diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2c662e8..cf980ca 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5565,7 +5565,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..3812e33 100644 +index b191055..bb7bad0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5639,7 +5639,7 @@ index b191055..3812e33 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -83,56 +106,71 @@ network_port(agentx, udp,705,s0, tcp,705,s0) +@@ -83,56 +106,72 @@ network_port(agentx, udp,705,s0, tcp,705,s0) network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) @@ -5710,6 +5710,7 @@ index b191055..3812e33 100644 network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +network_port(gear, tcp,43273,s0, udp,43273,s0) ++network_port(geneve, tcp,6080,s0) network_port(gdomap, tcp,538,s0, udp,538,s0) network_port(gds_db, tcp,3050,s0, udp,3050,s0) network_port(giftd, tcp,1213,s0) 
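Review bot: The new `network_port(geneve, tcp,6080,s0)` in the corenetwork.te.in hunk labels TCP 6080 only, while Geneve's IANA-assigned transport is UDP 6081, so the port type as written would not cover actual Geneve tunnel traffic; if 6080/tcp is what a specific deployment needs, a comment such as `# geneve: 6080/tcp is <deployment-specific — fill in>; IANA assigns udp/6081` would stop the next reader from "correcting" it. The line is also inserted between gear and gdomap rather than after gds_db, which is where the surrounding list would otherwise place it alphabetically. The renumbered inner headers (+106,72 and the +179, +235, +360, +409, +423 offsets in the following hunks) are consistent with exactly one added line.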
@@ -5720,7 +5721,7 @@ index b191055..3812e33 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +178,55 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +179,55 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5791,7 +5792,7 @@ index b191055..3812e33 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +234,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +235,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5934,7 +5935,7 @@ index b191055..3812e33 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +359,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +360,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5961,7 +5962,7 @@ index b191055..3812e33 100644 ######################################## # -@@ -333,6 +408,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +409,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -5970,7 +5971,7 @@ index b191055..3812e33 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +422,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +423,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -14445,7 +14446,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..d7111b8 100644 +index 8416beb..a250b32 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15453,7 +15454,32 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -2485,6 +3021,7 @@ interface(`fs_read_nfs_files',` +@@ -2398,6 +2934,24 @@ interface(`fs_getattr_nfs',` + + ######################################## + ## ++## Set the attributes of nfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_nfs_dirs',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:dir setattr; ++') ++ ++######################################## ++## + ## Search directories on a NFS filesystem. + ## + ## +@@ -2485,6 +3039,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -15461,7 +15487,7 @@ index 8416beb..d7111b8 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3060,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3078,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -15469,7 +15495,7 @@ index 8416beb..d7111b8 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3087,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3105,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
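Review bot: The new `fs_setattr_nfs_dirs` interface in the filesystem.if hunk grants only `allow $1 nfs_t:dir setattr;` with no traversal permission on nfs_t directories, so a caller that has not separately invoked fs_search_nfs will still be denied at path lookup for any directory below the mount root; the neighbouring nfs interfaces in this file (the `allow $1 nfs_t:dir list_dir_perms;` line visible in fs_read_nfs_files a few lines further down) bundle the traversal permission with the access they grant. Either add `allow $1 nfs_t:dir search_dir_perms;` next to the setattr line or state the pairing requirement in the interface summary. The summary could also say what attributes are covered (setattr is mode, ownership and timestamps) so policy writers can choose between this and fs_manage_nfs_dirs.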
@@ -15514,7 +15540,7 @@ index 8416beb..d7111b8 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3145,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3163,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -15523,7 +15549,7 @@ index 8416beb..d7111b8 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3165,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3183,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -15566,7 +15592,7 @@ index 8416beb..d7111b8 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3215,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3233,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -15575,7 +15601,7 @@ index 8416beb..d7111b8 100644 ') ######################################## -@@ -2627,7 +3239,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3257,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -15584,7 +15610,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -2719,6 +3331,47 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3349,47 @@ interface(`fs_search_rpc',` ######################################## ## @@ -15632,7 +15658,7 @@ index 8416beb..d7111b8 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3394,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3412,7 @@ interface(`fs_search_removable',` ## ## ## @@ -15641,7 +15667,7 @@ index 8416beb..d7111b8 100644 ## ## # -@@ -2777,7 +3430,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3448,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -15650,7 +15676,7 @@ index 8416beb..d7111b8 100644 ## ## # -@@ -2970,6 +3623,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3641,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') 
@@ -15658,7 +15684,7 @@ index 8416beb..d7111b8 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3664,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3682,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -15666,7 +15692,7 @@ index 8416beb..d7111b8 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3705,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3723,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -15674,7 +15700,7 @@ index 8416beb..d7111b8 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +3793,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +3811,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -15699,7 +15725,7 @@ index 8416beb..d7111b8 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,6 +3937,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3955,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -15724,7 +15750,7 @@ index 8416beb..d7111b8 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3975,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3993,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -15749,7 +15775,7 @@ index 8416beb..d7111b8 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4102,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4120,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -15758,7 +15784,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3429,7 +4139,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4157,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -15767,7 +15793,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3447,7 +4157,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4175,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
@@ -15776,7 +15802,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3743,25 +4453,61 @@ interface(`fs_getattr_rpc_pipefs',` +@@ -3743,25 +4471,61 @@ interface(`fs_getattr_rpc_pipefs',` ######################################### ## @@ -15844,7 +15870,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3769,17 +4515,17 @@ interface(`fs_rw_rpc_named_pipes',` +@@ -3769,17 +4533,17 @@ interface(`fs_rw_rpc_named_pipes',` ## ## # @@ -15865,7 +15891,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3787,17 +4533,17 @@ interface(`fs_mount_tmpfs',` +@@ -3787,17 +4551,17 @@ interface(`fs_mount_tmpfs',` ## ## # @@ -15886,7 +15912,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3805,12 +4551,12 @@ interface(`fs_remount_tmpfs',` +@@ -3805,12 +4569,12 @@ interface(`fs_remount_tmpfs',` ## ## # @@ -15901,7 +15927,7 @@ index 8416beb..d7111b8 100644 ') ######################################## -@@ -3908,7 +4654,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4672,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -15910,7 +15936,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3916,17 +4662,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4680,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -15931,7 +15957,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3934,17 +4680,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4698,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -15952,7 +15978,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3952,17 +4698,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4716,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -15992,7 +16018,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -3970,31 +4735,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4753,48 @@ interface(`fs_search_tmpfs',` ## ## # 
@@ -16048,7 +16074,7 @@ index 8416beb..d7111b8 100644 ') ######################################## -@@ -4105,7 +4887,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4905,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -16057,7 +16083,7 @@ index 8416beb..d7111b8 100644 ') ######################################## -@@ -4165,6 +4947,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4965,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -16082,7 +16108,7 @@ index 8416beb..d7111b8 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5002,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5020,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -16091,7 +16117,7 @@ index 8416beb..d7111b8 100644 ## ## ## -@@ -4221,6 +5021,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5039,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -16152,7 +16178,7 @@ index 8416beb..d7111b8 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5132,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5150,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -16197,7 +16223,7 @@ index 8416beb..d7111b8 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5189,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5207,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -16223,7 +16249,7 @@ index 8416beb..d7111b8 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5414,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5432,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; 
@@ -16232,7 +16258,7 @@ index 8416beb..d7111b8 100644 ') ######################################## -@@ -4549,7 +5462,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5480,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -16241,7 +16267,7 @@ index 8416beb..d7111b8 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5509,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5527,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -16268,7 +16294,7 @@ index 8416beb..d7111b8 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +5604,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +5622,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -16294,7 +16320,7 @@ index 8416beb..d7111b8 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +5864,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5882,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -35708,7 +35734,7 @@ index 4e94884..7ab6191 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..0bdf67e 100644 +index 59b04c1..75844b4 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -35895,7 +35921,7 @@ index 59b04c1..0bdf67e 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +325,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +325,23 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -35915,7 +35941,12 @@ index 59b04c1..0bdf67e 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +379,6 @@ files_read_etc_files(klogd_t) ++term_search_ptys(audisp_remote_t) ++ + ######################################## + # + # klogd local policy +@@ -326,7 +381,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) 
@@ -35923,7 +35954,7 @@ index 59b04c1..0bdf67e 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +407,12 @@ optional_policy(` +@@ -355,13 +409,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -35940,7 +35971,7 @@ index 59b04c1..0bdf67e 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +420,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +422,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -35957,7 +35988,7 @@ index 59b04c1..0bdf67e 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +444,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +446,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -36008,7 +36039,7 @@ index 59b04c1..0bdf67e 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +494,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +496,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) 
@@ -36017,7 +36048,7 @@ index 59b04c1..0bdf67e 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +506,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +508,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -36051,7 +36082,7 @@ index 59b04c1..0bdf67e 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +545,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +547,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -36069,7 +36100,7 @@ index 59b04c1..0bdf67e 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +567,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +569,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -36085,7 +36116,7 @@ index 59b04c1..0bdf67e 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +599,7 @@ optional_policy(` +@@ -497,6 +601,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -36093,7 +36124,7 @@ index 59b04c1..0bdf67e 100644 ') optional_policy(` -@@ -507,15 +610,40 @@ optional_policy(` +@@ -507,15 +612,40 @@ optional_policy(` ') optional_policy(` @@ -36134,7 +36165,7 @@ index 59b04c1..0bdf67e 100644 ') optional_policy(` -@@ -526,3 +654,26 @@ optional_policy(` +@@ -526,3 +656,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e56d9f6..fcb9f3d 100644 --- a/policy-rawhide-contrib.patch 
+++ b/policy-rawhide-contrib.patch @@ -1354,6 +1354,19 @@ index 8d42c97..2377f8f 100644 optional_policy(` unconfined_domain(ada_t) +diff --git a/afs.fc b/afs.fc +index 8926c16..29817e9 100644 +--- a/afs.fc ++++ b/afs.fc +@@ -3,6 +3,8 @@ + /etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) + /etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) + ++/usr/afs(/.*)? gen_context(system_u:object_r:afs_files_t,s0) ++ + /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) + /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) + /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) diff --git a/afs.if b/afs.if index 3b41be6..97d99f9 100644 --- a/afs.if @@ -1405,7 +1418,7 @@ index 3b41be6..97d99f9 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 90ce637..2e9f5d9 100644 +index 90ce637..07db31b 100644 --- a/afs.te +++ b/afs.te @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) 
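Review bot: The new afs.fc entry `/usr/afs(/.*)? gen_context(system_u:object_r:afs_files_t,s0)` references a type `afs_files_t` whose declaration is not in any visible hunk; the afs.te hunks later in this diff use it only as a filetrans source, so confirm that `type afs_files_t; files_type(afs_files_t);` exists in afs.te, otherwise the file context will not load. The more specific `/usr/afs/bin/*` entries below should keep their exec types under the usual file_contexts precedence rules, so the catch-all is harmless for them. Note that the glob also matches /usr/afs/db and /usr/afs/local, which the new afs.te filetrans rules create as afs_dbdir_t and afs_config_t; if afs.fc has no explicit entries for those paths (not visible here), a relabel would flatten them to afs_files_t.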
@@ -1439,7 +1452,20 @@ index 90ce637..2e9f5d9 100644 ######################################## # # AFS bossserver local policy -@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) +@@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t) + + manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) + manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) ++filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local") + +-allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; ++manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t) ++manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t) ++filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db") + + allow afs_bosserver_t afs_fsserver_t:process signal_perms; + domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) +@@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) kernel_read_kernel_sysctls(afs_bosserver_t) @@ -1447,7 +1473,7 @@ index 90ce637..2e9f5d9 100644 corenet_all_recvfrom_netlabel(afs_bosserver_t) corenet_udp_sendrecv_generic_if(afs_bosserver_t) corenet_udp_sendrecv_generic_node(afs_bosserver_t) -@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) +@@ -136,10 +152,13 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) files_list_home(afs_bosserver_t) @@ -1455,7 +1481,14 @@ index 90ce637..2e9f5d9 100644 seutil_read_config(afs_bosserver_t) -@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms }; ++optional_policy(` ++ kerberos_read_config(afs_bosserver_t) ++') ++ + ######################################## + # + # fileserver local policy +@@ -151,9 +170,6 @@ allow afs_fsserver_t self:process { setsched signal_perms }; allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; 
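Review bot: The afs.te hunk replaces `allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;` with full `manage_dirs_pattern`/`manage_files_pattern` on afs_dbdir_t plus filetrans rules creating "db" and "local" under afs_files_t, which turns bosserver from a reader of the database directory into a domain that can create and delete everything in it; presumably this is because bosserver creates these directories on first start, but nothing in the hunk says so. A comment above the block such as `# bosserver creates /usr/afs/db and /usr/afs/local on first start (<bug reference — fill in>)` would record the justification, and if only directory creation is needed, `manage_dirs_pattern` plus the filetrans rules may be sufficient without `manage_files_pattern`. The later hunk adding `kerberos_read_config(afs_bosserver_t)` inside optional_policy is fine as written.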
@@ -1465,7 +1498,7 @@ index 90ce637..2e9f5d9 100644 manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) +@@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) corenet_all_recvfrom_unlabeled(afs_fsserver_t) corenet_all_recvfrom_netlabel(afs_fsserver_t) @@ -1482,7 +1515,7 @@ index 90ce637..2e9f5d9 100644 corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) corenet_tcp_bind_afs_fs_port(afs_fsserver_t) -@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) +@@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) files_read_etc_runtime_files(afs_fsserver_t) files_list_home(afs_fsserver_t) @@ -1490,7 +1523,7 @@ index 90ce637..2e9f5d9 100644 files_list_pids(afs_fsserver_t) files_dontaudit_search_mnt(afs_fsserver_t) -@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) kernel_read_kernel_sysctls(afs_kaserver_t) @@ -1498,7 +1531,7 @@ index 90ce637..2e9f5d9 100644 corenet_all_recvfrom_netlabel(afs_kaserver_t) corenet_udp_sendrecv_generic_if(afs_kaserver_t) corenet_udp_sendrecv_generic_node(afs_kaserver_t) -@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) +@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) files_list_home(afs_kaserver_t) @@ -1506,7 +1539,7 @@ index 90ce637..2e9f5d9 100644 seutil_read_config(afs_kaserver_t) -@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t) +@@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t) allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; 
@@ -1523,7 +1556,7 @@ index 90ce637..2e9f5d9 100644 corenet_all_recvfrom_netlabel(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) corenet_udp_sendrecv_generic_if(afs_ptserver_t) -@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) +@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) corenet_udp_bind_afs_pt_port(afs_ptserver_t) corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) @@ -1532,7 +1565,7 @@ index 90ce637..2e9f5d9 100644 userdom_dontaudit_use_user_terminals(afs_ptserver_t) ######################################## -@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t) +@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t) allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; @@ -1549,7 +1582,7 @@ index 90ce637..2e9f5d9 100644 corenet_all_recvfrom_netlabel(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) corenet_udp_sendrecv_generic_if(afs_vlserver_t) -@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) +@@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) allow afs_domain self:udp_socket create_socket_perms; @@ -12019,10 +12052,10 @@ index 0000000..7567038 +/var/run/cgdcbxd\.pid -- gen_context(system_u:object_r:cgdcbxd_var_run_t,s0) diff --git a/cgdcbxd.if b/cgdcbxd.if new file mode 100644 -index 0000000..651a34b +index 0000000..1efacf1 --- /dev/null +++ b/cgdcbxd.if -@@ -0,0 +1,104 @@ +@@ -0,0 +1,99 @@ + +## policy for cgdcbxd + @@ -12098,11 +12131,6 @@ index 0000000..651a34b +## Domain allowed access. +##
+## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`cgdcbxd_admin',` @@ -14116,10 +14144,10 @@ index bbdd396..8328b95 100644 + rhcs_rw_cluster_tmpfs(cmirrord_t) +') diff --git a/cobbler.fc b/cobbler.fc -index 973d208..3d2a715 100644 +index 973d208..6ce8803 100644 --- a/cobbler.fc +++ b/cobbler.fc -@@ -4,11 +4,14 @@ +@@ -4,11 +4,15 @@ /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) @@ -14127,6 +14155,7 @@ index 973d208..3d2a715 100644 /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/boot(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) /var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) /var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) @@ -14323,10 +14352,10 @@ index 0000000..bb87537 +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 -index 0000000..a8a678a +index 0000000..eb2739a --- /dev/null +++ b/cockpit.if -@@ -0,0 +1,189 @@ +@@ -0,0 +1,184 @@ +## policy for cockpit + +######################################## @@ -14479,11 +14508,6 @@ index 0000000..a8a678a +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`cockpit_admin',` @@ -19678,7 +19702,7 @@ index b25b01d..6b7d687 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..bbf96d9 100644 +index 001b502..28bb02c 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
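Review bot: The cgdcbxd.if hunk removes the `Role allowed access` parameter block from cgdcbxd_admin's XML documentation (the same edit is made to cockpit_admin, etcd_admin, geoclue_admin and hostapd_admin in later hunks), but the interface bodies are outside these hunks, so confirm in each case that the interface no longer takes or uses a `$2` role argument; if any of them still does `role $2 types ...`, the documentation now understates the interface's parameters and the generated interface docs will be wrong. The inner header change from `+1,104` to `+1,99` matches the five removed lines.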
@@ -19765,10 +19789,12 @@ index 001b502..bbf96d9 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +129,11 @@ optional_policy(` +@@ -106,9 +129,13 @@ optional_policy(` ') optional_policy(` ++ samba_winbind_signull(ctdbd_t) ++ samba_unconfined_net_signull(ctdbd_t) + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) @@ -25065,10 +25091,10 @@ index 0000000..1714fa6 +/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) diff --git a/dnssec.if b/dnssec.if new file mode 100644 -index 0000000..457d4dd +index 0000000..a846ce0 --- /dev/null +++ b/dnssec.if -@@ -0,0 +1,85 @@ +@@ -0,0 +1,104 @@ + +## policy for dnssec_trigger + @@ -25133,6 +25159,25 @@ index 0000000..457d4dd + +######################################## +## ++## Send signull to dnssec_trigger. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`dnssec_trigger_signull',` ++ gen_require(` ++ type dnssec_trigger_t; ++ ') ++ ++ allow $1 dnssec_trigger_t:process signull; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an dnssec_trigger environment +## @@ -25156,10 +25201,10 @@ index 0000000..457d4dd +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..6d795fe +index 0000000..225fcfd --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,82 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -25193,6 +25238,7 @@ index 0000000..6d795fe + +manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms; +files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) + +manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) 
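Review bot: The two added calls in the ctdb.te hunk, `samba_winbind_signull(ctdbd_t)` and `samba_unconfined_net_signull(ctdbd_t)`, use an object-first name while the line directly below them, `samba_signull_smbd(ctdbd_t)`, and the other samba_* calls in this block use the verb-first form; the inconsistency suggests at least one of the names should be checked against samba.if, since an undefined interface only fails at module build time. If samba.if follows the verb-first convention, the lines would read `samba_signull_winbind(ctdbd_t)` and `samba_signull_unconfined_net(ctdbd_t)`. A short comment on the group, e.g. `# ctdb sends signull to the samba daemons: <reason — fill in>`, would also record why ctdb needs to probe these domains.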
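Review bot: The new dnssec_trigger_signull interface in the dnssec.if hunk is preceded by two `#` lines (`++# ++#`) where every other interface in this file closes its XML block with a single `#`; drop one so the file stays uniform for the documentation generator.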
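Review bot: `allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;` in the dnssec.te hunk grants only the source half of a relabel; completing one also needs `relabelto` on the destination type, and no such rule is visible, so either the destination rule is missing or the daemon is merely tripping an audit on a relabel it does not need, in which case a `dontaudit` would be the safer choice. Add a comment naming the target, e.g. `# dnssec-trigger relabels its runtime file to <type — fill in> when <situation — fill in>`, so the reviewer can verify the pair is complete.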
@@ -26627,10 +26673,10 @@ index 0000000..eac30a3 +/var/lib/etcd(/.*)? gen_context(system_u:object_r:etcd_var_lib_t,s0) diff --git a/etcd.if b/etcd.if new file mode 100644 -index 0000000..d5386d9 +index 0000000..d1a05a6 --- /dev/null +++ b/etcd.if -@@ -0,0 +1,166 @@ +@@ -0,0 +1,161 @@ +## A highly-available key value store for shared configuration. + +######################################## @@ -26764,11 +26810,6 @@ index 0000000..d5386d9 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`etcd_admin',` @@ -29616,10 +29657,10 @@ index 0000000..a97f14f +/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0) diff --git a/geoclue.if b/geoclue.if new file mode 100644 -index 0000000..9e17d3e +index 0000000..cf9f7bf --- /dev/null +++ b/geoclue.if -@@ -0,0 +1,158 @@ +@@ -0,0 +1,153 @@ + +## Geoclue is a D-Bus service that provides location information + @@ -29750,11 +29791,6 @@ index 0000000..9e17d3e +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`geoclue_admin',` @@ -30704,10 +30740,10 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..c46100b +index 0000000..918eb52 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,271 @@ +@@ -0,0 +1,277 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -30860,6 +30896,8 @@ index 0000000..c46100b +corenet_tcp_connect_all_unreserved_ports(glusterd_t) +corenet_tcp_connect_all_ephemeral_ports(glusterd_t) +corenet_tcp_connect_ssh_port(glusterd_t) ++corenet_tcp_connect_all_rpc_ports(glusterd_t) ++corenet_tcp_connect_all_ports(glusterd_t) + +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) @@ -30951,6 +30989,10 @@ index 0000000..c46100b +') + +optional_policy(` ++ mount_domtrans_showmount(glusterd_t) ++') ++ ++optional_policy(` + samba_domtrans_smbd(glusterd_t) + samba_systemctl(glusterd_t) + samba_signal_smbd(glusterd_t) 
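Review bot: `corenet_tcp_connect_all_ports(glusterd_t)` in the glusterd.te hunk grants outbound TCP to every port type, which makes the `corenet_tcp_connect_all_rpc_ports` line added beside it and the existing `connect_all_unreserved_ports`, `connect_all_ephemeral_ports` and `connect_ssh_port` calls just above redundant, and it removes any port-level confinement of glusterd's outgoing connections. If the catch-all is genuinely required (presumably for peer bricks on admin-chosen ports), keep it, drop the now-redundant lines and record the reason in a comment such as `# glusterd connects to peer bricks on arbitrary ports (<bug reference — fill in>)`; otherwise prefer the narrower rpc/unreserved rules, or gate the broad rule behind a boolean with `tunable_policy`. The `mount_domtrans_showmount(glusterd_t)` addition in the following hunk is unrelated and fine as written.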
@@ -35142,10 +35184,10 @@ index 0000000..0ca97b8 \ No newline at end of file diff --git a/hostapd.if b/hostapd.if new file mode 100644 -index 0000000..1f16431 +index 0000000..d0016da --- /dev/null +++ b/hostapd.if -@@ -0,0 +1,106 @@ +@@ -0,0 +1,101 @@ + +## policy for hostapd + @@ -35221,11 +35263,6 @@ index 0000000..1f16431 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`hostapd_admin',` 
@@ -35912,6 +35949,99 @@ index c6450df..a28aa13 100644 optional_policy(` unconfined_domain(inetd_child_t) +diff --git a/inn.fc b/inn.fc +index 8c0a48b..b9eabf1 100644 +--- a/inn.fc ++++ b/inn.fc +@@ -3,6 +3,8 @@ + + /etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/innd.* -- gen_context(system_u:object_r:innd_unit_file_t,s0) ++ + /usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) + /usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) + /usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0) +@@ -13,42 +15,43 @@ + + /var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) + +-/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) 
+-/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) +- +-/var/log/news.* -- gen_context(system_u:object_r:innd_log_t,s0) ++/usr/libexec/news/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/archive -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/expire -- 
gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/inews -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/newsinnconfval -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/innd -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/sm -- gen_context(system_u:object_r:innd_exec_t,s0) 
++/usr/libexec/news/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/libexec/news/rc.news -- gen_context(system_u:object_r:innd_exec_t,s0) ++ ++/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0) + + /var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) + /var/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) diff --git a/inn.if b/inn.if index eb87f23..d3d32c3 100644 --- a/inn.if @@ -35983,10 +36113,20 @@ index eb87f23..d3d32c3 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index d39f0cc..cb277f0 100644 +index d39f0cc..889dfd5 100644 --- a/inn.te +++ b/inn.te -@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) +@@ -15,6 +15,9 @@ files_config_file(innd_etc_t) + type innd_initrc_exec_t; + init_script_file(innd_initrc_exec_t) + ++type innd_unit_file_t; ++systemd_unit_file(innd_unit_file_t) ++ + type innd_log_t; + logging_log_file(innd_log_t) + +@@ -26,6 +29,7 @@ files_pid_file(innd_var_run_t) type news_spool_t; files_mountpoint(news_spool_t) 
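Review bot: The new entry `/usr/libexec/newsinnconfval -- gen_context(system_u:object_r:innd_exec_t,s0)` is missing the directory separator, so innconfval will not receive the innd_exec_t label while every other relocated binary does; it should read `/usr/libexec/news/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)`. The remaining /usr/lib/news/bin to /usr/libexec/news rewrites in the hunk are consistent with each other.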
@@ -35994,7 +36134,21 @@ index d39f0cc..cb277f0 100644 ######################################## # -@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +@@ -43,10 +47,9 @@ allow innd_t self:tcp_socket { accept listen }; + read_files_pattern(innd_t, innd_etc_t, innd_etc_t) + read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) + +-allow innd_t innd_log_t:dir setattr_dir_perms; +-append_files_pattern(innd_t, innd_log_t, innd_log_t) +-create_files_pattern(innd_t, innd_log_t, innd_log_t) +-setattr_files_pattern(innd_t, innd_log_t, innd_log_t) ++manage_files_pattern(innd_t, innd_log_t, innd_log_t) ++manage_dirs_pattern(innd_t, innd_log_t, innd_log_t) ++logging_log_filetrans(innd_t, innd_var_run_t, { dir file }) + + manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) + manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +@@ -54,7 +57,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -36003,7 +36157,7 @@ index d39f0cc..cb277f0 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t) +@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t) kernel_read_kernel_sysctls(innd_t) kernel_read_system_state(innd_t) @@ -36011,11 +36165,13 @@ index d39f0cc..cb277f0 100644 corenet_all_recvfrom_netlabel(innd_t) corenet_tcp_sendrecv_generic_if(innd_t) corenet_tcp_sendrecv_generic_node(innd_t) -@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t) +@@ -91,18 +93,18 @@ fs_search_auto_mountpoints(innd_t) files_list_spool(innd_t) files_read_etc_runtime_files(innd_t) -files_read_usr_files(innd_t) ++ ++inn_exec_config(innd_t) auth_use_nsswitch(innd_t) @@ -36241,10 +36397,10 @@ index 0000000..db194ec + 
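Review bot: `logging_log_filetrans(innd_t, innd_var_run_t, { dir file })` in the inn.te hunk @@ -43,10 +47,9 @@ names the PID-file type, so anything innd_t creates under /var/log would be labelled innd_var_run_t rather than the innd_log_t that the new `manage_files_pattern`/`manage_dirs_pattern` rules and the `/var/log/news(/.*)?` file context in the same commit expect. It should be `logging_log_filetrans(innd_t, innd_log_t, { dir file })`. As written, newly created log files would fall under the runtime-directory rules, which is broader than intended.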
diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..de83173 +index 0000000..71bde7d --- /dev/null +++ b/ipa.if -@@ -0,0 +1,150 @@ +@@ -0,0 +1,155 @@ +## Policy for IPA services. + +######################################## @@ -36310,6 +36466,11 @@ index 0000000..de83173 +## Domain allowed to transition. +## +## ++## ++## ++## Role allowed access. ++## ++## +# +interface(`ipa_run_helper',` + gen_require(` @@ -37161,7 +37322,7 @@ index 59ad3b3..bd02cc8 100644 + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0) diff --git a/jabber.if b/jabber.if -index 7eb3811..b52a6ae 100644 +index 7eb3811..d5d5ae7 100644 --- a/jabber.if +++ b/jabber.if @@ -1,29 +1,76 @@ @@ -37319,7 +37480,7 @@ index 7eb3811..b52a6ae 100644 ## ## ## -@@ -66,20 +137,26 @@ interface(`jabber_tcp_connect',` +@@ -66,20 +137,27 @@ interface(`jabber_tcp_connect',` ## ## ## @@ -37336,6 +37497,7 @@ index 7eb3811..b52a6ae 100644 - type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t; + type jabberd_t, jabberd_var_lib_t; + type jabberd_initrc_exec_t, jabberd_router_t; ++ type jabberd_lock_t; ') - allow $1 jabberd_domain:process { ptrace signal_perms }; @@ -37352,7 +37514,7 @@ index 7eb3811..b52a6ae 100644 init_labeled_script_domtrans($1, jabberd_initrc_exec_t) domain_system_change_exemption($1) -@@ -97,7 +174,4 @@ interface(`jabber_admin',` +@@ -97,7 +175,4 @@ interface(`jabber_admin',` files_search_var_lib($1) admin_pattern($1, jabberd_var_lib_t) @@ -39021,10 +39183,10 @@ index 0000000..9a19f91 +/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0) diff --git a/keepalived.if b/keepalived.if new file mode 100644 -index 0000000..f0e0e3a +index 0000000..bd7e7fa --- /dev/null +++ b/keepalived.if -@@ -0,0 +1,85 @@ +@@ -0,0 +1,80 @@ + +## keepalived - load-balancing and high-availability service + 
@@ -39082,11 +39244,6 @@ index 0000000..f0e0e3a +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`keepalived_admin',` @@ -55910,7 +56067,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..eab3fe0 100644 +index 55f2009..35ca860 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -55987,11 +56144,11 @@ index 55f2009..eab3fe0 100644 +can_exec(NetworkManager_t, NetworkManager_exec_t) +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) - ++ +list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) +read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) -+ + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) @@ -56107,7 +56264,7 @@ index 55f2009..eab3fe0 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +203,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +203,34 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -56118,7 +56275,8 @@ index 55f2009..eab3fe0 100644 -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) -- ++term_use_unallocated_ttys(NetworkManager_t) + -userdom_write_user_tmp_sockets(NetworkManager_t) +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) 
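Review bot: `term_use_unallocated_ttys(NetworkManager_t)` in the networkmanager.te hunk @@ -166,21 +203,34 @@ grants read/write access to unallocated tty devices without any comment on which NetworkManager code path needs it, and nothing else in the hunk points to one. Please add a short comment above the line, e.g. `# needed by <feature or bug reference> which opens a tty` with the real reference filled in, or use a dontaudit interface instead if the access is only probing. The enclosing NetworkManager_t section continues outside the hunk.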
@@ -56145,7 +56303,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -196,10 +244,6 @@ optional_policy(` +@@ -196,10 +246,6 @@ optional_policy(` ') optional_policy(` @@ -56156,7 +56314,7 @@ index 55f2009..eab3fe0 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,17 +254,16 @@ optional_policy(` +@@ -210,17 +256,16 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -56179,7 +56337,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -231,10 +274,11 @@ optional_policy(` +@@ -231,10 +276,15 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -56188,11 +56346,15 @@ index 55f2009..eab3fe0 100644 optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) ++ dnssec_trigger_signull(NetworkManager_t) ++') ++ ++optional_policy(` + fcoe_dgram_send_fcoemon(NetworkManager_t) ') optional_policy(` -@@ -246,10 +290,26 @@ optional_policy(` +@@ -246,10 +296,26 @@ optional_policy(` ') optional_policy(` @@ -56219,7 +56381,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -257,15 +317,19 @@ optional_policy(` +@@ -257,15 +323,19 @@ optional_policy(` ') optional_policy(` @@ -56241,7 +56403,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -274,10 +338,17 @@ optional_policy(` +@@ -274,10 +344,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -56259,7 +56421,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -286,9 +357,12 @@ optional_policy(` +@@ -286,9 +363,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) 
@@ -56272,7 +56434,7 @@ index 55f2009..eab3fe0 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +370,7 @@ optional_policy(` +@@ -296,7 +376,7 @@ optional_policy(` ') optional_policy(` @@ -56281,7 +56443,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -307,6 +381,7 @@ optional_policy(` +@@ -307,6 +387,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -56289,7 +56451,7 @@ index 55f2009..eab3fe0 100644 ') optional_policy(` -@@ -320,14 +395,20 @@ optional_policy(` +@@ -320,14 +401,20 @@ optional_policy(` ') optional_policy(` @@ -56300,22 +56462,22 @@ index 55f2009..eab3fe0 100644 + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) + systemd_hostnamed_manage_config(NetworkManager_t) -+') -+ -+optional_policy(` -+ ssh_exec(NetworkManager_t) ') optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) ++ ssh_exec(NetworkManager_t) ++') ++ ++optional_policy(` + udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) + udev_read_pid_files(NetworkManager_t) ') optional_policy(` -@@ -357,6 +438,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -56767,7 +56929,7 @@ index 46e55c3..afe399a 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3a6b035..b9887c1 100644 +index 3a6b035..ff6d218 100644 --- a/nis.te +++ b/nis.te @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) 
@@ -56988,7 +57150,7 @@ index 3a6b035..b9887c1 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +269,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) +@@ -264,31 +269,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -57002,6 +57164,7 @@ index 3a6b035..b9887c1 100644 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) +corenet_sendrecv_generic_server_packets(ypserv_t) ++corenet_tcp_connect_portmap_port(ypserv_t) -corecmd_exec_bin(ypserv_t) +dev_read_sysfs(ypserv_t) @@ -57026,7 +57189,7 @@ index 3a6b035..b9887c1 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -310,8 +311,8 @@ optional_policy(` +@@ -310,8 +312,8 @@ optional_policy(` # ypxfr local policy # @@ -57037,7 +57200,7 @@ index 3a6b035..b9887c1 100644 allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; -@@ -326,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -326,7 +328,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -57045,7 +57208,7 @@ index 3a6b035..b9887c1 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -336,23 +336,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) +@@ -336,23 +337,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) @@ -57073,37 +57236,29 @@ index 3a6b035..b9887c1 100644 sysnet_read_config(ypxfr_t) 
diff --git a/nova.fc b/nova.fc new file mode 100644 -index 0000000..d6de5b6 +index 0000000..b5fab0e --- /dev/null 
+++ b/nova.fc -@@ -0,0 +1,33 @@ -+ -+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0) -+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0) -+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0) -+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0) -+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0) -+/usr/bin/nova-conductor -- gen_context(system_u:object_r:nova_conductor_exec_t,s0) -+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0) -+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0) -+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0) -+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0) -+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) -+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0) -+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) -+ -+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-objectstore.* -- 
gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) -+/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0) +@@ -0,0 +1,25 @@ ++/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-api -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-conductor -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-network -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-cells -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-novncproxy -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-serialproxy -- gen_context(system_u:object_r:nova_exec_t,s0) ++/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_exec_t,s0) ++ ++/usr/lib/systemd/system/openstack-nova-* -- gen_context(system_u:object_r:nova_unit_file_t,s0) + +/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0) + 
@@ -57112,10 +57267,10 @@ index 0000000..d6de5b6 +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..ce897e2 +index 0000000..e328327 --- /dev/null +++ b/nova.if -@@ -0,0 +1,59 @@ +@@ -0,0 +1,47 @@ +## openstack-nova + +###################################### @@ -57150,37 +57305,25 @@ index 0000000..ce897e2 +# +template(`nova_domain_template',` + gen_require(` -+ attribute nova_domain; -+ ') -+ -+ type nova_$1_t, nova_domain; -+ type nova_$1_exec_t; -+ init_daemon_domain(nova_$1_t, nova_$1_exec_t) -+ -+ type nova_$1_unit_file_t; -+ systemd_unit_file(nova_$1_unit_file_t) ++ type nova_t; ++ type nova_exec_t; ++ type nova_unit_file_t; ++ type nova_tmp_t; + -+ type nova_$1_tmp_t; -+ files_tmp_file(nova_$1_tmp_t) -+ -+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) -+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) -+ manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) -+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) -+ fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) -+ can_exec(nova_$1_t, nova_$1_tmp_t) -+ -+ kernel_read_system_state(nova_$1_t) ++ ') + -+ logging_send_syslog_msg(nova_$1_t) ++ typealias nova_t alias nova_$1_t; ++ typealias nova_exec_t alias nova_$1_exec_t; ++ typealias nova_unit_file_t alias nova_$1_unit_file_t; ++ typealias nova_tmp_t alias nova_$1_tmp_t; + +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..2d92a3d +index 0000000..6c813d7 --- /dev/null +++ b/nova.te -@@ -0,0 +1,339 @@ +@@ -0,0 +1,199 @@ +policy_module(nova, 1.0.0) + +######################################## 
@@ -57215,6 +57358,24 @@ index 0000000..2d92a3d +typeattribute nova_network_t nova_sudo_domain; +typeattribute nova_volume_t nova_sudo_domain; + ++type nova_t; ++type nova_exec_t; ++init_daemon_domain(nova_t, nova_exec_t) ++typeattribute nova_t nova_domain; ++ ++type nova_unit_file_t; ++systemd_unit_file(nova_unit_file_t) ++ ++type nova_tmp_t; ++files_tmp_file(nova_tmp_t) ++ ++manage_dirs_pattern(nova_t, nova_tmp_t, nova_tmp_t) ++manage_files_pattern(nova_t, nova_tmp_t, nova_tmp_t) ++manage_lnk_files_pattern(nova_t, nova_tmp_t, nova_tmp_t) ++files_tmp_filetrans(nova_t, nova_tmp_t, { lnk_file file dir }) ++fs_tmpfs_filetrans(nova_t, nova_tmp_t, { lnk_file file dir }) ++can_exec(nova_t, nova_tmp_t) ++ +type nova_log_t; +logging_log_file(nova_log_t) + @@ -57230,10 +57391,14 @@ index 0000000..2d92a3d +# nova general domain local policy +# + -+allow nova_domain self:process signal_perms; ++allow nova_domain self:capability { dac_override net_admin net_bind_service }; ++allow nova_domain self:process { getcap setcap signal_perms setfscreate }; +allow nova_domain self:fifo_file rw_fifo_file_perms; +allow nova_domain self:tcp_socket create_stream_socket_perms; +allow nova_domain self:unix_stream_socket create_stream_socket_perms; ++allow nova_domain self:udp_socket create_socket_perms; ++allow nova_domain self:key write; ++allow nova_domain self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t) +manage_files_pattern(nova_domain, nova_log_t, nova_log_t) 
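Review bot: `allow nova_domain self:capability { dac_override net_admin net_bind_service };` and `allow nova_domain self:process { getcap setcap signal_perms setfscreate };` in hunk @@ -57215 move rules that the removed per-service sections granted only to nova_network_t (and setfscreate only to nova_api_t and nova_cert_t) onto the whole nova_domain attribute, and with the per-service types now aliases of nova_t every nova daemon, including the proxies and scheduler, runs with net_admin and dac_override. That widening is the cost of the consolidation and should at least be stated in the file, e.g. `# all nova_*_t are aliases of nova_t; the capabilities below are the union of what nova-network and nova-api needed` above the allow line. The `self:key write` and `netlink_route_socket` rules in the same hunk widen in the same way.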
@@ -57244,19 +57409,52 @@ index 0000000..2d92a3d +manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t) +manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t) + -+corenet_tcp_connect_amqp_port(nova_domain) -+corenet_tcp_connect_mysqld_port(nova_domain) -+ +kernel_read_network_state(nova_domain) ++kernel_read_kernel_sysctls(nova_domain) ++ ++kernel_read_system_state(nova_t) ++ ++logging_send_syslog_msg(nova_t) ++ ++miscfiles_read_generic_certs(nova_t) + +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) -+corenet_tcp_connect_mysqld_port(nova_domain) + ++corenet_tcp_bind_generic_node(nova_domain) ++corenet_udp_bind_generic_node(nova_domain) ++# should be add to booleans ++corenet_tcp_connect_all_ports(nova_domain) ++corenet_tcp_bind_all_unreserved_ports(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) ++corenet_tcp_connect_amqp_port(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) ++corenet_tcp_connect_memcache_port(nova_domain) ++corenet_tcp_bind_varnishd_port(nova_domain) ++# should be added to boolean or fixed in the code ++# dnsmasq domtrans does not work since then dnsmasq_t wants ++# to do some stuff with nova_lib, nova_tmp ++# nova-dhcpbridge runs in dnsmasq domain ++corenet_all_recvfrom_netlabel(nova_t) ++corenet_tcp_sendrecv_generic_if(nova_domain) ++corenet_udp_sendrecv_generic_if(nova_domain) ++corenet_raw_sendrecv_generic_if(nova_domain) ++corenet_tcp_sendrecv_generic_node(nova_domain) ++corenet_udp_sendrecv_generic_node(nova_domain) ++corenet_raw_sendrecv_generic_node(nova_domain) ++corenet_tcp_sendrecv_all_ports(nova_domain) ++corenet_udp_sendrecv_all_ports(nova_domain) ++corenet_tcp_bind_dns_port(nova_domain) ++corenet_udp_bind_all_ports(nova_domain) ++corenet_sendrecv_dns_server_packets(nova_domain) ++corenet_sendrecv_dhcpd_server_packets(nova_domain) ++ ++auth_use_nsswitch(nova_t) +auth_read_passwd(nova_domain) + +dev_read_sysfs(nova_domain) +dev_read_urand(nova_domain) 
++dev_read_rand(nova_domain) + +fs_getattr_all_fs(nova_domain) + 
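Review bot: `corenet_tcp_connect_all_ports(nova_domain)` in hunk @@ -57244 is still introduced under the old `# should be add to booleans` comment, is now granted to every nova service instead of only nova_api_t, and makes `corenet_tcp_connect_mysqld_port`, `corenet_tcp_connect_amqp_port` and `corenet_tcp_connect_memcache_port` in the same hunk redundant; `corenet_tcp_connect_mysqld_port(nova_domain)` is also listed twice. Gate the all-ports rule behind a `tunable_policy` block (boolean name to be chosen) and keep the explicit port interfaces as the default, and drop the duplicate line. The dnsmasq comment block above `corenet_all_recvfrom_netlabel(nova_t)` no longer describes the lines that follow it and should be moved next to the `dnsmasq_exec(nova_domain)` block or removed.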
@@ -57270,240 +57468,45 @@ index 0000000..2d92a3d +') + +optional_policy(` -+ sysnet_read_config(nova_domain) -+ sysnet_exec_ifconfig(nova_domain) -+') -+ -+###################################### -+# -+# nova ajax local policy -+# -+ -+#optional_policy(` -+# unconfined_domain(nova_ajax_t) -+#') -+ -+####################################### -+# -+# nova api local policy -+# -+ -+allow nova_api_t self:process setfscreate; -+ -+allow nova_api_t self:key write; -+ -+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms; -+ -+allow nova_api_t self:udp_socket create_socket_perms; -+ -+kernel_read_kernel_sysctls(nova_api_t) -+ -+corenet_tcp_bind_generic_node(nova_api_t) -+corenet_udp_bind_generic_node(nova_api_t) -+# should be add to booleans -+corenet_tcp_connect_all_ports(nova_api_t) -+corenet_tcp_bind_all_unreserved_ports(nova_api_t) -+ -+auth_use_nsswitch(nova_api_t) -+ -+logging_send_syslog_msg(nova_api_t) -+ -+miscfiles_read_certs(nova_api_t) -+ -+optional_policy(` -+ iptables_domtrans(nova_api_t) ++ postgresql_stream_connect(nova_domain) +') + +optional_policy(` -+ ssh_exec_keygen(nova_api_t) ++ sysnet_read_config(nova_domain) ++ sysnet_domtrans_ifconfig(nova_domain) +') + +optional_policy(` -+ gnome_dontaudit_search_config(nova_api_t) ++ iptables_domtrans(nova_domain) +') + -+#optional_policy(` -+# unconfined_domain(nova_api_t) -+#') -+ -+###################################### -+# -+# nova cert local policy -+# -+ -+allow nova_cert_t self:process setfscreate; -+ -+allow nova_cert_t self:udp_socket create_socket_perms; -+ -+auth_use_nsswitch(nova_cert_t) -+ -+miscfiles_read_certs(nova_cert_t) -+ +optional_policy(` -+ postgresql_stream_connect(nova_cert_t) ++ ssh_exec_keygen(nova_domain) +') + -+####################################### -+# -+# nova conductor local policy -+# -+ -+optional_policy(` -+ unconfined_domain(nova_conductor_t) -+') -+ -+####################################### -+# -+# nova compute local policy -+# -+ -+# needs to be re-write since 
now runs as virtd_t -+ -+allow nova_compute_t self:udp_socket create_socket_perms; -+ -+kernel_read_network_state(nova_compute_t) -+ -+dev_read_rand(nova_compute_t) -+ -+optional_policy(` -+ virt_getattr_exec(nova_compute_t) -+ virt_stream_connect(nova_compute_t) -+') -+ -+###################################### -+# -+# nova console local policy -+# -+ -+allow nova_console_t self:udp_socket create_socket_perms; -+ -+corenet_tcp_connect_memcache_port(nova_console_t) -+ -+auth_use_nsswitch(nova_console_t) -+ -+####################################### -+# -+# nova direct local policy -+# -+ -+#optional_policy(` -+# unconfined_domain(nova_direct_t) -+#') -+ -+####################################### -+# -+# nova network local policy -+# -+ -+allow nova_network_t self:capability { dac_override net_admin net_bind_service }; -+allow nova_network_t self:process { getcap setcap }; -+ -+allow nova_network_t self:netlink_route_socket r_netlink_socket_perms; -+allow nova_network_t self:udp_socket create_socket_perms; -+ -+kernel_read_network_state(nova_network_t) -+kernel_read_kernel_sysctls(nova_network_t) -+ -+# should be added to boolean or fixed in the code -+# dnsmasq domtrans does not work since then dnsmasq_t wants -+# to do some stuff with nova_lib, nova_tmp -+# nova-dhcpbridge runs in dnsmasq domain -+corenet_all_recvfrom_netlabel(nova_network_t) -+corenet_tcp_sendrecv_generic_if(nova_network_t) -+corenet_udp_sendrecv_generic_if(nova_network_t) -+corenet_raw_sendrecv_generic_if(nova_network_t) -+corenet_tcp_sendrecv_generic_node(nova_network_t) -+corenet_udp_sendrecv_generic_node(nova_network_t) -+corenet_raw_sendrecv_generic_node(nova_network_t) -+corenet_tcp_sendrecv_all_ports(nova_network_t) -+corenet_udp_sendrecv_all_ports(nova_network_t) -+corenet_tcp_bind_generic_node(nova_network_t) -+corenet_udp_bind_generic_node(nova_network_t) -+corenet_tcp_bind_dns_port(nova_network_t) -+corenet_udp_bind_all_ports(nova_network_t) 
-+corenet_sendrecv_dns_server_packets(nova_network_t) -+corenet_sendrecv_dhcpd_server_packets(nova_network_t) -+ -+libs_exec_ldconfig(nova_network_t) -+ -+logging_send_syslog_msg(nova_network_t) -+ +optional_policy(` -+ brctl_domtrans(nova_network_t) ++ gnome_dontaudit_search_config(nova_domain) +') + +optional_policy(` -+ dnsmasq_exec(nova_network_t) -+# dnsmasq_domtrans(nova_network_t) ++ virt_getattr_exec(nova_domain) ++ virt_stream_connect(nova_domain) +') + +optional_policy(` -+ iptables_domtrans(nova_network_t) ++ brctl_domtrans(nova_domain) +') + +optional_policy(` -+ sysnet_domtrans_ifconfig(nova_network_t) ++ dnsmasq_exec(nova_domain) +') + -+#optional_policy(` -+# unconfined_domain(nova_network_t) -+#') -+ -+####################################### -+# -+# nova object store local policy -+# -+ -+allow nova_objectstore_t self:udp_socket create_socket_perms; -+ -+corenet_tcp_bind_generic_node(nova_objectstore_t) -+corenet_udp_bind_generic_node(nova_objectstore_t) -+ +optional_policy(` -+ unconfined_domain(nova_objectstore_t) ++ lvm_domtrans(nova_domain) +') + -+####################################### -+# -+# nova scheduler local policy -+# -+ -+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; -+allow nova_scheduler_t self:udp_socket create_socket_perms; -+ -+auth_read_passwd(nova_scheduler_t) -+ -+init_read_utmp(nova_scheduler_t) -+ -+miscfiles_read_certs(nova_scheduler_t) -+ -+####################################### -+# -+# nova vncproxy local policy -+# -+ -+allow nova_vncproxy_t self:udp_socket create_socket_perms; -+ -+corenet_udp_bind_generic_node(nova_vncproxy_t) -+corenet_tcp_bind_generic_node(nova_vncproxy_t) -+ -+corenet_tcp_bind_varnishd_port(nova_vncproxy_t) -+ -+####################################### -+# -+# nova volume local policy -+# -+ -+allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms; -+ -+allow nova_volume_t self:udp_socket create_socket_perms; -+ -+kernel_read_kernel_sysctls(nova_volume_t) -+ 
-+logging_send_syslog_msg(nova_volume_t) -+ +optional_policy(` -+ lvm_domtrans(nova_volume_t) ++ lvm_domtrans(nova_domain) +') + +####################################### @@ -61251,10 +61254,10 @@ index 0000000..5a2f97e +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..a60155c +index 0000000..c20cac3 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,721 @@ +@@ -0,0 +1,697 @@ + +## policy for openshift + @@ -61349,12 +61352,7 @@ index 0000000..a60155c +## +# +interface(`openshift_search_cache',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ allow $1 openshift_cache_t:dir search_dir_perms; -+ files_search_var($1) ++ refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## @@ -61368,12 +61366,7 @@ index 0000000..a60155c +## +# +interface(`openshift_read_cache_files',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, openshift_cache_t, openshift_cache_t) ++ refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## @@ -61388,12 +61381,7 @@ index 0000000..a60155c +## +# +interface(`openshift_manage_cache_files',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, openshift_cache_t, openshift_cache_t) ++ refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## @@ -61408,12 +61396,7 @@ index 0000000..a60155c +## +# +interface(`openshift_manage_cache_dirs',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t) ++ refpolicywarn(`$0($*) has been deprecated.') +') + + 
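Review bot: The optional_policy block calling `lvm_domtrans(nova_domain)` appears twice in a row on the new side of hunk @@ -57270, once where the nova network section used to be and once where the nova volume section's `lvm_domtrans(nova_volume_t)` was rewritten; delete one of them. Dropping `unconfined_domain(nova_conductor_t)` and `unconfined_domain(nova_objectstore_t)` in the same hunk is a real tightening, so a comment noting that the conductor and objectstore are now confined would help later readers understand why the old per-service sections are gone.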
@@ -61714,7 +61697,6 @@ index 0000000..a60155c + gen_require(` + attribute openshift_domain; + type openshift_initrc_exec_t; -+ type openshift_cache_t; + type openshift_log_t; + type openshift_var_lib_t; + type openshift_var_run_t; @@ -61731,9 +61713,6 @@ index 0000000..a60155c + role_transition $2 openshift_initrc_exec_t system_r; + allow $2 system_r; + -+ files_search_var($1) -+ admin_pattern($1, openshift_cache_t) -+ + logging_search_logs($1) + admin_pattern($1, openshift_log_t) + @@ -81018,7 +80997,7 @@ index 5bc878b..5736203 100644 + unconfined_domain_noaudit(realmd_consolehelper_t) ') diff --git a/redis.fc b/redis.fc -index e240ac9..638d6b4 100644 +index e240ac9..953767b 100644 --- a/redis.fc +++ b/redis.fc @@ -1,9 +1,11 @@ @@ -81028,7 +81007,7 @@ index e240ac9..638d6b4 100644 +/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) -/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) -+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) ++/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) -/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) +/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) @@ -85170,10 +85149,10 @@ index 0000000..504b6e1 +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 0000000..b694846 +index 0000000..b11fb8f --- /dev/null +++ b/rolekit.if -@@ -0,0 +1,125 @@ +@@ -0,0 +1,120 @@ +## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. + +######################################## @@ -85271,11 +85250,6 @@ index 0000000..b694846 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`rolekit_admin',` @@ -85448,7 +85422,7 @@ index a6fb30c..38a2f09 100644 +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + 
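Review bot: The redis.fc hunk replaces the `/usr/sbin/redis-server` entry with `/usr/bin/redis-server` rather than adding the new path next to the old one. If any redis build this policy still targets installs the daemon under /usr/sbin, that binary falls back to the generic bin label and is started without the transition into redis_t, so it runs in its parent's domain with none of the redis confinement. Unless the old location is known to be gone everywhere, keep both lines, `/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)` and `/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)`, and retire the old one later. The spec changelog in this same patch does not mention the redis path change, which makes it easy to miss.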
diff --git a/rpc.if b/rpc.if -index 0bf13c2..8236a71 100644 +index 0bf13c2..50f25de 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -85804,7 +85778,7 @@ index 0bf13c2..8236a71 100644 ## ## ## -@@ -366,27 +403,46 @@ interface(`rpc_manage_nfs_state_data',` +@@ -366,31 +403,50 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -85857,6 +85831,20 @@ index 0bf13c2..8236a71 100644 attribute rpc_domain; type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; +- type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t; ++ type nfsd_rw_t, gssd_keytab_t; + ') + + allow $1 rpc_domain:process { ptrace signal_perms }; +@@ -411,7 +467,7 @@ interface(`rpc_admin',` + admin_pattern($1, rpcd_var_run_t) + + files_list_all($1) +- admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) ++ admin_pattern($1, nfsd_rw_t ) + + files_list_tmp($1) + admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te index 2da9fca..876a4e7 100644 --- a/rpc.te @@ -86523,7 +86511,7 @@ index ebe91fc..913587c 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..8f213aa 100644 +index ef3b225..415a50b 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -87063,7 +87051,7 @@ index ef3b225..8f213aa 100644 ## ## ## -@@ -617,22 +752,56 @@ interface(`rpm_pid_filetrans_rpm_pid',` +@@ -617,22 +752,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## ## @@ -87124,6 +87112,7 @@ index ef3b225..8f213aa 100644 + + type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; + type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; ++ type rpm_var_run_t; + ') + + allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; @@ -87131,7 +87120,7 @@ index ef3b225..8f213aa 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) -@@ -641,9 +810,6 @@ interface(`rpm_admin',` +@@ -641,9 +811,6 @@ interface(`rpm_admin',` admin_pattern($1, rpm_file_t) 
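Review bot: The rewritten `admin_pattern($1, nfsd_rw_t )` in the rpc_admin hunk has a stray space before the closing parenthesis; the neighbouring calls such as `admin_pattern($1, gssd_tmp_t)` have none, so write `admin_pattern($1, nfsd_rw_t)`. Dropping the `{ ... }` set braces is correct now that only one type remains after nfsd_ro_t was removed from the gen_require. Separately, the context line `allow $1 rpc_domain:process { ptrace signal_perms };` still grants ptrace unconditionally, while samba_admin in this same patch moves ptrace into its own conditional block; aligning rpc_admin with that looks like a reasonable follow-up, though the condition used there is not visible in this chunk. rpc_admin's body begins before this hunk; only the gen_require and the nfsd lines are shown here.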
@@ -88901,7 +88890,7 @@ index b8b66ff..a93346e 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 50d07fb..556b25d 100644 +index 50d07fb..3ca1c49 100644 --- a/samba.if +++ b/samba.if @@ -1,8 +1,12 @@ @@ -89343,8 +89332,28 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -490,7 +607,7 @@ interface(`samba_domtrans_smbd',` +@@ -488,9 +605,27 @@ interface(`samba_domtrans_smbd',` + domtrans_pattern($1, smbd_exec_t, smbd_t) + ') ++######################################## ++## ++## Set attributes of samba_share directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_setattr_samba_share_dirs',` ++ gen_require(` ++ type samba_share_t; ++ ') ++ ++ allow $1 samba_share_t:dir setattr_dir_perms; ++') ++ ###################################### ## -## Send generic signals to smbd. @@ -89352,7 +89361,7 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -505,10 +622,26 @@ interface(`samba_signal_smbd',` +@@ -505,10 +640,26 @@ interface(`samba_signal_smbd',` allow $1 smbd_t:process signal; ') @@ -89381,7 +89390,7 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -526,7 +659,7 @@ interface(`samba_dontaudit_use_fds',` +@@ -526,7 +677,7 @@ interface(`samba_dontaudit_use_fds',` ######################################## ## @@ -89390,7 +89399,7 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -544,7 +677,7 @@ interface(`samba_write_smbmount_tcp_sockets',` +@@ -544,7 +695,7 @@ interface(`samba_write_smbmount_tcp_sockets',` ######################################## ## 
@@ -89399,44 +89408,54 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -560,49 +693,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` - allow $1 smbmount_t:tcp_socket { read write }; - ') +@@ -562,47 +713,63 @@ interface(`samba_rw_smbmount_tcp_sockets',` --######################################## -+####################################### + ######################################## ## -## Execute winbind helper in the -## winbind helper domain. -+## Allow to getattr on winbind binary. ++## Allow send signull to winbind ## ## --## + ## -## Domain allowed to transition. --## -+## -+## Domain allowed to transition. -+## ++## Domain allowed access. + ## ## # -interface(`samba_domtrans_winbind_helper',` -- gen_require(` ++interface(`samba_winbind_signull',` + gen_require(` - type winbind_helper_t, winbind_helper_exec_t; -- ') -+interface(`samba_getattr_winbind',` -+ gen_require(` -+ type winbind_exec_t; -+ ') ++ type winbind_t; + ') - corecmd_search_bin($1) - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -+ allow $1 winbind_exec_t:file getattr; ++ allow $1 winbind_t:process signull; ') --####################################### -+######################################## + ####################################### ## -## Get attributes of winbind executable files. ++## Allow to getattr on winbind binary. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_getattr_winbind',` ++ gen_require(` ++ type winbind_exec_t; ++ ') ++ ++ allow $1 winbind_exec_t:file getattr; ++') ++ ++######################################## ++## +## Execute winbind_helper in the winbind_helper domain. ## ## @@ -89468,7 +89487,7 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -618,16 +749,16 @@ interface(`samba_getattr_winbind_exec',` +@@ -618,16 +785,16 @@ interface(`samba_getattr_winbind_exec',` # interface(`samba_run_winbind_helper',` gen_require(` 
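Review bot: The parameter description of the new `samba_getattr_winbind` interface reads `Domain allowed to transition.`, but its body only grants `allow $1 winbind_exec_t:file getattr;` — no domain transition is involved, so the header contradicts the body, which is the exact class of mismatch this patch set says it fixes in the *_admin interfaces. Change it to `## Domain allowed access.`, as the adjacent `samba_winbind_signull` header already says. As a point of style, `samba_winbind_signull` (and `samba_unconfined_net_signull` further down in this file) put the verb last, whereas the rest of samba.if uses verb-first names such as `samba_signal_smbd`, `samba_stream_connect_winbind` and `samba_getattr_winbind`; `samba_signull_winbind` would follow the existing convention.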
@@ -89488,7 +89507,7 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -637,17 +768,16 @@ interface(`samba_run_winbind_helper',` +@@ -637,17 +804,16 @@ interface(`samba_run_winbind_helper',` # interface(`samba_read_winbind_pid',` gen_require(` @@ -89510,7 +89529,7 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -657,17 +787,61 @@ interface(`samba_read_winbind_pid',` +@@ -657,17 +823,79 @@ interface(`samba_read_winbind_pid',` # interface(`samba_stream_connect_winbind',` gen_require(` @@ -89572,12 +89591,30 @@ index 50d07fb..556b25d 100644 + +######################################## +## ++## Allow send signull to samba_unconfined_net ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_unconfined_net_signull',` ++ gen_require(` ++ type samba_uncofined_net_t; ++ ') ++ ++ allow $1 samba_uncofined_net_t:process signull; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an samba environment ## ## ## -@@ -676,7 +850,7 @@ interface(`samba_stream_connect_winbind',` +@@ -676,7 +904,7 @@ interface(`samba_stream_connect_winbind',` ## ## ## @@ -89586,17 +89623,16 @@ index 50d07fb..556b25d 100644 ## ## ## -@@ -689,11 +863,29 @@ interface(`samba_admin',` +@@ -689,11 +917,30 @@ interface(`samba_admin',` type samba_etc_t, samba_share_t, samba_initrc_exec_t; type swat_var_run_t, swat_tmp_t, winbind_log_t; type winbind_var_run_t, winbind_tmp_t; - type smbd_keytab_t; + type smbd_keytab_t, samba_unit_file_t; + type samba_unconfined_script_t; - ') - -- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { nmbd_t smbd_t }) ++ type samba_unconfined_script_exec_t; ++ ') ++ + allow $1 smbd_t:process signal_perms; + ps_process_pattern($1, smbd_t) + 
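Review bot: `type samba_uncofined_net_t;` in the gen_require of the new `samba_unconfined_net_signull` interface is misspelled (an "n" is missing), and the allow rule on the next line repeats the misspelling. The interface name and its summary refer to samba_unconfined_net, so the intended type is presumably `samba_unconfined_net_t`; as written, any caller of this interface should fail when the policy is built or the module is linked with an undeclared-type error, and if a type by the misspelled name ever did exist the rule would grant signull to the wrong domain. Change both lines to `type samba_unconfined_net_t;` and `allow $1 samba_unconfined_net_t:process signull;`.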
@@ -89604,8 +89640,10 @@ index 50d07fb..556b25d 100644 + allow $1 smbd_t:process ptrace; + allow $1 nmbd_t:process ptrace; + allow $1 samba_unconfined_script_t:process ptrace; -+ ') -+ + ') + +- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { nmbd_t smbd_t }) + allow $1 nmbd_t:process signal_perms; + ps_process_pattern($1, nmbd_t) + @@ -89619,7 +89657,7 @@ index 50d07fb..556b25d 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -703,23 +895,34 @@ interface(`samba_admin',` +@@ -703,23 +950,34 @@ interface(`samba_admin',` files_list_etc($1) admin_pattern($1, { samba_etc_t smbd_keytab_t }) @@ -89666,7 +89704,7 @@ index 50d07fb..556b25d 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..9303cc1 100644 +index 2b7c441..b74b683 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -89959,7 +89997,7 @@ index 2b7c441..9303cc1 100644 ') optional_policy(` -@@ -249,46 +259,58 @@ optional_policy(` +@@ -249,46 +259,59 @@ optional_policy(` ') optional_policy(` @@ -89983,6 +90021,7 @@ index 2b7c441..9303cc1 100644 +allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin }; dontaudit smbd_t self:capability sys_tty_config; -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; ++dontaudit smbd_t self:capability2 block_suspend; +allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow smbd_t self:process setrlimit; allow smbd_t self:fd use; 
@@ -90031,7 +90070,7 @@ index 2b7c441..9303cc1 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,65 +320,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -298,65 +321,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -90128,7 +90167,7 @@ index 2b7c441..9303cc1 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +395,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +396,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -90194,7 +90233,7 @@ index 2b7c441..9303cc1 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +457,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +458,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -90217,7 +90256,7 @@ index 2b7c441..9303cc1 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +469,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +470,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -90225,7 +90264,7 @@ index 2b7c441..9303cc1 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,15 +477,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,15 +478,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -90245,7 +90284,7 @@ index 2b7c441..9303cc1 100644 ') optional_policy(` -@@ -466,6 +490,7 @@ optional_policy(` +@@ -466,6 +491,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) 
@@ -90253,7 +90292,7 @@ index 2b7c441..9303cc1 100644 ') optional_policy(` -@@ -474,11 +499,30 @@ optional_policy(` +@@ -474,11 +500,30 @@ optional_policy(` ') optional_policy(` @@ -90284,7 +90323,7 @@ index 2b7c441..9303cc1 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +532,10 @@ optional_policy(` +@@ -488,6 +533,10 @@ optional_policy(` ') optional_policy(` @@ -90295,7 +90334,7 @@ index 2b7c441..9303cc1 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +547,48 @@ optional_policy(` +@@ -499,9 +548,48 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -90345,7 +90384,7 @@ index 2b7c441..9303cc1 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +599,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +600,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -90360,7 +90399,7 @@ index 2b7c441..9303cc1 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +615,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +616,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -90384,7 +90423,7 @@ index 2b7c441..9303cc1 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +631,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +632,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -90453,7 +90492,7 @@ index 2b7c441..9303cc1 100644 ') optional_policy(` -@@ -606,16 +681,22 @@ optional_policy(` +@@ -606,16 +682,22 @@ optional_policy(` ######################################## # 
@@ -90480,7 +90519,7 @@ index 2b7c441..9303cc1 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +708,13 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +709,13 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -90499,7 +90538,7 @@ index 2b7c441..9303cc1 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +722,23 @@ optional_policy(` +@@ -644,22 +723,23 @@ optional_policy(` ######################################## # @@ -90531,7 +90570,7 @@ index 2b7c441..9303cc1 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +747,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +748,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -90567,7 +90606,7 @@ index 2b7c441..9303cc1 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +774,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +775,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -90659,7 +90698,7 @@ index 2b7c441..9303cc1 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +853,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +854,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -90683,7 +90722,7 @@ index 2b7c441..9303cc1 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +867,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +868,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -90726,7 +90765,7 @@ index 2b7c441..9303cc1 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +897,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +898,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -90740,7 +90779,7 @@ index 2b7c441..9303cc1 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +920,20 @@ optional_policy(` +@@ -840,17 +921,20 @@ optional_policy(` # Winbind local policy # @@ -90766,7 +90805,7 @@ index 2b7c441..9303cc1 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +943,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +944,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -90777,7 +90816,7 @@ index 2b7c441..9303cc1 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +954,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +955,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -90830,7 +90869,7 @@ index 2b7c441..9303cc1 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +996,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +997,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -90889,7 +90928,7 @@ index 2b7c441..9303cc1 100644 ') optional_policy(` -@@ -959,31 +1057,35 @@ optional_policy(` +@@ -959,31 +1058,35 @@ optional_policy(` # Winbind helper local policy # 
@@ -90932,7 +90971,7 @@ index 2b7c441..9303cc1 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1099,38 @@ optional_policy(` +@@ -997,25 +1100,38 @@ optional_policy(` ######################################## # @@ -91058,10 +91097,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..a2cb772 +index 0000000..1e7c447 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,85 @@ +@@ -0,0 +1,80 @@ + +## policy for sandbox + @@ -91110,11 +91149,6 @@ index 0000000..a2cb772 +## Domain allowed access +## +## -+## -+## -+## The role to be allowed the sandbox domain. -+## -+## +# +interface(`sandbox_dyntransition',` + gen_require(` @@ -99711,10 +99745,10 @@ index 49d688d..f07cc80 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..79e43aa +index 0000000..6d897bc --- /dev/null +++ b/swift.fc -@@ -0,0 +1,35 @@ +@@ -0,0 +1,36 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -99725,6 +99759,7 @@ index 0000000..79e43aa +/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-reconciler -- gen_context(system_u:object_r:swift_exec_t,s0) + +/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -102676,10 +102711,28 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..529c97a 100644 +index 585a77f..9b0ab2b 100644 --- a/tmpreaper.te 
+++ b/tmpreaper.te -@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1) +@@ -5,9 +5,25 @@ policy_module(tmpreaper, 1.7.1) + # Declarations + # + ++## ++##

++## Determine whether tmpreaper can use ++## nfs file systems. ++##

++##
++gen_tunable(tmpreaper_use_nfs, false) ++ ++## ++##

++## Determine whether tmpreaper can use samba_share files ++##

++##
++gen_tunable(tmpreaper_use_samba, false) ++ type tmpreaper_t; type tmpreaper_exec_t; init_system_domain(tmpreaper_t, tmpreaper_exec_t) @@ -102687,7 +102740,7 @@ index 585a77f..529c97a 100644 ######################################## # -@@ -19,6 +20,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; +@@ -19,6 +35,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) @@ -102695,7 +102748,7 @@ index 585a77f..529c97a 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +29,19 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +44,19 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) @@ -102719,7 +102772,7 @@ index 585a77f..529c97a 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +51,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +66,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -102727,7 +102780,7 @@ index 585a77f..529c97a 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +58,13 @@ ifdef(`distro_debian',` +@@ -53,10 +73,23 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -102739,10 +102792,20 @@ index 585a77f..529c97a 100644 + userdom_delete_all_user_home_content_sock_files(tmpreaper_t) userdom_delete_all_user_home_content_symlinks(tmpreaper_t) + userdom_setattr_all_user_home_content_dirs(tmpreaper_t) ++') ++ ++tunable_policy(`tmpreaper_use_nfs',` ++ fs_setattr_nfs_dirs(tmpreaper_t) ++') ++ ++ optional_policy(` ++ tunable_policy(`tmpreaper_use_samba',` ++ samba_setattr_samba_share_dirs(tmpreaper_t) ++ ') ') optional_policy(` -@@ -64,6 +72,7 @@ optional_policy(` +@@ -64,6 +97,7 @@ optional_policy(` ') optional_policy(` 
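Review bot: The summaries of the two new booleans promise that tmpreaper can "use nfs file systems" and "use samba_share files", yet the bodies added later in this file grant only `fs_setattr_nfs_dirs(tmpreaper_t)` and `samba_setattr_samba_share_dirs(tmpreaper_t)`. A boolean's description is what an administrator reads before turning it on, so it should state what is actually granted; e.g. `## Determine whether tmpreaper can set attributes on NFS directories.` and the samba counterpart, unless broader access is expected to arrive through a path not visible in this chunk. The surrounding `policy_module`/declaration block continues outside this hunk.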
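Review bot: The new ` optional_policy(`` line that wraps the samba tunable block carries a stray leading space, unlike every other `optional_policy(` in this file; drop it so the block starts at column 0 like its siblings. The pre-existing `')` that follows the new lines now closes this optional_policy instead of the `ifdef(`distro_redhat',` block it used to close, which is structurally correct but easy to misread in a diff; placing the samba block after the existing `')` and giving it its own closing `')` would make the nesting self-evident.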
@@ -102750,7 +102813,7 @@ index 585a77f..529c97a 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +88,19 @@ optional_policy(` +@@ -79,7 +113,19 @@ optional_policy(` ') optional_policy(` @@ -102771,7 +102834,7 @@ index 585a77f..529c97a 100644 ') optional_policy(` -@@ -89,3 +110,8 @@ optional_policy(` +@@ -89,3 +135,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 1b2c317..792dfe9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 135%{?dist} +Release: 136%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -602,6 +602,29 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 14 2015 Lukas Vrabec 3.13.1-136 +- Add samba_unconfined_script_exec_t to samba_admin header. +- Add jabberd_lock_t label to jabberd_admin header. +- Add rpm_var_run_t label to rpm_admin header. +- Make all interfaces related to openshift_cache_t as deprecated. +- Remove non exits nfsd_ro_t label. +- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config +- Fix *_admin intefaces where body is not consistent with header. +- Allow networkmanager read rfcomm port. +- Fix nova_domain_template interface, Fix typo bugs in nova policy +- Create nova sublabels. +- Merge all nova_* labels under one nova_t. +- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" +- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. +- Fix label openstack-nova-metadata-api binary file +- Allow nova_t to bind on geneve tcp port, and all udp ports +- Label swift-container-reconciler binary as swift_t. +- Allow glusterd to execute showmount in the showmount domain. +- Allow NetworkManager_t send signull to dnssec_trigger_t. +- Add support for openstack-nova-* packages. +- Allow audisp-remote searching devpts. +- Label 6080 tcp port as geneve + * Thu Jul 09 2015 Lukas Vrabec 3.13.1-135 - Update mta_filetrans_named_content() interface to cover more db files. - Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."