diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ef917e0..3977b25 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9321,7 +9321,7 @@ index cf04cb5..32d58ca 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..bbd0e79 100644 +index b876c48..0f99fae 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9412,7 +9412,12 @@ index b876c48..bbd0e79 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -129,6 +133,8 @@ ifdef(`distro_debian',` +@@ -125,10 +129,12 @@ ifdef(`distro_debian',` + # + # Mount points; do not relabel subdirectories, since + # we don't want to change any removable media by default. +-/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) ++/media(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0) /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /media/[^/]*/.* <> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) @@ -9421,6 +9426,15 @@ index b876c48..bbd0e79 100644 # # /misc +@@ -138,7 +144,7 @@ ifdef(`distro_debian',` + # + # /mnt + # +-/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) ++/mnt(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0) + /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) + /mnt/[^/]*/.* <> + @@ -150,10 +156,10 @@ ifdef(`distro_debian',` # # /opt @@ -9568,7 +9582,7 @@ index b876c48..bbd0e79 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..51c5d2c 100644 +index f962f76..1f7b192 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
@@ -10203,7 +10217,7 @@ index f962f76..51c5d2c 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1709,6 +2115,42 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1709,6 +2115,60 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -10225,6 +10239,24 @@ index f962f76..51c5d2c 100644 + +######################################## +## ++## Read all mountpoint symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_all_mountpoint_symlinks',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## +## Write all file type directories. +## +## @@ -10246,7 +10278,7 @@ index f962f76..51c5d2c 100644 ## List the contents of the root directory. ## ## -@@ -1725,6 +2167,23 @@ interface(`files_list_root',` +@@ -1725,6 +2185,23 @@ interface(`files_list_root',` allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') @@ -10270,7 +10302,7 @@ index f962f76..51c5d2c 100644 ######################################## ## -@@ -1765,6 +2224,26 @@ interface(`files_dontaudit_rw_root_dir',` +@@ -1765,6 +2242,26 @@ interface(`files_dontaudit_rw_root_dir',` ######################################## ## @@ -10297,7 +10329,7 @@ index f962f76..51c5d2c 100644 ## Create an object in the root directory, with a private ## type using a type transition. ## -@@ -1892,25 +2371,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1892,25 +2389,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10329,7 +10361,7 @@ index f962f76..51c5d2c 100644 ## ## ## -@@ -1923,7 +2402,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2420,7 @@ interface(`files_relabel_rootfs',` type root_t; ') 
@@ -10338,7 +10370,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -1946,6 +2425,42 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2443,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10381,7 +10413,7 @@ index f962f76..51c5d2c 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2714,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10406,7 +10438,7 @@ index f962f76..51c5d2c 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3178,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3196,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10431,7 +10463,7 @@ index f962f76..51c5d2c 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3267,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3285,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10439,7 +10471,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -2724,7 +3276,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3294,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10448,7 +10480,7 @@ index f962f76..51c5d2c 100644 ## ## # -@@ -2780,6 +3332,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3350,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10474,7 +10506,7 @@ index f962f76..51c5d2c 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3369,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3387,24 @@ interface(`files_delete_etc_files',` ######################################## ## 
@@ -10499,7 +10531,7 @@ index f962f76..51c5d2c 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3552,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,26 +3570,8 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10521,10 +10553,14 @@ index f962f76..51c5d2c 100644 - -######################################## -## - ## Read files in /etc that are dynamically - ## created on boot, such as mtab. +-## Read files in /etc that are dynamically +-## created on boot, such as mtab. ++## Read files in /etc that are dynamically ++## created on boot, such as mtab. ## -@@ -3021,9 +3592,7 @@ interface(`files_read_etc_runtime_files',` + ## + ##

+@@ -3021,9 +3610,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -10535,7 +10571,7 @@ index f962f76..51c5d2c 100644 ## ## ## -@@ -3031,18 +3600,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3618,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10557,7 +10593,7 @@ index f962f76..51c5d2c 100644 ##
## ## -@@ -3060,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3646,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10584,7 +10620,7 @@ index f962f76..51c5d2c 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3683,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10592,7 +10628,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3098,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3705,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10600,7 +10636,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3142,10 +3732,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3750,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -10625,8 +10661,9 @@ index f962f76..51c5d2c 100644 +interface(`files_getattr_isid_type',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- allow $1 file_t:dir getattr; + allow $1 unlabeled_t:dir_file_class_set getattr; +') + @@ -10644,14 +10681,13 @@ index f962f76..51c5d2c 100644 +interface(`files_setattr_isid_type_dirs',` + gen_require(` + type unlabeled_t; - ') - -- allow $1 file_t:dir getattr; ++ ') ++ + allow $1 unlabeled_t:dir setattr; ') ######################################## -@@ -3161,10 +3789,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3807,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` 
@@ -10664,7 +10700,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3180,10 +3808,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3826,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -10677,7 +10713,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3199,10 +3827,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3845,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -10690,7 +10726,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3218,10 +3846,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3864,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -10759,7 +10795,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3237,10 +3921,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3939,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -10772,7 +10808,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3256,10 +3940,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +3958,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -10804,7 +10840,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3275,10 +3978,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +3996,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` 
@@ -10817,7 +10853,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3294,10 +3997,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4015,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -10830,7 +10866,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3313,10 +4016,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4034,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -10843,7 +10879,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3332,10 +4035,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4053,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -10856,7 +10892,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3351,10 +4054,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4072,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -10869,7 +10905,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3370,10 +4073,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4091,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -10882,7 +10918,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3389,10 +4092,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4110,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` 
@@ -10895,7 +10931,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3408,10 +4111,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4129,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -10908,7 +10944,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3427,10 +4130,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4148,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -10921,7 +10957,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3446,10 +4149,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4167,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -10934,7 +10970,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3465,10 +4168,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4186,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -10966,7 +11002,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3484,10 +4206,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4224,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -10979,7 +11015,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3503,10 +4225,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4243,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` 
@@ -10992,7 +11028,7 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -3814,20 +4536,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4554,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -11036,64 +11072,98 @@ index f962f76..51c5d2c 100644 ') ######################################## -@@ -4217,6 +4957,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,192 +4975,215 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') +-######################################## +####################################### -+## + ## +-## Allow the specified type to associate +-## to a filesystem with the type of the +-## temporary directory (/tmp). +## Read manageable system configuration files in /etc -+## + ## +-## +-## +-## Type of the file to associate. +-## +## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_associate_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Do not audit attempts to get the +-## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. 
+-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- dontaudit $1 tmp_t:dir getattr; + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") 
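Review bot: The rewritten inner hunk header `+@@ -4217,192 +4975,215 @@` turns what was an insertion-only hunk (`-@@ -4217,6 +4957,172 @@`) into a replacement that deletes and re-adds the pre-existing tmp interfaces (`files_associate_tmp`, `files_getattr_tmp_dirs`, `files_search_tmp`, …) below the new `system_conf` interfaces, even though the resulting files.if content appears unchanged apart from the insertion. The same rediff artifact continues in the hunks ending at L19 and L22, which makes the embedded patch roughly three times larger than the real change and hides the few genuine rule edits among hundreds of moved lines. This looks like the diff algorithm aligning on the near-identical `## Domain allowed access.` doc blocks; regenerating the embedded patch with `git diff --diff-algorithm=histogram` (or `--patience`) should keep the new interfaces as a pure insertion and leave the tmp interfaces as context. The inner files.if hunk runs past this outer hunk on both ends.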
@@ -11111,162 +11181,253 @@ index f962f76..51c5d2c 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- allow $1 tmp_t:dir search_dir_perms; + relabelto_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain to not audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +################################### -+## + ## +-## Read the tmp directory (/tmp). +## Create files in /etc with the type used for +## the manageable system config files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## The type of the process performing this action. 
+## -+## -+# + ## + # +-interface(`files_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit listing of the tmp directory (/tmp). +## Manage manageable system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain not to audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- dontaudit $1 tmp_t:dir list_dir_perms; + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Remove entries from the tmp directory. +## File name transition for system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_delete_tmp_dir_entry',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- allow $1 tmp_t:dir del_entry_dir_perms; + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") -+') -+ + ') + ######################################## ## - ## Allow the specified type to associate -@@ -4239,6 +5145,26 @@ interface(`files_associate_tmp',` +-## Read files in the tmp directory (/tmp). ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## temporary directory (/tmp). 
+ ## +-## ++## + ## +-## Domain allowed access. ++## Type of the file to associate. + ## + ## + # +-interface(`files_read_generic_tmp_files',` ++interface(`files_associate_tmp',` + gen_require(` + type tmp_t; + ') + +- read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:filesystem associate; + ') ######################################## ## +-## Manage temporary directories in /tmp. +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Type of the file to associate. -+## -+## -+# + ## + ## + # +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_associate_rootfs',` -+ gen_require(` + gen_require(` +- type tmp_t; + type root_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; -+') -+ -+######################################## -+## - ## Get the attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Manage temporary files and directories in /tmp. ++## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5178,37 @@ interface(`files_getattr_tmp_dirs',` + ## +@@ -4410,53 +5191,56 @@ interface(`files_manage_generic_tmp_dirs',` + ## + ## + # +-interface(`files_manage_generic_tmp_files',` ++interface(`files_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') +- manage_files_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir getattr; ++ allow $1 tmp_t:dir getattr; ') ######################################## ## +-## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to check the +## access on tmp files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_access_check_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + type etc_t; -+ ') -+ + ') + +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Do not audit attempts to get the ++## attributes of the tmp directory (/tmp). ## ## ## 
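Review bot: Three of the interfaces carried on the new side of this hunk require the wrong type in their `gen_require` block: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` but their only rule references `system_conf_t`, and `files_dontaudit_access_check_tmp` declares `type etc_t;` while its rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`. In a modular build the caller's module then has no declaration for the type it actually uses, so the interface either fails to compile or works only by accident of what the caller already requires; the fix is `type system_conf_t;` in the two relabel interfaces and `type tmp_t;` in the tmp one. These lines appear as context in the outer diff, so the defect predates this commit, but the rediff touches every one of them and is the natural place to correct it. The summary of `files_relabelfrom_system_conf_files` also duplicates the relabelto wording and should read `## Relabel from manageable system configuration files in /etc.`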
@@ -11275,24 +11436,95 @@ index f962f76..51c5d2c 100644 ## ## # -@@ -4289,6 +5235,8 @@ interface(`files_search_tmp',` +-interface(`files_rw_generic_tmp_sockets',` ++interface(`files_dontaudit_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') +- rw_sock_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmp_t:dir getattr; + ') + + ######################################## + ## +-## Set the attributes of all tmp directories. ++## Search the tmp directory (/tmp). + ## + ## + ## +@@ -4464,77 +5248,93 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_search_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir search_dir_perms; ++ allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5273,7 @@ interface(`files_list_tmp',` - type tmp_t; + ######################################## + ## +-## List all tmp directories. ++## Do not audit attempts to search the tmp directory (/tmp). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_dontaudit_search_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ dontaudit $1 tmp_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Read the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_list_tmp',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; ') +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5283,7 @@ interface(`files_list_tmp',` + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Do not audit listing of the tmp directory (/tmp). ## ## ## @@ -11301,10 +11533,17 @@ index f962f76..51c5d2c 100644 ## ## # -@@ -4346,6 +5295,25 @@ interface(`files_dontaudit_list_tmp',` - dontaudit $1 tmp_t:dir list_dir_perms; - ') +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_dontaudit_list_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') +- dontaudit $1 tmpfile:file getattr; ++ dontaudit $1 tmp_t:dir list_dir_perms; ++') ++ +####################################### +## +## Allow read and write to the tmp directory (/tmp). 
@@ -11322,25 +11561,87 @@ index f962f76..51c5d2c 100644 + + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; -+') -+ + ') + ######################################## ## - ## Remove entries from the tmp directory. -@@ -4361,6 +5329,7 @@ interface(`files_delete_tmp_dir_entry',` - type tmp_t; +-## Allow attempts to get the attributes +-## of all tmp files. ++## Remove entries from the tmp directory. + ## + ## + ## +@@ -4542,110 +5342,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_delete_tmp_dir_entry',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; ') +- allow $1 tmpfile:file getattr; + files_search_tmp($1) - allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:dir del_entry_dir_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## Read files in the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_read_generic_tmp_files',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ read_files_pattern($1, tmp_t, tmp_t) ') -@@ -4402,6 +5371,32 @@ interface(`files_manage_generic_tmp_dirs',` + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Manage temporary directories in /tmp. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_manage_generic_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ manage_dirs_pattern($1, tmp_t, tmp_t) + ') ######################################## ## +-## Read all tmp files. 
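Review bot: The separator line `+#######################################` that opens the `Allow read and write to the tmp directory (/tmp)` header at the end of this hunk appears to be one `#` short of the 40-column rule every other interface header in this file follows (compare the `########################################` lines just above it), and the same short separators reappear later in the patch for the pid interfaces. Make it `########################################` so the headers stay uniform and header-parsing tooling does not trip over it. The interface this header introduces, including its name and body, continues outside this hunk.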
+## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -11349,968 +11650,1060 @@ index f962f76..51c5d2c 100644 +## This is added to support java policy. +##
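Review bot: The documentation for `files_execmod_tmp` that closes this hunk says only `## Allow shared library text relocations in tmp files.` and `## This is added to support java policy.`, while the body that follows in the next hunk grants `allow $1 tmpfile:file execmod;`, i.e. on the whole `tmpfile` attribute rather than on `tmp_t` alone. Because execmod permits executing a mapping of a file that has been modified in place, and tmp files are typically writable by the domain that created them, the breadth of the grant belongs in the text policy authors read: `## Allow shared library text relocations on every tmp file type (tmpfile attribute), not only tmp_t.` The description should also name the java domain that needs this so the exception can be revisited rather than copied by other callers. The interface body itself lies outside this hunk.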

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_read_all_tmp_files',` +interface(`files_execmod_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ + gen_require(` + attribute tmpfile; + ') + +- read_files_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:file execmod; -+') -+ -+######################################## -+## - ## Manage temporary files and directories in /tmp. + ') + + ######################################## + ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Manage temporary files and directories in /tmp. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_tmp_filetrans',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + +- filetrans_pattern($1, tmp_t, $2, $3, $4) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Delete the contents of /tmp. ++## Read symbolic links in the tmp directory (/tmp). + ## + ## + ## +@@ -4653,22 +5441,17 @@ interface(`files_tmp_filetrans',` + ## + ## + # +-interface(`files_purge_tmp',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; +- delete_dirs_pattern($1, tmpfile, tmpfile) +- delete_files_pattern($1, tmpfile, tmpfile) +- delete_lnk_files_pattern($1, tmpfile, tmpfile) +- delete_fifo_files_pattern($1, tmpfile, tmpfile) +- delete_sock_files_pattern($1, tmpfile, tmpfile) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Set the attributes of the /usr directory. ++## Read and write generic named sockets in the tmp directory (/tmp). 
## ## -@@ -4456,6 +5451,42 @@ interface(`files_rw_generic_tmp_sockets',` + ## +@@ -4676,17 +5459,17 @@ interface(`files_purge_tmp',` + ## + ## + # +-interface(`files_setattr_usr_dirs',` ++interface(`files_rw_generic_tmp_sockets',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') + +- allow $1 usr_t:dir setattr; ++ rw_sock_files_pattern($1, tmp_t, tmp_t) + ') ######################################## ## +-## Search the content of /usr. +## Relabel a dir from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4694,18 +5477,17 @@ interface(`files_setattr_usr_dirs',` + ## + ## + # +-interface(`files_search_usr',` +interface(`files_relabelfrom_tmp_dirs',` -+ gen_require(` + gen_require(` +- type usr_t; + type tmp_t; -+ ') -+ + ') + +- allow $1 usr_t:dir search_dir_perms; + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of generic +-## directories in /usr. +## Relabel a file from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4713,35 +5495,35 @@ interface(`files_search_usr',` + ## + ## + # +-interface(`files_list_usr',` +interface(`files_relabelfrom_tmp_files',` -+ gen_require(` + gen_require(` +- type usr_t; + type tmp_t; -+ ') -+ + ') + +- allow $1 usr_t:dir list_dir_perms; + relabelfrom_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## - ## Set the attributes of all tmp directories. + ') + + ######################################## + ## +-## Do not audit write of /usr dirs ++## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5505,60 @@ interface(`files_setattr_all_tmp_dirs',` + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`files_dontaudit_write_usr_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- dontaudit $1 usr_t:dir write; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') ######################################## ## +-## Add and remove entries from /usr directories. +## Allow caller to read inherited tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4749,36 +5531,35 @@ interface(`files_dontaudit_write_usr_dirs',` + ## + ## + # +-interface(`files_rw_usr_dirs',` +interface(`files_read_inherited_tmp_files',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- allow $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file { append read_inherited_file_perms }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to add and remove +-## entries from /usr directories. +## Allow caller to append inherited tmp files. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_rw_usr_dirs',` +interface(`files_append_inherited_tmp_files',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- dontaudit $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete generic directories in /usr in the caller domain. +## Allow caller to read and write inherited tmp files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -4786,17 +5567,17 @@ interface(`files_dontaudit_rw_usr_dirs',` + ## + ## + # +-interface(`files_delete_usr_dirs',` +interface(`files_rw_inherited_tmp_file',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- delete_dirs_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## List all tmp directories. - ## - ## -@@ -4519,7 +5604,7 @@ interface(`files_relabel_all_tmp_dirs',` + ') + + ######################################## + ## +-## Delete generic files in /usr in the caller domain. ++## List all tmp directories. ## ## ## --## Domain not to audit. -+## Domain to not audit. +@@ -4804,73 +5585,59 @@ interface(`files_delete_usr_dirs',` ## ## # -@@ -4579,7 +5664,7 @@ interface(`files_relabel_all_tmp_files',` +-interface(`files_delete_usr_files',` ++interface(`files_list_all_tmp',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- delete_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Get the attributes of files in /usr. ++## Relabel to and from all temporary ++## directory types. ## ## ## --## Domain not to audit. -+## Domain to not audit. + ## Domain allowed access. ## ## ++## # -@@ -4611,6 +5696,44 @@ interface(`files_read_all_tmp_files',` +-interface(`files_getattr_usr_files',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ++ type var_t; + ') + +- getattr_files_pattern($1, usr_t, usr_t) ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') ######################################## ## -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_tmp_file_leaks',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do allow attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## +-## Read generic files in /usr. ++## Do not audit attempts to get the attributes ++## of all tmp files. + ## +-## +-##

+-## Allow the specified domain to read generic +-## files in /usr. These files are various program +-## files that do not have more specific SELinux types. +-## Some examples of these files are: +-##

+-##
    +-##
  • /usr/include/*
  • +-##
  • /usr/share/doc/*
  • +-##
  • /usr/share/info/*
  • +-##
+-##

+-## Generally, it is safe for many domains to have +-## this access. +-##

+-##
+ ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# -+interface(`files_rw_tmp_file_leaks',` -+ gen_require(` + ##
+ ## +-## + # +-interface(`files_read_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create an object in the tmp directories, with a private - ## type using a type transition. - ## -@@ -4664,6 +5787,16 @@ interface(`files_purge_tmp',` - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') + ') - ######################################## -@@ -5112,6 +6245,24 @@ interface(`files_create_kernel_symbol_table',` +- allow $1 usr_t:dir list_dir_perms; +- read_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file getattr; + ') ######################################## ## -+## Dontaudit getattr attempts on the system.map file -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaduit_getattr_kernel_symbol_table',` -+ gen_require(` -+ type system_map_t; -+ ') -+ -+ dontaudit $1 system_map_t:file getattr; -+') -+ -+######################################## -+## - ## Read system.map in the /boot directory. +-## Execute generic programs in /usr in the caller domain. ++## Allow attempts to get the attributes ++## of all tmp files. 
## ## -@@ -5241,6 +6392,24 @@ interface(`files_list_var',` + ## +@@ -4878,55 +5645,58 @@ interface(`files_read_usr_files',` + ## + ## + # +-interface(`files_exec_usr_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- allow $1 usr_t:dir list_dir_perms; +- exec_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file getattr; + ') ######################################## ## -+## Do not audit listing of the var directory (/var). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_list_var',` -+ gen_require(` -+ type var_t; -+ ') -+ -+ dontaudit $1 var_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories - ## in the /var directory. +-## dontaudit write of /usr files ++## Relabel to and from all temporary ++## file types. ## -@@ -5328,7 +6497,7 @@ interface(`files_dontaudit_rw_var_files',` - type var_t; + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_write_usr_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ++ type var_t; ') -- dontaudit $1 var_t:file rw_file_perms; -+ dontaudit $1 var_t:file rw_inherited_file_perms; +- dontaudit $1 usr_t:file write; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) ') ######################################## -@@ -5527,6 +6696,25 @@ interface(`files_rw_var_lib_dirs',` - - ######################################## ## -+## Create directories in /var/lib -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_create_var_lib_dirs',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ allow $1 var_lib_t:dir { create rw_dir_perms }; -+') -+ -+ -+######################################## -+## - ## Create objects in the /var/lib directory +-## Create, read, write, and delete files in the /usr directory. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. ## ## -@@ -5596,6 +6784,25 @@ interface(`files_read_var_lib_symlinks',` - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - -+######################################## -+## -+## manage generic symbolic links -+## in the /var/lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_var_lib_symlinks',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ - # cjp: the next two interfaces really need to be fixed - # in some way. They really neeed their own types. + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') -@@ -5641,7 +6848,7 @@ interface(`files_manage_mounttab',` +- manage_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:sock_file getattr; + ') ######################################## ## --## Set the attributes of the generic lock directories. -+## List generic lock directories. +-## Relabel a file to the type used in /usr. ++## Read all tmp files. 
## ## ## -@@ -5649,12 +6856,13 @@ interface(`files_manage_mounttab',` +@@ -4934,67 +5704,70 @@ interface(`files_manage_usr_files',` ## ## # --interface(`files_setattr_lock_dirs',` -+interface(`files_list_locks',` +-interface(`files_relabelto_usr_files',` ++interface(`files_read_all_tmp_files',` gen_require(` - type var_t, var_lock_t; +- type usr_t; ++ attribute tmpfile; ') -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) +- relabelto_files_pattern($1, usr_t, usr_t) ++ read_files_pattern($1, tmpfile, tmpfile) ') ######################################## -@@ -5672,6 +6880,7 @@ interface(`files_search_locks',` - type var_t, var_lock_t; + ## +-## Relabel a file from the type used in /usr. ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_relabelfrom_usr_files',` ++interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -+ files_search_pids($1) - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) +- relabelfrom_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; ') -@@ -5698,7 +6907,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## --## List generic lock directories. -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. +-## Read symbolic links in /usr. ++## Do allow attempts to read or write ++## all leaked tmpfiles files. 
## ## ## -@@ -5706,13 +6934,12 @@ interface(`files_dontaudit_search_locks',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_list_locks',` -+interface(`files_setattr_lock_dirs',` +-interface(`files_read_usr_symlinks',` ++interface(`files_rw_tmp_file_leaks',` gen_require(` -- type var_t, var_lock_t; -+ type var_lock_t; +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_lock_t:dir setattr; +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## -@@ -5731,7 +6958,7 @@ interface(`files_rw_lock_dirs',` - type var_t, var_lock_t; + ## +-## Create objects in the /usr directory ++## Create an object in the tmp directories, with a private ++## type using a type transition. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + ## +-## The type of the object to be created ++## The type of the object to be created. + ## + ## +-## ++## + ## +-## The object class. ++## The object class of the object being created. + ## + ## + ## +@@ -5003,35 +5776,50 @@ interface(`files_read_usr_symlinks',` + ##
+ ## + # +-interface(`files_usr_filetrans',` ++interface(`files_tmp_filetrans',` + gen_require(` +- type usr_t; ++ type tmp_t; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - rw_dirs_pattern($1, var_t, var_lock_t) +- filetrans_pattern($1, usr_t, $2, $3, $4) ++ filetrans_pattern($1, tmp_t, $2, $3, $4) ') -@@ -5764,7 +6991,6 @@ interface(`files_create_lock_dirs',` - ## Domain allowed access. + ######################################## + ## +-## Do not audit attempts to search /usr/src. ++## Delete the contents of /tmp. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. ## ## --## # - interface(`files_relabel_all_lock_dirs',` +-interface(`files_dontaudit_search_src',` ++interface(`files_purge_tmp',` gen_require(` -@@ -5779,7 +7005,7 @@ interface(`files_relabel_all_lock_dirs',` +- type src_t; ++ attribute tmpfile; + ') + +- dontaudit $1 src_t:dir search_dir_perms; ++ allow $1 tmpfile:dir list_dir_perms; ++ delete_dirs_pattern($1, tmpfile, tmpfile) ++ delete_files_pattern($1, tmpfile, tmpfile) ++ delete_lnk_files_pattern($1, tmpfile, tmpfile) ++ delete_fifo_files_pattern($1, tmpfile, tmpfile) ++ delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) + ') ######################################## ## --## Get the attributes of generic lock files. -+## Relabel to and from all lock file types. +-## Get the attributes of files in /usr/src. ++## Set the attributes of the /usr directory. 
## ## ## -@@ -5787,13 +7013,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5039,20 +5827,17 @@ interface(`files_dontaudit_search_src',` ## ## # --interface(`files_getattr_generic_locks',` -+interface(`files_relabel_all_lock_files',` +-interface(`files_getattr_usr_src_files',` ++interface(`files_setattr_usr_dirs',` gen_require(` -+ attribute lockfile; - type var_t, var_lock_t; +- type usr_t, src_t; ++ type usr_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Get the attributes of generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) ++ allow $1 usr_t:dir setattr; ') -@@ -5809,13 +7055,12 @@ interface(`files_getattr_generic_locks',` + + ######################################## + ## +-## Read files in /usr/src. ++## Search the content of /usr. 
+ ## + ## + ## +@@ -5060,20 +5845,18 @@ interface(`files_getattr_usr_src_files',` + ## ## # - interface(`files_delete_generic_locks',` -- gen_require(` -+ gen_require(` - type var_t, var_lock_t; -- ') -+ ') +-interface(`files_read_usr_src_files',` ++interface(`files_search_usr',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) + allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; ') ######################################## -@@ -5834,9 +7079,7 @@ interface(`files_manage_generic_locks',` - type var_t, var_lock_t; + ## +-## Execute programs in /usr/src in the caller domain. ++## List the contents of generic ++## directories in /usr. + ## + ## + ## +@@ -5081,38 +5864,35 @@ interface(`files_read_usr_src_files',` + ## + ## + # +-interface(`files_exec_usr_src_files',` ++interface(`files_list_usr',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) - manage_files_pattern($1, var_lock_t, var_lock_t) +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) ++ allow $1 usr_t:dir list_dir_perms; ') -@@ -5878,8 +7121,7 @@ interface(`files_read_all_locks',` - type var_t, var_lock_t; + ######################################## + ## +-## Install a system.map into the /boot directory. ++## Do not audit write of /usr dirs + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_create_kernel_symbol_table',` ++interface(`files_dontaudit_write_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7143,7 @@ interface(`files_manage_all_locks',` - type var_t, var_lock_t; - ') +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ dontaudit $1 usr_t:dir write; + ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7180,7 @@ interface(`files_lock_filetrans',` - type var_t, var_lock_t; + ######################################## + ## +-## Read system.map in the /boot directory. ++## Add and remove entries from /usr directories. + ## + ## + ## +@@ -5120,37 +5900,36 @@ interface(`files_create_kernel_symbol_table',` + ## + ## + # +-interface(`files_read_kernel_symbol_table',` ++interface(`files_rw_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - filetrans_pattern($1, var_lock_t, $2, $3, $4) +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) ++ allow $1 usr_t:dir rw_dir_perms; ') -@@ -5979,7 +7219,7 @@ interface(`files_setattr_pid_dirs',` - type var_run_t; + ######################################## + ## +-## Delete a system.map in the /boot directory. 
++## Do not audit attempts to add and remove ++## entries from /usr directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaudit_rw_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - allow $1 var_run_t:dir setattr; +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 usr_t:dir rw_dir_perms; ') -@@ -5999,10 +7239,48 @@ interface(`files_search_pids',` - type var_t, var_run_t; - ') - -+ allow $1 var_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) - ') - -+###################################### -+## -+## Add and remove entries from pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:dir rw_dir_perms; -+') -+ -+####################################### -+## -+## Create generic pid directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; -+') -+ - ######################################## - ## - ## Do not audit attempts to search -@@ -6025,6 +7303,25 @@ interface(`files_dontaudit_search_pids',` - - ######################################## - ## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6039,7 +7336,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - ') - -@@ -6058,7 +7355,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6078,7 +7375,7 @@ interface(`files_write_generic_pid_pipes',` - type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - allow $1 var_run_t:fifo_file write; - ') - -@@ -6140,7 +7437,6 @@ interface(`files_pid_filetrans',` - ') - - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) - ') - -@@ -6169,6 +7465,24 @@ interface(`files_pid_filetrans_lock_dir',` - ######################################## ## -+## rw generic pid files inherited from another process -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_inherited_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Read and write generic process ID files. +-## Search the contents of /var. ++## Delete generic directories in /usr in the caller domain. 
## ## -@@ -6182,7 +7496,7 @@ interface(`files_rw_generic_pids',` - type var_t, var_run_t; + ## +@@ -5158,35 +5937,35 @@ interface(`files_delete_kernel_symbol_table',` + ## + ## + # +-interface(`files_search_var',` ++interface(`files_delete_usr_dirs',` + gen_require(` +- type var_t; ++ type usr_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) +- allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, usr_t, usr_t) ') -@@ -6249,55 +7563,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read all process ID files. -+## Relable all pid directories +-## Do not audit attempts to write to /var. ++## Delete generic files in /usr in the caller domain. ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. ## ## --## # --interface(`files_read_all_pids',` -+interface(`files_relabel_all_pid_dirs',` +-interface(`files_dontaudit_write_var_dirs',` ++interface(`files_delete_usr_files',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_t; ++ type usr_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) -+ relabel_dirs_pattern($1, pidfile, pidfile) +- dontaudit $1 var_t:dir write; ++ delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Delete all process IDs. -+## Delete all pid sockets +-## Allow attempts to write to /var.dirs ++## Get the attributes of files in /usr. ## ## ## - ## Domain allowed access. 
+@@ -5194,36 +5973,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## --## # --interface(`files_delete_all_pids',` -+interface(`files_delete_all_pid_sockets',` +-interface(`files_write_var_dirs',` ++interface(`files_getattr_usr_files',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+ allow $1 pidfile:sock_file delete_sock_file_perms; +- allow $1 var_t:dir write; ++ getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Delete all process ID directories. -+## Create all pid sockets +-## Do not audit attempts to search +-## the contents of /var. ++## Read generic files in /usr. ## ++## ++##

++## Allow the specified domain to read generic ++## files in /usr. These files are various program ++## files that do not have more specific SELinux types. ++## Some examples of these files are: ++##

++##
    ++##
  • /usr/include/*
  • ++##
  • /usr/share/doc/*
  • ++##
  • /usr/share/info/*
  • ++##
++##

++## Generally, it is safe for many domains to have ++## this access. ++##

++##
## ## -@@ -6305,42 +7607,35 @@ interface(`files_delete_all_pids',` +-## Domain to not audit. ++## Domain allowed access. ## ## ++## # --interface(`files_delete_all_pid_dirs',` -+interface(`files_create_all_pid_sockets',` +-interface(`files_dontaudit_search_var',` ++interface(`files_read_usr_files',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:sock_file create_sock_file_perms; +- dontaudit $1 var_t:dir search_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ read_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content -+## Create all pid named pipes +-## List the contents of /var. ++## Execute generic programs in /usr in the caller domain. ## ## ## --## Domain alloed access. -+## Domain allowed access. +@@ -5231,36 +6029,37 @@ interface(`files_dontaudit_search_var',` ## ## # --interface(`files_manage_all_pids',` -+interface(`files_create_all_pid_pipes',` +-interface(`files_list_var',` ++interface(`files_exec_usr_files',` gen_require(` - attribute pidfile; +- type var_t; ++ type usr_t; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:fifo_file create_fifo_file_perms; +- allow $1 var_t:dir list_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ exec_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all pid named pipes +-## Create, read, write, and delete directories +-## in the /var directory. 
++## dontaudit write of /usr files ## ## ## -@@ -6348,18 +7643,18 @@ interface(`files_manage_all_pids',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_pid_pipes',` +-interface(`files_manage_var_dirs',` ++interface(`files_dontaudit_write_usr_files',` gen_require(` -- attribute polymember; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- allow $1 polymember:dir mounton; -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; +- allow $1 var_t:dir manage_dir_perms; ++ dontaudit $1 usr_t:file write; ') ######################################## ## --## Search the contents of generic spool --## directories (/var/spool). -+## manage all pidfile directories -+## in the /var/run directory. +-## Read files in the /var directory. ++## Create, read, write, and delete files in the /usr directory. ## ## ## -@@ -6367,37 +7662,40 @@ interface(`files_mounton_all_poly_members',` +@@ -5268,17 +6067,17 @@ interface(`files_manage_var_dirs',` ## ## # --interface(`files_search_spool',` -+interface(`files_manage_all_pid_dirs',` +-interface(`files_read_var_files',` ++interface(`files_manage_usr_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- search_dirs_pattern($1, var_t, var_spool_t) -+ manage_dirs_pattern($1,pidfile,pidfile) +- read_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, usr_t, usr_t) ') -+ ######################################## ## --## Do not audit attempts to search generic --## spool directories. -+## Read all process ID files. +-## Append files in the /var directory. ++## Relabel a file to the type used in /usr. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -5286,17 +6085,17 @@ interface(`files_read_var_files',` ## ## -+## # --interface(`files_dontaudit_search_spool',` -+interface(`files_read_all_pids',` +-interface(`files_append_var_files',` ++interface(`files_relabelto_usr_files',` gen_require(` -- type var_spool_t; -+ attribute pidfile; -+ type var_t; +- type var_t; ++ type usr_t; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) +- append_files_pattern($1, var_t, var_t) ++ relabelto_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## List the contents of generic spool --## (/var/spool) directories. -+## Relable all pid files +-## Read and write files in the /var directory. ++## Relabel a file from the type used in /usr. ## ## ## -@@ -6405,18 +7703,17 @@ interface(`files_dontaudit_search_spool',` +@@ -5304,73 +6103,86 @@ interface(`files_append_var_files',` ## ## # --interface(`files_list_spool',` -+interface(`files_relabel_all_pid_files',` +-interface(`files_rw_var_files',` ++interface(`files_relabelfrom_usr_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) -+ relabel_files_pattern($1, pidfile, pidfile) +- rw_files_pattern($1, var_t, var_t) ++ relabelfrom_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write, and delete generic --## spool directories (/var/spool). -+## Execute generic programs in /var/run in the caller domain. +-## Do not audit attempts to read and write +-## files in the /var directory. ++## Read symbolic links in /usr. ## ## ## -@@ -6424,18 +7721,18 @@ interface(`files_list_spool',` +-## Domain to not audit. ++## Domain allowed access. 
## ## # --interface(`files_manage_generic_spool_dirs',` -+interface(`files_exec_generic_pid_files',` +-interface(`files_dontaudit_rw_var_files',` ++interface(`files_read_usr_symlinks',` gen_require(` -- type var_t, var_spool_t; -+ type var_run_t; +- type var_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) -+ exec_files_pattern($1, var_run_t, var_run_t) +- dontaudit $1 var_t:file rw_file_perms; ++ read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Read generic spool files. -+## manage all pidfiles -+## in the /var/run directory. +-## Create, read, write, and delete files in the /var directory. ++## Create objects in the /usr directory ## ## ## -@@ -6443,19 +7740,18 @@ interface(`files_manage_generic_spool_dirs',` + ## Domain allowed access. ## ## - # --interface(`files_read_generic_spool',` -+interface(`files_manage_all_pids',` ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_var_files',` ++interface(`files_usr_filetrans',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) -+ manage_files_pattern($1,pidfile,pidfile) +- manage_files_pattern($1, var_t, var_t) ++ filetrans_pattern($1, usr_t, $2, $3, $4) ') ######################################## ## --## Create, read, write, and delete generic --## spool files. -+## Mount filesystems on all polyinstantiation -+## member directories. +-## Read symbolic links in the /var directory. ++## Do not audit attempts to search /usr/src. ## ## ## -@@ -6463,55 +7759,43 @@ interface(`files_read_generic_spool',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # --interface(`files_manage_generic_spool',` -+interface(`files_mounton_all_poly_members',` +-interface(`files_read_var_symlinks',` ++interface(`files_dontaudit_search_src',` gen_require(` -- type var_t, var_spool_t; -+ attribute polymember; +- type var_t; ++ type src_t; ') -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) -+ allow $1 polymember:dir mounton; +- read_lnk_files_pattern($1, var_t, var_t) ++ dontaudit $1 src_t:dir search_dir_perms; ') ######################################## ## --## Create objects in the spool directory --## with a private type with a type transition. -+## Delete all process IDs. +-## Create, read, write, and delete symbolic +-## links in the /var directory. ++## Get the attributes of files in /usr/src. + ## + ## + ## +@@ -5378,50 +6190,41 @@ interface(`files_read_var_symlinks',` + ## + ## + # +-interface(`files_manage_var_symlinks',` ++interface(`files_getattr_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- manage_lnk_files_pattern($1, var_t, var_t) ++ getattr_files_pattern($1, src_t, src_t) ++ ++ # /usr/src/linux symlink: ++ read_lnk_files_pattern($1, usr_t, src_t) + ') + + ######################################## + ## +-## Create objects in the /var directory ++## Read files in /usr/src. ## ## ## ## Domain allowed access. ## ## --## +-## -## --## Type to which the created node will be transitioned. +-## The type of the object to be created -## -## --## +-## -## --## Object class(es) (single or set including {}) for which this --## the transition will occur. +-## The object class. -## -## -## @@ -12318,216 +12711,1997 @@ index f962f76..51c5d2c 100644 -## The name of the object being created. -##
-## -+## # --interface(`files_spool_filetrans',` -+interface(`files_delete_all_pids',` +-interface(`files_var_filetrans',` ++interface(`files_read_usr_src_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; -+ type var_t, var_run_t; +- type var_t; ++ type usr_t, src_t; ') -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +- filetrans_pattern($1, var_t, $2, $3, $4) ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; ') ######################################## ## --## Allow access to manage all polyinstantiated --## directories on the system. -+## Delete all process ID directories. +-## Get the attributes of the /var/lib directory. ++## Execute programs in /usr/src in the caller domain. 
## ## ## -@@ -6519,53 +7803,68 @@ interface(`files_spool_filetrans',` +@@ -5429,69 +6232,56 @@ interface(`files_var_filetrans',` ## ## # --interface(`files_polyinstantiate_all',` -+interface(`files_delete_all_pid_dirs',` +-interface(`files_getattr_var_lib_dirs',` ++interface(`files_exec_usr_src_files',` gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; -+ attribute pidfile; -+ type var_t, var_run_t; +- type var_t, var_lib_t; ++ type usr_t, src_t; ') -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') +- getattr_dirs_pattern($1, var_t, var_lib_t) ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) + ') -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- 
seutil_domtrans_setfiles($1) -+######################################## -+## -+## Make the specified type a file -+## used for spool files. -+## -+## -+##

-+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

-+##

-+## Related interfaces: -+##

-+##
    -+##
  • files_spool_filetrans()
  • -+##
-+##

-+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

-+##

-+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

-+##
-+## -+## -+## Type of the file to be used as a -+## spool file. -+## -+## -+## -+# -+interface(`files_spool_file',` -+ gen_require(` -+ attribute spoolfile; + ######################################## + ## +-## Search the /var/lib directory. ++## Install a system.map into the /boot directory. + ## +-## +-##

+-## Search the /var/lib directory. This is +-## necessary to access files or directories under +-## /var/lib that have a private type. For example, a +-## domain accessing a private library file in the +-## /var/lib directory: +-##

+-##

+-## allow mydomain_t mylibfile_t:file read_file_perms; +-## files_search_var_lib(mydomain_t) +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_search_var_lib',` ++interface(`files_create_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; ') -+ -+ files_type($1) -+ typeattribute $1 spoolfile; + +- search_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## ## --## Unconfined access to files. -+## Create all spool sockets +-## Do not audit attempts to search the +-## contents of /var/lib. ++## Dontaudit getattr attempts on the system.map file ## ## ## -@@ -6573,10 +7872,784 @@ interface(`files_polyinstantiate_all',` + ## Domain to not audit. ## ## +-## # --interface(`files_unconfined',` -+interface(`files_create_all_spool_sockets',` +-interface(`files_dontaudit_search_var_lib',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` gen_require(` -- attribute files_unconfined_type; -+ attribute spoolfile; +- type var_lib_t; ++ type system_map_t; ') -- typeattribute $1 files_unconfined_type; -+ allow $1 spoolfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Delete all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_spool_sockets',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ allow $1 spoolfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all spool -+## directory types. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`files_relabel_all_spool_dirs',` -+ gen_require(` -+ attribute spoolfile; -+ type var_t; -+ ') -+ -+ relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ +- dontaudit $1 var_lib_t:dir search_dir_perms; ++ dontaudit $1 system_map_t:file getattr; + ') + + ######################################## + ## +-## List the contents of the /var/lib directory. ++## Read system.map in the /boot directory. + ## + ## + ## +@@ -5499,17 +6289,18 @@ interface(`files_dontaudit_search_var_lib',` + ## + ## + # +-interface(`files_list_var_lib',` ++interface(`files_read_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- list_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) + ') + +-########################################### +######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## + ## +-## Read-write /var/lib directories ++## Delete a system.map in the /boot directory. + ## + ## + ## +@@ -5517,70 +6308,54 @@ interface(`files_list_var_lib',` + ## + ## + # +-interface(`files_rw_var_lib_dirs',` ++interface(`files_delete_kernel_symbol_table',` + gen_require(` +- type var_lib_t; ++ type boot_t, system_map_t; + ') + +- rw_dirs_pattern($1, var_lib_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) + ') + + ######################################## + ## +-## Create objects in the /var/lib directory ++## Search the contents of /var. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## + # +-interface(`files_var_lib_filetrans',` ++interface(`files_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_lib_t, $2, $3, $4) + ') + + ######################################## + ## +-## Read generic files in /var/lib. ++## Do not audit attempts to write to /var. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_var_lib_files',` ++interface(`files_dontaudit_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_lib_t:dir list_dir_perms; +- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ dontaudit $1 var_t:dir write; + ') + + ######################################## + ## +-## Read generic symbolic links in /var/lib ++## Allow attempts to write to /var.dirs + ## + ## + ## +@@ -5588,41 +6363,36 @@ interface(`files_read_var_lib_files',` + ## + ## + # +-interface(`files_read_var_lib_symlinks',` ++interface(`files_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_t:dir write; + ') + +-# cjp: the next two interfaces really need to be fixed +-# in some way. They really neeed their own types. +- + ######################################## + ## +-## Create, read, write, and delete the +-## pseudorandom number generator seed. ++## Do not audit attempts to search ++## the contents of /var. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_manage_urandom_seed',` ++interface(`files_dontaudit_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ dontaudit $1 var_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Allow domain to manage mount tables +-## necessary for rpcd, nfsd, etc. ++## List the contents of /var. + ## + ## + ## +@@ -5630,36 +6400,36 @@ interface(`files_manage_urandom_seed',` + ## + ## + # +-interface(`files_manage_mounttab',` ++interface(`files_list_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ allow $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Set the attributes of the generic lock directories. ++## Do not audit listing of the var directory (/var). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_setattr_lock_dirs',` ++interface(`files_dontaudit_list_var',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ dontaudit $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Search the locks directory (/var/lock). ++## Create, read, write, and delete directories ++## in the /var directory. + ## + ## + ## +@@ -5667,38 +6437,35 @@ interface(`files_setattr_lock_dirs',` + ## + ## + # +-interface(`files_search_locks',` ++interface(`files_manage_var_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_t:dir manage_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## locks directory (/var/lock). 
++## Read files in the /var directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_locks',` ++interface(`files_read_var_files',` + gen_require(` +- type var_lock_t; ++ type var_t; + ') + +- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_lock_t:dir search_dir_perms; ++ read_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## List generic lock directories. ++## Append files in the /var directory. + ## + ## + ## +@@ -5706,19 +6473,17 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` ++interface(`files_append_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ append_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Add and remove entries in the /var/lock +-## directories. ++## Read and write files in the /var directory. + ## + ## + ## +@@ -5726,60 +6491,54 @@ interface(`files_list_locks',` + ## + ## + # +-interface(`files_rw_lock_dirs',` ++interface(`files_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- rw_dirs_pattern($1, var_t, var_lock_t) ++ rw_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create lock directories ++## Do not audit attempts to read and write ++## files in the /var directory. + ## + ## +-## +-## Domain allowed access ++## ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_create_lock_dirs',` ++interface(`files_dontaudit_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- create_dirs_pattern($1, var_lock_t, var_lock_t) ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all lock directory types. ++## Create, read, write, and delete files in the /var directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_lock_dirs',` ++interface(`files_manage_var_files',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- relabel_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Read symbolic links in the /var directory. + ## + ## + ## +@@ -5787,20 +6546,18 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_read_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) ++ read_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Delete generic lock files. ++## Create, read, write, and delete symbolic ++## links in the /var directory. 
+ ## + ## + ## +@@ -5808,165 +6565,156 @@ interface(`files_getattr_generic_locks',` + ## + ## + # +-interface(`files_delete_generic_locks',` ++interface(`files_manage_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ manage_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## lock files. ++## Create objects in the /var directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_generic_locks',` ++interface(`files_var_filetrans',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) ++ filetrans_pattern($1, var_t, $2, $3, $4) + ') + + ######################################## + ## +-## Delete all lock files. ++## Get the attributes of the /var/lib directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_locks',` ++interface(`files_getattr_var_lib_dirs',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, lockfile, lockfile) ++ getattr_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## Read all lock files. ++## Search the /var/lib directory. + ## ++## ++##

++## Search the /var/lib directory. This is ++## necessary to access files or directories under ++## /var/lib that have a private type. For example, a ++## domain accessing a private library file in the ++## /var/lib directory: ++##

++##

++## allow mydomain_t mylibfile_t:file read_file_perms; ++## files_search_var_lib(mydomain_t) ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_read_all_locks',` ++interface(`files_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) ++ search_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## manage all lock files. ++## Do not audit attempts to search the ++## contents of /var/lib. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## ++## + # +-interface(`files_manage_all_locks',` ++interface(`files_dontaudit_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) ++ dontaudit $1 var_lib_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create an object in the locks directory, with a private +-## type using a type transition. ++## List the contents of the /var/lib directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-##
+-##
+ #
+-interface(`files_lock_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
++ list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+-########################################
++###########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
++## Read-write /var/lib directories
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_rw_var_lib_dirs',`
+ gen_require(`
+- type var_run_t;
++ type var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the /var/run directory.
++## Create directories in /var/lib
+ ##
+ ##
+ ##
+@@ -5974,59 +6722,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_create_var_lib_dirs',`
+ gen_require(`
+- type var_run_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
++ allow $1 var_lib_t:dir { create rw_dir_perms };
+ ')
+
++
+ ########################################
+ ##
+-## Search the contents of runtime process
+-## ID directories (/var/run).
++## Create objects in the /var/lib directory
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`files_search_pids',`
++interface(`files_var_lib_filetrans',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
++## Read generic files in /var/lib.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_read_var_lib_files',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
++ allow $1 var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## List the contents of the runtime process
+-## ID directories (/var/run).
++## Read generic symbolic links in /var/lib
+ ##
+ ##
+ ##
+@@ -6034,18 +6794,18 @@ interface(`files_dontaudit_search_pids',`
+ ##
+ ##
+ #
+-interface(`files_list_pids',`
++interface(`files_read_var_lib_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Read generic process ID files.
++## manage generic symbolic links
++## in the /var/lib directory.
+ ##
+ ##
+ ##
+@@ -6053,19 +6813,21 @@ interface(`files_list_pids',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+ ')
+
++# cjp: the next two interfaces really need to be fixed
++# in some way. They really neeed their own types.
++
+ ########################################
+ ##
+-## Write named generic process ID pipes
++## Create, read, write, and delete the
++## pseudorandom number generator seed.
+ ##
+ ##
+ ##
+@@ -6073,58 +6835,1243 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_manage_urandom_seed',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++##
++## Allow domain to manage mount tables
++## necessary for rpcd, nfsd, etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_mounttab',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++##
++## List generic lock directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
++## Search the locks directory (/var/lock).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
++## Do not audit attempts to search the
++## locks directory (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Set the attributes of the /var/lock directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_lock_dirs',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ allow $1 var_lock_t:dir setattr;
++')
++
++########################################
++##
++## Add and remove entries in the /var/lock
++## directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
++## Create lock directories
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_create_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Relabel to and from all lock directory types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_lock_dirs',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Relabel to and from all lock file types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_lock_files',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Get the attributes of generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 var_lock_t:dir list_dir_perms;
++ getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Delete generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Delete all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_delete_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Read all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 lockfile:dir list_dir_perms;
++ read_files_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## manage all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, lockfile, lockfile)
++ manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Create an object in the locks directory, with a private
++## type using a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_lock_filetrans',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++##
++## Set the attributes of the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_run_t:dir setattr;
++')
++
++########################################
++##
++## Search the contents of runtime process
++## ID directories (/var/run).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_run_t)
++')
++
++######################################
++##
++## Add and remove entries from pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++##
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of the runtime process
++## ID directories (/var/run).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++##
++## Read generic process ID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++ read_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## Write named generic process ID pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_generic_pid_pipes',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++##
++## Create an object in the process ID directory, with a private type.
++##
++##
++##

++## Create an object in the process ID directory (e.g., /var/run)
++## with a private type. Typically this is used for creating
++## private PID files in /var/run with the private type instead
++## of the general PID file type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++##

++##

++## Related interfaces:
++##

++##
    ++##
  • files_pid_file()
  • ++##
++##

++## Example usage with a domain that can create and
++## write its PID file with a private PID file type in the
++## /var/run directory:
++##

++##

++## type mypidfile_t;
++## files_pid_file(mypidfile_t)
++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##

++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++#
++interface(`files_pid_filetrans',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++##
++## Create a generic lock directory within the run directories
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_pid_filetrans_lock_dir',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++##
++## rw generic pid files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read and write generic process ID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++ rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes of
++## daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to write to daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file write;
++')
++
++########################################
++##
++## Do not audit attempts to ioctl daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++##
++## Relable all pid directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Delete all pid sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## Create all pid sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Create all pid named pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_all_pid_pipes',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
++')
++
++########################################
++##
++## Delete all pid named pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_pipes',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++##
++## manage all pidfile directories
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++##
++## Read all process ID files.
++##
++##
++##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_search_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
+
-+ search_dirs_pattern($1, var_t, var_spool_t)
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Relable all pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_files',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Execute generic programs in /var/run in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_exec_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## manage all pidfiles
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_files_pattern($1,pidfile,pidfile)
++')
++
++########################################
++##
++## Mount filesystems on all polyinstantiation
++## member directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_all_poly_members',`
++ gen_require(`
++ attribute polymember;
++ ')
++
++ allow $1 polymember:dir mounton;
++')
++
++########################################
++##
++## Delete all process IDs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_delete_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++##
++## Delete all process ID directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Make the specified type a file
++## used for spool files.
++##
++##
++##

++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++##

++##

++## Related interfaces:
++##

++##
    ++##
  • files_spool_filetrans()
  • ++##
++##

++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++##

++##

++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##

++##
++##
++##
++##
++## Type of the file to be used as a
++## spool file.
++##
++##
++##
++#
++interface(`files_spool_file',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ files_type($1)
++ typeattribute $1 spoolfile;
++')
++
++########################################
++##
++## Create all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Delete all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## Relabel to and from all spool
++## directory types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_all_spool_dirs',`
++ gen_require(`
++ attribute spoolfile;
++ type var_t;
++ ')
++
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+')
+
+########################################
+##
++## Search the contents of generic spool
++## directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Do not audit attempts to search generic
+## spool directories.
+##
@@ -12549,12 +14723,39 @@ index f962f76..51c5d2c 100644
+##
+## List the contents of generic spool
+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+-##
+-##

+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-##

+-##

+-## Related interfaces:
+-##

+-##
    +-##
  • files_pid_file()
  • +-##
+-##

+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-##

+-##

+-## type mypidfile_t;
+-## files_pid_file(mypidfile_t)
+-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-##

+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`files_list_spool',`
+ gen_require(`
@@ -12570,10 +14771,12 @@ index f962f76..51c5d2c 100644
+## spool directories (/var/spool).
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
@@ -12589,7 +14792,8 @@ index f962f76..51c5d2c 100644
+## Read generic spool files.
+##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Domain allowed access.
+##
+##
@@ -12642,14 +14846,19 @@ index f962f76..51c5d2c 100644
+##
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6132,44 +8079,165 @@ interface(`files_write_generic_pid_pipes',`
+ ## The name of the object being created.
+ ##
+ ##
+-##
+ #
+-interface(`files_pid_filetrans',`
+- gen_require(`
+- type var_t, var_run_t;
+- ')
+interface(`files_spool_filetrans',`
+ gen_require(`
+ type var_t, var_spool_t;
@@ -12776,296 +14985,401 @@ index f962f76..51c5d2c 100644
+ gen_require(`
+ type default_t;
+ ')
-+
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_run_t, $2, $3, $4)
+ allow $1 default_t:dir create;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create a generic lock directory within the run directories
+## Create, default_t objects with an automatic
+## type transition.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access
+##
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The name of the object being created.
+## The class of the object being created.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+- gen_require(`
+- type var_lock_t;
+- ')
+interface(`files_root_filetrans_default',`
+ gen_require(`
+ type root_t, default_t;
+ ')
-+
+
+- files_pid_filetrans($1, var_lock_t, dir, $2)
+ filetrans_pattern($1, root_t, default_t, $2)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write generic process ID files.
+## manage generic symbolic links
+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6177,20 +8245,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
+interface(`files_manage_generic_pids_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- rw_files_pattern($1, var_run_t, var_run_t)
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes of
+-## daemon runtime data files.
+## Do not audit attempts to getattr
+## all tmpfs files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6198,19 +8264,17 @@ interface(`files_rw_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
+interface(`files_dontaudit_getattr_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file getattr;
+ allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write to daemon runtime data files.
+## Allow read write all tmpfs files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6218,18 +8282,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_all_pids',`
+interface(`files_rw_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file write;
+ allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to ioctl daemon runtime data files.
+## Do not audit attempts to read security files
-+##
-+##
-+##
-+## Domain to not audit.
-+## -+## -+# + ## + ## + ## +@@ -6237,41 +8300,43 @@ interface(`files_dontaudit_write_all_pids',` + ## + ## + # +-interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_dontaudit_read_security_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_run_t; + attribute security_file_type; -+ ') -+ + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file ioctl; + dontaudit $1 security_file_type:file read_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read all process ID files. +## rw any files inherited from another process -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## +## +## Object type. +## +## -+# + # +-interface(`files_read_all_pids',` +interface(`files_rw_all_inherited_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute file_type; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process IDs. +## Allow any file point to be the entrypoint of this domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# + ## + ## + ## +@@ -6280,67 +8345,55 @@ interface(`files_read_all_pids',` + ## + ## + # +-interface(`files_delete_all_pids',` +interface(`files_entrypoint_all_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 file_type:file entrypoint; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process ID directories. +## Do not audit attempts to rw inherited file perms +## of non security files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_delete_all_pid_dirs',` +interface(`files_dontaudit_all_non_security_leaks',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute non_security_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Do not audit attempts to read or write +## all leaked files. -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_dontaudit_leaks',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute file_type; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Allow domain to create_file_ass all types -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6348,37 +8401,37 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_create_as_is_all_files',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute file_type; + class kernel_service create_files_as; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 file_type:kernel_service create_files_as; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## Do not audit attempts to check the +## access on all files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_search_spool',` +interface(`files_dontaudit_all_access_check',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute file_type; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set audit_access; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. 
+## Do not audit attempts to write to all files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -6386,132 +8439,206 @@ interface(`files_search_spool',` + ## + ## + # +-interface(`files_dontaudit_search_spool',` +interface(`files_dontaudit_write_all_files',` -+ gen_require(` + gen_require(` +- type var_spool_t; + attribute file_type; -+ ') -+ + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; + dontaudit $1 file_type:dir_file_class_set write; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. +## Allow domain to delete to all files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_list_spool',` +interface(`files_delete_all_non_security_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute non_security_file_type; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Allow domain to delete to all dirs -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_delete_all_non_security_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute non_security_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Transition named content in the var_run_t directory -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type etc_t; + type mnt_t; + type usr_t; @@ -13074,8 +15388,10 @@ index f962f76..51c5d2c 100644 + type var_run_t; + type var_lock_t; + type tmp_t; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -13112,13 +15428,16 @@ index f962f76..51c5d2c 100644 + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Make the specified type a +## base file. -+## + ## +-## +## +##
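Review bot: `files_dontaudit_getattr_tmpfs_files`, the interface that now sits where refpolicy's `files_dontaudit_getattr_all_pids` was, has a dontaudit name and documents its parameter as `Domain to not audit.`, yet its body is `allow $1 tmpfsfile:file getattr;`, so every caller quietly gains a real permission on all tmpfs files. That line is context in this diff and so appears to predate the commit, but the rebase rewrites the lines around it and is the natural place to settle it: either `dontaudit $1 tmpfsfile:file getattr;` or rename the interface to match the allow. The same name/doc mismatch, in the other direction, is in `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs` later in this hunk, which are allow rules but describe their parameter as `Domain to not audit.`; `Domain allowed access.` is the text the rest of the file uses for allow interfaces.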

+## Identify file type as base file type. Tools will use this attribute, @@ -13126,35 +15445,51 @@ index f962f76..51c5d2c 100644 +##

+##
+## -+## + ## +-## Domain allowed access. +## Type to be used as a base files. -+## -+## + ## + ## +## -+# + # +-interface(`files_manage_generic_spool',` +interface(`files_base_file',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + files_type($1) + typeattribute $1 base_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Make the specified type a +## base read only file. -+## + ## +-## +-## +-## Domain allowed access. +-## +-## +-## +## +##

+## Make the specified type readable for all domains. +##

+##
+## -+## + ## +-## Type to which the created node will be transitioned. +## Type to be used as a base read only files. -+## -+## + ## + ## +-## +## +# +interface(`files_ro_base_file',` @@ -13170,10 +15505,13 @@ index f962f76..51c5d2c 100644 +## Read all ro base files. +##
+## -+## + ## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +## Domain allowed access. -+## -+## + ## + ## +-## +## +# +interface(`files_read_all_base_ro_files',` @@ -13191,54 +15529,104 @@ index f962f76..51c5d2c 100644 +## Execute all base ro files. +##
+## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`files_spool_filetrans',` +interface(`files_exec_all_base_ro_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + can_exec($1, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Allow the specified domain to modify the systemd configuration of +## any file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6519,53 +8646,17 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` +interface(`files_config_all_files',` -+ gen_require(` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute file_type; -+ ') -+ + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom 
relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') + allow $1 file_type:service all_service_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Get the status of etc_t files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6573,10 +8664,10 @@ interface(`files_polyinstantiate_all',` + ## + ## + # +-interface(`files_unconfined',` +interface(`files_status_etc',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + type etc_t; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te @@ -19006,7 +21394,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..0ad95e4 100644 +index 2522ca6..d58ced2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1) @@ -19159,7 +21547,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -122,11 +170,19 @@ optional_policy(` +@@ -122,11 +170,25 @@ optional_policy(` ') optional_policy(` @@ -19178,10 +21566,16 @@ index 2522ca6..0ad95e4 100644 + +optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_timedated(sysadm_t) ++ systemd_dbus_chat_hostnamed(sysadm_t) ++ systemd_dbus_chat_localed(sysadm_t) ++ ') ') optional_policy(` -@@ -140,6 +196,10 @@ optional_policy(` +@@ -140,6 +202,10 @@ optional_policy(` ') optional_policy(` 
@@ -19192,7 +21586,7 @@ index 2522ca6..0ad95e4 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +216,10 @@ optional_policy(` +@@ -156,6 +222,10 @@ optional_policy(` ') optional_policy(` @@ -19203,7 +21597,7 @@ index 2522ca6..0ad95e4 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -175,6 +239,13 @@ optional_policy(` +@@ -175,6 +245,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -19217,7 +21611,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -182,15 +253,20 @@ optional_policy(` +@@ -182,15 +259,20 @@ optional_policy(` ') optional_policy(` @@ -19229,19 +21623,19 @@ index 2522ca6..0ad95e4 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` -@@ -210,22 +286,20 @@ optional_policy(` +@@ -210,22 +292,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -19270,7 +21664,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -237,14 +311,27 @@ optional_policy(` +@@ -237,14 +317,27 @@ optional_policy(` ') optional_policy(` @@ -19298,7 +21692,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -252,10 +339,20 @@ optional_policy(` +@@ -252,10 +345,20 @@ optional_policy(` ') optional_policy(` @@ -19319,7 +21713,7 @@ index 2522ca6..0ad95e4 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +363,41 @@ optional_policy(` +@@ -266,35 +369,41 @@ optional_policy(` ') optional_policy(` 
@@ -19368,7 +21762,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -308,6 +411,7 @@ optional_policy(` +@@ -308,6 +417,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -19376,7 +21770,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -315,12 +419,20 @@ optional_policy(` +@@ -315,12 +425,20 @@ optional_policy(` ') optional_policy(` @@ -19398,7 +21792,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -345,7 +457,18 @@ optional_policy(` +@@ -345,7 +463,18 @@ optional_policy(` ') optional_policy(` @@ -19418,7 +21812,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -356,19 +479,11 @@ optional_policy(` +@@ -356,19 +485,11 @@ optional_policy(` ') optional_policy(` @@ -19439,7 +21833,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -380,10 +495,6 @@ optional_policy(` +@@ -380,10 +501,6 @@ optional_policy(` ') optional_policy(` @@ -19450,7 +21844,7 @@ index 2522ca6..0ad95e4 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +502,9 @@ optional_policy(` +@@ -391,6 +508,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -19460,7 +21854,7 @@ index 2522ca6..0ad95e4 100644 ') optional_policy(` -@@ -398,31 +512,34 @@ optional_policy(` +@@ -398,31 +518,34 @@ optional_policy(` ') optional_policy(` @@ -19501,7 +21895,7 @@ index 2522ca6..0ad95e4 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +552,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +558,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19512,7 +21906,7 @@ index 2522ca6..0ad95e4 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +572,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +578,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -33091,7 +35485,7 @@ index b50c5fe..e55a556 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..b144ffe 100644 +index 4e94884..8de26ad 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -33250,12 +35644,7 @@ index 4e94884..b144ffe 100644 + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Relabel the syslog pid sock_file. @@ -33270,14 +35659,15 @@ index 4e94884..b144ffe 100644 + gen_require(` + type syslogd_var_run_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Connect to the syslog control unix stream socket. 
@@ -33292,13 +35682,43 @@ index 4e94884..b144ffe 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## -@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',` +@@ -571,6 +715,25 @@ interface(`logging_read_audit_config',` + + ######################################## + ## ++## dontaudit search of auditd log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`logging_dontaudit_search_audit_logs',` ++ gen_require(` ++ type auditd_log_t; ++ ') ++ ++ dontaudit $1 auditd_log_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## dontaudit search of auditd configuration files. + ## + ## +@@ -609,6 +772,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -33324,7 +35744,7 @@ index 4e94884..b144ffe 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +904,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -33350,7 +35770,7 @@ index 4e94884..b144ffe 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +977,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -33377,7 +35797,7 @@ index 4e94884..b144ffe 100644 ') ######################################## -@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1078,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) 
@@ -33386,7 +35806,7 @@ index 4e94884..b144ffe 100644 ') ######################################## -@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1104,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -33431,7 +35851,7 @@ index 4e94884..b144ffe 100644 ## Write generic log files. ## ## -@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1162,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -33456,7 +35876,7 @@ index 4e94884..b144ffe 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1259,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -33474,7 +35894,7 @@ index 4e94884..b144ffe 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1284,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -33508,7 +35928,7 @@ index 4e94884..b144ffe 100644 ') ######################################## -@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1339,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -33526,7 +35946,7 @@ index 4e94884..b144ffe 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1369,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -33535,7 +35955,7 @@ index 4e94884..b144ffe 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1380,54 @@ interface(`logging_admin',` +@@ -1085,3 +1399,54 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f447195..0f72f5b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9084,7 +9084,7 @@ index 531a8f2..67b6c3d 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..ad2dccc 100644 +index 1241123..a0b7423 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9182,7 +9182,17 @@ index 1241123..ad2dccc 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -257,7 +268,7 @@ init_use_script_ptys(ndc_t) +@@ -242,6 +253,9 @@ corenet_tcp_bind_generic_node(ndc_t) + corenet_tcp_connect_rndc_port(ndc_t) + corenet_sendrecv_rndc_client_packets(ndc_t) + ++dev_read_rand(ndc_t) ++dev_read_urand(ndc_t) ++ + domain_use_interactive_fds(ndc_t) + + files_search_pids(ndc_t) +@@ -257,7 +271,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -26659,7 +26669,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..fed8792 100644 +index cf0e567..2b435ed 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; 
@@ -26687,9 +26697,11 @@ index cf0e567..fed8792 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -94,22 +92,33 @@ auth_use_nsswitch(fail2ban_t) +@@ -93,23 +91,35 @@ auth_use_nsswitch(fail2ban_t) + logging_read_all_logs(fail2ban_t) logging_send_syslog_msg(fail2ban_t) ++logging_dontaudit_search_audit_logs(fail2ban_t) -miscfiles_read_localization(fail2ban_t) +mta_send_mail(fail2ban_t) @@ -26725,7 +26737,7 @@ index cf0e567..fed8792 100644 iptables_domtrans(fail2ban_t) ') -@@ -118,6 +127,10 @@ optional_policy(` +@@ -118,6 +128,10 @@ optional_policy(` ') optional_policy(` @@ -26736,7 +26748,7 @@ index cf0e567..fed8792 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +144,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -26761,9 +26773,10 @@ index cf0e567..fed8792 100644 + logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) - --miscfiles_read_localization(fail2ban_client_t) - +-miscfiles_read_localization(fail2ban_client_t) ++logging_dontaudit_search_audit_logs(fail2ban_client_t) + userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) + @@ -27484,10 +27497,10 @@ index 5010f04..3b73741 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..e37a473 100644 +index 92a6479..addf8a6 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) +@@ -20,23 +20,26 @@ files_type(fprintd_var_lib_t) allow fprintd_t self:capability sys_nice; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; 
@@ -27496,8 +27509,11 @@ index 92a6479..e37a473 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t) + kernel_read_system_state(fprintd_t) + ++corecmd_exec_bin(fprintd_t) ++ dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) +dev_read_urand(fprintd_t) @@ -27514,7 +27530,7 @@ index 92a6479..e37a473 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +55,17 @@ optional_policy(` +@@ -54,8 +57,17 @@ optional_policy(` ') ') @@ -29431,10 +29447,10 @@ index 9eacb2c..2f3fa34 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..f07f415 100644 +index 5cd0909..e405249 100644 --- a/glance.te +++ b/glance.te -@@ -5,10 +5,16 @@ policy_module(glance, 1.1.0) +@@ -5,10 +5,23 @@ policy_module(glance, 1.1.0) # Declarations # @@ -29445,6 +29461,13 @@ index 5cd0909..f07f415 100644 +## +gen_tunable(glance_use_fusefs, false) + ++## ++##
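Review bot: `corecmd_exec_bin(fprintd_t)` is added with no comment saying which helper fprintd needs to run, and for a daemon that handles biometric enrolment data a blanket exec of `bin_t` is the kind of widening a later reader will want a reason for. A one-line comment above it naming the binary or the denial that motivated it, e.g. `# fprintd spawns <helper binary> (placeholder: name it)`, would keep the rule reviewable, as would a note if a narrower `*_exec` interface for that helper exists. The rest of the hunk (`dev_read_urand`) is self-explanatory.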

++## Allow glance domain to use executable memory and executable stack ++##

++##
++gen_tunable(glance_use_execmem, false) ++ attribute glance_domain; -type glance_registry_t, glance_domain; @@ -29453,7 +29476,7 @@ index 5cd0909..f07f415 100644 init_daemon_domain(glance_registry_t, glance_registry_exec_t) type glance_registry_initrc_exec_t; -@@ -17,13 +23,21 @@ init_script_file(glance_registry_initrc_exec_t) +@@ -17,13 +30,21 @@ init_script_file(glance_registry_initrc_exec_t) type glance_registry_tmp_t; files_tmp_file(glance_registry_tmp_t) @@ -29477,7 +29500,7 @@ index 5cd0909..f07f415 100644 type glance_log_t; logging_log_file(glance_log_t) -@@ -41,6 +55,7 @@ files_pid_file(glance_var_run_t) +@@ -41,6 +62,7 @@ files_pid_file(glance_var_run_t) # Common local policy # @@ -29485,7 +29508,7 @@ index 5cd0909..f07f415 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,29 +71,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,29 +78,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -29523,7 +29546,9 @@ index 5cd0909..f07f415 100644 + fs_getattr_fusefs(glance_domain) +') + -+ ++tunable_policy(`glance_use_execmem',` ++ allow glance_domain self:process { execmem execstack }; ++') + +optional_policy(` + mysql_read_db_lnk_files(glance_domain) 
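Review bot: The description of the new `glance_use_execmem` tunable, `Allow glance domain to use executable memory and executable stack`, states what it grants but not what it gives up, and since the matching `tunable_policy` in hunk `@@ -56,29 +78,40 @@` hands `execmem execstack` to every glance domain, this text is the only place an administrator toggling the boolean will see the trade-off. Suggest `## Allow glance domain to use executable memory and executable stack (removes the W^X restriction for glance; leave off unless glance logs execmem/execstack denials)`. The `false` default is the right choice and should stay.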
@@ -29532,7 +29557,7 @@ index 5cd0909..f07f415 100644 ######################################## # # Registry local policy -@@ -88,8 +112,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +121,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -29547,7 +29572,7 @@ index 5cd0909..f07f415 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +138,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +147,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -47842,7 +47867,7 @@ index f42896c..1e1a679 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..8f217ea 100644 +index ed81cac..837a43a 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -47994,11 +48019,13 @@ index ed81cac..8f217ea 100644 ') -####################################### --## ++###################################### + ## -## Read mta mail home files. --## --## --## ++## Dontaudit read and write an leaked file descriptors + ## + ## + ## -## Domain allowed access. -## -## @@ -48085,15 +48112,13 @@ index ed81cac..8f217ea 100644 -') - -######################################## -+###################################### - ## +-## -## Create specified objects in user home -## directories with the generic mail -## home rw type. -+## Dontaudit read and write an leaked file descriptors - ## - ## - ## +-## +-## +-## -## Domain allowed access. -## -## 
@@ -48782,7 +48807,7 @@ index ed81cac..8f217ea 100644 ## ## ## -@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1051,200 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -48813,6 +48838,29 @@ index ed81cac..8f217ea 100644 + +###################################### +## ++## ALlow domain to append mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_append_home',` ++ gen_require(` ++ type mail_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ append_files_pattern($1, mail_home_t, mail_home_t) ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ ') ++') ++ ++###################################### ++## +## ALlow domain to read mail content in the homedir +## +## @@ -48961,7 +49009,7 @@ index ed81cac..8f217ea 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..4cf1204 100644 +index ff1d68c..45bdd6f 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -49278,7 +49326,7 @@ index ff1d68c..4cf1204 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,40 +368,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +368,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) 
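Review bot: The new `mta_append_home` interface's summary has a typo (`ALlow`, also present in the neighbouring `mta_read_home` summary) and does not state that the grant is append-only: `append_files_pattern` confers no create, write or unlink permission on mail_home_t, so a caller that must create dead.letter still needs the companion filetrans interface, and the `distro_redhat` branch only adds search on the admin home directory. Suggested summary: `## Allow domain to append to existing mail_home_t content in user home directories (append-only; creation needs mta_filetrans_home_content())`.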
@@ -49302,50 +49350,53 @@ index ff1d68c..4cf1204 100644 - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) - fs_read_cifs_symlinks(mailserver_delivery) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mailserver_delivery) -- fs_manage_nfs_files(mailserver_delivery) -- fs_read_nfs_symlinks(mailserver_delivery) --') -- - optional_policy(` -- arpwatch_search_data(mailserver_delivery) ++optional_policy(` + dovecot_manage_spool(mailserver_delivery) + dovecot_domtrans_deliver(mailserver_delivery) ') - optional_policy(` -- dovecot_manage_spool(mailserver_delivery) -- dovecot_domtrans_deliver(mailserver_delivery) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mailserver_delivery) +- fs_manage_nfs_files(mailserver_delivery) +- fs_read_nfs_symlinks(mailserver_delivery) ++optional_policy(` + logwatch_search_cache_dir(mailserver_delivery) ') optional_policy(` +- arpwatch_search_data(mailserver_delivery) + # so MTA can access /var/lib/mailman/mail/wrapper - files_search_var_lib(mailserver_delivery) - - mailman_domtrans(mailserver_delivery) -@@ -372,6 +395,17 @@ optional_policy(` ++ files_search_var_lib(mailserver_delivery) ++ ++ mailman_domtrans(mailserver_delivery) ++ mailman_read_data_symlinks(mailserver_delivery) ') optional_policy(` +- dovecot_manage_spool(mailserver_delivery) +- dovecot_domtrans_deliver(mailserver_delivery) + mailman_manage_data_files(mailserver_domain) + mailman_domtrans(mailserver_domain) + mailman_append_log(mailserver_domain) + mailman_read_log(mailserver_domain) + ') + + optional_policy(` +- files_search_var_lib(mailserver_delivery) ++ mta_filetrans_home_content(mailserver_domain) ++ mta_filetrans_admin_home_content(mailserver_domain) ++ mta_read_home(mailserver_domain) ++ mta_append_home(mailserver_domain) +') -+ + +- mailman_domtrans(mailserver_delivery) +- mailman_read_data_symlinks(mailserver_delivery) +optional_policy(` + pcp_read_lib_files(mailserver_delivery) -+') -+ 
-+optional_policy(` - postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -381,24 +415,49 @@ optional_policy(` + optional_policy(` +@@ -381,24 +422,49 @@ optional_policy(` ######################################## # @@ -56564,10 +56615,10 @@ index 57c0161..dae3360 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..6871201 100644 +index 5b2cb0d..09484a9 100644 --- a/nut.te +++ b/nut.te -@@ -22,139 +22,162 @@ type nut_upsdrvctl_t, nut_domain; +@@ -22,139 +22,150 @@ type nut_upsdrvctl_t, nut_domain; type nut_upsdrvctl_exec_t; init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) @@ -56596,9 +56647,11 @@ index 5b2cb0d..6871201 100644 -allow nut_domain nut_conf_t:dir list_dir_perms; -allow nut_domain nut_conf_t:file read_file_perms; -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; -- --manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) --manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) ++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; + ++# pid file + manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) + manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(nut_domain) @@ -56606,7 +56659,8 @@ index 5b2cb0d..6871201 100644 -logging_send_syslog_msg(nut_domain) - -miscfiles_read_localization(nut_domain) -+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; ++manage_sock_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(nut_domain, nut_var_run_t, dir) ######################################## # 
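Review bot: `mta_read_home(mailserver_domain)` grants every mailserver_domain type read access to all mail_home_t content, while the changelog motivates this block only by appending dead.letter and creating home content with the right label. If some program in the attribute genuinely reads mail_home_t, a comment naming it would justify the wider grant; otherwise dropping that one line keeps the new access append-only. As a point of style, wrapping mta.te's own `mta_*` interfaces in `optional_policy()` is unnecessary — they are unconditionally defined in the same module — so a plain block would read more honestly. This hunk begins on the previous line.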
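Review bot: `allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;` is added to every nut domain with no comment explaining which of them listens for kernel uevents (presumably the USB-attached UPS drivers via libusb/udev, but the hunk does not show it). Suggest `# UPS drivers watch udev uevents for USB devices — TODO confirm which nut domains need this` above the rule, or scoping it to the driver domain if only one needs it. The nut_domain common block continues outside the hunk.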
@@ -56636,19 +56690,13 @@ index 5b2cb0d..6871201 100644 -corenet_sendrecv_ups_server_packets(nut_upsd_t) -corenet_tcp_bind_ups_port(nut_upsd_t) -+# pid file -+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) - --corenet_sendrecv_generic_server_packets(nut_upsd_t) --corenet_tcp_bind_generic_port(nut_upsd_t) +kernel_read_kernel_sysctls(nut_upsd_t) --files_read_usr_files(nut_upsd_t) +-corenet_sendrecv_generic_server_packets(nut_upsd_t) +corenet_tcp_bind_ups_port(nut_upsd_t) -+corenet_tcp_bind_generic_port(nut_upsd_t) + corenet_tcp_bind_generic_port(nut_upsd_t) +- +-files_read_usr_files(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) auth_use_nsswitch(nut_upsd_t) @@ -56668,14 +56716,8 @@ index 5b2cb0d..6871201 100644 +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; +allow nut_upsmon_t self:tcp_socket create_socket_perms; -+ -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) -+# pid file -+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -+manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) 
@@ -56732,20 +56774,15 @@ index 5b2cb0d..6871201 100644 +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; -+ + +-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) +can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) + -+# pid file -+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) - manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) --files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) -+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) -+ +kernel_read_kernel_sysctls(nut_upsdrvctl_t) - ++ +# /sbin/upsdrvctl executes other drivers corecmd_exec_bin(nut_upsdrvctl_t) @@ -60310,7 +60347,7 @@ index 0000000..0493b99 +') diff --git a/osad.fc b/osad.fc new file mode 100644 -index 0000000..1e1eceb +index 0000000..cf911d5 --- /dev/null +++ b/osad.fc @@ -0,0 +1,7 @@ @@ -60318,7 +60355,7 @@ index 0000000..1e1eceb + +/usr/sbin/osad -- gen_context(system_u:object_r:osad_exec_t,s0) + -+/var/log/osad -- gen_context(system_u:object_r:osad_log_t,s0) ++/var/log/osad.* -- gen_context(system_u:object_r:osad_log_t,s0) + +/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0) diff --git a/osad.if b/osad.if @@ -60494,10 +60531,10 @@ index 0000000..05648bd +') diff --git a/osad.te b/osad.te new file mode 100644 -index 0000000..a40fcc3 +index 0000000..310d672 --- /dev/null +++ b/osad.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,48 @@ +policy_module(osad, 1.0.0) + +######################################## 
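Review bot: The new `/var/log/osad.*` pattern in osad.fc has an unescaped `.`, so it also claims any regular file whose name merely begins with `osad` under /var/log (e.g. `/var/log/osadmin`), and the trailing `.*` matches across `/`. If the daemon's log is a single file, a literal form such as `/var/log/osad\.log.* -- gen_context(system_u:object_r:osad_log_t,s0)` is tighter; the same loose pattern is already used for `/var/run/osad.*` in the context lines, so keep the two consistent whichever way is chosen.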
@@ -60522,20 +60559,23 @@ index 0000000..a40fcc3 +# +# osad local policy +# ++ +allow osad_t self:process setpgid; + +manage_files_pattern(osad_t, osad_log_t, osad_log_t) -+logging_log_filetrans(osad_t, osad_log_t, { file }) ++logging_log_filetrans(osad_t, osad_log_t, file) + +manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t) -+files_pid_filetrans(osad_t, osad_var_run_t, { file}) ++files_pid_filetrans(osad_t, osad_var_run_t, file) + +kernel_read_system_state(osad_t) + -+auth_read_passwd(osad_t) ++corenet_tcp_connect_http_port(osad_t) + +dev_read_urand(osad_t) + ++auth_use_nsswitch(osad_t) ++ +optional_policy(` + gnome_dontaudit_search_config(osad_t) +') @@ -78960,7 +79000,7 @@ index c8bdea2..e6bcb25 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..e975469 100644 +index 6cf79c4..dacec90 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -79471,7 +79511,7 @@ index 6cf79c4..e975469 100644 +# bug in haproxy and process vs pid owner +allow haproxy_t self:capability { dac_override kill }; + -+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; ++allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource net_admin net_raw }; +allow haproxy_t self:capability2 block_suspend; +allow haproxy_t self:process { fork setrlimit signal_perms }; +allow haproxy_t self:fifo_file rw_fifo_file_perms; @@ -86741,10 +86781,10 @@ index 0000000..a2cb772 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..62a9666 +index 0000000..eb990f6 --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,64 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; 
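Review bot: The haproxy capability line gains `net_admin` and `net_raw` with only the changelog's "haproxy uses setsockopt()" as justification; CAP_NET_ADMIN is far wider than any socket option (it also covers interface, route and firewall changes from a domain that terminates untrusted connections). If the options in question are the transparent-proxy ones that typically need these capabilities (IP_TRANSPARENT / SO_MARK for net_admin, SO_BINDTODEVICE for net_raw), say so in a comment, e.g. `# net_admin/net_raw: transparent-proxy socket options (IP_TRANSPARENT, SO_MARK, SO_BINDTODEVICE) — TODO confirm`, and consider gating them behind a boolean since not every deployment uses transparent mode. The haproxy_t block continues outside the hunk.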
@@ -86801,6 +86841,7 @@ index 0000000..62a9666 + +files_read_config_files(sandbox_domain) +files_read_var_files(sandbox_domain) ++files_read_all_mountpoint_symlinks(sandbox_domain) +files_dontaudit_search_all_dirs(sandbox_domain) + +fs_dontaudit_getattr_all_fs(sandbox_domain) @@ -102410,7 +102451,7 @@ index facdee8..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..8cfc7f4 100644 +index f03dcf5..67904c0 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,212 @@ @@ -103877,7 +103918,7 @@ index f03dcf5..8cfc7f4 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1138,307 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1138,308 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -103967,6 +104008,7 @@ index f03dcf5..8cfc7f4 100644 +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++kernel_dontaudit_access_check_proc(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + @@ -104322,7 +104364,7 @@ index f03dcf5..8cfc7f4 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1451,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1452,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -104337,7 +104379,7 @@ index f03dcf5..8cfc7f4 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1469,8 @@ optional_policy(` +@@ -1192,9 +1470,8 @@ optional_policy(` ######################################## # 
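Review bot: `files_read_all_mountpoint_symlinks(sandbox_domain)` grants lnk_file read on every type carrying the mountpoint attribute, not just the one hosting the symlinked home directories the changelog names; in a domain whose purpose is confinement this also exposes link targets under /mnt, /media and any other mount point. If /home is the only case that matters, a comment pinning the intent keeps the rule reviewable, e.g. `# symlinked home dirs live under a mount point; needed to resolve ~ — TODO narrow if a home-specific interface exists`. The sandbox_domain block continues outside the hunk.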
@@ -104348,7 +104390,7 @@ index f03dcf5..8cfc7f4 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1483,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1484,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -107851,7 +107893,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..6a63c90 100644 +index 7f496c6..f2b5fa6 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -108041,15 +108083,16 @@ index 7f496c6..6a63c90 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +161,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) -kernel_read_all_sysctls(zabbix_agent_t) kernel_read_system_state(zabbix_agent_t) - --corecmd_read_all_executables(zabbix_agent_t) - +-corecmd_read_all_executables(zabbix_agent_t) ++kernel_read_network_state(zabbix_agent_t) + corenet_all_recvfrom_unlabeled(zabbix_agent_t) corenet_all_recvfrom_netlabel(zabbix_agent_t) -corenet_tcp_sendrecv_generic_if(zabbix_agent_t) @@ -108060,7 +108103,7 @@ index 7f496c6..6a63c90 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +184,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 9d68c96..41aeac8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 64%{?dist} +Release: 65%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -600,6 +600,26 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 18 2014 Lukas Vrabec 3.13.1-65 +- Allow sysadm to dbus chat with systemd +- Add logging_dontaudit_search_audit_logs() +- Add new files_read_all_mountpoint_symlinks() +- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo. +- Allow ndc to read random and urandom device (#1110397) +- Allow zabbix to read system network state +- Allow fprintd to execute usr_t/bin_t +- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t +- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd +- Dontaudit search audit logs for fail2ban +- Allow mailserver_domain domains to create mail home content with right labeling +- Dontaudit svirt_sandbox_domain doing access checks on /proc +- Fix files_pid_filetrans() calling in nut.te to reflect allow rules. +- Use nut_domain attribute for files_pid_filetrans() for nut domains. +- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs +- Fix nut domains only have type transition on dirs in /run/nut directory. +- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt() +- Clean up osad policy. Remove additional interfaces/rules + * Mon Jul 14 2014 Lukas Vrabec 3.13.1-64 - Allow systemd domains to check lvm status - Allow getty to execute plymouth.#1112870