diff --git a/container-selinux.tgz b/container-selinux.tgz index d4438ea..4bef662 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0876b45..c754c80 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -877,7 +877,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..7c036a8 100644 +index a94b169..7c61322 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -121,6 +121,60 @@ common x_device @@ -941,10 +941,19 @@ index a94b169..7c036a8 100644 # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } -@@ -393,62 +447,31 @@ class system +@@ -379,6 +433,7 @@ class security + setsecparam + setcheckreqprot + read_policy ++ validate_trans + } + + +@@ -393,62 +448,32 @@ class system syslog_mod syslog_console module_request ++ module_load + # these are overloaded userspace + # permissions from systemd + halt @@ -1020,7 +1029,7 @@ index a94b169..7c036a8 100644 # # Define the access vector interpretation for controlling # changes to passwd information. -@@ -690,6 +713,8 @@ class nscd +@@ -690,6 +715,8 @@ class nscd shmemhost getserv shmemserv @@ -1029,7 +1038,7 @@ index a94b169..7c036a8 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +856,38 @@ inherits socket +@@ -831,6 +858,38 @@ inherits socket attach_queue } @@ -1068,7 +1077,7 @@ index a94b169..7c036a8 100644 class x_pointer inherits x_device -@@ -865,3 +922,28 @@ inherits database +@@ -865,3 +924,28 @@ inherits database implement execute } @@ -2300,7 +2309,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) 
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..48ab7f8 100644 +index 03ec5ca..102ccff 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -58,6 +58,7 @@ template(`su_restricted_domain_template', ` @@ -2335,7 +2344,7 @@ index 03ec5ca..48ab7f8 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -172,14 +168,6 @@ template(`su_role_template',` +@@ -172,15 +168,8 @@ template(`su_role_template',` role $2 types $1_su_t; allow $3 $1_su_t:process signal; @@ -2348,9 +2357,11 @@ index 03ec5ca..48ab7f8 100644 - allow $1_su_t self:key { search write }; - allow $1_su_t $3:key search; ++ allow $1_su_t self:netlink_selinux_socket create_socket_perms; # Transition from the user domain to this domain. -@@ -194,125 +182,16 @@ template(`su_role_template',` + domtrans_pattern($3, su_exec_t, $1_su_t) +@@ -194,125 +183,16 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) @@ -11235,7 +11246,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..e06a46c 100644 +index f962f76..fa12587 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
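Review bot: The new rule `allow $1_su_t self:netlink_selinux_socket create_socket_perms;` in su_role_template carries no explanation of why the su domain needs a SELinux netlink socket, and `create_socket_perms` is the full create-plus-read/write set rather than a receive-only set. If the motivation is libselinux in su receiving AVC enforcement-change / policy-reload notifications, a one-line comment above the rule stating that (`# libselinux AVC netlink notifications (setenforce / policy reload)`) lets the next reader verify the scope; if only receiving is needed, a narrower permission set should be confirmed against the denial that motivated the change. The surrounding lines (`allow $1_su_t self:key …`) are removed context from the earlier patch version, not part of this change. su_role_template begins and ends outside this hunk.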
@@ -13199,7 +13210,33 @@ index f962f76..e06a46c 100644 ') ######################################## -@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +5028,25 @@ interface(`files_kernel_modules_filetrans',` + + ######################################## + ## ++## Load kernel module files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_load_kernel_modules',` ++ gen_require(` ++ type modules_object_t; ++ ') ++ ++ files_read_kernel_modules($1) ++ allow $1 modules_object_t:system module_load; ++') ++ ++######################################## ++## + ## List world-readable directories. + ## + ## +@@ -4217,174 +5138,275 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
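Review bot: The new `files_load_kernel_modules` interface grants `module_load` with `modules_object_t` as the target, which matches the kernel's finit_module() check for a module file carrying that label; a domain that loads a module from memory via init_module() is instead checked against `self:system module_load`, and a module file with any other label is likewise not covered, so callers using those paths will still be denied. The summary `## Load kernel module files.` should state that scope, e.g. `## Load kernel modules via finit_module() from files labeled modules_object_t. Loading from memory (init_module) needs self:system module_load and is not granted here.` The `module_load` permission this relies on is added to the `system` class in the access_vectors hunk earlier in this patch, so the two changes are consistent. The added interface is complete within the hunk.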
@@ -13346,91 +13383,61 @@ index f962f76..e06a46c 100644 ## -## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - -- dontaudit $1 tmp_t:dir search_dir_perms; ++ + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +################################### - ## --## Read the tmp directory (/tmp). ++## +## Create files in /etc with the type used for +## the manageable system config files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## The type of the process performing this action. +## - ## - # --interface(`files_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir list_dir_perms; ++ + filetrans_pattern($1, etc_t, system_conf_t, file) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit listing of the tmp directory (/tmp). ++## +## Manage manageable system db files in /var/lib. - ## - ## --## --## Domain not to audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- dontaudit $1 tmp_t:dir list_dir_perms; ++ + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) - ') - --######################################## ++') ++ +##################################### - ## --## Remove entries from the tmp directory. 
++## +## File name transition for system db files in /var/lib. ## ## @@ -13456,24 +13463,24 @@ index f962f76..e06a46c 100644 +## +## ## --## Domain allowed access. +-## Domain to not audit. +## Type of the file to associate. ## ## # --interface(`files_delete_tmp_dir_entry',` +-interface(`files_dontaudit_search_tmp',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') -- allow $1 tmp_t:dir del_entry_dir_perms; +- dontaudit $1 tmp_t:dir search_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## --## Read files in the tmp directory (/tmp). +-## Read the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system @@ -13486,42 +13493,43 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_read_generic_tmp_files',` +-interface(`files_list_tmp',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') -- read_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir list_dir_perms; + allow $1 root_t:filesystem associate; ') ######################################## ## --## Manage temporary directories in /tmp. +-## Do not audit listing of the tmp directory (/tmp). +## Get the attributes of the tmp directory (/tmp). ## ## ## -@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',` +-## Domain not to audit. ++## Domain allowed access. ## ## # --interface(`files_manage_generic_tmp_dirs',` +-interface(`files_dontaudit_list_tmp',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- manage_dirs_pattern($1, tmp_t, tmp_t) +- dontaudit $1 tmp_t:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Manage temporary files and directories in /tmp. +-## Remove entries from the tmp directory. +## Do not audit attempts to check the +## access on tmp files ## 
@@ -13532,20 +13540,20 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_manage_generic_tmp_files',` +-interface(`files_delete_tmp_dir_entry',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir del_entry_dir_perms; + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## --## Read symbolic links in the tmp directory (/tmp). +-## Read files in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## @@ -13556,34 +13564,34 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_read_generic_tmp_symlinks',` +-interface(`files_read_generic_tmp_files',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- read_lnk_files_pattern($1, tmp_t, tmp_t) +- read_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## --## Read and write generic named sockets in the tmp directory (/tmp). +-## Manage temporary directories in /tmp. +## Search the tmp directory (/tmp). ## ## ## -@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',` +@@ -4392,35 +5414,37 @@ interface(`files_read_generic_tmp_files',` ## ## # --interface(`files_rw_generic_tmp_sockets',` +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_search_tmp',` gen_require(` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) +- manage_dirs_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; @@ -13591,7 +13599,7 @@ index f962f76..e06a46c 100644 ######################################## ## --## Set the attributes of all tmp directories. +-## Manage temporary files and directories in /tmp. +## Do not audit attempts to search the tmp directory (/tmp). ## ## 
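Review bot: In `files_dontaudit_access_check_tmp` the gen_require block names `etc_t` while the body's only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the required type is unused and the type actually used is not required; the line should read `type tmp_t;`. The `type etc_t;` line is context in this hunk, so this appears to pre-exist in the patch rather than being introduced by the commit, but the regenerated hunk is the place to correct it. In base policy this compiles only because tmp_t is declared in the same module; a loadable module calling this interface without another requirement on tmp_t would fail to build. The interface is complete within the hunk.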
@@ -13601,44 +13609,40 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_search_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## --## List all tmp directories. +-## Read symbolic links in the tmp directory (/tmp). +## Read the tmp directory (/tmp). ## ## ## -@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4428,53 +5452,55 @@ interface(`files_manage_generic_tmp_files',` ## ## # --interface(`files_list_all_tmp',` +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_list_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; -+ read_lnk_files_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## --## Relabel to and from all temporary --## directory types. +-## Read and write generic named sockets in the tmp directory (/tmp). +## Do not audit listing of the tmp directory (/tmp). ## ## 
@@ -13647,38 +13651,33 @@ index f962f76..e06a46c 100644 +## Domain to not audit. ## ## --## # --interface(`files_relabel_all_tmp_dirs',` +-interface(`files_rw_generic_tmp_sockets',` +interface(`files_dontaudit_list_tmp',` gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; + type tmp_t; ') -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) +- rw_sock_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir list_dir_perms; ') -######################################## +####################################### ## --## Do not audit attempts to get the attributes --## of all tmp files. +-## Set the attributes of all tmp directories. +## Allow read and write to the tmp directory (/tmp). ## ## -## --## Domain not to audit. +-## Domain allowed access. -## +## +## Domain not to audit. +## ## # --interface(`files_dontaudit_getattr_all_tmp_files',` +-interface(`files_setattr_all_tmp_dirs',` - gen_require(` - attribute tmpfile; - ') @@ -13687,31 +13686,30 @@ index f962f76..e06a46c 100644 + type tmp_t; + ') -- dontaudit $1 tmpfile:file getattr; +- allow $1 tmpfile:dir { search_dir_perms setattr }; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') ######################################## ## --## Allow attempts to get the attributes --## of all tmp files. +-## List all tmp directories. +## Remove entries from the tmp directory. ## ## ## -@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4482,118 +5508,116 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # --interface(`files_getattr_all_tmp_files',` +-interface(`files_list_all_tmp',` +interface(`files_delete_tmp_dir_entry',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- allow $1 tmpfile:file getattr; +- allow $1 tmpfile:dir list_dir_perms; + files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; ') 
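Review bot: The parameter description on the new side reads `## Domain not to audit.` under the summary `## Allow read and write to the tmp directory (/tmp).`, but the interface's body in the following hunk is an `allow` rule (`allow $1 tmp_t:dir rw_dir_perms;`), so the description should be `## Domain allowed access.` as the other allow-interfaces in this file use. The mismatch sits on context lines here and so looks pre-existing, but the regenerated hunk is the natural place to fix it. The `interface(` line for this block falls between the two hunks and is not visible on this page, so its name cannot be confirmed from here.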
@@ -13719,7 +13717,7 @@ index f962f76..e06a46c 100644 ######################################## ## -## Relabel to and from all temporary --## file types. +-## directory types. +## Read files in the tmp directory (/tmp). ## ## @@ -13729,7 +13727,7 @@ index f962f76..e06a46c 100644 ## -## # --interface(`files_relabel_all_tmp_files',` +-interface(`files_relabel_all_tmp_dirs',` +interface(`files_read_generic_tmp_files',` gen_require(` - attribute tmpfile; @@ -13738,14 +13736,14 @@ index f962f76..e06a46c 100644 ') - allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) +- relabel_dirs_pattern($1, tmpfile, tmpfile) + read_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit attempts to get the attributes --## of all tmp sock_file. +-## of all tmp files. +## Manage temporary directories in /tmp. ## ## @@ -13755,20 +13753,21 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_dontaudit_getattr_all_tmp_sockets',` +-interface(`files_dontaudit_getattr_all_tmp_files',` +interface(`files_manage_generic_tmp_dirs',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- dontaudit $1 tmpfile:sock_file getattr; +- dontaudit $1 tmpfile:file getattr; + manage_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Read all tmp files. +-## Allow attempts to get the attributes +-## of all tmp files. +## Allow shared library text relocations in tmp files. ## +## 
@@ -13785,21 +13784,93 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_read_all_tmp_files',` +-interface(`files_getattr_all_tmp_files',` +interface(`files_execmod_tmp',` gen_require(` attribute tmpfile; ') -- read_files_pattern($1, tmpfile, tmpfile) +- allow $1 tmpfile:file getattr; + allow $1 tmpfile:file execmod; ') ######################################## ## +-## Relabel to and from all temporary +-## file types. ++## Manage temporary files and directories in /tmp. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Read symbolic links in the tmp directory (/tmp). + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Read all tmp files. ++## Read and write generic named sockets in the tmp directory (/tmp). 
+ ## + ## + ## +@@ -4601,51 +5625,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` + ## + ## + # +-interface(`files_read_all_tmp_files',` ++interface(`files_rw_generic_tmp_sockets',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- read_files_pattern($1, tmpfile, tmpfile) ++ rw_sock_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## -## Create an object in the tmp directories, with a private -## type using a type transition. -+## Manage temporary files and directories in /tmp. ++## Relabel a dir from the type used in /tmp. ## ## ## @@ -13823,28 +13894,28 @@ index f962f76..e06a46c 100644 -## # -interface(`files_tmp_filetrans',` -+interface(`files_manage_generic_tmp_files',` ++interface(`files_relabelfrom_tmp_dirs',` gen_require(` type tmp_t; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ manage_files_pattern($1, tmp_t, tmp_t) ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Delete the contents of /tmp. -+## Read symbolic links in the tmp directory (/tmp). ++## Relabel a file from the type used in /tmp. ## ## ## -@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',` +@@ -4653,22 +5661,17 @@ interface(`files_tmp_filetrans',` ## ## # -interface(`files_purge_tmp',` -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_relabelfrom_tmp_files',` gen_require(` - attribute tmpfile; + type tmp_t; 
@@ -13856,80 +13927,80 @@ index f962f76..e06a46c 100644 - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Set the attributes of the /usr directory. -+## Read and write generic named sockets in the tmp directory (/tmp). ++## Set the attributes of all tmp directories. ## ## ## -@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',` +@@ -4676,17 +5679,17 @@ interface(`files_purge_tmp',` ## ## # -interface(`files_setattr_usr_dirs',` -+interface(`files_rw_generic_tmp_sockets',` ++interface(`files_setattr_all_tmp_dirs',` gen_require(` - type usr_t; -+ type tmp_t; ++ attribute tmpfile; ') - allow $1 usr_t:dir setattr; -+ rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## -## Search the content of /usr. -+## Relabel a dir from the type used in /tmp. ++## Allow caller to read inherited tmp files. ## ## ## -@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4694,18 +5697,17 @@ interface(`files_setattr_usr_dirs',` ## ## # -interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_read_inherited_tmp_files',` gen_require(` - type usr_t; -+ type tmp_t; ++ attribute tmpfile; ') - allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ') ######################################## ## -## List the contents of generic -## directories in /usr. -+## Relabel a file from the type used in /tmp. ++## Allow caller to append inherited tmp files. 
## ## ## -@@ -4713,35 +5642,35 @@ interface(`files_search_usr',` +@@ -4713,35 +5715,35 @@ interface(`files_search_usr',` ## ## # -interface(`files_list_usr',` -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_append_inherited_tmp_files',` gen_require(` - type usr_t; -+ type tmp_t; ++ attribute tmpfile; ') - allow $1 usr_t:dir list_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## -## Do not audit write of /usr dirs -+## Set the attributes of all tmp directories. ++## Allow caller to read and write inherited tmp files. ## ## ## @@ -13939,43 +14010,44 @@ index f962f76..e06a46c 100644 ## # -interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_setattr_all_tmp_dirs',` ++interface(`files_rw_inherited_tmp_file',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Add and remove entries from /usr directories. -+## Allow caller to read inherited tmp files. ++## List all tmp directories. ## ## ## -@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4749,54 +5751,59 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # -interface(`files_rw_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` ++interface(`files_list_all_tmp',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## -## Do not audit attempts to add and remove -## entries from /usr directories. -+## Allow caller to append inherited tmp files. ++## Relabel to and from all temporary ++## directory types. ## ## ## 
@@ -13983,67 +14055,73 @@ index f962f76..e06a46c 100644 +## Domain allowed access. ## ## ++## # -interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ++ type var_t; ') - dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Delete generic directories in /usr in the caller domain. -+## Allow caller to read and write inherited tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp files. ## ## ## -@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_delete_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ dontaudit $1 tmpfile:file getattr; ') ######################################## ## -## Delete generic files in /usr in the caller domain. -+## List all tmp directories. ++## Allow attempts to get the attributes ++## of all tmp files. ## ## ## -@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',` +@@ -4804,73 +5811,58 @@ interface(`files_delete_usr_dirs',` ## ## # -interface(`files_delete_usr_files',` -+interface(`files_list_all_tmp',` ++interface(`files_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; ++ allow $1 tmpfile:file getattr; ') ######################################## ## -## Get the attributes of files in /usr. +## Relabel to and from all temporary -+## directory types. ++## file types. ## ## ## 
@@ -14053,7 +14131,7 @@ index f962f76..e06a46c 100644 +## # -interface(`files_getattr_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` ++interface(`files_relabel_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; @@ -14062,14 +14140,14 @@ index f962f76..e06a46c 100644 - getattr_files_pattern($1, usr_t, usr_t) + allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) ++ relabel_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Read generic files in /usr. +## Do not audit attempts to get the attributes -+## of all tmp files. ++## of all tmp sock_file. ## -## -##

@@ -14097,7 +14175,7 @@ index f962f76..e06a46c 100644 -## # -interface(`files_read_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` - type usr_t; + attribute tmpfile; @@ -14106,23 +14184,22 @@ index f962f76..e06a46c 100644 - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; ++ dontaudit $1 tmpfile:sock_file getattr; ') ######################################## ##

-## Execute generic programs in /usr in the caller domain. -+## Allow attempts to get the attributes -+## of all tmp files. ++## Read all tmp files. ## ## ## -@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',` +@@ -4878,19 +5870,18 @@ interface(`files_read_usr_files',` ## ## # -interface(`files_exec_usr_files',` -+interface(`files_getattr_all_tmp_files',` ++interface(`files_read_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; 
@@ -14131,109 +14208,35 @@ index f962f76..e06a46c 100644 - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; - ') - - ######################################## - ## --## dontaudit write of /usr files -+## Relabel to and from all temporary -+## file types. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_write_usr_files',` -+interface(`files_relabel_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; - ') - -- dontaudit $1 usr_t:file write; -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /usr directory. -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_sockets',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:sock_file getattr; - ') - - ######################################## - ## --## Relabel a file to the type used in /usr. -+## Read all tmp files. - ## - ## - ## -@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',` - ## - ## - # --interface(`files_relabelto_usr_files',` -+interface(`files_read_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- relabelto_files_pattern($1, usr_t, usr_t) + read_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## --## Relabel a file from the type used in /usr. +-## dontaudit write of /usr files +## Do not audit attempts to read or write +## all leaked tmpfiles files. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -4898,71 +5889,70 @@ interface(`files_exec_usr_files',` ## ## # --interface(`files_relabelfrom_usr_files',` +-interface(`files_dontaudit_write_usr_files',` +interface(`files_dontaudit_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') -- relabelfrom_files_pattern($1, usr_t, usr_t) +- dontaudit $1 usr_t:file write; + dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Read symbolic links in /usr. +-## Create, read, write, and delete files in the /usr directory. +## Do allow attempts to read or write +## all leaked tmpfiles files. ## @@ -14244,20 +14247,20 @@ index f962f76..e06a46c 100644 ##
## # --interface(`files_read_usr_symlinks',` +-interface(`files_manage_usr_files',` +interface(`files_rw_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') -- read_lnk_files_pattern($1, usr_t, usr_t) +- manage_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Create objects in the /usr directory +-## Relabel a file to the type used in /usr. +## Create an object in the tmp directories, with a private +## type using a type transition. ## @@ -14266,56 +14269,67 @@ index f962f76..e06a46c 100644 ## Domain allowed access. ##
## --## +-# +-interface(`files_relabelto_usr_files',` +- gen_require(` +- type usr_t; +- ') +- +- relabelto_files_pattern($1, usr_t, usr_t) +-') +- +-######################################## +-## +-## Relabel a file from the type used in /usr. +-## +-## +## ## --## The type of the object to be created +-## Domain allowed access. +## The type of the object to be created. - ## - ## --## ++##
++## +## - ## --## The object class. ++## +## The object class of the object being created. - ## - ## - ## -@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',` ++## ++## ++## ++## ++## The name of the object being created. ## ## # --interface(`files_usr_filetrans',` +-interface(`files_relabelfrom_usr_files',` +interface(`files_tmp_filetrans',` gen_require(` - type usr_t; + type tmp_t; ') -- filetrans_pattern($1, usr_t, $2, $3, $4) +- relabelfrom_files_pattern($1, usr_t, usr_t) + filetrans_pattern($1, tmp_t, $2, $3, $4) ') ######################################## ## --## Do not audit attempts to search /usr/src. +-## Read symbolic links in /usr. +## Delete the contents of /tmp. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -4970,68 +5960,69 @@ interface(`files_relabelfrom_usr_files',` ## ## # --interface(`files_dontaudit_search_src',` +-interface(`files_read_usr_symlinks',` +interface(`files_purge_tmp',` gen_require(` -- type src_t; +- type usr_t; + attribute tmpfile; ') -- dontaudit $1 src_t:dir search_dir_perms; +- read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) 
@@ -14336,81 +14350,92 @@ index f962f76..e06a46c 100644 ######################################## ## --## Get the attributes of files in /usr/src. +-## Create objects in the /usr directory +## Set the attributes of the /usr directory. ## ## ## -@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',` + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # --interface(`files_getattr_usr_src_files',` +-interface(`files_usr_filetrans',` +interface(`files_setattr_usr_dirs',` gen_require(` -- type usr_t, src_t; -+ type usr_t; + type usr_t; ') -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) +- filetrans_pattern($1, usr_t, $2, $3, $4) + allow $1 usr_t:dir setattr; ') ######################################## ## --## Read files in /usr/src. +-## Do not audit attempts to search /usr/src. +## Search the content of /usr. ## ## ## -@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_read_usr_src_files',` +-interface(`files_dontaudit_search_src',` +interface(`files_search_usr',` gen_require(` -- type usr_t, src_t; +- type src_t; + type usr_t; ') - allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; +- dontaudit $1 src_t:dir search_dir_perms; ++ allow $1 usr_t:dir search_dir_perms; ') ######################################## ## --## Execute programs in /usr/src in the caller domain. +-## Get the attributes of files in /usr/src. +## List the contents of generic +## directories in /usr. 
## ## ## -@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',` +@@ -5039,41 +6030,35 @@ interface(`files_dontaudit_search_src',` ## ## # --interface(`files_exec_usr_src_files',` +-interface(`files_getattr_usr_src_files',` +interface(`files_list_usr',` gen_require(` - type usr_t, src_t; + type usr_t; ') -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) + allow $1 usr_t:dir list_dir_perms; ') ######################################## ## --## Install a system.map into the /boot directory. +-## Read files in /usr/src. +## Do not audit write of /usr dirs ## ## 
@@ -14420,44 +14445,47 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_create_kernel_symbol_table',` +-interface(`files_read_usr_src_files',` +interface(`files_dontaudit_write_usr_dirs',` gen_require(` -- type boot_t, system_map_t; +- type usr_t, src_t; + type usr_t; ') -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; +- allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; + dontaudit $1 usr_t:dir write; ') ######################################## ## --## Read system.map in the /boot directory. +-## Execute programs in /usr/src in the caller domain. +## Add and remove entries from /usr directories. ## ## ## -@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5081,38 +6066,36 @@ interface(`files_read_usr_src_files',` ## ## # --interface(`files_read_kernel_symbol_table',` +-interface(`files_exec_usr_src_files',` +interface(`files_rw_usr_dirs',` gen_require(` -- type boot_t, system_map_t; +- type usr_t, src_t; + type usr_t; ') -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) + allow $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Delete a system.map in the /boot directory. +-## Install a system.map into the /boot directory. +## Do not audit attempts to add and remove +## entries from /usr directories. ## 
@@ -14468,89 +14496,89 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_delete_kernel_symbol_table',` +-interface(`files_create_kernel_symbol_table',` +interface(`files_dontaudit_rw_usr_dirs',` gen_require(` - type boot_t, system_map_t; + type usr_t; ') -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; + dontaudit $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Search the contents of /var. +-## Read system.map in the /boot directory. +## Delete generic directories in /usr in the caller domain. ## ## ## -@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5120,18 +6103,17 @@ interface(`files_create_kernel_symbol_table',` ## ## # --interface(`files_search_var',` +-interface(`files_read_kernel_symbol_table',` +interface(`files_delete_usr_dirs',` gen_require(` -- type var_t; +- type boot_t, system_map_t; + type usr_t; ') -- allow $1 var_t:dir search_dir_perms; +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) + delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to write to /var. +-## Delete a system.map in the /boot directory. +## Delete generic files in /usr in the caller domain. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -5139,18 +6121,17 @@ interface(`files_read_kernel_symbol_table',` ## ## # --interface(`files_dontaudit_write_var_dirs',` +-interface(`files_delete_kernel_symbol_table',` +interface(`files_delete_usr_files',` gen_require(` -- type var_t; +- type boot_t, system_map_t; + type usr_t; ') -- dontaudit $1 var_t:dir write; +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) + delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Allow attempts to write to /var.dirs +-## Search the contents of /var. +## Get the attributes of files in /usr. ## ## ## -@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5158,35 +6139,55 @@ interface(`files_delete_kernel_symbol_table',` ## ## # --interface(`files_write_var_dirs',` +-interface(`files_search_var',` +interface(`files_getattr_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir write; +- allow $1 var_t:dir search_dir_perms; + getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to search --## the contents of /var. +-## Do not audit attempts to write to /var. +## Read generic files in /usr. ## +## @@ -14578,14 +14606,14 @@ index f962f76..e06a46c 100644 ## +## # --interface(`files_dontaudit_search_var',` +-interface(`files_dontaudit_write_var_dirs',` +interface(`files_read_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- dontaudit $1 var_t:dir search_dir_perms; +- dontaudit $1 var_t:dir write; + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -14593,23 +14621,23 @@ index f962f76..e06a46c 100644 ######################################## ## --## List the contents of /var. +-## Allow attempts to write to /var.dirs +## Execute generic programs in /usr in the caller domain. ## ## ## -@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',` +@@ -5194,18 +6195,19 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # --interface(`files_list_var',` +-interface(`files_write_var_dirs',` +interface(`files_exec_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir list_dir_perms; +- allow $1 var_t:dir write; + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -14617,121 +14645,119 @@ index f962f76..e06a46c 100644 ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +-## Do not audit attempts to search +-## the contents of /var. +## dontaudit write of /usr files ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5213,17 +6215,17 @@ interface(`files_write_var_dirs',` ## ## # --interface(`files_manage_var_dirs',` +-interface(`files_dontaudit_search_var',` +interface(`files_dontaudit_write_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir manage_dir_perms; +- dontaudit $1 var_t:dir search_dir_perms; + dontaudit $1 usr_t:file write; ') ######################################## ## --## Read files in the /var directory. +-## List the contents of /var. +## Create, read, write, and delete files in the /usr directory. ## ## ## -@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',` +@@ -5231,18 +6233,17 @@ interface(`files_dontaudit_search_var',` ## ## # --interface(`files_read_var_files',` +-interface(`files_list_var',` +interface(`files_manage_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- read_files_pattern($1, var_t, var_t) +- allow $1 var_t:dir list_dir_perms; + manage_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Append files in the /var directory. +-## Create, read, write, and delete directories +-## in the /var directory. +## Relabel a file to the type used in /usr. 
## ## ## -@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',` +@@ -5250,17 +6251,17 @@ interface(`files_list_var',` ## ## # --interface(`files_append_var_files',` +-interface(`files_manage_var_dirs',` +interface(`files_relabelto_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- append_files_pattern($1, var_t, var_t) +- allow $1 var_t:dir manage_dir_perms; + relabelto_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Read and write files in the /var directory. +-## Read files in the /var directory. +## Relabel a file from the type used in /usr. ## ## ## -@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',` +@@ -5268,17 +6269,17 @@ interface(`files_manage_var_dirs',` ## ## # --interface(`files_rw_var_files',` +-interface(`files_read_var_files',` +interface(`files_relabelfrom_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- rw_files_pattern($1, var_t, var_t) +- read_files_pattern($1, var_t, var_t) + relabelfrom_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to read and write --## files in the /var directory. +-## Append files in the /var directory. +## Read symbolic links in /usr. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5286,36 +6287,50 @@ interface(`files_read_var_files',` ## ## # --interface(`files_dontaudit_rw_var_files',` +-interface(`files_append_var_files',` +interface(`files_read_usr_symlinks',` gen_require(` - type var_t; + type usr_t; ') -- dontaudit $1 var_t:file rw_file_perms; +- append_files_pattern($1, var_t, var_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write, and delete files in the /var directory. +-## Read and write files in the /var directory. +## Create objects in the /usr directory ## ## 
@@ -14755,60 +14781,59 @@ index f962f76..e06a46c 100644 +## +## # --interface(`files_manage_var_files',` +-interface(`files_rw_var_files',` +interface(`files_usr_filetrans',` gen_require(` - type var_t; + type usr_t; ') -- manage_files_pattern($1, var_t, var_t) +- rw_files_pattern($1, var_t, var_t) + filetrans_pattern($1, usr_t, $2, $3, $4) ') ######################################## ## --## Read symbolic links in the /var directory. +-## Do not audit attempts to read and write +-## files in the /var directory. +## Do not audit attempts to search /usr/src. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5323,17 +6338,17 @@ interface(`files_rw_var_files',` ## ## # --interface(`files_read_var_symlinks',` +-interface(`files_dontaudit_rw_var_files',` +interface(`files_dontaudit_search_src',` gen_require(` - type var_t; + type src_t; ') -- read_lnk_files_pattern($1, var_t, var_t) +- dontaudit $1 var_t:file rw_file_perms; + dontaudit $1 src_t:dir search_dir_perms; ') ######################################## ## --## Create, read, write, and delete symbolic --## links in the /var directory. +-## Create, read, write, and delete files in the /var directory. +## Get the attributes of files in /usr/src. ## ## ## -@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',` +@@ -5341,17 +6356,20 @@ interface(`files_dontaudit_rw_var_files',` ## ## # --interface(`files_manage_var_symlinks',` +-interface(`files_manage_var_files',` +interface(`files_getattr_usr_src_files',` gen_require(` - type var_t; + type usr_t, src_t; ') -- manage_lnk_files_pattern($1, var_t, var_t) +- manage_files_pattern($1, var_t, var_t) + getattr_files_pattern($1, src_t, src_t) + + # /usr/src/linux symlink: 
@@ -14817,11 +14842,61 @@ index f962f76..e06a46c 100644 ######################################## ## --## Create objects in the /var directory +-## Read symbolic links in the /var directory. +## Read files in /usr/src. ## ## ## +@@ -5359,18 +6377,20 @@ interface(`files_manage_var_files',` + ## + ## + # +-interface(`files_read_var_symlinks',` ++interface(`files_read_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- read_lnk_files_pattern($1, var_t, var_t) ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete symbolic +-## links in the /var directory. ++## Execute programs in /usr/src in the caller domain. + ## + ## + ## +@@ -5378,120 +6398,94 @@ interface(`files_read_var_symlinks',` + ## + ## + # +-interface(`files_manage_var_symlinks',` ++interface(`files_exec_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- manage_lnk_files_pattern($1, var_t, var_t) ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) + ') + + ######################################## + ## +-## Create objects in the /var directory ++## Install a system.map into the /boot directory. + ## + ## + ## ## Domain allowed access. ## ## 
@@ -14842,47 +14917,44 @@ index f962f76..e06a46c 100644 -## # -interface(`files_var_filetrans',` -+interface(`files_read_usr_src_files',` ++interface(`files_create_kernel_symbol_table',` gen_require(` - type var_t; -+ type usr_t, src_t; ++ type boot_t, system_map_t; ') - filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## ## -## Get the attributes of the /var/lib directory. -+## Execute programs in /usr/src in the caller domain. ++## Dontaudit getattr attempts on the system.map file ## ## ## -@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_getattr_var_lib_dirs',` -+interface(`files_exec_usr_src_files',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; -+ type usr_t, src_t; ++ type system_map_t; ') - getattr_dirs_pattern($1, var_t, var_lib_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) ++ dontaudit $1 system_map_t:file getattr; ') ######################################## ## -## Search the /var/lib directory. -+## Install a system.map into the /boot directory. ++## Read system.map in the /boot directory. ## -## -##
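Review bot: The interface name `files_dontaduit_getattr_kernel_symbol_table` placed at its new position in this hunk is misspelled (`dontaduit`); refpolicy interfaces are resolved by exact m4 name, so every caller has to reproduce the typo and a correctly spelled call will not expand. The name is carried over rather than introduced here — the same misspelled definition is removed from its old position in the later hunk `@@ -14905,92 +14977,93 @@` — but the new side still ships it. Define it as `files_dontaudit_getattr_kernel_symbol_table` and, if existing callers depend on the misspelling, keep a thin forwarding wrapper `interface(`files_dontaduit_getattr_kernel_symbol_table',` files_dontaudit_getattr_kernel_symbol_table($1) ')` so both names build. The inner hunk header `@@ -5429,69 +6379,56 @@` shows the enclosing inner patch hunk continues beyond this outer hunk.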

@@ -14905,92 +14977,93 @@ index f962f76..e06a46c 100644 -## # -interface(`files_search_var_lib',` -+interface(`files_create_kernel_symbol_table',` ++interface(`files_read_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; ') - search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) ') ######################################## ##

-## Do not audit attempts to search the -## contents of /var/lib. -+## Dontaudit getattr attempts on the system.map file ++## Delete a system.map in the /boot directory. ## ## ## - ## Domain to not audit. +-## Domain to not audit. ++## Domain allowed access. ## ## -## # -interface(`files_dontaudit_search_var_lib',` -+interface(`files_dontaduit_getattr_kernel_symbol_table',` ++interface(`files_delete_kernel_symbol_table',` gen_require(` - type var_lib_t; -+ type system_map_t; ++ type boot_t, system_map_t; ') - dontaudit $1 var_lib_t:dir search_dir_perms; -+ dontaudit $1 system_map_t:file getattr; ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) ') ######################################## ## -## List the contents of the /var/lib directory. -+## Read system.map in the /boot directory. ++## Search the contents of /var. ## ## ## -@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',` ## ## # -interface(`files_list_var_lib',` -+interface(`files_read_kernel_symbol_table',` ++interface(`files_search_var',` gen_require(` - type var_t, var_lib_t; -+ type boot_t, system_map_t; ++ type var_t; ') - list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) ++ allow $1 var_t:dir search_dir_perms; ') -########################################### +######################################## ## -## Read-write /var/lib directories -+## Delete a system.map in the /boot directory. ++## Do not audit attempts to write to /var. ## ## ## -@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # -interface(`files_rw_var_lib_dirs',` -+interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaudit_write_var_dirs',` gen_require(` - type var_lib_t; -+ type boot_t, system_map_t; ++ type var_t; ') - rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 var_t:dir write; ') ######################################## ## -## Create objects in the /var/lib directory -+## Search the contents of /var. ++## Allow attempts to write to /var.dirs ## ## ## @@ -15014,20 +15087,22 @@ index f962f76..e06a46c 100644 -## # -interface(`files_var_lib_filetrans',` -+interface(`files_search_var',` ++interface(`files_write_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; +- allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3, $4) ++ allow $1 var_t:dir write; ') ######################################## ## -## Read generic files in /var/lib. -+## Do not audit attempts to write to /var. ++## Do not audit attempts to search ++## the contents of /var. ## ## ## @@ -15037,7 +15112,7 @@ index f962f76..e06a46c 100644 ## # -interface(`files_read_var_lib_files',` -+interface(`files_dontaudit_write_var_dirs',` ++interface(`files_dontaudit_search_var',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15045,29 +15120,29 @@ index f962f76..e06a46c 100644 - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir write; ++ dontaudit $1 var_t:dir search_dir_perms; ') ######################################## ## -## Read generic symbolic links in /var/lib -+## Allow attempts to write to /var.dirs ++## List the contents of /var. ## ## ## -@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',` ## ## # -interface(`files_read_var_lib_symlinks',` -+interface(`files_write_var_dirs',` ++interface(`files_list_var',` gen_require(` - type var_t, var_lib_t; + type var_t; ') - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir write; ++ allow $1 var_t:dir list_dir_perms; ') -# cjp: the next two interfaces really need to be fixed @@ -15077,8 +15152,7 @@ index f962f76..e06a46c 100644 ## -## Create, read, write, and delete the -## pseudorandom number generator seed. -+## Do not audit attempts to search -+## the contents of /var. ++## Do not audit listing of the var directory (/var). ## ## ## @@ -15088,7 +15162,7 @@ index f962f76..e06a46c 100644 ## # -interface(`files_manage_urandom_seed',` -+interface(`files_dontaudit_search_var',` ++interface(`files_dontaudit_list_var',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15096,23 +15170,24 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; ++ dontaudit $1 var_t:dir list_dir_perms; ') ######################################## ## -## Allow domain to manage mount tables -## necessary for rpcd, nfsd, etc. -+## List the contents of /var. ++## Create, read, write, and delete directories ++## in the /var directory. ## ## ## -@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',` ## ## # -interface(`files_manage_mounttab',` -+interface(`files_list_var',` ++interface(`files_manage_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15120,46 +15195,44 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; ++ allow $1 var_t:dir manage_dir_perms; ') ######################################## ## -## Set the attributes of the generic lock directories. -+## Do not audit listing of the var directory (/var). ++## Read files in the /var directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',` ## ## # -interface(`files_setattr_lock_dirs',` -+interface(`files_dontaudit_list_var',` ++interface(`files_read_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - setattr_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:dir list_dir_perms; ++ read_files_pattern($1, var_t, var_t) ') ######################################## ## -## Search the locks directory (/var/lock). -+## Create, read, write, and delete directories -+## in the /var directory. ++## Append files in the /var directory. ## ## ## -@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',` ## ## # -interface(`files_search_locks',` -+interface(`files_manage_var_dirs',` ++interface(`files_append_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15167,14 +15240,14 @@ index f962f76..e06a46c 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_t:dir manage_dir_perms; ++ append_files_pattern($1, var_t, var_t) ') ######################################## ## -## Do not audit attempts to search the -## locks directory (/var/lock). -+## Read files in the /var directory. ++## Read and write files in the /var directory. ## ## ## 
@@ -15184,7 +15257,7 @@ index f962f76..e06a46c 100644 ## # -interface(`files_dontaudit_search_locks',` -+interface(`files_read_var_files',` ++interface(`files_rw_var_files',` gen_require(` - type var_lock_t; + type var_t; @@ -15192,22 +15265,24 @@ index f962f76..e06a46c 100644 - dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_lock_t:dir search_dir_perms; -+ read_files_pattern($1, var_t, var_t) ++ rw_files_pattern($1, var_t, var_t) ') ######################################## ## -## List generic lock directories. -+## Append files in the /var directory. ++## Do not audit attempts to read and write ++## files in the /var directory. ## ## ## -@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_list_locks',` -+interface(`files_append_var_files',` ++interface(`files_dontaudit_rw_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15215,23 +15290,23 @@ index f962f76..e06a46c 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) -+ append_files_pattern($1, var_t, var_t) ++ dontaudit $1 var_t:file rw_inherited_file_perms; ') ######################################## ## -## Add and remove entries in the /var/lock -## directories. -+## Read and write files in the /var directory. ++## Create, read, write, and delete files in the /var directory. ## ## ## -@@ -5726,60 +6638,54 @@ interface(`files_list_locks',` +@@ -5726,81 +6694,88 @@ interface(`files_list_locks',` ## ## # -interface(`files_rw_lock_dirs',` -+interface(`files_rw_var_files',` ++interface(`files_manage_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; 
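Review bot: The summary kept for `files_dontaudit_rw_var_files` in the hunks `@@ -15192,22 +15265,24 @@` and `@@ -15215,23 +15290,23 @@` on this line, `Do not audit attempts to read and write files in the /var directory.`, no longer describes the rule, which dontaudits only `rw_inherited_file_perms` on `var_t:file` (the base-policy form removed elsewhere in this diff used `rw_file_perms`). A reader relying on the summary would expect open attempts on /var files to be silenced as well, which this interface does not do. Suggest `## Do not audit attempts to read and write inherited (already open) files in the /var directory.`; the perm set itself appears unchanged from the previous version of the patch, where it is removed from its old position in the hunk `@@ -15266,13 +15340,14 @@` on the next line.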
@@ -15239,25 +15314,24 @@ index f962f76..e06a46c 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - rw_dirs_pattern($1, var_t, var_lock_t) -+ rw_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, var_t, var_t) ') ######################################## ## -## Create lock directories -+## Do not audit attempts to read and write -+## files in the /var directory. ++## Read symbolic links in the /var directory. ## ## -## -## Domain allowed access +## -+## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`files_create_lock_dirs',` -+interface(`files_dontaudit_rw_var_files',` ++interface(`files_read_var_symlinks',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15266,13 +15340,14 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_lock_t, var_lock_t) -+ dontaudit $1 var_t:file rw_inherited_file_perms; ++ read_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## -## Relabel to and from all lock directory types. -+## Create, read, write, and delete files in the /var directory. ++## Create, read, write, and delete symbolic ++## links in the /var directory. ## ## ## @@ -15282,7 +15357,7 @@ index f962f76..e06a46c 100644 -## # -interface(`files_relabel_all_lock_dirs',` -+interface(`files_manage_var_files',` ++interface(`files_manage_var_symlinks',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; 
@@ -15292,63 +15367,12 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Get the attributes of generic lock files. -+## Read symbolic links in the /var directory. - ## - ## - ## -@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_read_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) -+ read_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Delete generic lock files. -+## Create, read, write, and delete symbolic -+## links in the /var directory. - ## - ## - ## -@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',` - ## - ## - # --interface(`files_delete_generic_locks',` -+interface(`files_manage_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) + manage_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## --## Create, read, write, and delete generic --## lock files. +-## Get the attributes of generic lock files. +## Create objects in the /var directory ## ## @@ -15372,7 +15396,7 @@ index f962f76..e06a46c 100644 +## +## # --interface(`files_manage_generic_locks',` +-interface(`files_getattr_generic_locks',` +interface(`files_var_filetrans',` gen_require(` - type var_t, var_lock_t; 
@@ -15381,68 +15405,65 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) + filetrans_pattern($1, var_t, $2, $3, $4) ') + ######################################## ## --## Delete all lock files. +-## Delete generic lock files. +## Relabel dirs in the /var directory. ## ## ## - ## Domain allowed access. +@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',` ## ## --## # --interface(`files_delete_all_locks',` +-interface(`files_delete_generic_locks',` +interface(`files_relabel_var_dirs',` gen_require(` -- attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) +- delete_files_pattern($1, var_lock_t, var_lock_t) + allow $1 var_t:dir relabel_dir_perms; ') ######################################## ## --## Read all lock files. +-## Create, read, write, and delete generic +-## lock files. +## Get the attributes of the /var/lib directory. 
## ## ## -@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',` +@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',` ## ## # --interface(`files_read_all_locks',` +-interface(`files_manage_generic_locks',` +interface(`files_getattr_var_lib_dirs',` gen_require(` -- attribute lockfile; - type var_t, var_lock_t; + type var_t, var_lib_t; ') +- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) + getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## manage all lock files. +-## Delete all lock files. +## Search the /var/lib directory. ## +## @@ -15463,9 +15484,10 @@ index f962f76..e06a46c 100644 ## Domain allowed access. ## ## +-## +## # --interface(`files_manage_all_locks',` +-interface(`files_delete_all_locks',` +interface(`files_search_var_lib',` gen_require(` - attribute lockfile; 
@@ -15473,140 +15495,143 @@ index f962f76..e06a46c 100644 + type var_t, var_lib_t; ') +- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) +- delete_files_pattern($1, lockfile, lockfile) + search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## Create an object in the locks directory, with a private --## type using a type transition. +-## Read all lock files. +## Do not audit attempts to search the +## contents of /var/lib. ## ## ## -## Domain allowed access. --## --## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. +## Domain to not audit. ## ## +## # --interface(`files_lock_filetrans',` +-interface(`files_read_all_locks',` +interface(`files_dontaudit_search_var_lib',` gen_require(` +- attribute lockfile; - type var_t, var_lock_t; + type var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) + dontaudit $1 var_lib_t:dir search_dir_perms; ') ######################################## ## --## Do not audit attempts to get the attributes --## of the /var/run directory. +-## manage all lock files. +## List the contents of the /var/lib directory. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',` ## ## # --interface(`files_dontaudit_getattr_pid_dirs',` +-interface(`files_manage_all_locks',` +interface(`files_list_var_lib',` gen_require(` -- type var_run_t; +- attribute lockfile; +- type var_t, var_lock_t; + type var_t, var_lib_t; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) + list_dirs_pattern($1, var_t, var_lib_t) ') -######################################## +########################################### ## --## Set the attributes of the /var/run directory. +-## Create an object in the locks directory, with a private +-## type using a type transition. +## Read-write /var/lib directories ## ## ## -@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # --interface(`files_setattr_pid_dirs',` +-interface(`files_lock_filetrans',` +interface(`files_rw_var_lib_dirs',` gen_require(` -- type var_run_t; +- type var_t, var_lock_t; + type var_lib_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_lock_t, $2, $3, $4) + rw_dirs_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## --## Search the contents of runtime process --## ID directories (/var/run). +-## Do not audit attempts to get the attributes +-## of the /var/run directory. 
+## Create directories in /var/lib ## ## ## -@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_search_pids',` +-interface(`files_dontaudit_getattr_pid_dirs',` +interface(`files_create_var_lib_dirs',` gen_require(` -- type var_t, var_run_t; +- type var_run_t; + type var_lib_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; + allow $1 var_lib_t:dir { create rw_dir_perms }; ') + ######################################## ## --## Do not audit attempts to search --## the /var/run directory. +-## Set the attributes of the /var/run directory. +## Create objects in the /var/lib directory - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. +## +## @@ -15623,37 +15648,30 @@ index f962f76..e06a46c 100644 +## +## +## The name of the object being created. - ## - ## - # --interface(`files_dontaudit_search_pids',` ++## ++## ++# +interface(`files_var_lib_filetrans',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). ++') ++ ++######################################## ++## +## Read generic files in /var/lib. - ## - ## - ## -@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_read_var_lib_files',` - gen_require(` ++ gen_require(` + type var_t, var_lib_t; + ') + 
@@ -16774,11 +16792,9 @@ index f962f76..e06a46c 100644 +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) @@ -16931,34 +16947,39 @@ index f962f76..e06a46c 100644 +## +## List the contents of generic spool +## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` + ## + ## + # +-interface(`files_setattr_pid_dirs',` +interface(`files_list_spool',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; + list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## --## Read generic process ID files. +-## Search the contents of runtime process +-## ID directories (/var/run). +## Create, read, write, and delete generic +## spool directories (/var/spool). ## ## ## -@@ -6053,19 +8243,18 @@ interface(`files_list_pids',` +@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',` ## ## # --interface(`files_read_generic_pids',` +-interface(`files_search_pids',` +interface(`files_manage_generic_spool_dirs',` gen_require(` - type var_t, var_run_t; 
@@ -16966,67 +16987,74 @@ index f962f76..e06a46c 100644 ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) +- search_dirs_pattern($1, var_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## --## Write named generic process ID pipes +-## Do not audit attempts to search +-## the /var/run directory. +## Read generic spool files. ## ## ## -@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_write_generic_pid_pipes',` +-interface(`files_dontaudit_search_pids',` +interface(`files_read_generic_spool',` gen_require(` - type var_run_t; + type var_t, var_spool_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; + list_dirs_pattern($1, var_t, var_spool_t) + read_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## --## Create an object in the process ID directory, with a private type. +-## List the contents of the runtime process +-## ID directories (/var/run). +## Create, read, write, and delete generic +## spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` +interface(`files_manage_generic_spool',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic process ID files. +## Create objects in the spool directory +## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## Type to which the created node will be transitioned. 
@@ -17043,33 +17071,43 @@ index f962f76..e06a46c 100644 +## The name of the object being created. +## +## -+# + # +-interface(`files_read_generic_pids',` +interface(`files_spool_filetrans',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write named generic process ID pipes +## Allow access to manage all polyinstantiated +## directories on the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_polyinstantiate_all',` -+ gen_require(` + gen_require(` +- type var_run_t; + attribute polydir, polymember, polyparent; + type poly_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + # Need to give access to /selinux/member + selinux_compute_member($1) + @@ -17106,10 +17144,11 @@ index f962f76..e06a46c 100644 + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Unconfined access to files. +## +## @@ -17158,7 +17197,7 @@ index f962f76..e06a46c 100644 ##

## ## -@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8433,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17345,7 +17384,7 @@ index f962f76..e06a46c 100644 ##
## ## -@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8591,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17369,7 +17408,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8609,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17392,7 +17431,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8627,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17562,7 +17601,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8747,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17587,7 +17626,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6386,132 +8748,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8767,227 @@ interface(`files_search_spool',` ## ## # @@ -17861,7 +17900,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8995,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17919,7 +17958,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +9013,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -23004,7 +23043,7 @@ index e100d88..342fb1e 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..5deb336 100644 +index 8dbab4c..c4d3183 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -23299,7 +23338,20 @@ index 8dbab4c..5deb336 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) { +@@ -388,8 +480,12 @@ optional_policy(` + if( ! secure_mode_insmod ) { + allow can_load_kernmodule self:capability sys_module; + ++ files_load_kernel_modules(can_load_kernmodule) ++ + # load_module() calls stop_machine() which + # calls sched_setscheduler() ++ # gt: there seems to be no trace of the above, at ++ # least in kernel versions greater than 2.6.37... + allow can_load_kernmodule self:capability sys_nice; + kernel_setsched(can_load_kernmodule) + } +@@ -399,14 +495,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -37826,7 +37878,7 @@ index 79a45f6..6126f21 100644 + allow $1 init_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..136864b 100644 +index 17eda24..3395ea6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38006,10 +38058,11 @@ index 17eda24..136864b 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +212,25 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +212,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) ++kernel_stream_connect(init_t) +kernel_rw_stream_socket_perms(init_t) +kernel_rw_unix_dgram_sockets(init_t) +kernel_mounton_systemd_ProtectKernelTunables(init_t) @@ -38033,7 +38086,7 @@ index 17eda24..136864b 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +238,26 @@ domain_signal_all_domains(init_t) +@@ -139,14 +239,26 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) 
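Review bot: The added `# gt:` comment says the stop_machine()/sched_setscheduler() rationale no longer applies, yet `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` are kept unchanged, so the comment now contradicts the rules it sits on. Either drop the two lines or replace the note with the reason they stay, e.g. `# sys_nice/setsched still required by <reason>, verified on <kernel version>` with the placeholders filled in. `files_load_kernel_modules(can_load_kernmodule)` is the one rule here that broadens what the attribute can do, and the interface's definition is not in this hunk, so I cannot confirm it is limited to the kernel-module file type; a one-line comment naming the permission it grants would make the intent reviewable in place.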
@@ -38062,7 +38115,7 @@ index 17eda24..136864b 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +266,73 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +267,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -38141,7 +38194,7 @@ index 17eda24..136864b 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +341,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +342,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38426,7 +38479,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -216,7 +617,30 @@ optional_policy(` +@@ -216,7 +618,30 @@ optional_policy(` ') optional_policy(` @@ -38458,7 +38511,7 @@ index 17eda24..136864b 100644 ') ######################################## -@@ -225,9 +649,9 @@ optional_policy(` +@@ -225,9 +650,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38470,7 +38523,7 @@ index 17eda24..136864b 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +682,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +683,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38487,7 +38540,7 @@ index 17eda24..136864b 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +707,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +708,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -38530,7 +38583,7 @@ index 17eda24..136864b 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +744,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +745,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38542,7 +38595,7 @@ index 17eda24..136864b 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +756,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +757,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38553,7 +38606,7 @@ index 17eda24..136864b 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +767,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +768,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38563,7 +38616,7 @@ index 17eda24..136864b 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +776,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +777,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38571,7 +38624,7 @@ index 17eda24..136864b 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +783,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +784,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -38579,7 +38632,7 @@ index 17eda24..136864b 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +791,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +792,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38597,7 +38650,7 @@ index 17eda24..136864b 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +809,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +810,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38611,7 +38664,7 @@ index 17eda24..136864b 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +824,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +825,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38625,7 +38678,7 @@ index 17eda24..136864b 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +837,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +838,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38636,7 +38689,7 @@ index 17eda24..136864b 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +850,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +851,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -38644,7 +38697,7 @@ index 17eda24..136864b 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +869,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +870,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38668,7 +38721,7 @@ index 17eda24..136864b 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +902,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +903,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38676,7 +38729,7 @@ index 17eda24..136864b 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +936,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +937,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38687,7 +38740,7 @@ index 17eda24..136864b 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +960,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +961,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38696,7 +38749,7 @@ index 17eda24..136864b 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +975,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +976,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38704,7 +38757,7 @@ index 17eda24..136864b 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +996,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +997,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -38712,7 +38765,7 @@ index 17eda24..136864b 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1006,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1007,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38757,7 +38810,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -559,14 +1051,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1052,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38789,7 +38842,7 @@ index 17eda24..136864b 100644 ') ') -@@ -577,6 +1086,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1087,39 @@ ifdef(`distro_suse',` ') ') @@ -38829,7 +38882,7 @@ index 17eda24..136864b 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1131,8 @@ optional_policy(` +@@ -589,6 +1132,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38838,7 +38891,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -610,6 +1154,7 @@ optional_policy(` +@@ -610,6 +1155,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38846,7 +38899,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -626,6 +1171,17 @@ optional_policy(` +@@ -626,6 +1172,17 @@ optional_policy(` ') optional_policy(` @@ -38864,7 +38917,7 @@ index 17eda24..136864b 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1198,13 @@ optional_policy(` +@@ -642,9 +1199,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38878,7 +38931,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -657,15 +1217,11 @@ optional_policy(` +@@ -657,15 +1218,11 @@ optional_policy(` ') optional_policy(` @@ -38896,7 +38949,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -686,6 +1242,15 @@ optional_policy(` +@@ -686,6 +1243,15 @@ optional_policy(` ') optional_policy(` 
@@ -38912,7 +38965,7 @@ index 17eda24..136864b 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1291,7 @@ optional_policy(` +@@ -726,6 +1292,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38920,7 +38973,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -743,7 +1309,13 @@ optional_policy(` +@@ -743,7 +1310,13 @@ optional_policy(` ') optional_policy(` @@ -38935,7 +38988,7 @@ index 17eda24..136864b 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1338,10 @@ optional_policy(` +@@ -766,6 +1339,10 @@ optional_policy(` ') optional_policy(` @@ -38946,7 +38999,7 @@ index 17eda24..136864b 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1351,20 @@ optional_policy(` +@@ -775,10 +1352,20 @@ optional_policy(` ') optional_policy(` @@ -38967,7 +39020,7 @@ index 17eda24..136864b 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1373,10 @@ optional_policy(` +@@ -787,6 +1374,10 @@ optional_policy(` ') optional_policy(` @@ -38978,7 +39031,7 @@ index 17eda24..136864b 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1398,6 @@ optional_policy(` +@@ -808,8 +1399,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38987,7 +39040,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -818,6 +1406,10 @@ optional_policy(` +@@ -818,6 +1407,10 @@ optional_policy(` ') optional_policy(` @@ -38998,7 +39051,7 @@ index 17eda24..136864b 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1419,12 @@ optional_policy(` +@@ -827,10 +1420,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39011,7 +39064,7 @@ index 17eda24..136864b 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1451,62 @@ optional_policy(` +@@ -857,21 +1452,62 @@ optional_policy(` ') optional_policy(` 
@@ -39075,7 +39128,7 @@ index 17eda24..136864b 100644 ') optional_policy(` -@@ -887,6 +1522,10 @@ optional_policy(` +@@ -887,6 +1523,10 @@ optional_policy(` ') optional_policy(` @@ -39086,7 +39139,7 @@ index 17eda24..136864b 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1536,218 @@ optional_policy(` +@@ -897,3 +1537,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -47656,10 +47709,10 @@ index a392fc4..98c5f23 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..a0ed66f +index 0000000..db8e9dc --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,72 @@ +@@ -0,0 +1,81 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -47680,6 +47733,10 @@ index 0000000..a0ed66f +/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hwdb_exec_t,s0) + ++/usr/lib/systemd/systemd-bootchart -- gen_context(system_u:object_r:systemd_bootchart_exec_t,s0) ++ ++/usr/lib/systemd/systemd-initctl -- gen_context(system_u:object_r:systemd_initctl_exec_t,s0) ++ +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) 
@@ -47691,6 +47748,8 @@ index 0000000..a0ed66f +/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) +/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0) ++/usr/lib/systemd/system/systemd-bootchart.*\.service -- gen_context(system_u:object_r:systemd_bootchart_unit_file_t,s0) ++ +/usr/lib/systemd/system/.*halt.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*hibernate.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*power.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) @@ -47731,6 +47790,9 @@ index 0000000..a0ed66f +/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) +/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) +/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) ++ ++/var/run/log/bootchart.* -- gen_context(system_u:object_r:systemd_bootchart_var_run_t,s0) ++ +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 @@ -49543,10 +49605,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0c415d2 +index 0000000..b06bf32 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,980 @@ +@@ -0,0 +1,1016 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -49601,6 +49663,16 @@ index 0000000..0c415d2 +type systemd_networkd_var_run_t; +files_pid_file(systemd_networkd_var_run_t) + ++systemd_domain_template(systemd_initctl) ++ ++systemd_domain_template(systemd_bootchart) ++ ++type systemd_bootchart_unit_file_t; ++systemd_unit_file(systemd_bootchart_unit_file_t) ++ ++type systemd_bootchart_var_run_t; ++files_pid_file(systemd_bootchart_var_run_t) ++ +systemd_domain_template(systemd_resolved) + +type systemd_resolved_var_run_t; @@ -50527,6 +50599,32 @@ index 0000000..0c415d2 +files_read_kernel_modules(systemd_modules_load_t) +modutils_read_module_config(systemd_modules_load_t) + ++ ++####################################### ++# ++# systemd_modules_load domain ++# ++ ++allow systemd_bootchart_t self:capability2 wake_alarm; ++ ++kernel_dgram_send(systemd_bootchart_t) ++kernel_rw_kernel_sysctl(systemd_bootchart_t) ++dev_list_sysfs(systemd_bootchart_t) ++ ++domain_read_all_domains_state(systemd_bootchart_t) ++ ++manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t) ++logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file) ++ ++####################################### ++# ++# systemd_modules_load domain ++# ++ ++kernel_dgram_send(systemd_initctl_t) ++ ++init_rw_initctl(systemd_initctl_t) ++init_stream_connectto(systemd_initctl_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e..49fd32e 100644 --- a/policy/modules/system/udev.fc diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2345806..326f2f1 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -57726,7 +57726,7 @@ index 0000000..79f1250 + +fs_getattr_xattr_fs(naemon_t) diff --git a/nagios.fc b/nagios.fc -index d78dfc3..40e1c77 100644 +index d78dfc3..c781b72 100644 --- a/nagios.fc +++ b/nagios.fc @@ -1,88 +1,113 @@ 
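Review bot: Both new sections in the systemd.te hunk (`@@ -50527,6 +50599,32 @@`) carry the copied header `# systemd_modules_load domain` although the rules beneath belong to `systemd_bootchart_t` and `systemd_initctl_t`; they should read `# systemd_bootchart domain` and `# systemd_initctl domain`. `domain_read_all_domains_state(systemd_bootchart_t)` lets the domain read the /proc state of every domain on the system, which is the broadest rule in the hunk; a why-comment such as `# bootchart samples /proc/<pid> of all processes -- confirm` would let the next reader judge whether a narrower interface suffices. The `self:capability2 wake_alarm` grant likewise deserves a one-line reason, since nothing else in the hunk explains it.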
@@ -57774,13 +57774,13 @@ index d78dfc3..40e1c77 100644 + +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) +/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -+ + +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') +/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0) +/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) - ++ +# admin plugins /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) 
@@ -57792,106 +57792,132 @@ index d78dfc3..40e1c77 100644 /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) -+# mail plugins -+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) - -+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) -+ -+# system plugins - /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +- +-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_log -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_wave -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - -+# services plugins - /usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +- +-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_http -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ping -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_by_ssh -- 
gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - +- -/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) +- +-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +- +-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) +-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) +- +-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++# mail plugins ++/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++ ++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++ ++# system plugins ++/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nagios -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++ ++# services plugins ++/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ldap -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ups -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++ +# openshift plugins +/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) +/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) - --/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) --/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++ +# label all nagios plugin as unconfined by default +/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) - --/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) --/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) ++ +# eventhandlers +/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) +/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) - --/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++ diff --git a/nagios.if b/nagios.if index 0641e97..f3b1111 100644 --- a/nagios.if @@ -89271,7 +89297,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..1271bf3 100644 +index d32e1a2..7239c98 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) 
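Review bot: The new `/usr/lib(64)?/nagios/plugins/check_*` entries are likely shadowed on /usr/lib hosts by the untouched catch-all `/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` near the end of the hunk, because file-context precedence (fc_sort) ranks specs by the literal path prefix before the first regex metacharacter, and `(64)?` shortens that prefix to `/usr/lib` while the catch-all keeps `/usr/lib/nagios/plugins`; if that ordering is right, every listed plugin would end up labelled with the unconfined plugin type instead of its confined one. The catch-all and the two `eventhandlers` entries also still name only `/usr/lib`, so /usr/lib64 hosts get no default plugin label at all. Changing the catch-all to `/usr/lib(64)?/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` puts it on the same stem so the longer specific patterns win, and the eventhandlers lines want the same prefix; the result is easy to confirm with `matchpathcon /usr/lib/nagios/plugins/check_load` after a build.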
@@ -89310,13 +89336,14 @@ index d32e1a2..1271bf3 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) +kernel_read_net_sysctls(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t) ++kernel_signull(rhsmcertd_t) + +corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_http_cache_port(rhsmcertd_t) @@ -114709,7 +114736,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..b5b9ca5 100644 +index f03dcf5..482c24b 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,411 @@ @@ -115789,7 +115816,7 @@ index f03dcf5..b5b9ca5 100644 +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) -+ + +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) @@ -116045,7 +116072,7 @@ index f03dcf5..b5b9ca5 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -116133,10 +116160,10 @@ index f03dcf5..b5b9ca5 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) 
@@ -116301,7 +116328,7 @@ index f03dcf5..b5b9ca5 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1268,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116328,8 +116355,7 @@ index f03dcf5..b5b9ca5 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + container_exec_lib(virtd_lxc_t) +') @@ -116341,7 +116367,8 @@ index f03dcf5..b5b9ca5 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -116374,89 +116401,7 @@ index f03dcf5..b5b9ca5 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116546,28 +116491,112 @@ index f03dcf5..b5b9ca5 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t 
svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` 
+tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -116597,11 +116626,9 @@ index f03dcf5..b5b9ca5 100644 + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) 
@@ -116618,16 +116645,7 @@ index f03dcf5..b5b9ca5 100644 # +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; -+virt_default_capabilities(container_t) -+dontaudit container_t self:capability fsetid; -+dontaudit container_t self:capability2 block_suspend ; -+allow container_t self:process { execstack execmem }; -+manage_chr_files_pattern(container_t, container_file_t, container_file_t) -+manage_blk_files_pattern(container_t, container_file_t, container_file_t) -+ -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow container_t self:capability sys_admin; -+') ++# Policy moved to container-selinux policy package -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -dontaudit svirt_lxc_net_t self:capability2 block_suspend; @@ -116640,12 +116658,18 @@ index f03dcf5..b5b9ca5 100644 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; -- ++######################################## ++# ++# container_t local policy ++# ++virt_sandbox_domain_template(svirt_qemu_net) ++typeattribute svirt_qemu_net_t sandbox_net_domain; + -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_mknod',` -+ allow container_t self:capability mknod; -+') ++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_qemu_net_t self:capability2 block_suspend; ++allow svirt_qemu_net_t self:process { execstack execmem }; -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) 
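Review bot: The header comment added in the `@@ -116640,12 +116658,18 @@` hunk says `# container_t local policy`, but the block beneath it defines svirt_qemu_net_t; it should read `# svirt_qemu_net_t local policy`. That block also grants sys_admin, sys_ptrace, dac_override and setpcap unconditionally in `allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };`, whereas the container_t rules removed in the preceding `@@ -116618,16 +116645,7 @@` hunk gated sys_admin behind the virt_sandbox_use_sys_admin tunable; if this domain is meant to be a confined sandbox, the same boolean (or a comment stating why the unconditional grant is required) belongs here. `virt_sandbox_domain_template(container)` and `typealias container_t alias svirt_lxc_net_t;` stay in virt.te after the local rules are moved out, so it is worth confirming that the container-selinux package does not also declare container_t, which would conflict at module load. The svirt_qemu_net_t rules continue in the following hunk.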
@@ -116657,118 +116681,63 @@ index f03dcf5..b5b9ca5 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_all_caps',` -+ allow container_t self:capability all_capability_perms; -+ allow container_t self:capability2 all_capability2_perms; ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms; ++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_netlink',` -+ allow container_t self:netlink_socket create_socket_perms; -+ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+ allow container_t self:netlink_kobject_uevent_socket create_socket_perms; -+ allow container_t self:netlink_connector_socket create_socket_perms; -+ allow container_t self:netlink_crypto_socket create_socket_perms; -+ allow container_t self:netlink_fib_lookup_socket create_socket_perms; -+ allow container_t self:netlink_generic_socket create_socket_perms; -+ allow container_t self:netlink_iscsi_socket create_socket_perms; -+ allow container_t self:netlink_netfilter_socket create_socket_perms; -+ allow container_t self:netlink_rdma_socket create_socket_perms; -+ allow container_t self:netlink_scsitransport_socket create_socket_perms; -+', ` -+ logging_dontaudit_send_audit_msgs(container_t) -+') ++manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) 
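Review bot: The section header added above `virt_sandbox_domain_template(svirt_qemu_net)` reads `# container_t local policy`, but the section defines svirt_qemu_net_t; this commit corrects the identical mislabel on the svirt_kvm_net_t section later in the file (the @@ -117000 hunk) but not here, so change it to `# svirt_qemu_net_t local policy`. Separately, `allow svirt_qemu_net_t self:capability { ... sys_admin sys_ptrace dac_override ... }` grants those capabilities unconditionally, whereas the container_t rules this commit removes gated sys_admin behind the `virt_sandbox_use_sys_admin` tunable; either reuse that tunable for sys_admin or add a comment stating why a qemu sandbox needs the full set without a switch, so the widened footprint reads as deliberate rather than carried over from a move.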
++manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) -+allow container_t virt_lxc_var_run_t:dir list_dir_perms; -+allow container_t virt_lxc_var_run_t:file read_file_perms; ++term_use_generic_ptys(svirt_qemu_net_t) ++term_use_ptmx(svirt_qemu_net_t) -dev_getattr_mtrr_dev(svirt_lxc_net_t) -dev_read_rand(svirt_lxc_net_t) -dev_read_sysfs(svirt_lxc_net_t) -dev_read_urand(svirt_lxc_net_t) -+kernel_read_irq_sysctls(container_t) -+kernel_read_messages(container_t) ++dev_rw_kvm(svirt_qemu_net_t) -files_read_kernel_modules(svirt_lxc_net_t) -+dev_read_sysfs(container_t) -+dev_read_mtrr(container_t) -+dev_read_rand(container_t) -+dev_read_urand(container_t) ++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -fs_mount_cgroup(svirt_lxc_net_t) -fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) -+files_read_kernel_modules(container_t) ++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) ++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) -auth_use_nsswitch(svirt_lxc_net_t) -+fs_noxattr_type(container_file_t) ++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) -logging_send_audit_msgs(svirt_lxc_net_t) -+term_pty(container_file_t) ++kernel_read_irq_sysctls(svirt_qemu_net_t) -userdom_use_user_ptys(svirt_lxc_net_t) -+logging_send_syslog_msg(container_t) ++dev_read_sysfs(svirt_qemu_net_t) ++dev_getattr_mtrr_dev(svirt_qemu_net_t) ++dev_read_rand(svirt_qemu_net_t) ++dev_read_urand(svirt_qemu_net_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_audit',` -+ logging_send_audit_msgs(container_t) - ') +-') ++files_read_kernel_modules(svirt_qemu_net_t) -####################################### -+userdom_use_user_ptys(container_t) -+ 
-+######################################## - # +-# -# Prot exec local policy -+# container_t local policy - # -+virt_sandbox_domain_template(svirt_qemu_net) -+typeattribute svirt_qemu_net_t sandbox_net_domain; -+ -+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+dontaudit svirt_qemu_net_t self:capability2 block_suspend; -+allow svirt_qemu_net_t self:process { execstack execmem }; -+ -+tunable_policy(`virt_sandbox_use_netlink',` -+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms; -+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; -+') -+ -+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) -+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) -+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) -+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) -+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) -+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) -+ -+term_use_generic_ptys(svirt_qemu_net_t) -+term_use_ptmx(svirt_qemu_net_t) -+ -+dev_rw_kvm(svirt_qemu_net_t) -+ -+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; -+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) -+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) -+ -+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) -+ -+kernel_read_irq_sysctls(svirt_qemu_net_t) -+ -+dev_read_sysfs(svirt_qemu_net_t) -+dev_getattr_mtrr_dev(svirt_qemu_net_t) -+dev_read_rand(svirt_qemu_net_t) -+dev_read_urand(svirt_qemu_net_t) -+ -+files_read_kernel_modules(svirt_qemu_net_t) -+ +-# 
+fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) @@ -116781,7 +116750,8 @@ index f03dcf5..b5b9ca5 100644 +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') @@ -116802,7 +116772,7 @@ index f03dcf5..b5b9ca5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1570,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116817,7 +116787,7 @@ index f03dcf5..b5b9ca5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1647,7 @@ optional_policy(` +@@ -1192,7 +1588,7 @@ optional_policy(` ######################################## # @@ -116826,7 +116796,7 @@ index f03dcf5..b5b9ca5 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1597,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -117000,7 +116970,7 @@ index f03dcf5..b5b9ca5 100644 + +######################################## +# -+# container_t local policy ++# svirt_kvm_net_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; diff --git a/selinux-policy.spec b/selinux-policy.spec index 7b4a618..ad19431 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
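Review bot: The `manage_*_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)` rules and `filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })` are written against the `sandbox_net_domain` attribute, not svirt_qemu_net_t, so they also apply to svirt_kvm_net_t, which is given the same attribute further down this file, yet they sit unannotated inside the svirt_qemu_net_t section. Add `# applies to every sandbox_net_domain member (svirt_qemu_net_t, svirt_kvm_net_t), not just qemu` above the first manage_ rule, or move the group next to the attribute declaration. In the `virt_sandbox_use_netlink` block, tcpdiag gets `create_netlink_socket_perms` while netlink_socket and kobject_uevent get `create_socket_perms`; if the asymmetry is intended (tcpdiag needs nlmsg_read), a short trailing comment would stop the next reviewer from "harmonising" it.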
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 236%{?dist} +Release: 237%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,20 @@ exit 0 %endif %changelog +* Wed Feb 08 2017 Lukas Vrabec - 3.13.1-237 +- Merge pull request #187 from rhatdan/container-selinux +- Allow rhsmcertd domain signull kernel. +- Allow container-selinux to handle all policy for container processes +- Fix label for nagios plugins in nagios file conxtext file +- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 +- Add SELinux support for systemd-initctl daemon +- Add SELinux support for systemd-bootchart +- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 +- Add module_load permission to can_load_kernmodule +- Add module_load permission to class system +- Add the validate_trans access vector to the security class +- Restore connecto permssions for init_t + * Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236 - Allow kdumpgui domain to read nvme device - Add amanda_tmpfs_t label. BZ(1243752)