+# spamassassin client executable -+type spamc_t; -+type spamc_exec_t; -+application_domain(spamc_t, spamc_exec_t) -+role system_r types spamc_t; -+ -+type spamd_etc_t; -+files_config_file(spamd_etc_t) -+ -+typealias spamc_exec_t alias spamassassin_exec_t; -+typealias spamc_t alias spamassassin_t; -+ -+type spamc_home_t; -+userdom_user_home_content(spamc_home_t) -+typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t 
sysadm_spamassassin_home_t }; -+typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -+typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; -+typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; -+ -+type spamc_tmp_t; -+files_tmp_file(spamc_tmp_t) -+typealias spamc_tmp_t alias spamassassin_tmp_t; -+typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -+typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -+ -+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -+', ` - type spamassassin_t; - type spamassassin_exec_t; - typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -@@ -30,6 +59,7 @@ type spamassassin_home_t; - typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; - typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; - userdom_user_home_content(spamassassin_home_t) -+files_poly_member(spamassassin_home_t) - - type spamassassin_tmp_t; - typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -@@ -49,10 +79,21 @@ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tm - typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; - files_tmp_file(spamc_tmp_t) - ubac_constrained(spamc_tmp_t) ++ # spamassassin client executable ++ type spamc_t; ++ type spamc_exec_t; ++ application_domain(spamc_t, spamc_exec_t) ++ role system_r types spamc_t; ++ ++ type spamd_etc_t; ++ files_config_file(spamd_etc_t) ++ ++ typealias spamc_exec_t alias spamassassin_exec_t; ++ typealias spamc_t alias spamassassin_t; ++ ++ type spamc_home_t; ++ 
userdom_user_home_content(spamc_home_t) ++ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; ++ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; ++ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; ++ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; ++ ++ type spamc_tmp_t; ++ files_tmp_file(spamc_tmp_t) ++ typealias spamc_tmp_t alias spamassassin_tmp_t; ++ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; ++ ++ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; ++',` ++ type spamassassin_t; ++ type spamassassin_exec_t; ++ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; ++ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; ++ application_domain(spamassassin_t, spamassassin_exec_t) ++ ubac_constrained(spamassassin_t) ++ ++ type spamassassin_home_t; ++ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; ++ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; ++ userdom_user_home_content(spamassassin_home_t) ++ ++ type spamassassin_tmp_t; ++ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; ++ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; ++ files_tmp_file(spamassassin_tmp_t) ++ ubac_constrained(spamassassin_tmp_t) ++ ++ type spamc_t; ++ type spamc_exec_t; ++ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t 
}; ++ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; ++ application_domain(spamc_t, spamc_exec_t) ++ ubac_constrained(spamc_t) ++ ++ type spamc_tmp_t; ++ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; ++ files_tmp_file(spamc_tmp_t) ++ ubac_constrained(spamc_tmp_t) +') type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) -+can_exec(spamd_t, spamd_exec_t) -+ + +type spamd_compiled_t; +files_type(spamd_compiled_t) + @@ -31057,10 +31533,11 @@ index 9d40380..9ad4eff 100644 + +type spamd_log_t; +logging_log_file(spamd_log_t) - ++ type spamd_spool_t; files_type(spamd_spool_t) -@@ -108,6 +149,7 @@ kernel_read_kernel_sysctls(spamassassin_t) + +@@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) @@ -31068,7 +31545,7 @@ index 9d40380..9ad4eff 100644 # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -148,6 +190,9 @@ tunable_policy(`spamassassin_can_network',` +@@ -148,6 +188,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -31078,7 +31555,7 @@ index 9d40380..9ad4eff 100644 sysnet_read_config(spamassassin_t) ') -@@ -184,6 +229,8 @@ optional_policy(` +@@ -184,6 +227,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) 
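Review bot: In the `distro_redhat` branch spamc_t, spamc_tmp_t and spamc_home_t are declared without `ubac_constrained()`, while the generic branch directly below applies it to spamassassin_t, spamassassin_tmp_t, spamc_t and spamc_tmp_t; since spamc_t is aliased to spamassassin_t on Red Hat, this drops UBAC separation for the client domain on that distro only. Unless that is deliberate, add `ubac_constrained(spamc_t)`, `ubac_constrained(spamc_tmp_t)` and `ubac_constrained(spamc_home_t)` beside their declarations, or a comment explaining why Red Hat opts out. `role system_r types spamc_t;` and the `spamd_etc_t` declaration likewise exist only in the Red Hat branch, which deserves a one-line comment on what depends on them. The hunk only re-indents this block, so the asymmetry predates it but is now the code under review.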
@@ -31087,18 +31564,12 @@ index 9d40380..9ad4eff 100644 ') ######################################## -@@ -205,16 +252,33 @@ allow spamc_t self:unix_dgram_socket sendto; - allow spamc_t self:unix_stream_socket connectto; +@@ -206,15 +251,30 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; -+corenet_all_recvfrom_unlabeled(spamc_t) -+corenet_all_recvfrom_netlabel(spamc_t) -+corenet_tcp_sendrecv_generic_if(spamc_t) -+corenet_tcp_sendrecv_generic_node(spamc_t) -+corenet_tcp_connect_spamd_port(spamc_t) -+ -+can_exec(spamc_t, spamc_exec_t) ++can_exec(spamc_t, spamc_exec_t) ++ manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) @@ -31111,6 +31582,9 @@ index 9d40380..9ad4eff 100644 +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) +userdom_append_user_home_content_files(spamc_t) + ++list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) ++read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) ++ # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; 
@@ -31121,13 +31595,19 @@ index 9d40380..9ad4eff 100644 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -244,9 +308,16 @@ files_read_usr_files(spamc_t) +@@ -226,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) + corenet_udp_sendrecv_all_ports(spamc_t) + corenet_tcp_connect_all_ports(spamc_t) + corenet_sendrecv_all_client_packets(spamc_t) ++corenet_tcp_connect_spamd_port(spamc_t) + + fs_search_auto_mountpoints(spamc_t) + +@@ -244,9 +305,14 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) +files_list_var_lib(spamc_t) -+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +fs_search_auto_mountpoints(spamc_t) @@ -31138,7 +31618,7 @@ index 9d40380..9ad4eff 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -254,27 +325,40 @@ seutil_read_config(spamc_t) +@@ -254,27 +320,40 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -31185,7 +31665,7 @@ index 9d40380..9ad4eff 100644 ') ######################################## -@@ -286,7 +370,7 @@ optional_policy(` +@@ -286,7 +365,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -31194,7 +31674,7 @@ index 9d40380..9ad4eff 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -302,10 +386,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -302,10 +381,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; 
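Review bot: `corenet_tcp_connect_spamd_port(spamc_t)` is inserted directly under `corenet_tcp_connect_all_ports(spamc_t)`, which already grants name_connect on every port type including spamd_port_t, so the new line is a no-op that makes the unconditional block read as if spamd were the only peer spamc_t may reach. The previous hunk removed the same call from its earlier position, so this is a relocation rather than new access. Either drop the redundant line, or keep it with `# TODO: replace connect_all_ports above with this once spamc's real peers are known` so the narrowing intent is recorded.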
@@ -31213,7 +31693,7 @@ index 9d40380..9ad4eff 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +405,13 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -314,11 +400,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -31226,10 +31706,12 @@ index 9d40380..9ad4eff 100644 -files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) ++ ++can_exec(spamd_t, spamd_exec_t) kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +457,27 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -31261,7 +31743,7 @@ index 9d40380..9ad4eff 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +497,9 @@ optional_policy(` +@@ -399,7 +494,9 @@ optional_policy(` ') optional_policy(` @@ -31271,7 +31753,16 @@ index 9d40380..9ad4eff 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -416,10 +516,6 @@ optional_policy(` +@@ -408,25 +505,17 @@ optional_policy(` + ') + + optional_policy(` +- corenet_tcp_connect_mysqld_port(spamd_t) +- corenet_sendrecv_mysqld_client_packets(spamd_t) +- ++ mysql_tcp_connect(spamd_t) + mysql_search_db(spamd_t) + mysql_stream_connect(spamd_t) ') optional_policy(` @@ -31282,7 +31773,15 @@ index 9d40380..9ad4eff 100644 postfix_read_config(spamd_t) ') -@@ -437,6 +533,10 @@ optional_policy(` + optional_policy(` +- corenet_tcp_connect_postgresql_port(spamd_t) +- corenet_sendrecv_postgresql_client_packets(spamd_t) +- ++ postgresql_tcp_connect(spamd_t) + postgresql_stream_connect(spamd_t) + ') + +@@ -437,6 +526,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) 
@@ -31324,6 +31823,35 @@ index d2496bd..1d0c078 100644 ') allow $1 squid_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te +index 4b2230e..744b172 100644 +--- a/policy/modules/services/squid.te ++++ b/policy/modules/services/squid.te +@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) + # + + ## +-##

+-## Allow squid to connect to all ports, not just +-## HTTP, FTP, and Gopher ports. +-##

++##

++## Allow squid to connect to all ports, not just ++## HTTP, FTP, and Gopher ports. ++##

+ ##
+ gen_tunable(squid_connect_any, false) + + ## +-##

+-## Allow squid to run as a transparent proxy (TPROXY) +-##

++##

++## Allow squid to run as a transparent proxy (TPROXY) ++##

+ ##
+ gen_tunable(squid_use_tproxy, false) + diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 078bcd7..dd706b0 100644 --- a/policy/modules/services/ssh.fc @@ -31636,24 +32164,50 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..68c3057 100644 +index 2dad3c8..c7efe5d 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false) +@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) + # + + ## +-##

+-## allow host key based authentication +-##

++##

++## allow host key based authentication ++##

+ ##
+ gen_tunable(allow_ssh_keysign, false) + + ## +-##

+-## Allow ssh logins as sysadm_r:sysadm_t +-##

++##

++## Allow ssh logins as sysadm_r:sysadm_t ++##

##
gen_tunable(ssh_sysadm_login, false) +## -+##

-+## allow sshd to forward port connections -+##

++##

++## allow sshd to forward port connections ++##

+##
+gen_tunable(sshd_forward_ports, false) + attribute ssh_server; attribute ssh_agent_type; -@@ -33,13 +40,12 @@ corecmd_executable_file(sshd_exec_t) + type ssh_keygen_t; + type ssh_keygen_exec_t; + init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) +-role system_r types ssh_keygen_t; + + type sshd_exec_t; + corecmd_executable_file(sshd_exec_t) +@@ -33,17 +39,12 @@ corecmd_executable_file(sshd_exec_t) ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -31667,10 +32221,28 @@ index 2dad3c8..68c3057 100644 -files_tmp_file(sshd_tmp_t) -files_poly_parent(sshd_tmp_t) - - ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) - ') -@@ -99,11 +105,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms; +-ifdef(`enable_mcs',` +- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +-') +- + type ssh_t; + type ssh_exec_t; + typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; +@@ -76,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t) + type ssh_home_t; + typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; + typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; +-files_type(ssh_home_t) + userdom_user_home_content(ssh_home_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ++') ++ + ############################## + # + # SSH client local policy +@@ -99,11 +103,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms; # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; 
@@ -31682,7 +32254,7 @@ index 2dad3c8..68c3057 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,6 +112,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -31690,7 +32262,7 @@ index 2dad3c8..68c3057 100644 # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) +@@ -124,9 +124,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -31704,7 +32276,7 @@ index 2dad3c8..68c3057 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,6 +139,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -31713,7 +32285,7 @@ index 2dad3c8..68c3057 100644 dev_read_urand(ssh_t) -@@ -169,8 +174,10 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -169,14 +172,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) 
@@ -31724,8 +32296,15 @@ index 2dad3c8..68c3057 100644 +userdom_read_user_home_content_symlinks(ssh_t) tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -200,6 +207,54 @@ optional_policy(` +- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) +- allow ssh_keysign_t ssh_t:fd use; +- allow ssh_keysign_t ssh_t:process sigchld; +- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; ++ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) + ') + + tunable_policy(`use_nfs_home_dirs',` +@@ -200,6 +202,53 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -31739,7 +32318,6 @@ index 2dad3c8..68c3057 100644 + +dontaudit ssh_keygen_t self:capability sys_tty_config; +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; -+ +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; + +allow ssh_keygen_t sshd_key_t:file manage_file_perms; @@ -31780,10 +32358,20 @@ index 2dad3c8..68c3057 100644 ############################## # # ssh_keysign_t local policy -@@ -233,44 +288,65 @@ optional_policy(` +@@ -209,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',` + allow ssh_keysign_t self:capability { setgid setuid }; + allow ssh_keysign_t self:unix_stream_socket create_socket_perms; + +- allow ssh_keysign_t sshd_key_t:file { getattr read }; ++ allow ssh_keysign_t sshd_key_t:file read_file_perms; + + dev_read_urand(ssh_keysign_t) + +@@ -232,33 +281,39 @@ optional_policy(` + # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; - +- -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) 
@@ -31803,15 +32391,17 @@ index 2dad3c8..68c3057 100644 corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) -+tunable_policy(`sshd_forward_ports', ` -+ corenet_tcp_bind_all_unreserved_ports(sshd_t) -+ corenet_tcp_connect_all_ports(sshd_t) -+') -+ +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +userdom_search_admin_dir(sshd_t) +userdom_manage_tmp_role(system_r, sshd_t) ++userdom_spec_domtrans_unpriv_users(sshd_t) ++userdom_signal_unpriv_users(sshd_t) ++ ++tunable_policy(`sshd_forward_ports',` ++ corenet_tcp_bind_all_unreserved_ports(sshd_t) ++ corenet_tcp_connect_all_ports(sshd_t) ++') + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd @@ -31825,11 +32415,8 @@ index 2dad3c8..68c3057 100644 - userdom_signal_unpriv_users(sshd_t) ') -+userdom_spec_domtrans_unpriv_users(sshd_t) -+userdom_signal_unpriv_users(sshd_t) -+ optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) +@@ -266,11 +321,24 @@ optional_policy(` ') optional_policy(` @@ -31855,7 +32442,7 @@ index 2dad3c8..68c3057 100644 ') optional_policy(` -@@ -284,6 +360,11 @@ optional_policy(` +@@ -284,6 +352,11 @@ optional_policy(` ') optional_policy(` 
@@ -31867,7 +32454,61 @@ index 2dad3c8..68c3057 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -353,10 +434,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -292,26 +365,26 @@ optional_policy(` + ') + + ifdef(`TODO',` +-tunable_policy(`ssh_sysadm_login',` +- # Relabel and access ptys created by sshd +- # ioctl is necessary for logout() processing for utmp entry and for w to +- # display the tty. +- # some versions of sshd on the new SE Linux require setattr +- allow sshd_t ptyfile:chr_file relabelto; +- +- optional_policy(` +- domain_trans(sshd_t, xauth_exec_t, userdomain) +- ') +-',` +- optional_policy(` +- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) ++ tunable_policy(`ssh_sysadm_login',` ++ # Relabel and access ptys created by sshd ++ # ioctl is necessary for logout() processing for utmp entry and for w to ++ # display the tty. ++ # some versions of sshd on the new SE Linux require setattr ++ allow sshd_t ptyfile:chr_file relabelto; ++ ++ optional_policy(` ++ domain_trans(sshd_t, xauth_exec_t, userdomain) ++ ') ++ ',` ++ optional_policy(` ++ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) ++ ') ++ # Relabel and access ptys created by sshd ++ # ioctl is necessary for logout() processing for utmp entry and for w to ++ # display the tty. ++ # some versions of sshd on the new SE Linux require setattr ++ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; + ') +- # Relabel and access ptys created by sshd +- # ioctl is necessary for logout() processing for utmp entry and for w to +- # display the tty. 
+- # some versions of sshd on the new SE Linux require setattr +- allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; +-') + ') dnl endif TODO + + ######################################## +@@ -324,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',` + + dontaudit ssh_keygen_t self:capability sys_tty_config; + allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; +- + allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; + + allow ssh_keygen_t sshd_key_t:file manage_file_perms; +@@ -353,10 +425,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -31936,22 +32577,33 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..07d6748 100644 +index 8ffa257..7113802 100644 --- a/policy/modules/services/sssd.te 
+++ b/policy/modules/services/sssd.te -@@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t) +@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) # # sssd local policy # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; ++ +allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; - allow sssd_t self:fifo_file rw_file_perms; +-allow sssd_t self:fifo_file rw_file_perms; ++allow sssd_t self:fifo_file rw_fifo_file_perms; +allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -48,6 +49,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) ++files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) + + manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) + logging_log_filetrans(sssd_t, sssd_var_log_t, file) +@@ -48,6 +50,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -31959,7 +32611,7 @@ index 8ffa257..07d6748 100644 kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) -@@ -80,6 +82,8 @@ logging_send_audit_msgs(sssd_t) +@@ -80,6 +83,8 @@ logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) 
@@ -31980,11 +32632,78 @@ index 6073656..eaf49b2 100644 + domtrans_pattern(stunnel_t, $2, $1) allow $1 stunnel_t:tcp_socket rw_socket_perms; ') +diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te +index 7ecb27b..296e5ba 100644 +--- a/policy/modules/services/stunnel.te ++++ b/policy/modules/services/stunnel.te +@@ -6,17 +6,7 @@ policy_module(stunnel, 1.9.1) + # + + type stunnel_t; +-domain_type(stunnel_t) +-role system_r types stunnel_t; +- + type stunnel_exec_t; +-domain_entry_file(stunnel_t, stunnel_exec_t) +- +-ifdef(`distro_gentoo',` +- init_daemon_domain(stunnel_t, stunnel_exec_t) +-',` +- inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) +-') + + type stunnel_etc_t; + files_config_file(stunnel_etc_t) +@@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t) + type stunnel_var_run_t; + files_pid_file(stunnel_var_run_t) + ++ifdef(`distro_gentoo',` ++ init_daemon_domain(stunnel_t, stunnel_exec_t) ++',` ++ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) ++') ++ + ######################################## + # + # Local policy +@@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms; + + allow stunnel_t stunnel_etc_t:dir list_dir_perms; + allow stunnel_t stunnel_etc_t:file read_file_perms; +-allow stunnel_t stunnel_etc_t:lnk_file { getattr read }; ++allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) + manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) +@@ -77,7 +73,7 @@ miscfiles_read_localization(stunnel_t) + + sysnet_read_config(stunnel_t) + +-ifdef(`distro_gentoo', ` ++ifdef(`distro_gentoo',` + dontaudit stunnel_t self:capability sys_tty_config; + allow stunnel_t self:udp_socket create_socket_perms; + +@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', ` + gen_require(` + type stunnel_port_t; + ') ++ + allow stunnel_t stunnel_port_t:tcp_socket name_bind; 
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te -index 52f0d6c..111b041 100644 +index 52f0d6c..3645a22 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te -@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t) +@@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0) + type sysstat_t; + type sysstat_exec_t; + init_system_domain(sysstat_t, sysstat_exec_t) +-role system_r types sysstat_t; + + type sysstat_log_t; + logging_log_file(sysstat_log_t) +@@ -18,8 +17,7 @@ logging_log_file(sysstat_log_t) # Local policy # @@ -31994,7 +32713,7 @@ index 52f0d6c..111b041 100644 allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) -@@ -68,3 +67,8 @@ optional_policy(` +@@ -68,3 +66,7 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(sysstat_t) ') @@ -32002,12 +32721,47 @@ index 52f0d6c..111b041 100644 +optional_policy(` + nscd_socket_use(sysstat_t) +') -+ +diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te +index 7038b55..4e84f23 100644 +--- a/policy/modules/services/tcpd.te ++++ b/policy/modules/services/tcpd.te +@@ -7,7 +7,6 @@ policy_module(tcpd, 1.4.0) + type tcpd_t; + type tcpd_exec_t; + inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) +-role system_r types tcpd_t; + + type tcpd_tmp_t; + files_tmp_file(tcpd_tmp_t) diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te -index f40e67b..a0eeea9 100644 +index f40e67b..34c4c57 100644 --- a/policy/modules/services/telnet.te 
+++ b/policy/modules/services/telnet.te -@@ -38,7 +38,6 @@ term_create_pty(telnetd_t, telnetd_devpts_t) +@@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0) + type telnetd_t; + type telnetd_exec_t; + inetd_service_domain(telnetd_t, telnetd_exec_t) +-role system_r types telnetd_t; + + type telnetd_devpts_t; #, userpty_type; + term_login_pty(telnetd_devpts_t) +@@ -24,21 +23,19 @@ files_pid_file(telnetd_var_run_t) + # Local policy + # + +-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; ++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; + allow telnetd_t self:process signal_perms; + allow telnetd_t self:fifo_file rw_fifo_file_perms; + allow telnetd_t self:tcp_socket connected_stream_socket_perms; + allow telnetd_t self:udp_socket create_socket_perms; + # for identd; cjp: this should probably only be inetd_child rules? + allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow telnetd_t self:capability { setuid setgid }; + +-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; ++allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(telnetd_t, telnetd_devpts_t) manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) 
@@ -32015,15 +32769,39 @@ index f40e67b..a0eeea9 100644 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) -@@ -85,6 +84,8 @@ remotelogin_domtrans(telnetd_t) +@@ -70,8 +67,6 @@ corecmd_search_bin(telnetd_t) + files_read_usr_files(telnetd_t) + files_read_etc_files(telnetd_t) + files_read_etc_runtime_files(telnetd_t) +-# for identd; cjp: this should probably only be inetd_child rules? +-files_search_home(telnetd_t) + + init_rw_utmp(telnetd_t) + +@@ -85,11 +80,8 @@ remotelogin_domtrans(telnetd_t) userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) +- +-optional_policy(` +- kerberos_keytab_template(telnetd, telnetd_t) +- kerberos_manage_host_rcache(telnetd_t) +-') +userdom_manage_user_tmp_files(telnetd_t) +userdom_tmp_filetrans_user_tmp(telnetd_t, file) - optional_policy(` - kerberos_keytab_template(telnetd, telnetd_t) + tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(telnetd_t) +@@ -98,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',` + tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(telnetd_t) + ') ++ ++optional_policy(` ++ kerberos_keytab_template(telnetd, telnetd_t) ++ kerberos_manage_host_rcache(telnetd_t) ++') ++ diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index 38bb312..1427b54 100644 --- a/policy/modules/services/tftp.if @@ -32105,9 +32883,42 @@ index 38bb312..1427b54 100644 admin_pattern($1, tftpdir_t) diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te -index d50c10d..66bfd1c 100644 +index d50c10d..97ce79e 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te +@@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0) + # + + ## +-##
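Review bot: The relocated kerberos `optional_policy` block in telnet.te leaves a trailing empty line at end of file (the `++` after `++')`), whereas this same patch removes the trailing blank from sysstat.te and vnstatd.te; drop the final added blank line so the files follow one convention. Separately, `files_search_home(telnetd_t)` and its identd comment are removed while `userdom_search_user_home_dirs(telnetd_t)` stays as context, which presumably covers the same lookup; a note that the removal is deliberate deduplication would help the next reader. The telnetd_t section starts before this hunk.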

+-## Allow tftp to modify public files +-## used for public file transfer services. +-##

++##

++## Allow tftp to modify public files ++## used for public file transfer services. ++##

+ ##
+ gen_tunable(tftp_anon_write, false) + +@@ -32,15 +32,15 @@ files_type(tftpdir_rw_t) + # + + allow tftpd_t self:capability { setgid setuid sys_chroot }; ++dontaudit tftpd_t self:capability sys_tty_config; + allow tftpd_t self:tcp_socket create_stream_socket_perms; + allow tftpd_t self:udp_socket create_socket_perms; + allow tftpd_t self:unix_dgram_socket create_socket_perms; + allow tftpd_t self:unix_stream_socket create_stream_socket_perms; +-dontaudit tftpd_t self:capability sys_tty_config; + + allow tftpd_t tftpdir_t:dir list_dir_perms; + allow tftpd_t tftpdir_t:file read_file_perms; +-allow tftpd_t tftpdir_t:lnk_file { getattr read }; ++allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) + manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) @@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',` ') @@ -32169,9 +32980,18 @@ index b113b41..c2ed23a 100644 + allow $1 tgtd_t:sem create_sem_perms; ') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te -index aa0cc45..678ab90 100644 +index aa0cc45..44dfdc8 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te +@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t) + allow tgtd_t self:capability sys_resource; + allow tgtd_t self:process { setrlimit signal }; + allow tgtd_t self:fifo_file rw_fifo_file_perms; +-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; ++allow tgtd_t self:netlink_route_socket create_netlink_socket_perms; + allow tgtd_t self:shm create_shm_perms; + allow tgtd_t self:sem create_sem_perms; + allow tgtd_t self:tcp_socket create_stream_socket_perms; @@ -57,10 +57,18 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) @@ -32205,19 +33025,33 @@ index 904f13e..464347f 100644 init_labeled_script_domtrans($1, tor_initrc_exec_t) 
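Review bot: `allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;` widens the previous `{ create_socket_perms nlmsg_read }`, because `create_netlink_socket_perms` also carries `nlmsg_write`, so the iSCSI target daemon could now modify routes rather than only query them. The macro that matches the old grant exactly is `r_netlink_socket_perms`, already used for sshd_t and tor_t elsewhere in this patch: `allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;`. If tgtd really needs to send route-changing netlink messages, a comment naming the feature should accompany the wider set. The tgtd_t section continues outside this hunk.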
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index 9fa94e4..0a0074c 100644 +index 9fa94e4..7f0d9a9 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te -@@ -42,6 +42,8 @@ files_pid_file(tor_var_run_t) +@@ -6,10 +6,10 @@ policy_module(tor, 1.7.0) + # + + ## +-##

+-## Allow tor daemon to bind +-## tcp sockets to all unreserved ports. +-##

++##

++## Allow tor daemon to bind ++## tcp sockets to all unreserved ports. ++##

+ ##
+ gen_tunable(tor_bind_all_unreserved_ports, false) + +@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t) # allow tor_t self:capability { setgid setuid sys_tty_config }; +allow tor_t self:process signal; -+ allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -67,9 +69,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +@@ -67,9 +68,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) # pid file @@ -32229,7 +33063,7 @@ index 9fa94e4..0a0074c 100644 kernel_read_system_state(tor_t) -@@ -88,6 +91,7 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -88,6 +90,7 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -32237,7 +33071,7 @@ index 9fa94e4..0a0074c 100644 # tor uses crypto and needs random dev_read_urand(tor_t) -@@ -100,6 +104,8 @@ files_read_usr_files(tor_t) +@@ -100,9 +103,11 @@ files_read_usr_files(tor_t) auth_use_nsswitch(tor_t) @@ -32245,7 +33079,11 @@ index 9fa94e4..0a0074c 100644 + miscfiles_read_localization(tor_t) - tunable_policy(`tor_bind_all_unreserved_ports', ` +-tunable_policy(`tor_bind_all_unreserved_ports', ` ++tunable_policy(`tor_bind_all_unreserved_ports',` + corenet_tcp_bind_all_unreserved_ports(tor_t) + ') + diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if index 54b8605..752697f 100644 --- a/policy/modules/services/tuned.if @@ -32327,18 +33165,30 @@ index c1feba4..1f6f55b 100644 + domtrans_pattern(ucspitcp_t, $2, $1) ') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te -index a0794bf..dd23a9c 100644 +index a0794bf..37c056b 100644 --- a/policy/modules/services/ucspitcp.te 
+++ b/policy/modules/services/ucspitcp.te -@@ -91,3 +91,8 @@ optional_policy(` +@@ -8,12 +8,10 @@ policy_module(ucspitcp, 1.3.0) + type rblsmtpd_t; + type rblsmtpd_exec_t; + init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) +-role system_r types rblsmtpd_t; + + type ucspitcp_t; + type ucspitcp_exec_t; + init_system_domain(ucspitcp_t, ucspitcp_exec_t) +-role system_r types ucspitcp_t; + + ######################################## + # +@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t) + + optional_policy(` daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) ++ daemontools_sigchld_run(ucspitcp_t) daemontools_read_svc(ucspitcp_t) ') + -+optional_policy(` -+ daemontools_sigchld_run(ucspitcp_t) -+') -+ diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if index b078bf7..fd72fe8 100644 --- a/policy/modules/services/ulogd.if @@ -32394,7 +33244,7 @@ index b078bf7..fd72fe8 100644 admin_pattern($1, ulogd_modules_t) ') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te -index eeaa641..eb4d8d5 100644 +index eeaa641..ef97cb3 100644 --- a/policy/modules/services/ulogd.te +++ b/policy/modules/services/ulogd.te @@ -31,6 +31,9 @@ logging_log_file(ulogd_var_log_t) @@ -32407,7 +33257,7 @@ index eeaa641..eb4d8d5 100644 # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -43,6 +46,18 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) +@@ -43,6 +46,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) 
@@ -32420,13 +33270,27 @@ index eeaa641..eb4d8d5 100644 +sysnet_dns_name_resolve(ulogd_t) + +optional_policy(` -+ mysql_stream_connect(ulogd_t) ++ mysql_stream_connect(ulogd_t) ++ mysql_tcp_connect(ulogd_t) +') + +optional_policy(` -+ postgresql_stream_connect(ulogd_t) ++ postgresql_stream_connect(ulogd_t) + postgresql_tcp_connect(ulogd_t) +') +diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te +index c2cf97e..037a1e8 100644 +--- a/policy/modules/services/uptime.te ++++ b/policy/modules/services/uptime.te +@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t) + + dontaudit uptimed_t self:capability sys_tty_config; + allow uptimed_t self:process signal_perms; +-allow uptimed_t self:fifo_file write_file_perms; ++allow uptimed_t self:fifo_file write_fifo_file_perms; + + allow uptimed_t uptimed_etc_t:file read_file_perms; + files_search_etc(uptimed_t) diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc index fa54aee..40b8b8d 100644 --- a/policy/modules/services/usbmuxd.fc @@ -32492,10 +33356,18 @@ index a4fbe31..a717e2d 100644 logging_list_logs($1) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index b775aaf..ec1562b 100644 +index b775aaf..1e40c2a 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te -@@ -83,6 +83,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t) +@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0) + type uucpd_t; + type uucpd_exec_t; + inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) +-role system_r types uucpd_t; + + type uucpd_lock_t; + files_lock_file(uucpd_lock_t) +@@ -83,6 +82,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t) corenet_udp_sendrecv_generic_node(uucpd_t) corenet_tcp_sendrecv_all_ports(uucpd_t) corenet_udp_sendrecv_all_ports(uucpd_t) @@ -32503,7 +33375,7 @@ index b775aaf..ec1562b 100644 dev_read_urand(uucpd_t) -@@ -113,6 +114,10 @@ optional_policy(` +@@ -113,13 +113,17 @@ optional_policy(` kerberos_use(uucpd_t) ') 
@@ -32514,6 +33386,14 @@ index b775aaf..ec1562b 100644 ######################################## # # UUX Local policy + # + + allow uux_t self:capability { setuid setgid }; +-allow uux_t self:fifo_file write_file_perms; ++allow uux_t self:fifo_file write_fifo_file_perms; + + uucp_append_log(uux_t) + uucp_manage_spool(uux_t) diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if index b4d90ac..fe5ce10 100644 --- a/policy/modules/services/varnishd.if @@ -32611,9 +33491,24 @@ index b4d90ac..fe5ce10 100644 - ') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te -index 1cc80e8..95c6dc3 100644 +index 1cc80e8..c6bf70e 100644 --- a/policy/modules/services/varnishd.te +++ b/policy/modules/services/varnishd.te +@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0) + # + + ## +-##

+-## Allow varnishd to connect to all ports, +-## not just HTTP. +-##

++##

++## Allow varnishd to connect to all ports, ++## not just HTTP. ++##

+ ##
+ gen_tunable(varnishd_connect_any, false) + @@ -50,7 +50,8 @@ files_type(varnishlog_log_t) # varnishd local policy # @@ -32624,6 +33519,24 @@ index 1cc80e8..95c6dc3 100644 allow varnishd_t self:process signal; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket create_stream_socket_perms; +@@ -69,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) + files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) + + manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) +-files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file }) ++files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) + + kernel_read_system_state(varnishd_t) + +@@ -107,7 +108,7 @@ tunable_policy(`varnishd_connect_any',` + # + + manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) +-files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file }) ++files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) + + manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) + manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if index 1f872b5..da605ba 100644 --- a/policy/modules/services/vhostmd.if @@ -32693,9 +33606,18 @@ index 1f872b5..da605ba 100644 - ') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te -index 32a3c13..f56f51f 100644 +index 32a3c13..7baeb6f 100644 --- a/policy/modules/services/vhostmd.te 
+++ b/policy/modules/services/vhostmd.te +@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t) + + allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; + allow vhostmd_t self:process { setsched getsched }; +-allow vhostmd_t self:fifo_file rw_file_perms; ++allow vhostmd_t self:fifo_file rw_fifo_file_perms; + + manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) @@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t) corenet_tcp_connect_soundd_port(vhostmd_t) @@ -33013,32 +33935,82 @@ index 7c5d8d8..dbdc0e0 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..8dac607 100644 +index 3eca020..62e349a 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0) - # +@@ -5,57 +5,66 @@ policy_module(virt, 1.4.0) # Declarations # + +attribute virsh_transition_domain; ++ + ## +-##

+-## Allow virt to use serial/parallell communication ports +-##

++##

++## Allow virt to use serial/parallell communication ports ++##

+ ##
+ gen_tunable(virt_use_comm, false) ## - ##

-@@ -42,6 +43,13 @@ gen_tunable(virt_use_sysfs, false) +-##

+-## Allow virt to read fuse files +-##

++##

++## Allow virt to read fuse files ++##

+ ##
+ gen_tunable(virt_use_fusefs, false) ## - ##

-+## Allow virtual machine to interact with the xserver -+##

+-##

+-## Allow virt to manage nfs files +-##

++##

++## Allow virt to manage nfs files ++##

+ ##
+ gen_tunable(virt_use_nfs, false) + + ## +-##

+-## Allow virt to manage cifs files +-##

++##

++## Allow virt to manage cifs files ++##

+ ##
+ gen_tunable(virt_use_samba, false) + + ## +-##

+-## Allow virt to manage device configuration, (pci) +-##

++##

++## Allow virt to manage device configuration, (pci) ++##

+ ##
+ gen_tunable(virt_use_sysfs, false) + + ## +-##

+-## Allow virt to use usb devices +-##

++##

++## Allow virtual machine to interact with the xserver ++##

+##
+gen_tunable(virt_use_xserver, false) + +## -+##

- ## Allow virt to use usb devices - ##

++##

++## Allow virt to use usb devices ++##

##
-@@ -50,12 +58,12 @@ gen_tunable(virt_use_usb, true) + gen_tunable(virt_use_usb, true) + virt_domain_template(svirt) role system_r types svirt_t; @@ -33054,7 +34026,7 @@ index 3eca020..8dac607 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -65,20 +73,25 @@ files_type(virt_etc_rw_t) +@@ -65,20 +74,25 @@ files_type(virt_etc_rw_t) # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) @@ -33081,7 +34053,7 @@ index 3eca020..8dac607 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +102,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +103,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -33093,7 +34065,7 @@ index 3eca020..8dac607 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -104,15 +122,12 @@ ifdef(`enable_mls',` +@@ -104,15 +123,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -33110,7 +34082,7 @@ index 3eca020..8dac607 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -147,11 +162,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +163,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -33126,7 +34098,7 @@ index 3eca020..8dac607 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +179,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +180,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) 
@@ -33149,13 +34121,13 @@ index 3eca020..8dac607 100644 xen_rw_image_files(svirt_t) ') -@@ -174,22 +204,29 @@ optional_policy(` +@@ -174,22 +205,28 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; +- +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; - allow virtd_t self:fifo_file rw_fifo_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; @@ -33291,7 +34263,14 @@ index 3eca020..8dac607 100644 ') optional_policy(` -@@ -402,6 +479,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms; +@@ -396,12 +473,25 @@ optional_policy(` + + allow virt_domain self:capability { dac_read_search dac_override kill }; + allow virt_domain self:process { execmem execstack signal getsched signull }; +-allow virt_domain self:fifo_file rw_file_perms; ++allow virt_domain self:fifo_file rw_fifo_file_perms; + allow virt_domain self:shm create_shm_perms; + allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -33344,7 +34323,7 @@ index 3eca020..8dac607 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +555,121 @@ optional_policy(` +@@ -457,8 +555,117 @@ optional_policy(` ') optional_policy(` 
@@ -33364,15 +34343,12 @@ index 3eca020..8dac607 100644 +# +type virsh_t; +type virsh_exec_t; -+domain_type(virsh_t) +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_override ipc_lock sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap signal }; -+ -+# internal communication is often done using fifo and unix sockets. +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; @@ -33440,7 +34416,7 @@ index 3eca020..8dac607 100644 + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) -+ vhostmd_stream_connect(virsh_t) ++ vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + @@ -33465,7 +34441,6 @@ index 3eca020..8dac607 100644 + + userdom_search_admin_dir(virsh_ssh_t) +') -+ diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc new file mode 100644 index 0000000..7667c31 @@ -33480,7 +34455,7 @@ index 0000000..7667c31 +/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if new file mode 100644 -index 0000000..14f8906 +index 0000000..b9104b7 --- /dev/null +++ b/policy/modules/services/vnstatd.if @@ -0,0 +1,144 @@ @@ -33492,7 +34467,7 @@ index 0000000..14f8906 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# @@ -33510,7 +34485,7 @@ index 0000000..14f8906 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# @@ -33630,11 +34605,11 @@ index 0000000..14f8906 +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 -index 0000000..db526e6 +index 0000000..8ec07ff --- /dev/null 
+++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,69 @@ -+policy_module(vnstatd,1.0.0) +@@ -0,0 +1,65 @@ ++policy_module(vnstatd, 1.0.0) + +######################################## +# @@ -33660,13 +34635,12 @@ index 0000000..db526e6 +# vnstatd local policy +# +allow vnstatd_t self:process { fork signal }; -+ +allow vnstatd_t self:fifo_file rw_fifo_file_perms; +allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } ) ++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) + +domain_use_interactive_fds(vnstatd_t) + @@ -33680,14 +34654,13 @@ index 0000000..db526e6 +# +# vnstat local policy +# -+allow vnstat_t self:process { signal }; -+ ++allow vnstat_t self:process signal; +allow vnstat_t self:fifo_file rw_fifo_file_perms; +allow vnstat_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } ) ++files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) + +kernel_read_network_state(vnstat_t) +kernel_read_system_state(vnstat_t) @@ -33701,8 +34674,6 @@ index 0000000..db526e6 +logging_send_syslog_msg(vnstat_t) + +miscfiles_read_localization(vnstat_t) -+ -+ diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te index 1174ad8..f4c4c1b 100644 --- a/policy/modules/services/w3c.te @@ -34762,52 +35733,80 @@ index da2601a..ef2a773 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index e226da4..29d5384 100644 +index e226da4..c80794b 100644 --- a/policy/modules/services/xserver.te 
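Review bot: The client domain vnstat_t receives the same `manage_dirs_pattern`/`manage_files_pattern` on vnstatd_var_lib_t and the same `files_var_lib_filetrans` as the daemon, with nothing in the hunk saying why a query tool needs to create and delete the daemon's database. If this is for the database maintenance subcommands, record it: `# vnstat also creates/updates the database itself (presumably -u / --create) -- confirm`; otherwise a read-only `read_files_pattern` grant on vnstatd_var_lib_t would be the tighter choice. The declarations section of vnstatd.te is outside this hunk, so which domains may transition to vnstat_t could not be checked here.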
+++ b/policy/modules/services/xserver.te -@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false) +@@ -26,27 +26,43 @@ gen_require(` + # ## - ##

-+## Allows XServer to execute writable memory -+##

+-##

+-## Allows clients to write to the X server shared +-## memory segments. +-##

++##

++## Allows clients to write to the X server shared ++## memory segments. ++##

+ ##
+ gen_tunable(allow_write_xshm, false) + + ## +-##

+-## Allow xdm logins as sysadm +-##

++##

++## Allows XServer to execute writable memory ++##

+##
+gen_tunable(allow_xserver_execmem, false) + +## -+##

- ## Allow xdm logins as sysadm - ##

++##

++## Allow xdm logins as sysadm ++##

##
-@@ -47,6 +54,16 @@ gen_tunable(xdm_sysadm_login, false) + gen_tunable(xdm_sysadm_login, false) + + ## +-##

+-## Support X userspace object manager +-##

++##

++## Support X userspace object manager ++##

##
gen_tunable(xserver_object_manager, false) +## -+##

-+## Allow regular users direct dri device access -+##

++##

++## Allow regular users direct dri device access ++##

+##
+gen_tunable(user_direct_dri, false) + +attribute xdmhomewriter; +attribute x_userdomain; -+ attribute x_domain; # X Events -@@ -109,21 +126,26 @@ xserver_common_x_domain_template(remote,remote_t) +@@ -104,26 +120,30 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven + + type remote_t; + xserver_object_types_template(remote) +-xserver_common_x_domain_template(remote,remote_t) ++xserver_common_x_domain_template(remote, remote_t) + type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; -+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; ++typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; userdom_user_home_content(user_fonts_t) type user_fonts_cache_t; typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; -+; userdom_user_home_content(user_fonts_cache_t) type user_fonts_config_t; @@ -34823,12 +35822,11 @@ index e226da4..29d5384 100644 typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; application_domain(iceauth_t, iceauth_exec_t) ubac_constrained(iceauth_t) -@@ -131,22 +153,28 @@ ubac_constrained(iceauth_t) +@@ -131,22 +151,26 @@ ubac_constrained(iceauth_t) type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; -+typealias iceauth_home_t alias { xguest_iceauth_home_t }; -+files_poly_member(iceauth_home_t) ++typealias iceauth_home_t alias { xguest_iceauth_home_t }; userdom_user_home_content(iceauth_home_t) type xauth_t; 
@@ -34843,7 +35841,6 @@ index e226da4..29d5384 100644 typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; -+files_poly_member(xauth_home_t) userdom_user_home_content(xauth_home_t) type xauth_tmp_t; @@ -34852,7 +35849,7 @@ index e226da4..29d5384 100644 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) -@@ -161,15 +189,21 @@ type xdm_t; +@@ -161,15 +185,21 @@ type xdm_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -34876,7 +35873,7 @@ index e226da4..29d5384 100644 type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -177,13 +211,27 @@ files_type(xdm_var_lib_t) +@@ -177,13 +207,27 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -34905,7 +35902,7 @@ index e226da4..29d5384 100644 # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -196,15 +244,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +@@ -196,15 +240,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -34923,7 +35920,7 @@ index e226da4..29d5384 100644 files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -234,9 +276,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) +@@ -234,9 +272,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) allow xdm_t iceauth_home_t:file read_file_perms; 
@@ -34937,17 +35934,17 @@ index e226da4..29d5384 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -246,50 +292,105 @@ tunable_policy(`use_samba_home_dirs',` +@@ -246,50 +288,105 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') -+ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + dev_dontaudit_read_urand(iceauth_t) + dev_dontaudit_rw_dri(iceauth_t) + dev_dontaudit_rw_generic_dev_nodes(iceauth_t) + fs_dontaudit_list_inotifyfs(iceauth_t) + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) -+ term_dontaudit_use_unallocated_ttys(iceauth_t) ++ term_dontaudit_use_unallocated_ttys(iceauth_t) + + userdom_dontaudit_read_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_home_content_files(iceauth_t) @@ -35015,18 +36012,18 @@ index e226da4..29d5384 100644 userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) -+ -+ifdef(`hide_broken_symptoms', ` -+ fs_dontaudit_rw_anon_inodefs_files(xauth_t) -+ fs_dontaudit_list_inotifyfs(xauth_t) -+ userdom_manage_user_home_content_files(xauth_t) -+ userdom_manage_user_tmp_files(xauth_t) -+ dev_dontaudit_rw_generic_dev_nodes(xauth_t) -+ miscfiles_read_fonts(xauth_t) -+') xserver_rw_xdm_tmp_files(xauth_t) ++ifdef(`hide_broken_symptoms',` ++ fs_dontaudit_rw_anon_inodefs_files(xauth_t) ++ fs_dontaudit_list_inotifyfs(xauth_t) ++ userdom_manage_user_home_content_files(xauth_t) ++ userdom_manage_user_tmp_files(xauth_t) ++ dev_dontaudit_rw_generic_dev_nodes(xauth_t) ++ miscfiles_read_fonts(xauth_t) ++') ++ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(xauth_t) + fs_read_nfs_symlinks(xauth_t) @@ -35036,8 +36033,8 @@ index e226da4..29d5384 100644 fs_manage_cifs_files(xauth_t) ') -+ifdef(`hide_broken_symptoms', ` -+ term_dontaudit_use_unallocated_ttys(xauth_t) ++ifdef(`hide_broken_symptoms',` ++ term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) +') + 
@@ -35048,15 +36045,14 @@ index e226da4..29d5384 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -301,20 +402,33 @@ optional_policy(` +@@ -301,20 +398,32 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; -+allow xdm_t self:process { getattr getcap setcap }; ++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -35070,9 +36066,10 @@ index e226da4..29d5384 100644 allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xauth_home_t:file manage_file_perms; + - allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + @@ -35085,7 +36082,7 @@ index e226da4..29d5384 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -322,32 +436,55 @@ can_exec(xdm_t, xdm_exec_t) +@@ -322,43 +431,69 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) 
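Review bot: The merged `allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };` line in the XDM local policy section keeps `ptrace`, and the `sys_ptrace` capability on the line just above it is equally uncommented, while the xserver_t rules further down this page deliberately exclude it (`allow xserver_t self:process ~{ ptrace ... }`). Letting the display manager trace other processes is a broad grant, so a why-comment naming the component that needs it would let a later cleanup judge whether it can go, e.g. `# ptrace/sys_ptrace: needed by <component> — TODO confirm, drop if unused`. Folding the two process lines into one is fine; this is only about documenting what the merge preserves.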
@@ -35110,7 +36107,8 @@ index e226da4..29d5384 100644 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -+ + +-manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +fs_getattr_all_fs(xdm_t) +fs_list_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) @@ -35124,8 +36122,8 @@ index e226da4..29d5384 100644 +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) - - manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) ++ ++manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) @@ -35146,7 +36144,8 @@ index e226da4..29d5384 100644 allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -355,10 +492,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; +-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; ++allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -35160,7 +36159,7 @@ index e226da4..29d5384 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -367,15 +507,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -367,15 +502,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -35184,7 +36183,7 @@ index e226da4..29d5384 100644 corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -390,18 +537,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -390,18 +532,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -35208,7 +36207,7 @@ index e226da4..29d5384 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +561,23 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -410,18 +556,23 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -35235,7 +36234,7 @@ index e226da4..29d5384 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +588,17 @@ files_list_mnt(xdm_t) +@@ -432,9 +583,17 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -35253,7 +36252,7 @@ index e226da4..29d5384 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,28 +607,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -443,28 +602,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -35292,7 +36291,7 @@ index e226da4..29d5384 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,6 +645,13 @@ userdom_read_user_home_content_files(xdm_t) +@@ -473,10 +640,25 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -35306,7 +36305,19 @@ index e226da4..29d5384 100644 xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,11 +683,17 @@ tunable_policy(`xdm_sysadm_login',` + ++ifndef(`distro_redhat',` ++ allow xdm_t self:process { execheap execmem }; ++') ++ ++ifdef(`distro_rhel4',` ++ allow xdm_t self:process { execheap execmem }; ++') ++ + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(xdm_t) + fs_manage_nfs_files(xdm_t) +@@ -504,11 +686,17 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -35324,7 +36335,7 @@ index e226da4..29d5384 100644 ') optional_policy(` -@@ -516,12 +701,51 @@ optional_policy(` +@@ -516,12 +704,49 @@ optional_policy(` ') optional_policy(` @@ -35355,10 +36366,8 @@ index e226da4..29d5384 100644 + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') -+ +') + -+ +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) @@ -35376,11 +36385,11 @@ index e226da4..29d5384 100644 hostname_exec(xdm_t) ') -@@ -539,20 +763,64 @@ optional_policy(` +@@ -539,28 +764,63 @@ optional_policy(` ') optional_policy(` -+ policykit_dbus_chat(xdm_t) ++ policykit_dbus_chat(xdm_t) + policykit_domtrans_auth(xdm_t) + policykit_read_lib(xdm_t) + policykit_read_reload(xdm_t) 
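Review bot: The hoisted `ifndef(`distro_redhat'` and `ifdef(`distro_rhel4'` blocks now grant xdm_t `execheap execmem` unconditionally on those builds, whereas on the old side of the hunk further down this page the same indented lines sat inside the `optional_policy(` block that ends up calling `unconfined_shell_domtrans(xdm_t)`, so the grant was tied to the unconfined module being present. The same page gates the identical permissions for xserver_t behind `tunable_policy(`allow_xserver_execmem'`, which leaves xdm_t as the odd one out. A one-line comment above the new block stating why xdm_t needs executable heap/anonymous memory on non-Red Hat builds, or a tunable in the same style as the xserver_t one, would make the intent reviewable. The two blocks also carry the identical rule and could become a single conditional if `distro_rhel4` can be defined without `distro_redhat`, which I cannot tell from this page.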
@@ -35423,35 +36432,33 @@ index e226da4..29d5384 100644 ') optional_policy(` +- udev_read_db(xdm_t) + ssh_signull(xdm_t) -+') -+ -+optional_policy(` -+ shutdown_domtrans(xdm_t) -+') -+ -+optional_policy(` - udev_read_db(xdm_t) ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) -+ unconfined_shell_domtrans(xdm_t) -+ unconfined_signal(xdm_t) ++ shutdown_domtrans(xdm_t) +') - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; -@@ -561,7 +829,6 @@ optional_policy(` - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') --') +- ifndef(`distro_redhat',` +- allow xdm_t self:process { execheap execmem }; +- ') ++optional_policy(` ++ udev_read_db(xdm_t) ++') + +- ifdef(`distro_rhel4',` +- allow xdm_t self:process { execheap execmem }; +- ') ++optional_policy(` ++ unconfined_shell_domtrans(xdm_t) ++ unconfined_signal(xdm_t) + ') optional_policy(` - userhelper_dontaudit_search_config(xdm_t) -@@ -572,6 +839,10 @@ optional_policy(` +@@ -572,6 +832,10 @@ optional_policy(` ') optional_policy(` @@ -35462,7 +36469,7 @@ index e226da4..29d5384 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +867,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +860,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -35471,17 +36478,13 @@ index e226da4..29d5384 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +881,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +874,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; + -+# Device rules -+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; -+allow x_domain xserver_t:x_screen getattr; -+ +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) 
@@ -35490,17 +36493,17 @@ index e226da4..29d5384 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +912,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +901,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) -allow xserver_t xauth_home_t:file read_file_perms; -+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) ++manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) + -+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) ++manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) @@ -35512,7 +36515,7 @@ index e226da4..29d5384 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +932,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +921,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -35520,7 +36523,7 @@ index e226da4..29d5384 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +959,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +948,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -35528,7 +36531,7 @@ index e226da4..29d5384 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,8 +968,13 @@ dev_wx_raw_memory(xserver_t) +@@ -678,8 +957,13 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -35542,7 +36545,7 @@ index e226da4..29d5384 100644 files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) -@@ -693,8 +988,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +977,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -35556,7 +36559,7 @@ index e226da4..29d5384 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1016,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1005,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -35571,7 +36574,7 @@ index e226da4..29d5384 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1076,28 @@ optional_policy(` +@@ -773,12 +1065,28 @@ optional_policy(` ') optional_policy(` @@ -35601,7 +36604,7 @@ index e226da4..29d5384 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1106,10 @@ optional_policy(` +@@ -787,6 +1095,10 @@ optional_policy(` ') optional_policy(` 
@@ -35612,34 +36615,40 @@ index e226da4..29d5384 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1114,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! -allow xserver_t xdm_var_lib_t:file { getattr read }; +-dontaudit xserver_t xdm_var_lib_t:dir search; +allow xserver_t xdm_var_lib_t:file read_file_perms; - dontaudit xserver_t xdm_var_lib_t:dir search; ++dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; -allow xserver_t xdm_var_run_t:file read_file_perms; +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -826,6 +1149,13 @@ init_use_fds(xserver_t) +@@ -813,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) + manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) + + # Run xkbcomp. +-allow xserver_t xkb_var_lib_t:lnk_file read; ++allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; + can_exec(xserver_t, xkb_var_lib_t) + + # VNC v4 module in X server +@@ -826,6 +1138,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) +userdom_read_all_users_state(xserver_t) + +xserver_use_user_fonts(xserver_t) -+ -+optional_policy(` -+ userhelper_search_config(xserver_t) -+') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -841,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1156,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -35656,20 +36665,77 @@ index e226da4..29d5384 100644 ') optional_policy(` -@@ -991,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; - allow xserver_unconfined_type xextension_type:x_extension *; - allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; - allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -+ +@@ -853,6 +1171,10 @@ optional_policy(` + rhgb_rw_tmpfs_files(xserver_t) + ') + +optional_policy(` -+ unconfined_rw_shm(xserver_t) -+ unconfined_execmem_rw_shm(xserver_t) -+ -+ # xserver signals unconfined user on startx -+ unconfined_signal(xserver_t) -+ unconfined_getpgid(xserver_t) ++ userhelper_search_config(xserver_t) +') + + ######################################## + # + # Rules common to all X window domains +@@ -896,7 +1218,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy + allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; + # operations allowed on my windows + allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; +-allow x_domain self:x_drawable { blend }; ++allow x_domain self:x_drawable blend; + # operations allowed on all windows + allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; + +@@ -950,11 +1272,31 @@ allow x_domain self:x_resource { read write }; + # can mess with the screensaver + allow x_domain xserver_t:x_screen { getattr saver_getattr }; + ++# Device rules ++allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; ++allow x_domain xserver_t:x_screen getattr; ++ + ######################################## + # + # Rules for unconfined access to this module + # + ++allow xserver_unconfined_type xserver_t:x_server *; ++allow xserver_unconfined_type xdrawable_type:x_drawable *; ++allow xserver_unconfined_type 
xserver_t:x_screen *; ++allow xserver_unconfined_type x_domain:x_gc *; ++allow xserver_unconfined_type xcolormap_type:x_colormap *; ++allow xserver_unconfined_type xproperty_type:x_property *; ++allow xserver_unconfined_type xselection_type:x_selection *; ++allow xserver_unconfined_type x_domain:x_cursor *; ++allow xserver_unconfined_type x_domain:x_client *; ++allow xserver_unconfined_type { x_domain xserver_t }:x_device *; ++allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; ++allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; ++allow xserver_unconfined_type xextension_type:x_extension *; ++allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; ++allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; ++ + tunable_policy(`! xserver_object_manager',` + # should be xserver_unconfined(x_domain), + # but typeattribute doesnt work in conditionals +@@ -976,18 +1318,32 @@ tunable_policy(`! xserver_object_manager',` + allow x_domain xevent_type:{ x_event x_synthetic_event } *; + ') + +-allow xserver_unconfined_type xserver_t:x_server *; +-allow xserver_unconfined_type xdrawable_type:x_drawable *; +-allow xserver_unconfined_type xserver_t:x_screen *; +-allow xserver_unconfined_type x_domain:x_gc *; +-allow xserver_unconfined_type xcolormap_type:x_colormap *; +-allow xserver_unconfined_type xproperty_type:x_property *; +-allow xserver_unconfined_type xselection_type:x_selection *; +-allow xserver_unconfined_type x_domain:x_cursor *; +-allow xserver_unconfined_type x_domain:x_client *; +-allow xserver_unconfined_type { x_domain xserver_t }:x_device *; +-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; +-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +-allow xserver_unconfined_type xextension_type:x_extension *; +-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; +-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
+tunable_policy(`allow_xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') @@ -35690,6 +36756,15 @@ index e226da4..29d5384 100644 +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') ++ ++optional_policy(` ++ unconfined_rw_shm(xserver_t) ++ unconfined_execmem_rw_shm(xserver_t) ++ ++ # xserver signals unconfined user on startx ++ unconfined_signal(xserver_t) ++ unconfined_getpgid(xserver_t) ++') diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index d77e631..4776863 100644 --- a/policy/modules/services/zabbix.if @@ -35718,6 +36793,24 @@ index d77e631..4776863 100644 ## # interface(`zabbix_append_log',` +diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te +index b8dd21a..20d7cde 100644 +--- a/policy/modules/services/zabbix.te ++++ b/policy/modules/services/zabbix.te +@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t) + # + + allow zabbix_t self:capability { setuid setgid }; +-allow zabbix_t self:fifo_file rw_file_perms; ++allow zabbix_t self:fifo_file rw_fifo_file_perms; + allow zabbix_t self:unix_stream_socket create_stream_socket_perms; + + # log files +-allow zabbix_t zabbix_log_t:dir setattr; ++allow zabbix_t zabbix_log_t:dir setattr_dir_perms; + manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) + logging_log_filetrans(zabbix_t, zabbix_log_t, file) + diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 index 0000000..56cb5af @@ -35861,10 +36954,10 @@ index 0000000..4f2dde8 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..3509088 +index 0000000..3ce4d86 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,133 @@ +@@ -0,0 +1,132 @@ +policy_module(zarafa, 1.0.0) + +######################################## 
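Review bot: The relocated `# Device rules` comment in the rules-common-to-all-X-domains section says nothing about scope, yet the rule beneath it, `allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };`, gives every domain carrying `x_domain` the `grab` and `setfocus` permissions on the server's input devices, which by their names let any confined X client take the keyboard or pointer. That may well be what the core protocol requires, but a reader of the common section cannot tell whether it is a deliberate baseline or a leftover from the xserver_t section it was moved out of. Suggest replacing the comment with `# Input-device access for all X clients; grab/setfocus are core-protocol operations — confirm this is the intended baseline`. The `xserver_unconfined_type` rules moved above the `! xserver_object_manager` tunable are a pure reorder and read fine.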
@@ -35914,7 +37007,7 @@ index 0000000..3509088 +# zarafa_server local policy +# + -+allow zarafa_server_t self:capability { chown kill net_bind_service}; ++allow zarafa_server_t self:capability { chown kill net_bind_service }; +allow zarafa_server_t self:process { setrlimit signal }; + +corenet_tcp_bind_zarafa_port(zarafa_server_t) @@ -35940,7 +37033,7 @@ index 0000000..3509088 +# + +allow zarafa_spooler_t self:capability { chown kill }; -+allow zarafa_spooler_t self:process { signal }; ++allow zarafa_spooler_t self:process signal; + +corenet_tcp_connect_smtp_port(zarafa_spooler_t) + @@ -35977,7 +37070,6 @@ index 0000000..3509088 + +# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override setgid setuid }; -+ +allow zarafa_domain self:fifo_file rw_fifo_file_perms; +allow zarafa_domain self:tcp_socket create_stream_socket_perms; +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; @@ -36022,6 +37114,34 @@ index 6b87605..347f754 100644 ') allow $1 zebra_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te +index c349adc..f0b1201 100644 +--- a/policy/modules/services/zebra.te ++++ b/policy/modules/services/zebra.te +@@ -6,11 +6,10 @@ policy_module(zebra, 1.11.1) + # + + ## +-##

+-## Allow zebra daemon to write it configuration files +-##

++##

++## Allow zebra daemon to write it configuration files ++##

+ ##
+-# + gen_tunable(allow_zebra_write_config, false) + + type zebra_t; +@@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms; + read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + +-allow zebra_t zebra_log_t:dir setattr; ++allow zebra_t zebra_log_t:dir setattr_dir_perms; + manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) + manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) + logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if index 702e768..13f0eef 100644 --- a/policy/modules/services/zosremote.if @@ -36046,6 +37166,19 @@ index 702e768..13f0eef 100644 # interface(`zosremote_run',` gen_require(` +diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te +index f9a06d2..3d407c6 100644 +--- a/policy/modules/services/zosremote.te ++++ b/policy/modules/services/zosremote.te +@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) + # + + allow zos_remote_t self:process signal; +-allow zos_remote_t self:fifo_file rw_file_perms; ++allow zos_remote_t self:fifo_file rw_fifo_file_perms; + allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; + + files_read_etc_files(zos_remote_t) diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if index ac50333..108595b 100644 --- a/policy/modules/system/application.if @@ -37123,7 +38256,7 @@ index f6aafe7..666a58f 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 698c11e..d7abdd1 100644 +index 698c11e..00283ba 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` 
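Review bot: The rewritten tunable description for `allow_zebra_write_config` still reads `Allow zebra daemon to write it configuration files`; since the commit re-adds that line anyway, it should be `Allow zebra daemon to write its configuration files`. Nothing else in this zebra.te hunk needs changing — `setattr_dir_perms` on `zebra_log_t:dir` is the class-matched macro.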
@@ -37460,7 +38593,7 @@ index 698c11e..d7abdd1 100644 miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript -miscfiles_read_generic_certs(initrc_t) -+miscfiles_manage_cert_files(initrc_t) ++miscfiles_manage_generic_cert_files(initrc_t) modutils_read_module_config(initrc_t) modutils_domtrans_insmod(initrc_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 80e32c1..24032e1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.5 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Fri Sep 24 2010 Dan Walsh 3.9.5-5 +- Pull in cleanups from dgrift +- Allow mozilla_plugin_t to execute mozilla_home_t +- Allow rpc.quota to do quotamod + * Thu Sep 23 2010 Dan Walsh 3.9.5-4 - Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files
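Review bot: The rename to `miscfiles_manage_generic_cert_files(initrc_t)` leaves the comment directly above it, `# slapd needs to read cert files from its initscript`, describing a read-only need while the rule now lets initrc_t create, modify and delete generic certificate files; the upstream line it replaces was `miscfiles_read_generic_certs(initrc_t)`. Because initrc_t is the domain init scripts generally run in, write access to the system certificate store is a much larger grant than the comment justifies. If manage access is really required, the comment should say which script writes certificates and why, e.g. `# <script> creates or rewrites files under the cert dir at start — TODO confirm`; otherwise the read interface is the narrower rule that matches the comment.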