diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 862c780..2d6e729 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9424,7 +9424,7 @@ index b876c48..27f60c6 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..1a11674 100644 +index f962f76..fa8cdcb 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10434,7 +10434,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3142,10 +3678,29 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3678,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -10447,7 +10447,7 @@ index f962f76..1a11674 100644 + +######################################## +## -+## Setattr of directories on new filesystems ++## Getattr all file opbjects on new filesystems +## that have not yet been labeled. +## +## @@ -10456,17 +10456,36 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_setattr_isid_type_dirs',` ++interface(`files_getattr_isid_type',` + gen_require(` + type unlabeled_t; ') - allow $1 file_t:dir getattr; ++ allow $1 unlabeled_t:dir_file_class_set getattr; ++') ++ ++######################################## ++## ++## Setattr of directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_isid_type_dirs',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ + allow $1 unlabeled_t:dir setattr; ') ######################################## -@@ -3161,10 +3716,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3735,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` 
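Review bot: The summary of the new `files_getattr_isid_type` interface misspells "objects": `## Getattr all file opbjects on new filesystems` should read `## Getattr all file objects on new filesystems`. The same description should also say that `dir_file_class_set` covers directories as well as every file class, so this interface is a strict superset of the neighbouring `files_getattr_isid_type_dirs`, and callers that only need directory getattr on unlabeled_t should keep using the narrower one.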
@@ -10479,7 +10498,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3180,10 +3735,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3754,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -10492,7 +10511,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3199,10 +3754,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3773,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -10505,7 +10524,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3218,10 +3773,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3792,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -10574,7 +10593,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3237,10 +3848,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3867,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -10587,7 +10606,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3256,10 +3867,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +3886,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -10619,7 +10638,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3275,10 +3905,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +3924,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` 
@@ -10632,7 +10651,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3294,10 +3924,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +3943,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -10645,7 +10664,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3313,10 +3943,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +3962,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -10658,7 +10677,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3332,10 +3962,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +3981,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -10671,7 +10690,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3351,10 +3981,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4000,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -10684,7 +10703,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3370,10 +4000,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4019,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -10697,7 +10716,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3389,10 +4019,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4038,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` 
@@ -10710,7 +10729,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3408,10 +4038,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4057,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -10723,7 +10742,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3427,10 +4057,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4076,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -10736,7 +10755,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3446,10 +4076,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4095,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -10749,7 +10768,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3465,10 +4095,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4114,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -10781,7 +10800,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3484,10 +4133,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4152,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -10794,7 +10813,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3503,10 +4152,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4171,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` 
@@ -10807,7 +10826,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -3814,20 +4463,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4482,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10851,7 +10870,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -4217,6 +4884,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +4903,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11024,7 +11043,7 @@ index f962f76..1a11674 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5072,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5091,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -11051,7 +11070,7 @@ index f962f76..1a11674 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -11090,7 +11109,7 @@ index f962f76..1a11674 100644 ## ## # -@@ -4289,6 +5162,7 @@ interface(`files_search_tmp',` +@@ -4289,6 +5181,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -11098,7 +11117,7 @@ index f962f76..1a11674 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5199,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5218,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -11106,7 +11125,7 @@ index f962f76..1a11674 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5209,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5228,7 @@ interface(`files_list_tmp',` ## ## ## @@ -11115,7 +11134,7 @@ index f962f76..1a11674 100644 ## ## # -@@ -4346,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5240,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') 
@@ -11141,7 +11160,7 @@ index f962f76..1a11674 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -11149,12 +11168,13 @@ index f962f76..1a11674 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5297,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,25 +5316,33 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -11163,76 +11183,48 @@ index f962f76..1a11674 100644 +## This is added to support java policy. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_execmod_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file execmod; -+') -+ -+######################################## -+## - ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4456,7 +5377,7 @@ interface(`files_rw_generic_tmp_sockets',` - - ######################################## - ## --## Set the attributes of all tmp directories. -+## Relabel a dir from the type used in /tmp. - ## ## ## -@@ -4464,17 +5385,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## Domain allowed access. ## ## # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` +-interface(`files_manage_generic_tmp_files',` ++interface(`files_execmod_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; +- type tmp_t; ++ attribute tmpfile; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +- manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; ') ######################################## ## --## List all tmp directories. -+## Relabel a file from the type used in /tmp. +-## Read symbolic links in the tmp directory (/tmp). ++## Manage temporary files and directories in /tmp. ## ## ## -@@ -4482,18 +5403,108 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4428,17 +5350,35 @@ interface(`files_manage_generic_tmp_files',` ## ## # --interface(`files_list_all_tmp',` -+interface(`files_relabelfrom_tmp_files',` +-interface(`files_read_generic_tmp_symlinks',` ++interface(`files_manage_generic_tmp_files',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) +- read_lnk_files_pattern($1, tmp_t, tmp_t) ++ manage_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Relabel to and from all temporary --## directory types. 
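Review bot: `files_execmod_tmp` grants `execmod` on the whole `tmpfile` attribute, but its description only says it was added for java policy; any domain that calls it may map a modified file of every tmp type executable, not just generic tmp_t, which is exactly what withholding execmod is meant to prevent. The summary should state that scope, e.g. `## Allow shared library text relocations on files of any tmp type (tmpfile attribute); grant only to domains that must load code from tmp.` If java is the only intended caller, a type-specific grant inside the java module would keep this broad permission out of the generic interface set.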
-+## Set the attributes of all tmp directories. +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Read symbolic links in the tmp directory (/tmp). +## +## +## @@ -11240,17 +11232,25 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_setattr_all_tmp_dirs',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` -+ attribute tmpfile; ++ type tmp_t; + ') + -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## -+## Allow caller to read inherited tmp files. ++## Read and write generic named sockets in the tmp directory (/tmp). + ## + ## + ## +@@ -4456,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',` + + ######################################## + ## ++## Relabel a dir from the type used in /tmp. +## +## +## @@ -11258,17 +11258,17 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_read_inherited_tmp_files',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` -+ attribute tmpfile; ++ type tmp_t; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +') + +######################################## +## -+## Allow caller to append inherited tmp files. ++## Relabel a file from the type used in /tmp. +## +## +## 
@@ -11276,17 +11276,42 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_append_inherited_tmp_files',` ++interface(`files_relabelfrom_tmp_files',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++') ++ ++######################################## ++## + ## Set the attributes of all tmp directories. + ## + ## +@@ -4474,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',` + + ######################################## + ## ++## Allow caller to read inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file append_inherited_file_perms; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; +') + +######################################## +## -+## Allow caller to read and write inherited tmp files. ++## Allow caller to append inherited tmp files. +## +## +## @@ -11294,17 +11319,17 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ allow $1 tmpfile:file append_inherited_file_perms; +') + +######################################## +## -+## List all tmp directories. ++## Allow caller to read and write inherited tmp files. +## +## +## @@ -11312,22 +11337,20 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_list_all_tmp',` ++interface(`files_rw_inherited_tmp_file',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:dir list_dir_perms; ++ allow $1 tmpfile:file rw_inherited_file_perms; +') + +######################################## +## -+## Relabel to and from all temporary -+## directory types. + ## List all tmp directories. ## ## - ## -@@ -4519,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## 
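Review bot: `files_read_inherited_tmp_files` is documented as `Allow caller to read inherited tmp files`, but its rule is `allow $1 tmpfile:file { append read_inherited_file_perms };`, so every caller also receives append on every tmp type — a write-class permission that neither the name nor the description advertises, while a dedicated `files_append_inherited_tmp_files` already exists two interfaces below. Either drop `append` from the read interface, or change the summary to `## Allow caller to read and append to inherited tmp files.` so policy authors see the real grant. A smaller naming point in the same hunk: `files_rw_inherited_tmp_file` is singular where its sibling interfaces use `_files`.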
@@ -11336,7 +11359,7 @@ index f962f76..1a11674 100644 ## ## # -@@ -4579,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -11345,7 +11368,7 @@ index f962f76..1a11674 100644 ## ## # -@@ -4611,6 +5622,44 @@ interface(`files_read_all_tmp_files',` +@@ -4611,6 +5641,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11390,7 +11413,7 @@ index f962f76..1a11674 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5713,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5732,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11407,7 +11430,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -5241,6 +6300,24 @@ interface(`files_list_var',` +@@ -5241,6 +6319,24 @@ interface(`files_list_var',` ######################################## ## @@ -11432,7 +11455,7 @@ index f962f76..1a11674 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5527,6 +6604,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6623,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -11458,7 +11481,7 @@ index f962f76..1a11674 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6692,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6711,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11484,7 +11507,7 @@ index f962f76..1a11674 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6756,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6775,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -11493,7 +11516,7 @@ index f962f76..1a11674 100644 ## ## ## -@@ -5649,12 +6764,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6783,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11509,7 +11532,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -5672,6 +6788,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6807,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11517,7 +11540,7 @@ index f962f76..1a11674 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6815,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6834,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11545,7 +11568,7 @@ index f962f76..1a11674 100644 ## ## ## -@@ -5706,13 +6842,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +6861,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11562,7 +11585,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -5731,7 +6866,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +6885,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11571,7 +11594,7 @@ index f962f76..1a11674 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +6899,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +6918,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11579,7 +11602,7 @@ index f962f76..1a11674 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +6913,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +6932,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11588,7 +11611,7 @@ index f962f76..1a11674 100644 ## ## ## -@@ -5787,13 +6921,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +6940,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -11623,7 +11646,7 @@ index f962f76..1a11674 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +6963,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +6982,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11641,7 +11664,7 @@ index f962f76..1a11674 100644 ') ######################################## -@@ -5834,9 +6987,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7006,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11652,7 +11675,7 @@ index f962f76..1a11674 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7029,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7048,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11662,7 +11685,7 @@ index f962f76..1a11674 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7051,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7070,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11672,7 +11695,7 @@ index f962f76..1a11674 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7088,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7107,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11682,7 +11705,7 @@ index f962f76..1a11674 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7127,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7146,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11691,7 +11714,7 @@ index f962f76..1a11674 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7147,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7166,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11740,7 +11763,7 @@ index f962f76..1a11674 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,27 +7211,27 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,12 +7230,31 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -11753,64 +11776,47 @@ index f962f76..1a11674 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`files_list_pids',` ++## ++## ++# +interface(`files_dontaudit_search_all_pids',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) ++ ') ++ + dontaudit $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Read generic process ID files. ++') ++ ++######################################## ++## +## List the contents of the runtime process +## ID directories (/var/run). - ## - ## - ## -@@ -6053,12 +7239,31 @@ interface(`files_list_pids',` ++## ++## ++## ++## Domain allowed access. ## ## # --interface(`files_read_generic_pids',` -+interface(`files_list_pids',` - gen_require(` +@@ -6039,7 +7263,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6058,7 +7282,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7283,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7302,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') 
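Review bot: In `files_list_pids` and `files_read_generic_pids` the line `allow $1 var_run_t:lnk_file read_lnk_file_perms;` is replaced by `files_search_pids($1)`; the body of `files_search_pids` is outside this hunk, so the replacement only preserves behaviour if that interface still grants the var_run_t lnk_file read (relevant where /var/run is a symlink), which I could not confirm from the diff. A one-line comment at the first replacement, `# files_search_pids also covers the var_run_t symlink read formerly granted here`, would make that dependency explicit for the next rebase. The new `files_dontaudit_search_all_pids` body is consistent with its sibling `files_dontaudit_search_pids` and needs no change.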
@@ -11819,7 +11825,7 @@ index f962f76..1a11674 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7345,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7364,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11827,7 +11833,7 @@ index f962f76..1a11674 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7373,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7392,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11852,7 +11858,7 @@ index f962f76..1a11674 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7404,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7423,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -11861,29 +11867,497 @@ index f962f76..1a11674 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,6 +7471,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7490,43 @@ interface(`files_dontaudit_ioctl_all_pids',` + + ######################################## + ## +-## Read all process ID files. ++## Relable all pid directories + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Delete all process IDs. ++## Delete all pid sockets + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process ID directories. 
++## Create all pid sockets + ## + ## + ## +@@ -6305,42 +7534,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content ++## Create all pid named pipes + ## + ## + ## +-## Domain alloed access. ++## Domain allowed access. + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all pid named pipes + ## + ## + ## +@@ -6348,18 +7570,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_pipes',` + gen_require(` +- attribute polymember; ++ attribute pidfile; + ') + +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. 
+ ## + ## + ## +@@ -6367,37 +7589,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) + ') + ++ + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` + gen_require(` +- type var_spool_t; ++ attribute pidfile; ++ type var_t; + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Relable all pid files + ## + ## + ## +@@ -6405,18 +7630,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` ++interface(`files_relabel_all_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Execute generic programs in /var/run in the caller domain. 
+ ## + ## + ## +@@ -6424,18 +7648,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` ++interface(`files_exec_generic_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ type var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ exec_files_pattern($1, var_run_t, var_run_t) + ') + + ######################################## + ## +-## Read generic spool files. ++## manage all pidfiles ++## in the /var/run directory. + ## + ## + ## +@@ -6443,19 +7667,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` ++interface(`files_manage_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++ manage_files_pattern($1,pidfile,pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. ++## Mount filesystems on all polyinstantiation ++## member directories. + ## + ## + ## +@@ -6463,55 +7686,130 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` ++interface(`files_mounton_all_poly_members',` + gen_require(` +- type var_t, var_spool_t; ++ attribute polymember; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 polymember:dir mounton; + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Delete all process IDs. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++## ++# ++interface(`files_delete_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## + ## +-## Type to which the created node will be transitioned. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Make the specified type a file ++## used for spool files. ++## ++## ++##

++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

++##

++## Related interfaces: ++##

++##
    ++##
  • files_spool_filetrans()
  • ++##
++##

++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

++##

++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

++##
++## + ## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. ++## Type of the file to be used as a ++## spool file. + ## + ## +-## ++## ++# ++interface(`files_spool_file',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 spoolfile; ++') ++ ++######################################## ++## ++## Create all spool sockets ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`files_spool_filetrans',` ++interface(`files_create_all_spool_sockets',` + gen_require(` +- type var_t, var_spool_t; ++ attribute spoolfile; + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 spoolfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. ++## Delete all spool sockets + ## + ## + ## +@@ -6519,64 +7817,767 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute spoolfile; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process 
setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') ++ allow $1 spoolfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Unconfined access to files. ++## Relabel to and from all spool ++## directory types. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_unconfined',` ++interface(`files_relabel_all_spool_dirs',` + gen_require(` +- attribute files_unconfined_type; ++ attribute spoolfile; ++ type var_t; + ') - ######################################## - ## -+## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) +- typeattribute $1 files_unconfined_type; ++ relabel_dirs_pattern($1, spoolfile, spoolfile) +') + +######################################## +## -+## Delete all pid sockets ++## Search the contents of generic spool ++## directories (/var/spool). +## +## +## 
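Review bot: The usage example in the new `files_spool_file` description declares one type and then uses another: `type myspoolfile_t;` is followed by `files_spool_file(myfile_spool_t)`, `allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };` and `files_spool_filetrans(mydomain_t, myfile_spool_t, file)`, so anyone copying it ends up with an undeclared type. Change the declaration to `type myfile_spool_t;` (or the three uses to `myspoolfile_t`). The summaries of `files_relabel_all_pid_dirs` and `files_relabel_all_pid_files` read "Relable"; that should be "Relabel". The patched `files_manage_all_pids` keeps only `manage_files_pattern($1,pidfile,pidfile)` where the upstream body it replaces also managed directories and symlinks, so a comment such as `# directories: files_manage_all_pid_dirs(); symlinks are not covered` would save a policy writer a denial hunt; the rest of the hunk appears to move existing interfaces rather than change what they grant.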
@@ -11891,35 +12365,37 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_delete_all_pid_sockets',` ++interface(`files_search_spool',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ allow $1 pidfile:sock_file delete_sock_file_perms; ++ search_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## -+## Create all pid sockets ++## Do not audit attempts to search generic ++## spool directories. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_create_all_pid_sockets',` ++interface(`files_dontaudit_search_spool',` + gen_require(` -+ attribute pidfile; ++ type var_spool_t; + ') + -+ allow $1 pidfile:sock_file create_sock_file_perms; ++ dontaudit $1 var_spool_t:dir search_dir_perms; +') + +######################################## +## -+## Create all pid named pipes ++## List the contents of generic spool ++## (/var/spool) directories. +## +## +## @@ -11927,17 +12403,18 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_create_all_pid_pipes',` ++interface(`files_list_spool',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ allow $1 pidfile:fifo_file create_fifo_file_perms; ++ list_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## -+## Delete all pid named pipes ++## Create, read, write, and delete generic ++## spool directories (/var/spool). +## +## +## 
@@ -11945,18 +12422,18 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_delete_all_pid_pipes',` ++interface(`files_manage_generic_spool_dirs',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## manage all pidfile directories -+## in the /var/run directory. ++## Read generic spool files. +## +## +## @@ -11964,37 +12441,19 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_manage_all_pid_dirs',` ++interface(`files_read_generic_spool',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## - ## Read all process ID files. - ## - ## -@@ -6261,12 +7593,86 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; -+ type var_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Relable all pid files ++## Create, read, write, and delete generic ++## spool files. +## +## +## 
@@ -12002,55 +12461,55 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_relabel_all_pid_files',` ++interface(`files_manage_generic_spool',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ relabel_files_pattern($1, pidfile, pidfile) ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Execute generic programs in /var/run in the caller domain. ++## Create objects in the spool directory ++## with a private type with a type transition. +## +## +## +## Domain allowed access. +## +## -+# -+interface(`files_exec_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## manage all pidfiles -+## in the /var/run directory. -+## -+## ++## +## -+## Domain allowed access. ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++## ++## ++## The name of the object being created. +## +## +# -+interface(`files_manage_all_pids',` ++interface(`files_spool_filetrans',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ manage_files_pattern($1,pidfile,pidfile) ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) +') + +######################################## +## -+## Mount filesystems on all polyinstantiation -+## member directories. ++## Allow access to manage all polyinstantiated ++## directories on the system. +## +## +## 
@@ -12058,158 +12517,67 @@ index f962f76..1a11674 100644 +## +## +# -+interface(`files_mounton_all_poly_members',` ++interface(`files_polyinstantiate_all',` + gen_require(` -+ attribute polymember; ++ attribute polydir, polymember, polyparent; ++ type poly_t; + ') + -+ allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6286,8 +7692,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +7717,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content -+## Make the specified type a file -+## used for spool files. -+## -+## -+##

-+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

-+##

-+## Related interfaces: -+##

-+##
    -+##
  • files_spool_filetrans()
  • -+##
-+##

-+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

-+##

-+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

-+##
-+## -+## -+## Type of the file to be used as a -+## spool file. -+## -+## -+## -+# -+interface(`files_spool_file',` -+ gen_require(` -+ attribute spoolfile; -+ ') ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) + -+ files_type($1) -+ typeattribute $1 spoolfile; -+') ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; + -+######################################## -+## -+## Create all spool sockets - ## - ## - ## --## Domain alloed access. -+## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` -+interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute pidfile; -+ attribute spoolfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 spoolfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. 
-+## Delete all spool sockets - ## - ## - ## -@@ -6348,12 +7798,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; -+ attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; -+ allow $1 spoolfile:sock_file delete_sock_file_perms; ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') +') + +######################################## +## -+## Relabel to and from all spool -+## directory types. ++## Unconfined access to files. +## +## +## +## Domain allowed access. 
+## +## -+## +# -+interface(`files_relabel_all_spool_dirs',` ++interface(`files_unconfined',` + gen_require(` -+ attribute spoolfile; -+ type var_t; ++ attribute files_unconfined_type; + ') + -+ relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6580,3 +8051,514 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') ++ typeattribute $1 files_unconfined_type; ++') + +######################################## +## @@ -12720,7 +13088,7 @@ index f962f76..1a11674 100644 + ') + + allow $1 etc_t:service status; -+') + ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..dfcd2ad 100644 --- a/policy/modules/kernel/files.te @@ -15922,7 +16290,7 @@ index 7be4ddf..4d4c577 100644 -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6d0811d..6947c0a 100644 +index 6d0811d..f67bd8f 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` 
@@ -16216,7 +16584,37 @@ index 6d0811d..6947c0a 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -690,7 +711,9 @@ interface(`selinux_compute_user_contexts',` +@@ -677,6 +698,29 @@ interface(`selinux_compute_relabel_context',` + + ######################################## + ## ++## Allows caller to setcheckreqprot ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`selinux_setcheckreqprot',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; ++ allow $1 security_t:dir list_dir_perms; ++ allow $1 security_t:file rw_file_perms; ++ allow $1 security_t:security setcheckreqprot; ++') ++ ++######################################## ++## + ## Allows caller to compute possible contexts for a user. + ## + ## +@@ -690,7 +734,9 @@ interface(`selinux_compute_user_contexts',` type security_t; ') @@ -16226,7 +16624,7 @@ index 6d0811d..6947c0a 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -712,4 +735,29 @@ interface(`selinux_unconfined',` +@@ -712,4 +758,28 @@ interface(`selinux_unconfined',` ') typeattribute $1 selinux_unconfined_type; @@ -16255,7 +16653,6 @@ index 6d0811d..6947c0a 100644 + fs_type($1) + mls_trusted_object($1) ') -+ diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index e0a973b..0fcd621 100644 --- a/policy/modules/kernel/selinux.te @@ -28866,7 +29263,7 @@ index 79a45f6..9a14d49 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..a627baf 100644 +index 17eda24..fdd335a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
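Review bot: The new `selinux_setcheckreqprot` interface documents itself only as "Allows caller to setcheckreqprot", but the rule it grants, `allow $1 security_t:security setcheckreqprot;`, lets the caller write /sys/fs/selinux/checkreqprot, and a value of 1 makes the kernel validate the protections a process requests in mmap()/mprotect() rather than those it actually receives, which weakens execmem/execmod/execstack enforcement for every domain on the system. The summary should state that, e.g. `## Allow the caller to set checkreqprot (write /sys/fs/selinux/checkreqprot). Setting it to 1 weakens execmem/execmod enforcement system-wide; grant only to the domain that sets it at boot.` The accompanying `security_t:file rw_file_perms` and `security_t:dir list_dir_perms` match the sibling interfaces in this file (compare `selinux_compute_user_contexts` just below), so the file-class grant is consistent and the `security` class permission is what actually gates the write.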
@@ -29533,15 +29930,18 @@ index 17eda24..a627baf 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,6 +719,7 @@ mls_process_read_up(initrc_t) +@@ -387,8 +719,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) +mls_socket_write_to_clearance(initrc_t) selinux_get_enforce_mode(initrc_t) ++selinux_setcheckreqprot(initrc_t) -@@ -398,6 +731,7 @@ term_use_all_terms(initrc_t) + storage_getattr_fixed_disk_dev(initrc_t) + storage_setattr_fixed_disk_dev(initrc_t) +@@ -398,6 +732,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29549,7 +29949,7 @@ index 17eda24..a627baf 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +750,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +751,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29573,7 +29973,7 @@ index 17eda24..a627baf 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +783,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +784,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29581,7 +29981,7 @@ index 17eda24..a627baf 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +817,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +818,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -29592,7 +29992,7 @@ index 17eda24..a627baf 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +841,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +842,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
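Review bot: `selinux_setcheckreqprot(initrc_t)` hands the ability to flip /sys/fs/selinux/checkreqprot to the generic init-script domain, which every legacy service script and anything that stays in initrc_t runs as, so a compromised or careless script can set it to 1 and weaken execmem/execmod checking system-wide. If this exists to write checkreqprot=0 once at boot, the grant belongs on the specific domain that performs that write (the writer is not visible in this hunk; presumably init_t or a dedicated domain) rather than on initrc_t. Whichever domain keeps it, add a comment stating the intent next to the call, e.g. `# sets checkreqprot=0 at boot; do not widen, setting 1 disables execmem checks`.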
@@ -29601,7 +30001,7 @@ index 17eda24..a627baf 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +856,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +857,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29609,7 +30009,7 @@ index 17eda24..a627baf 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +877,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +878,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29617,7 +30017,7 @@ index 17eda24..a627baf 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +887,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +888,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29662,7 +30062,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -559,14 +932,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +933,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29694,7 +30094,7 @@ index 17eda24..a627baf 100644 ') ') -@@ -577,6 +967,39 @@ ifdef(`distro_suse',` +@@ -577,6 +968,39 @@ ifdef(`distro_suse',` ') ') @@ -29734,7 +30134,7 @@ index 17eda24..a627baf 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1012,8 @@ optional_policy(` +@@ -589,6 +1013,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29743,7 +30143,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -610,6 +1035,7 @@ optional_policy(` +@@ -610,6 +1036,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29751,7 +30151,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -626,6 +1052,17 @@ optional_policy(` +@@ -626,6 +1053,17 @@ optional_policy(` ') optional_policy(` 
@@ -29769,7 +30169,7 @@ index 17eda24..a627baf 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1079,13 @@ optional_policy(` +@@ -642,9 +1080,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29783,7 +30183,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -657,15 +1098,11 @@ optional_policy(` +@@ -657,15 +1099,11 @@ optional_policy(` ') optional_policy(` @@ -29801,7 +30201,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -686,6 +1123,15 @@ optional_policy(` +@@ -686,6 +1124,15 @@ optional_policy(` ') optional_policy(` @@ -29817,7 +30217,7 @@ index 17eda24..a627baf 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1172,7 @@ optional_policy(` +@@ -726,6 +1173,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29825,7 +30225,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -743,7 +1190,13 @@ optional_policy(` +@@ -743,7 +1191,13 @@ optional_policy(` ') optional_policy(` @@ -29840,7 +30240,7 @@ index 17eda24..a627baf 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1219,10 @@ optional_policy(` +@@ -766,6 +1220,10 @@ optional_policy(` ') optional_policy(` @@ -29851,7 +30251,7 @@ index 17eda24..a627baf 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1232,20 @@ optional_policy(` +@@ -775,10 +1233,20 @@ optional_policy(` ') optional_policy(` @@ -29872,7 +30272,7 @@ index 17eda24..a627baf 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1254,10 @@ optional_policy(` +@@ -787,6 +1255,10 @@ optional_policy(` ') optional_policy(` @@ -29883,7 +30283,7 @@ index 17eda24..a627baf 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1279,6 @@ optional_policy(` +@@ -808,8 +1280,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -29892,7 +30292,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -818,6 +1287,10 @@ optional_policy(` +@@ -818,6 +1288,10 @@ optional_policy(` ') optional_policy(` @@ -29903,7 +30303,7 @@ index 17eda24..a627baf 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1300,12 @@ optional_policy(` +@@ -827,10 +1301,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29916,7 +30316,7 @@ index 17eda24..a627baf 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1332,35 @@ optional_policy(` +@@ -857,21 +1333,60 @@ optional_policy(` ') optional_policy(` @@ -29953,7 +30353,13 @@ index 17eda24..a627baf 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1370,18 @@ optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + ') + ++ optional_policy(` ++ authconfig_domtrans(initrc_t) ++ ') ++ optional_policy(` mono_domtrans(initrc_t) ') @@ -29972,7 +30378,7 @@ index 17eda24..a627baf 100644 ') optional_policy(` -@@ -887,6 +1397,10 @@ optional_policy(` +@@ -887,6 +1402,10 @@ optional_policy(` ') optional_policy(` @@ -29983,7 +30389,7 @@ index 17eda24..a627baf 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1411,218 @@ optional_policy(` +@@ -897,3 +1416,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -31294,7 +31700,7 @@ index 73bb3c0..5b9420f 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..9d8f729 100644 +index 808ba93..57a68da 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` 
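Review bot: The new `authconfig_domtrans(initrc_t)` block sits inside an enclosing `optional_policy(` that begins outside this hunk and, judging from the surrounding `unconfined_dontaudit_rw_pipes(daemon)` and `mono_domtrans(initrc_t)` lines, is the unconfined module's block, so the transition into authconfig's domain is silently dropped whenever the unconfined module is not loaded. That is exactly the hardened configuration in which confining what initrc_t launches matters most; if authconfig should always be transitioned to, move the three lines to a top-level `optional_policy(` of their own. Either way a one-line comment on why init scripts need this, e.g. `# init scripts invoke authconfig; transition instead of running it in initrc_t`, would help, since the caller cannot be confirmed from this hunk.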
@@ -31430,7 +31836,7 @@ index 808ba93..9d8f729 100644 ') ######################################## -@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -31447,10 +31853,12 @@ index 808ba93..9d8f729 100644 +# +interface(`libs_filetrans_named_content',` + gen_require(` ++ type lib_t; + type ld_so_cache_t; + type ldconfig_cache_t; + ') + ++ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug") + files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 589f30d..3c2bcc4 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -42699,10 +42699,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..7995fce 100644 +index 6ffaba2..7128926 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,68 @@ +@@ -1,38 +1,71 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -42760,7 +42760,7 @@ index 6ffaba2..7995fce 100644 -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) - +- -/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
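Review bot: `libs_filetrans_named_content` now requires `type lib_t;` but none of the visible statements in its body use it (the interface's closing line is outside this hunk), so either drop the require or add the rule it was meant for. The new `files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` labels any directory the caller creates as /var/lib/debug with `ldconfig_cache_t`; that only survives a relabel if a matching file-context entry for `/var/lib/debug(/.*)?` exists (not visible here), and it gives whatever the caller puts there the same type the other transitions reserve for ld.so's cache, so confirm the name is intended and not a generic "debug" directory owned by other tooling. Also match the spacing of the neighbouring calls: `files_var_lib_filetrans($1, ldconfig_cache_t, dir, "debug")`.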
@@ -42771,6 +42771,7 @@ index 6ffaba2..7995fce 100644 -/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) -/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ +ifdef(`distro_redhat',` +/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) @@ -42795,12 +42796,15 @@ index 6ffaba2..7995fce 100644 +/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -+/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0) + +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + ++/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) + ++/usr/libexec/WebKitPluginProcess -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ +ifdef(`distro_redhat',` +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') @@ -75168,10 +75172,10 @@ index c8bdea2..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..8ee9185 100644 +index 6cf79c4..e7fe8c7 100644 --- a/rhcs.te +++ b/rhcs.te -@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) +@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) ## gen_tunable(fenced_can_ssh, false) 
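Review bot: In the mozilla.fc hunk at `@@ -42795,12 +42796,15 @@`, the relabeled `/usr/lib/firefox/plugin-container` is a literal path, while the firefox entries a few lines above use the `/usr/lib/[^/]*firefox[^/]*/` form; under a versioned or renamed install directory the plugin-container binary would match neither entry, would not receive mozilla_plugin_exec_t, and the plugin process would run without the transition into the plugin domain. Using the same wildcard keeps the two in step: `/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)`. Whether the literal path is deliberate for a fixed distro layout is not visible here.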
@@ -75196,10 +75200,18 @@ index 6cf79c4..8ee9185 100644 +## +gen_tunable(cluster_use_execmem, false) + ++## ++##

++## Determine whether haproxy can ++## connect to all TCP ports. ++##

++##
++gen_tunable(haproxy_connect_any, false) ++ attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -75487,7 +75499,7 @@ index 6cf79c4..8ee9185 100644 ') ##################################### -@@ -79,9 +349,11 @@ optional_policy(` +@@ -79,9 +357,11 @@ optional_policy(` # dlm_controld local policy # @@ -75500,7 +75512,7 @@ index 6cf79c4..8ee9185 100644 stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -75533,7 +75545,7 @@ index 6cf79c4..8ee9185 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -75544,7 +75556,7 @@ index 6cf79c4..8ee9185 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) @@ -75553,7 +75565,7 @@ index 6cf79c4..8ee9185 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) 
@@ -75564,7 +75576,7 @@ index 6cf79c4..8ee9185 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -75573,7 +75585,7 @@ index 6cf79c4..8ee9185 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +467,8 @@ optional_policy(` +@@ -182,7 +475,8 @@ optional_policy(` ') optional_policy(` @@ -75583,7 +75595,7 @@ index 6cf79c4..8ee9185 100644 ') optional_policy(` -@@ -190,12 +476,12 @@ optional_policy(` +@@ -190,12 +484,12 @@ optional_policy(` ') optional_policy(` @@ -75599,7 +75611,7 @@ index 6cf79c4..8ee9185 100644 ') optional_policy(` -@@ -203,6 +489,13 @@ optional_policy(` +@@ -203,6 +497,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -75613,7 +75625,7 @@ index 6cf79c4..8ee9185 100644 ####################################### # # foghorn local policy -@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -75634,7 +75646,7 @@ index 6cf79c4..8ee9185 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -75643,7 +75655,7 @@ index 6cf79c4..8ee9185 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) 
@@ -75676,16 +75688,27 @@ index 6cf79c4..8ee9185 100644 +corenet_tcp_connect_commplex_link_port(haproxy_t) +corenet_tcp_connect_commplex_main_port(haproxy_t) +corenet_tcp_bind_commplex_main_port(haproxy_t) ++corenet_tcp_bind_http_port(haproxy_t) ++corenet_tcp_bind_http_cache_port(haproxy_t) + +corenet_tcp_connect_fmpro_internal_port(haproxy_t) ++corenet_tcp_connect_http_port(haproxy_t) ++corenet_tcp_connect_http_cache_port(haproxy_t) +corenet_tcp_connect_rtp_media_port(haproxy_t) + +sysnet_dns_name_resolve(haproxy_t) + ++tunable_policy(`haproxy_connect_any',` ++ corenet_tcp_connect_all_ports(haproxy_t) ++ corenet_tcp_bind_all_ports(haproxy_t) ++ corenet_sendrecv_all_packets(haproxy_t) ++ corenet_tcp_sendrecv_all_ports(haproxy_t) ++') ++ ###################################### # # qdiskd local policy -@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 38141db..4b20053 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -578,6 +578,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jan 24 2014 Miroslav Grepl 3.13.1-18 +- Add haproxy_connect_any boolean +- Allow haproxy also to use http cache port by default +- Fix /usr/lib/firefox/plugin-container decl +- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications +- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t +- Fix type in docker.te +- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory +- Adding a new service script to enable setcheckreqprot +- Add interface to getattr on an isid_type for any type of file +- Allow initrc_t domtrans to authconfig if unconfined is enabled +type in docker.te +- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container + * Thu Jan 23 2014 Miroslav Grepl 3.13.1-17 - init calling needs to be optional in domain.te - Allow docker and mount on devpts chr_file