diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 2dada19..9abc9f0 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ab24bc0..b488b01 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -15451,7 +15451,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..843f849 100644 +index 8416beb..1a164a7 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -16373,11 +16373,16 @@ index 8416beb..843f849 100644 ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2062,7 +2579,43 @@ interface(`fs_list_hugetlbfs',` +@@ -2057,12 +2574,66 @@ interface(`fs_list_hugetlbfs',` + type hugetlbfs_t; + ') - ######################################## - ## --## Manage hugetlbfs dirs. +- allow $1 hugetlbfs_t:dir list_dir_perms; ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## +## Manage hugetlbfs dirs. +## +## @@ -16415,21 +16420,40 @@ index 8416beb..843f849 100644 +######################################## +## +## Read and write hugetlbfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + ') + + ######################################## + ## +-## Manage hugetlbfs dirs. ++## Manage hugetlbfs files. ## ## ## -@@ -2070,17 +2623,17 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +2641,17 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_manage_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## @@ -16439,7 +16463,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -2088,12 +2641,13 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,12 +2659,13 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # @@ -16455,7 +16479,7 @@ index 8416beb..843f849 100644 ') ######################################## -@@ -2148,11 +2702,12 @@ interface(`fs_list_inotifyfs',` +@@ -2148,11 +2720,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -16469,7 +16493,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -2297,14 +2852,332 @@ interface(`fs_getattr_iso9660_files',` +@@ -2297,14 +2870,332 @@ interface(`fs_getattr_iso9660_files',` type iso9660_t; ') @@ -16806,7 +16830,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -2312,16 +3185,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3203,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -16827,7 +16851,7 @@ index 8416beb..843f849 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3270,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3288,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -16852,7 +16876,7 @@ index 8416beb..843f849 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3375,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -16860,7 +16884,7 @@ index 8416beb..843f849 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3414,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3432,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -16868,7 +16892,7 @@ index 8416beb..843f849 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3441,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3459,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -16913,7 +16937,7 @@ index 8416beb..843f849 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3499,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3517,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -16922,7 +16946,7 @@ index 8416beb..843f849 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3519,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3537,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -16965,7 +16989,7 @@ index 8416beb..843f849 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3569,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3587,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -16974,7 +16998,7 @@ index 8416beb..843f849 100644 ') ######################################## -@@ -2627,7 +3593,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3611,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -16983,7 +17007,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -2719,6 +3685,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3703,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -17049,7 +17073,7 @@ index 8416beb..843f849 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3766,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3784,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17058,7 +17082,7 @@ index 8416beb..843f849 100644 ## ## # -@@ -2777,7 +3802,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3820,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -17067,7 +17091,7 @@ index 8416beb..843f849 100644 ## ## # -@@ -2970,6 +3995,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4013,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17075,7 +17099,7 @@ index 8416beb..843f849 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4036,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4054,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17083,7 +17107,7 @@ index 8416beb..843f849 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4077,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4095,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17091,7 +17115,7 @@ index 8416beb..843f849 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4165,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4183,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -17116,7 +17140,7 @@ index 8416beb..843f849 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4309,25 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,7 +4327,25 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -17143,7 +17167,7 @@ index 8416beb..843f849 100644 ## ## Read and write NFS server files. ## -@@ -3281,6 +4345,42 @@ interface(`fs_rw_nfsd_fs',` +@@ -3281,6 +4363,42 @@ interface(`fs_rw_nfsd_fs',` rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -17186,7 +17210,7 @@ index 8416beb..843f849 100644 ######################################## ## ## Allow the type to associate to ramfs filesystems. -@@ -3392,7 +4492,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4510,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17195,7 +17219,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3429,7 +4529,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4547,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17204,7 +17228,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3447,7 +4547,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4565,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17213,7 +17237,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3779,6 +4879,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4897,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17238,7 +17262,7 @@ index 8416beb..843f849 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +4933,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4951,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17263,7 +17287,7 @@ index 8416beb..843f849 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +4975,76 @@ interface(`fs_getattr_tmpfs',` +@@ -3839,39 +4993,76 @@ interface(`fs_getattr_tmpfs',` ## ## ## @@ -17349,7 +17373,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3879,36 +5052,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5070,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -17393,7 +17417,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3916,35 +5088,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5106,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -17437,7 +17461,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3952,17 +5125,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5143,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -17458,7 +17482,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -3970,31 +5143,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5161,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -17496,7 +17520,7 @@ index 8416beb..843f849 100644 ') ######################################## -@@ -4105,7 +5277,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5295,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -17505,7 +17529,7 @@ index 8416beb..843f849 100644 ') ######################################## -@@ -4165,6 +5337,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5355,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -17530,7 +17554,7 @@ index 8416beb..843f849 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5392,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5410,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -17539,7 +17563,7 @@ index 8416beb..843f849 100644 ## ## ## -@@ -4221,6 +5411,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5429,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -17600,7 +17624,7 @@ index 8416beb..843f849 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5522,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5540,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -17645,7 +17669,7 @@ index 8416beb..843f849 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5579,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5597,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -17671,7 +17695,7 @@ index 8416beb..843f849 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5708,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5726,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -17697,7 +17721,7 @@ index 8416beb..843f849 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5823,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5841,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -17706,7 +17730,7 @@ index 8416beb..843f849 100644 ') ######################################## -@@ -4549,7 +5871,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5889,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -17715,7 +17739,7 @@ index 8416beb..843f849 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5918,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5936,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -17742,7 +17766,7 @@ index 8416beb..843f849 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6013,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6031,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -17768,7 +17792,7 @@ index 8416beb..843f849 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6273,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6291,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -17833,7 +17857,7 @@ index 8416beb..843f849 100644 + read_files_pattern($1, efivarfs_t, efivarfs_t) +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..235b730 100644 +index e7d1738..b00be59 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -17937,7 +17961,7 @@ index e7d1738..235b730 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,11 +179,6 @@ fs_type(spufs_t) +@@ -150,17 +179,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -17949,7 +17973,17 @@ index e7d1738..235b730 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -172,6 +196,8 @@ type vxfs_t; + genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) + genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) + ++type tracefs_t; ++fs_type(tracefs_t) ++genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0) ++ + type vmblock_t; + fs_noxattr_type(vmblock_t) + files_mountpoint(vmblock_t) +@@ -172,6 +200,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -17958,7 +17992,7 @@ index e7d1738..235b730 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +208,8 @@ fs_type(tmpfs_t) +@@ -182,6 +212,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -17967,7 +18001,7 @@ index e7d1738..235b730 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +289,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +293,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -17976,7 +18010,7 @@ index e7d1738..235b730 100644 files_mountpoint(removable_t) # -@@ -280,6 +310,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +314,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -17984,7 +18018,7 @@ index e7d1738..235b730 100644 ######################################## # -@@ -301,9 +332,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +336,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # @@ -28137,7 +28171,7 @@ index 6bf0ecc..7d0c3c3 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..69be4cf 100644 +index 8b40377..23560f0 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -28496,7 +28530,7 @@ index 8b40377..69be4cf 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,103 @@ optional_policy(` +@@ -300,64 +420,104 @@ optional_policy(` # XDM Local policy # @@ -28596,6 +28630,7 @@ index 8b40377..69be4cf 100644 -allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:process { signal signull }; allow xdm_t xserver_t:unix_stream_socket connectto; ++allow xdm_t xserver_t:unix_dgram_socket sendto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; @@ -28613,7 +28648,7 @@ index 8b40377..69be4cf 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -28646,7 +28681,7 @@ index 8b40377..69be4cf 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -28700,7 +28735,7 @@ index 8b40377..69be4cf 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +611,29 @@ files_list_mnt(xdm_t) +@@ -431,9 +612,29 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28730,7 +28765,7 @@ index 8b40377..69be4cf 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +642,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28779,7 +28814,7 @@ index 8b40377..69be4cf 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +688,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28949,7 +28984,7 @@ index 8b40377..69be4cf 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +857,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -28981,7 +29016,7 @@ index 8b40377..69be4cf 100644 ') optional_policy(` -@@ -518,8 +892,36 @@ optional_policy(` +@@ -518,8 +893,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -29019,7 +29054,7 @@ index 8b40377..69be4cf 100644 ') ') -@@ -530,6 +932,20 @@ optional_policy(` +@@ -530,6 +933,20 @@ optional_policy(` ') optional_policy(` @@ -29040,7 +29075,7 @@ index 8b40377..69be4cf 100644 hostname_exec(xdm_t) ') -@@ -547,28 +963,78 @@ optional_policy(` +@@ -547,28 +964,78 @@ optional_policy(` ') optional_policy(` @@ -29128,7 +29163,7 @@ index 8b40377..69be4cf 100644 ') optional_policy(` -@@ -580,6 +1046,14 @@ optional_policy(` +@@ -580,6 +1047,14 @@ optional_policy(` ') optional_policy(` @@ -29143,7 +29178,7 @@ index 8b40377..69be4cf 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1068,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -29152,7 +29187,7 @@ index 8b40377..69be4cf 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1078,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29165,7 +29200,7 @@ index 8b40377..69be4cf 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1095,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29181,7 +29216,7 @@ index 8b40377..69be4cf 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1111,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -29192,7 +29227,7 @@ index 8b40377..69be4cf 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1126,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29229,7 +29264,7 @@ index 8b40377..69be4cf 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1172,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29261,7 +29296,7 @@ index 8b40377..69be4cf 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1205,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29276,7 +29311,7 @@ index 8b40377..69be4cf 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1226,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1227,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -29300,7 +29335,7 @@ index 8b40377..69be4cf 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1245,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -29309,7 +29344,7 @@ index 8b40377..69be4cf 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1289,54 @@ optional_policy(` +@@ -785,17 +1290,54 @@ optional_policy(` ') optional_policy(` @@ -29366,7 +29401,7 @@ index 8b40377..69be4cf 100644 ') optional_policy(` -@@ -803,6 +1344,10 @@ optional_policy(` +@@ -803,6 +1345,10 @@ optional_policy(` ') optional_policy(` @@ -29377,7 +29412,7 @@ index 8b40377..69be4cf 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1363,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -29402,7 +29437,7 @@ index 8b40377..69be4cf 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1386,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1387,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29437,7 +29472,7 @@ index 8b40377..69be4cf 100644 ') optional_policy(` -@@ -912,7 +1451,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -29446,7 +29481,7 @@ index 8b40377..69be4cf 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1505,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -29478,7 +29513,7 @@ index 8b40377..69be4cf 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1551,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -42386,7 +42421,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..57c9025 100644 +index 2cea692..bf86a31 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -42631,7 +42666,7 @@ index 2cea692..57c9025 100644 ') ') -@@ -501,11 +669,31 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -501,11 +669,55 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -42658,12 +42693,36 @@ index 2cea692..57c9025 100644 + manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t) +') + ++######################################## ++## ++## Create specified objects in generic ++## pid directories with the dhcpc pid file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`sysnet_filetrans_dhcpc_pid',` ++ gen_require(` ++ type dhcpc_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, dhcpc_var_run_t, file, $2) ++') ++ +####################################### +## ## Execute ifconfig in the ifconfig domain. ## ## -@@ -610,6 +798,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -610,6 +822,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -42689,7 +42748,7 @@ index 2cea692..57c9025 100644 ## Read the DHCP configuration files. ## ## -@@ -626,6 +833,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -626,6 +857,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -42697,7 +42756,7 @@ index 2cea692..57c9025 100644 ') ######################################## -@@ -647,6 +855,26 @@ interface(`sysnet_search_dhcp_state',` +@@ -647,6 +879,26 @@ interface(`sysnet_search_dhcp_state',` allow $1 dhcp_state_t:dir search_dir_perms; ') @@ -42724,7 +42783,7 @@ index 2cea692..57c9025 100644 ######################################## ## ## Create DHCP state data. -@@ -711,8 +939,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -711,8 +963,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -42733,7 +42792,7 @@ index 2cea692..57c9025 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +946,13 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,8 +970,13 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -42747,7 +42806,7 @@ index 2cea692..57c9025 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +981,6 @@ interface(`sysnet_use_ldap',` +@@ -750,8 +1005,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -42756,7 +42815,7 @@ index 2cea692..57c9025 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -760,9 +989,14 @@ interface(`sysnet_use_ldap',` +@@ -760,9 +1013,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) @@ -42771,7 +42830,7 @@ index 2cea692..57c9025 100644 ') ######################################## -@@ -784,7 +1018,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +1042,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -42779,7 +42838,7 @@ index 2cea692..57c9025 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1029,125 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 03b15df..81a1fe2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..f1f976b 100644 +index f6eb485..438bc20 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -4255,10 +4255,12 @@ index f6eb485..f1f976b 100644 - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Allow attempts to read and write Apache +## unix domain stream sockets. +## @@ -4274,12 +4276,10 @@ index f6eb485..f1f976b 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## @@ -4753,11 +4753,31 @@ index f6eb485..f1f976b 100644 -######################################## +###################################### ++## ++## Allow the specified domain to read ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_files',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw files. ++## apache system content rw dirs. ## ## ## @@ -4767,32 +4787,12 @@ index f6eb485..f1f976b 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_files',` ++interface(`apache_read_sys_content_rw_dirs',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -5146,7 +5146,7 @@ index f6eb485..f1f976b 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1500,160 @@ interface(`apache_admin',` +@@ -1224,9 +1500,182 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -5282,7 +5282,9 @@ index f6eb485..f1f976b 100644 + type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t; + type httpd_user_content_ra_t; + ') -+ + +- apache_run_all_scripts($1, $2) +- apache_run_helper($1, $2) + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") @@ -5305,11 +5307,31 @@ index f6eb485..f1f976b 100644 + gen_require(` + type httpd_var_run_t; + ') - -- apache_run_all_scripts($1, $2) -- apache_run_helper($1, $2) ++ + files_search_pids($1) + read_files_pattern($1, httpd_var_run_t, httpd_var_run_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## httpd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_dbus_chat',` ++ gen_require(` ++ type httpd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 httpd_t:dbus send_msg; ++ allow httpd_t $1:dbus send_msg; ++ ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te index 6649962..1862dfb 100644 @@ -7819,7 +7841,7 @@ index f3c0aba..f6e25ed 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..5b4d973 100644 +index 080bc4d..f46078f 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -7849,7 +7871,12 @@ index 080bc4d..5b4d973 100644 logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t) +@@ -50,11 +57,11 @@ manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t) + files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file) + + kernel_read_system_state(apcupsd_t) ++kernel_read_network_state(apcupsd_t) + corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) @@ -7857,7 +7884,7 @@ index 080bc4d..5b4d973 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,26 +74,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) @@ -7904,7 +7931,7 @@ index 080bc4d..5b4d973 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +122,11 @@ optional_policy(` +@@ -101,6 +123,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7916,7 +7943,7 @@ index 080bc4d..5b4d973 100644 ######################################## # # CGI local policy -@@ -108,20 +134,20 @@ optional_policy(` +@@ -108,20 +135,20 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) @@ -29909,10 +29936,10 @@ index 0000000..c4d2c2d +') diff --git a/fwupd.te b/fwupd.te new file mode 100644 -index 0000000..8937282 +index 0000000..53ba6cd --- /dev/null +++ b/fwupd.te -@@ -0,0 +1,48 @@ +@@ -0,0 +1,50 @@ +policy_module(fwupd, 1.0.0) + +######################################## @@ -29956,6 +29983,8 @@ index 0000000..8937282 +dev_rw_sysfs(fwupd_t) +dev_rw_generic_usb_dev(fwupd_t) + ++fs_getattr_all_fs(fwupd_t) ++ +udev_read_pid_files(fwupd_t) + +optional_policy(` @@ -54538,7 +54567,7 @@ index b708708..f4c0e61 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666..c2c13aa 100644 +index 06f8666..4599ab5 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,27 +1,46 @@ @@ -54581,7 +54610,8 @@ index 06f8666..c2c13aa 100644 +/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + - /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) +-/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) ++/usr/sbin/mysqld(-max|-debug)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) -/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) @@ -54591,7 +54621,7 @@ index 06f8666..c2c13aa 100644 +# +# /var +# -+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) ++/var/lib/mysql(-files)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) @@ -62609,7 +62639,7 @@ index c87bd2a..4c17c99 100644 + ') ') diff --git a/oddjob.te b/oddjob.te -index e403097..033911e 100644 +index e403097..45d387d 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) @@ -62666,14 +62696,14 @@ index e403097..033911e 100644 locallogin_dontaudit_use_fds(oddjob_t) -@@ -65,28 +65,24 @@ optional_policy(` - dbus_connect_system_bus(oddjob_t) +@@ -66,27 +66,27 @@ optional_policy(` ') --optional_policy(` + optional_policy(` - unconfined_domtrans(oddjob_t) --') -- ++ apache_dbus_chat(oddjob_t) + ') + ######################################## # -# Mkhomedir local policy @@ -62699,7 +62729,7 @@ index e403097..033911e 100644 selinux_get_fs_mount(oddjob_mkhomedir_t) selinux_validate_context(oddjob_mkhomedir_t) selinux_compute_access_vector(oddjob_mkhomedir_t) -@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t) +@@ -98,8 +98,11 @@ seutil_read_config(oddjob_mkhomedir_t) seutil_read_file_contexts(oddjob_mkhomedir_t) seutil_read_default_contexts(oddjob_mkhomedir_t) @@ -65525,7 +65555,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..fce33b0 100644 +index 44dbc99..ede6e1c 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -65557,7 +65587,7 @@ index 44dbc99..fce33b0 100644 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; -+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; ++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource }; +allow openvswitch_t self:capability2 block_suspend; +allow openvswitch_t self:process { fork setsched setrlimit signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; @@ -65591,7 +65621,7 @@ index 44dbc99..fce33b0 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -65627,7 +65657,8 @@ index 44dbc99..fce33b0 100644 fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) -+fs_rw_hugetlbfs_files(openvswitch_t) ++fs_manage_hugetlbfs_files(openvswitch_t) ++fs_manage_hugetlbfs_dirs(openvswitch_t) + +auth_use_nsswitch(openvswitch_t) @@ -108851,7 +108882,7 @@ index a4f20bc..58f9c69 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..19b6ffb 100644 +index facdee8..65b5a0d 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -110497,7 +110528,7 @@ index facdee8..19b6ffb 100644 ## ## ## -@@ -935,117 +1266,133 @@ interface(`virt_read_log',` +@@ -935,117 +1266,134 @@ interface(`virt_read_log',` ## ## # @@ -110549,6 +110580,7 @@ index facdee8..19b6ffb 100644 + logging_send_syslog_msg($1_t) + + kernel_read_system_state($1_t) ++ kernel_read_all_proc($1_t) ') ######################################## @@ -110683,7 +110715,7 @@ index facdee8..19b6ffb 100644 ## ## ## -@@ -1053,15 +1400,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -110706,7 +110738,7 @@ index facdee8..19b6ffb 100644 ## ## ## -@@ -1069,21 +1418,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -110732,7 +110764,7 @@ index facdee8..19b6ffb 100644 ## ## ## -@@ -1091,36 +1436,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -110789,7 +110821,7 @@ index facdee8..19b6ffb 100644 ##
## ## -@@ -1136,50 +1481,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -110899,7 +110931,7 @@ index facdee8..19b6ffb 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..7056171 100644 +index f03dcf5..f347621 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,248 @@ @@ -111221,7 +111253,7 @@ index f03dcf5..7056171 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -153,299 +251,135 @@ ifdef(`enable_mls',` +@@ -153,299 +251,137 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -111486,24 +111518,25 @@ index f03dcf5..7056171 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) ++allow svirt_t self:process ptrace; + +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - corenet_udp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) - corenet_udp_bind_generic_node(svirt_t) -- -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) --corenet_udp_bind_generic_node(svirt_t) + corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) corenet_udp_bind_all_ports(svirt_t) @@ -111599,7 +111632,7 @@ index f03dcf5..7056171 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +389,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +391,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -111646,7 +111679,7 @@ index f03dcf5..7056171 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +424,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +426,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -111677,7 +111710,7 @@ index f03dcf5..7056171 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +445,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +447,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -111705,7 +111738,7 @@ index f03dcf5..7056171 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +465,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +467,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -111736,7 +111769,7 @@ index f03dcf5..7056171 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +517,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +519,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -111756,7 +111789,7 @@ index f03dcf5..7056171 100644 selinux_validate_context(virtd_t) -@@ -620,18 +539,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +541,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -111793,7 +111826,7 @@ index f03dcf5..7056171 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +567,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +569,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -111802,7 +111835,7 @@ index f03dcf5..7056171 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +592,12 @@ optional_policy(` +@@ -665,20 +594,12 @@ optional_policy(` ') optional_policy(` @@ -111823,7 +111856,7 @@ index f03dcf5..7056171 100644 ') optional_policy(` -@@ -691,20 +610,26 @@ optional_policy(` +@@ -691,20 +612,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -111834,11 +111867,12 @@ index f03dcf5..7056171 100644 ') optional_policy(` +- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` - iptables_domtrans(virtd_t) ++ iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -111854,7 +111888,7 @@ index f03dcf5..7056171 100644 ') optional_policy(` -@@ -712,11 +637,18 @@ optional_policy(` +@@ -712,11 +639,18 @@ optional_policy(` ') optional_policy(` @@ -111873,7 +111907,7 @@ index f03dcf5..7056171 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +659,18 @@ optional_policy(` +@@ -727,10 +661,18 @@ optional_policy(` ') optional_policy(` @@ -111892,7 +111926,7 @@ index f03dcf5..7056171 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +686,278 @@ optional_policy(` +@@ -746,44 +688,278 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -111930,13 +111964,7 @@ index f03dcf5..7056171 100644 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) - --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++ +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) @@ -111946,15 +111974,17 @@ index f03dcf5..7056171 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") ++ +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -111987,14 +112017,18 @@ index f03dcf5..7056171 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --allow virsh_t svirt_lxc_domain:process transition; +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +dontaudit virt_domain virt_tmpfs_type:file { read write }; --can_exec(virsh_t, virsh_exec_t) +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ + +-allow virsh_t svirt_lxc_domain:process transition; +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +-can_exec(virsh_t, virsh_exec_t) +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -112074,7 +112108,7 @@ index f03dcf5..7056171 100644 + sssd_dontaudit_read_lib(virt_domain) + sssd_dontaudit_read_public_files(virt_domain) +') -+ + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) @@ -112139,7 +112173,7 @@ index f03dcf5..7056171 100644 + xserver_stream_connect(virt_domain) + ') +') - ++ +######################################## +# +# xm local policy @@ -112193,7 +112227,7 @@ index f03dcf5..7056171 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +968,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +970,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -112220,7 +112254,7 @@ index f03dcf5..7056171 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +988,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +990,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -112254,7 +112288,7 @@ index f03dcf5..7056171 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1025,20 @@ optional_policy(` +@@ -856,14 +1027,20 @@ optional_policy(` ') optional_policy(` @@ -112276,7 +112310,7 @@ index f03dcf5..7056171 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1063,65 @@ optional_policy(` +@@ -888,49 +1065,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -112360,7 +112394,7 @@ index f03dcf5..7056171 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1133,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1135,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -112380,7 +112414,7 @@ index f03dcf5..7056171 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1154,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1156,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -112404,7 +112438,7 @@ index f03dcf5..7056171 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1179,343 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1181,343 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -112889,7 +112923,7 @@ index f03dcf5..7056171 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1530,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -112904,7 +112938,7 @@ index f03dcf5..7056171 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1546,7 @@ optional_policy(` +@@ -1192,7 +1548,7 @@ optional_policy(` ######################################## # @@ -112913,7 +112947,7 @@ index f03dcf5..7056171 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1557,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index ad84a35..b76d5d8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 168%{?dist} +Release: 169%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -664,6 +664,16 @@ exit 0 %endif %changelog +* Wed Feb 03 2016 Lukas Vrabec 3.13.1-169 +- Allow openvswitch domain capability sys_rawio. +- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)" +- Allow openvswitch to manage hugetlfs files and dirs. +- Allow NetworkManager create dhcpc pid files. BZ(1229755) +- Allow apcupsd to read kernel network state. BZ(1282003) +- Label /sys/kernel/debug/tracing filesystem +- Add fs_manage_hugetlbfs_files() interface. +- Add sysnet_filetrans_dhcpc_pid() interface. + * Wed Jan 20 2016 Lukas Vrabec 3.13.1-168 - Label virtlogd binary as virtd_exec_t. BZ(1291940) - Allow iptables to read nsfs files. BZ(1296826)