From 0399c8ba5430d9b981f8aa5ff125a0ec55a88a74 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 18 2014 13:22:06 +0000 Subject: - Allow du running in logwatch_t read hwdata. - Allow sys_admin capability for antivirus domians. - Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc. - Add support for pnp4nagios. - Add missing labeling for /var/lib/cockpit. - Label resolv.conf as docker_share_t under docker so we can read within a container - Remove labeling for rabbitmqctl - setfscreate in pki.te is not capability class. - Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd. - Allow wine domains to create cache dirs. - Allow newaliases to systemd inhibit pipes. - Add fixes for pki-tomcat scriptlet handling. - Allow user domains to manage all gnome home content - Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems - Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b560742..24cc48b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9590,7 +9590,7 @@ index b876c48..b2aed45 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..d79969b 100644 +index f962f76..693ce96 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -9846,7 +9846,50 @@ index f962f76..d79969b 100644 allow $1 non_security_file_type:file mounton; ') -@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',` + + ######################################## + ## ++## Get the attributes of all chr files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_all_chr_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ getattr_chr_files_pattern($1, file_type, file_type) ++') ++ ++######################################## ++## ++## Get the attributes of all blk files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_all_blk_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ getattr_blk_files_pattern($1, file_type, file_type) ++') ++ ++######################################## ++## + ## Do not audit attempts to get the attributes + ## of all files. + ## +@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## @@ -9910,7 +9953,7 @@ index f962f76..d79969b 100644 ## Read all files. ## ## -@@ -683,12 +906,125 @@ interface(`files_read_non_security_files',` +@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -9921,122 +9964,303 @@ index f962f76..d79969b 100644 ######################################## ## +-## Read all directories on the filesystem, except +-## the listed exceptions. +## Read/Write all inherited non-security files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The types to be excluded. Each type or attribute +-## must be negated by the caller. +-## +-## ++## + # +-interface(`files_read_all_dirs_except',` ++interface(`files_rw_inherited_non_security_files',` + gen_require(` +- attribute file_type; ++ attribute non_security_file_type; + ') + +- allow $1 { file_type $2 }:dir list_dir_perms; ++ allow $1 non_security_file_type:file { read write }; + ') + + ######################################## + ## +-## Read all files on the filesystem, except +-## the listed exceptions. ++## Manage all non-security files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The types to be excluded. Each type or attribute +-## must be negated by the caller. +-## +-## ++## + # +-interface(`files_read_all_files_except',` ++interface(`files_manage_non_security_files',` + gen_require(` +- attribute file_type; ++ attribute non_security_file_type; + ') + +- read_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ manage_files_pattern($1, non_security_file_type, non_security_file_type) ++ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) + ') + + ######################################## + ## +-## Read all symbolic links on the filesystem, except +-## the listed exceptions. ++## Relabel all non-security files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The types to be excluded. Each type or attribute +-## must be negated by the caller. +-## +-## ++## + # +-interface(`files_read_all_symlinks_except',` ++interface(`files_relabel_non_security_files',` + gen_require(` +- attribute file_type; ++ attribute non_security_file_type; + ') + +- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_files_pattern($1, non_security_file_type, non_security_file_type) ++ allow $1 { non_security_file_type }:dir list_dir_perms; ++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ ++ # satisfy the assertions: ++ seutil_relabelto_bin_policy($1) + ') + + ######################################## + ## +-## Get the attributes of all symbolic links. ++## Search all base file dirs. + ## + ## + ## +@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',` + ## + ## + # +-interface(`files_getattr_all_symlinks',` ++interface(`files_search_base_file_types',` + gen_require(` +- attribute file_type; ++ attribute base_file_type; + ') + +- getattr_lnk_files_pattern($1, file_type, file_type) ++ allow $1 base_file_type:dir search_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all symbolic links. ++## Relabel all base file types. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_symlinks',` ++interface(`files_relabel_base_file_types',` + gen_require(` +- attribute file_type; ++ attribute base_file_type; + ') + +- dontaudit $1 file_type:lnk_file getattr; ++ allow $1 base_file_type:dir list_dir_perms; ++ relabel_dirs_pattern($1, base_file_type , base_file_type ) ++ relabel_files_pattern($1, base_file_type , base_file_type ) ++ relabel_lnk_files_pattern($1, base_file_type , base_file_type ) ++ relabel_fifo_files_pattern($1, base_file_type , base_file_type ) ++ relabel_sock_files_pattern($1, base_file_type , base_file_type ) ++ relabel_blk_files_pattern($1, base_file_type , base_file_type ) ++ relabel_chr_files_pattern($1, base_file_type , base_file_type ) + ') + + ######################################## + ## +-## Do not audit attempts to read all symbolic links. ++## Read all directories on the filesystem, except ++## the listed exceptions. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. ++## ++## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. + ## + ## + # +-interface(`files_dontaudit_read_all_symlinks',` ++interface(`files_read_all_dirs_except',` + gen_require(` + attribute file_type; + ') + +- dontaudit $1 file_type:lnk_file read; ++ allow $1 { file_type $2 }:dir list_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of non security symbolic links. ++## Read all files on the filesystem, except ++## the listed exceptions. +## +## +## +## Domain allowed access. +## +## -+## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. ++## ++## +# -+interface(`files_rw_inherited_non_security_files',` ++interface(`files_read_all_files_except',` + gen_require(` -+ attribute non_security_file_type; ++ attribute file_type; + ') + -+ allow $1 non_security_file_type:file { read write }; ++ read_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## -+## Manage all non-security files. ++## Read all symbolic links on the filesystem, except ++## the listed exceptions. +## +## +## +## Domain allowed access. +## +## -+## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. ++## ++## +# -+interface(`files_manage_non_security_files',` ++interface(`files_read_all_symlinks_except',` + gen_require(` -+ attribute non_security_file_type; ++ attribute file_type; + ') + -+ manage_files_pattern($1, non_security_file_type, non_security_file_type) -+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ++ read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## -+## Relabel all non-security files. ++## Get the attributes of all symbolic links. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_relabel_non_security_files',` ++interface(`files_getattr_all_symlinks',` + gen_require(` -+ attribute non_security_file_type; ++ attribute file_type; + ') + -+ relabel_files_pattern($1, non_security_file_type, non_security_file_type) -+ allow $1 { non_security_file_type }:dir list_dir_perms; -+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) -+ -+ # satisfy the assertions: -+ seutil_relabelto_bin_policy($1) ++ getattr_lnk_files_pattern($1, file_type, file_type) +') + +######################################## +## -+## Search all base file dirs. ++## Do not audit attempts to get the attributes ++## of all symbolic links. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_search_base_file_types',` ++interface(`files_dontaudit_getattr_all_symlinks',` + gen_require(` -+ attribute base_file_type; ++ attribute file_type; + ') + -+ allow $1 base_file_type:dir search_dir_perms; ++ dontaudit $1 file_type:lnk_file getattr; +') + +######################################## +## -+## Relabel all base file types. ++## Do not audit attempts to read all symbolic links. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_relabel_base_file_types',` ++interface(`files_dontaudit_read_all_symlinks',` + gen_require(` -+ attribute base_file_type; ++ attribute file_type; + ') + -+ allow $1 base_file_type:dir list_dir_perms; -+ relabel_dirs_pattern($1, base_file_type , base_file_type ) -+ relabel_files_pattern($1, base_file_type , base_file_type ) -+ relabel_lnk_files_pattern($1, base_file_type , base_file_type ) -+ relabel_fifo_files_pattern($1, base_file_type , base_file_type ) -+ relabel_sock_files_pattern($1, base_file_type , base_file_type ) -+ relabel_blk_files_pattern($1, base_file_type , base_file_type ) -+ relabel_chr_files_pattern($1, base_file_type , base_file_type ) ++ dontaudit $1 file_type:lnk_file read; +') + +######################################## +## - ## Read all directories on the filesystem, except - ## the listed exceptions. ++## Do not audit attempts to get the attributes ++## of non security symbolic links. ## -@@ -953,6 +1289,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` + ## + ## +@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -10062,29 +10286,24 @@ index f962f76..d79969b 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,8 +1346,8 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## --## Do not audit attempts to get the attributes --## of non security named sockets. +## Do not audit attempts to read +## of all named sockets. - ## - ## - ## -@@ -1000,12 +1355,50 @@ interface(`files_dontaudit_getattr_all_sockets',` - ## - ## - # --interface(`files_dontaudit_getattr_non_security_sockets',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_read_all_sockets',` - gen_require(` -- attribute non_security_file_type; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 non_security_file_type:sock_file getattr; ++ ') ++ + dontaudit $1 file_type:sock_file read; +') + @@ -10109,25 +10328,10 @@ index f962f76..d79969b 100644 + +######################################## +## -+## Do not audit attempts to get the attributes -+## of non security named sockets. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_non_security_sockets',` -+ gen_require(` -+ attribute non_security_file_type; -+ ') -+ -+ dontaudit $1 non_security_file_type:sock_file getattr; - ') - - ######################################## -@@ -1073,10 +1466,8 @@ interface(`files_relabel_all_files',` + ## Do not audit attempts to get the attributes + ## of non security named sockets. + ## +@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -10140,7 +10344,7 @@ index f962f76..d79969b 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1573,6 @@ interface(`files_list_all',` +@@ -1182,24 +1609,6 @@ interface(`files_list_all',` ######################################## ## @@ -10165,7 +10369,7 @@ index f962f76..d79969b 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1816,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -10175,7 +10379,7 @@ index f962f76..d79969b 100644 ') ############################################# -@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',` +@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## @@ -10200,7 +10404,7 @@ index f962f76..d79969b 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -10225,11 +10429,144 @@ index f962f76..d79969b 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1709,6 +2115,60 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## +-## List the contents of the root directory. +## Do not audit attempts to unmount all mount points. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_root',` ++interface(`files_dontaudit_unmount_all_mountpoints',` + gen_require(` +- type root_t; ++ attribute mountpoint; + ') + +- allow $1 root_t:dir list_dir_perms; +- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ++ dontaudit $1 mountpoint:filesystem unmount; + ') + + ######################################## + ## +-## Do not audit attempts to write to / dirs. ++## Read all mountpoint symbolic links. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_write_root_dirs',` ++interface(`files_read_all_mountpoint_symlinks',` + gen_require(` +- type root_t; ++ attribute mountpoint; + ') + +- dontaudit $1 root_t:dir write; ++ allow $1 mountpoint:lnk_file read_lnk_file_perms; + ') + +-################### ++######################################## + ## +-## Do not audit attempts to write +-## files in the root directory. ++## Write all file type directories. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_root_dir',` ++interface(`files_write_all_dirs',` + gen_require(` +- type root_t; ++ attribute file_type; + ') + +- dontaudit $1 root_t:dir rw_dir_perms; ++ allow $1 file_type:dir write; + ') + + ######################################## + ## +-## Create an object in the root directory, with a private +-## type using a type transition. ++## List the contents of the root directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_root_filetrans',` ++interface(`files_list_root',` + gen_require(` + type root_t; + ') + +- filetrans_pattern($1, root_t, $2, $3, $4) ++ allow $1 root_t:dir list_dir_perms; ++ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + ') +- + ######################################## + ## +-## Do not audit attempts to read files in +-## the root directory. ++## Do not audit attempts to write to / dirs. + ## + ## + ## +@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',` + ## + ## + # +-interface(`files_dontaudit_read_root_files',` ++interface(`files_write_root_dirs',` + gen_require(` + type root_t; + ') + +- dontaudit $1 root_t:file { getattr read }; ++ allow $1 root_t:dir write; + ') + + ######################################## + ## +-## Do not audit attempts to read or write ++## Do not audit attempts to write to / dirs. +## +## +## @@ -10237,85 +10574,91 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_dontaudit_unmount_all_mountpoints',` ++interface(`files_dontaudit_write_root_dirs',` + gen_require(` -+ attribute mountpoint; ++ type root_t; + ') + -+ dontaudit $1 mountpoint:filesystem unmount; ++ dontaudit $1 root_t:dir write; +') + -+######################################## ++################### +## -+## Read all mountpoint symbolic links. ++## Do not audit attempts to write ++## files in the root directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_read_all_mountpoint_symlinks',` ++interface(`files_dontaudit_rw_root_dir',` + gen_require(` -+ attribute mountpoint; ++ type root_t; + ') + -+ allow $1 mountpoint:lnk_file read_lnk_file_perms; ++ dontaudit $1 root_t:dir rw_dir_perms; +') + +######################################## +## -+## Write all file type directories. ++## Do not audit attempts to check the ++## access on root directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_write_all_dirs',` ++interface(`files_dontaudit_access_check_root',` + gen_require(` -+ attribute file_type; ++ type root_t; + ') + -+ allow $1 file_type:dir write; ++ dontaudit $1 root_t:dir_file_class_set audit_access; +') + ++ +######################################## +## - ## List the contents of the root directory. - ## - ## -@@ -1725,6 +2185,23 @@ interface(`files_list_root',` - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; - ') -+######################################## -+## -+## Do not audit attempts to write to / dirs. ++## Create an object in the root directory, with a private ++## type using a type transition. +## +## +## -+## Domain to not audit. ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. +## +## +# -+interface(`files_write_root_dirs',` ++interface(`files_root_filetrans',` + gen_require(` + type root_t; + ') + -+ allow $1 root_t:dir write; ++ filetrans_pattern($1, root_t, $2, $3, $4) +') - - ######################################## - ## -@@ -1765,6 +2242,26 @@ interface(`files_dontaudit_rw_root_dir',` - - ######################################## - ## -+## Do not audit attempts to check the -+## access on root directory. ++ ++######################################## ++## ++## Do not audit attempts to read files in ++## the root directory. +## +## +## @@ -10323,21 +10666,21 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_dontaudit_access_check_root',` ++interface(`files_dontaudit_read_root_files',` + gen_require(` + type root_t; + ') + -+ dontaudit $1 root_t:dir_file_class_set audit_access; ++ dontaudit $1 root_t:file { getattr read }; +') + -+ +######################################## +## - ## Create an object in the root directory, with a private - ## type using a type transition. ++## Do not audit attempts to read or write + ## files in the root directory. ## -@@ -1892,25 +2389,25 @@ interface(`files_delete_root_dir_entry',` + ## +@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10369,7 +10712,7 @@ index f962f76..d79969b 100644 ## ## ## -@@ -1923,7 +2420,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -10378,7 +10721,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -1946,6 +2443,42 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10421,7 +10764,7 @@ index f962f76..d79969b 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2714,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10446,7 +10789,7 @@ index f962f76..d79969b 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3196,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10471,7 +10814,7 @@ index f962f76..d79969b 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3285,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10479,7 +10822,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -2724,7 +3294,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10488,7 +10831,7 @@ index f962f76..d79969b 100644 ## ## # -@@ -2780,6 +3350,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10514,7 +10857,7 @@ index f962f76..d79969b 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3387,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10539,7 +10882,7 @@ index f962f76..d79969b 100644 ## Execute generic files in /etc. ## ## -@@ -2963,26 +3570,8 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10561,14 +10904,10 @@ index f962f76..d79969b 100644 - -######################################## -## --## Read files in /etc that are dynamically --## created on boot, such as mtab. -+## Read files in /etc that are dynamically -+## created on boot, such as mtab. + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. ## - ## - ##

-@@ -3021,9 +3610,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -10579,7 +10918,7 @@ index f962f76..d79969b 100644 ## ## ## -@@ -3031,18 +3618,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10601,7 +10940,7 @@ index f962f76..d79969b 100644 ## ## ## -@@ -3060,6 +3646,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10628,7 +10967,7 @@ index f962f76..d79969b 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3683,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10636,7 +10975,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3098,6 +3705,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10644,84 +10983,110 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3142,10 +3750,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir getattr; -+') -+ -+######################################## -+## -+## Getattr all file opbjects on new filesystems -+## that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_isid_type',` -+ gen_require(` -+ type unlabeled_t; ') - allow $1 file_t:dir getattr; -+ allow $1 unlabeled_t:dir_file_class_set getattr; -+') -+ -+######################################## -+## -+## Setattr of directories on new filesystems -+## that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_isid_type_dirs',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir setattr; ++ allow $1 unlabeled_t:dir getattr; ') ######################################## -@@ -3161,10 +3807,10 @@ interface(`files_getattr_isid_type_dirs',` + ## +-## Do not audit attempts to search directories on new filesystems ++## Getattr all file opbjects on new filesystems + ## that have not yet been labeled. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## # - interface(`files_dontaudit_search_isid_type_dirs',` +-interface(`files_dontaudit_search_isid_type_dirs',` ++interface(`files_getattr_isid_type',` gen_require(` - type file_t; + type unlabeled_t; ') - dontaudit $1 file_t:dir search_dir_perms; -+ dontaudit $1 unlabeled_t:dir search_dir_perms; ++ allow $1 unlabeled_t:dir_file_class_set getattr; ') ######################################## -@@ -3180,10 +3826,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` - # - interface(`files_list_isid_type_dirs',` - gen_require(` -- type file_t; -+ type unlabeled_t; + ## +-## List the contents of directories on new filesystems ++## Setattr of directories on new filesystems + ## that have not yet been labeled. + ## + ## +@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',` + ## + ## + # +-interface(`files_list_isid_type_dirs',` ++interface(`files_setattr_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; ') - allow $1 file_t:dir list_dir_perms; -+ allow $1 unlabeled_t:dir list_dir_perms; ++ allow $1 unlabeled_t:dir setattr; ') ######################################## -@@ -3199,10 +3845,10 @@ interface(`files_list_isid_type_dirs',` + ## +-## Read and write directories on new filesystems ++## Do not audit attempts to search directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_isid_type_dirs',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ dontaudit $1 unlabeled_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_isid_type_dirs',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Read and write directories on new filesystems + ## that have not yet been labeled. + ## + ## +@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -10734,7 +11099,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3218,10 +3864,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -10777,8 +11142,9 @@ index f962f76..d79969b 100644 +interface(`files_mounton_isid',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- delete_dirs_pattern($1, file_t, file_t) + allow $1 unlabeled_t:dir mounton; +') + @@ -10796,14 +11162,13 @@ index f962f76..d79969b 100644 +interface(`files_relabelfrom_isid_type',` + gen_require(` + type unlabeled_t; - ') - -- delete_dirs_pattern($1, file_t, file_t) ++ ') ++ + dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') ######################################## -@@ -3237,10 +3939,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -10816,7 +11181,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3256,10 +3958,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -10848,7 +11213,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3275,10 +3996,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -10861,7 +11226,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3294,10 +4015,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -10874,7 +11239,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3313,10 +4034,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -10887,7 +11252,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3332,10 +4053,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -10900,7 +11265,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3351,10 +4072,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -10913,7 +11278,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3370,10 +4091,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -10926,7 +11291,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3389,10 +4110,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -10939,7 +11304,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3408,10 +4129,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -10952,7 +11317,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3427,10 +4148,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -10965,7 +11330,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3446,10 +4167,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -10978,7 +11343,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3465,10 +4186,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -11010,7 +11375,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3484,10 +4224,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -11023,7 +11388,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3503,10 +4243,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -11036,7 +11401,7 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -3552,6 +4292,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## @@ -11064,7 +11429,7 @@ index f962f76..d79969b 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4575,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -11108,98 +11473,64 @@ index f962f76..d79969b 100644 ') ######################################## -@@ -4217,174 +4996,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') --######################################## +####################################### - ## --## Allow the specified type to associate --## to a filesystem with the type of the --## temporary directory (/tmp). ++## +## Read manageable system configuration files in /etc - ## --## --## --## Type of the file to associate. --## ++## +## +## +## Domain allowed access. +## - ## - # --interface(`files_associate_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:filesystem associate; ++ + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) - ') - --######################################## ++') ++ +###################################### - ## --## Get the attributes of the tmp directory (/tmp). ++## +## Manage manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir getattr; ++ + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) - ') - --######################################## ++') ++ +##################################### - ## --## Do not audit attempts to get the --## attributes of the tmp directory (/tmp). ++## +## File name transition for system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t, usr_t; + ') - -- dontaudit $1 tmp_t:dir getattr; ++ + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") @@ -11220,129 +11551,87 @@ index f962f76..d79969b 100644 + filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d") + filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") + filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") - ') - --######################################## ++') ++ +###################################### - ## --## Search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') - -- allow $1 tmp_t:dir search_dir_perms; ++ + relabelto_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit attempts to search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - -- dontaudit $1 tmp_t:dir search_dir_perms; ++ + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +################################### - ## --## Read the tmp directory (/tmp). ++## +## Create files in /etc with the type used for +## the manageable system config files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## The type of the process performing this action. +## - ## - # --interface(`files_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir list_dir_perms; ++ + filetrans_pattern($1, etc_t, system_conf_t, file) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit listing of the tmp directory (/tmp). ++## +## Manage manageable system db files in /var/lib. - ## - ## --## --## Domain not to audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- dontaudit $1 tmp_t:dir list_dir_perms; ++ + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) - ') - --######################################## ++') ++ +##################################### - ## --## Remove entries from the tmp directory. ++## +## File name transition for system db files in /var/lib. - ## - ## ++## ++## +## +## Domain allowed access. +## @@ -11357,106 +11646,67 @@ index f962f76..d79969b 100644 + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") +') + -+######################################## -+## + ######################################## + ## + ## Allow the specified type to associate +@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',` + + ######################################## + ## +## Allow the specified type to associate +## to a filesystem with the type of the -+## temporary directory (/tmp). ++## / file system +## +## - ## --## Domain allowed access. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_delete_tmp_dir_entry',` -+interface(`files_associate_tmp',` - gen_require(` ++## ++## ++# ++interface(`files_associate_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:filesystem associate; ++') ++ ++######################################## ++## + ## Get the attributes of the tmp directory (/tmp). + ## + ## +@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') -- allow $1 tmp_t:dir del_entry_dir_perms; -+ allow $1 tmp_t:filesystem associate; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Read files in the tmp directory (/tmp). -+## Allow the specified type to associate -+## to a filesystem with the type of the -+## / file system - ## --## -+## - ## --## Domain allowed access. -+## Type of the file to associate. - ## - ## - # --interface(`files_read_generic_tmp_files',` -+interface(`files_associate_rootfs',` - gen_require(` -- type tmp_t; -+ type root_t; - ') - -- read_files_pattern($1, tmp_t, tmp_t) -+ allow $1 root_t:filesystem associate; - ') - - ######################################## - ## --## Manage temporary directories in /tmp. -+## Get the attributes of the tmp directory (/tmp). - ## - ## - ## -@@ -4392,53 +5215,56 @@ interface(`files_read_generic_tmp_files',` - ## - ## - # --interface(`files_manage_generic_tmp_dirs',` -+interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - -- manage_dirs_pattern($1, tmp_t, tmp_t) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Manage temporary files and directories in /tmp. +## Do not audit attempts to check the +## access on tmp files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_generic_tmp_files',` ++## ++## ++# +interface(`files_dontaudit_access_check_tmp',` - gen_require(` -- type tmp_t; ++ gen_require(` + type etc_t; - ') - -- manage_files_pattern($1, tmp_t, tmp_t) ++ ') ++ + dontaudit $1 tmp_t:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). -+## Do not audit attempts to get the -+## attributes of the tmp directory (/tmp). ++') ++ ++######################################## ++## + ## Do not audit attempts to get the + ## attributes of the tmp directory (/tmp). ## ## ## @@ -11465,221 +11715,85 @@ index f962f76..d79969b 100644 ## ## # --interface(`files_read_generic_tmp_symlinks',` -+interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - -- read_lnk_files_pattern($1, tmp_t, tmp_t) -+ dontaudit $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Read and write generic named sockets in the tmp directory (/tmp). -+## Search the tmp directory (/tmp). - ## - ## - ## -@@ -4446,35 +5272,37 @@ interface(`files_read_generic_tmp_symlinks',` - ## - ## - # --interface(`files_rw_generic_tmp_sockets',` -+interface(`files_search_tmp',` - gen_require(` +@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir search_dir_perms; - ') - - ######################################## - ## --## Set the attributes of all tmp directories. -+## Do not audit attempts to search the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_dontaudit_search_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; -+ dontaudit $1 tmp_t:dir search_dir_perms; + allow $1 tmp_t:dir search_dir_perms; ') - ######################################## - ## --## List all tmp directories. -+## Read the tmp directory (/tmp). - ## - ## - ## -@@ -4482,59 +5310,55 @@ interface(`files_setattr_all_tmp_dirs',` - ## - ## - # --interface(`files_list_all_tmp',` -+interface(`files_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; +@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',` + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir list_dir_perms; + allow $1 tmp_t:dir list_dir_perms; ') - ######################################## - ## --## Relabel to and from all temporary --## directory types. -+## Do not audit listing of the tmp directory (/tmp). +@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',` ## ## ## --## Domain allowed access. +-## Domain not to audit. +## Domain to not audit. ## ## --## # --interface(`files_relabel_all_tmp_dirs',` -+interface(`files_dontaudit_list_tmp',` - gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) -+ dontaudit $1 tmp_t:dir list_dir_perms; +@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',` + dontaudit $1 tmp_t:dir list_dir_perms; ') -######################################## +####################################### ## --## Do not audit attempts to get the attributes --## of all tmp files. +-## Remove entries from the tmp directory. +## Allow read and write to the tmp directory (/tmp). ## ## -## --## Domain not to audit. +-## Domain allowed access. -## +## +## Domain not to audit. +## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -- gen_require(` -- attribute tmpfile; -- ') ++## ++# +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') - -- dontaudit $1 tmpfile:file getattr; ++ + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; - ') - - ######################################## - ## --## Allow attempts to get the attributes --## of all tmp files. ++') ++ ++######################################## ++## +## Remove entries from the tmp directory. - ## - ## - ## -@@ -4542,110 +5366,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## ++## ++## ++## ++## Domain allowed access. ++## ## # --interface(`files_getattr_all_tmp_files',` -+interface(`files_delete_tmp_dir_entry',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; + interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; ') -- allow $1 tmpfile:file getattr; + files_search_tmp($1) -+ allow $1 tmp_t:dir del_entry_dir_perms; - ') - - ######################################## - ## --## Relabel to and from all temporary --## file types. -+## Read files in the tmp directory (/tmp). - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_files',` -+interface(`files_read_generic_tmp_files',` - gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) -+ read_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir del_entry_dir_perms; ') - ######################################## - ## --## Do not audit attempts to get the attributes --## of all tmp sock_file. -+## Manage temporary directories in /tmp. - ## - ## - ## --## Domain not to audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_sockets',` -+interface(`files_manage_generic_tmp_dirs',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- dontaudit $1 tmpfile:sock_file getattr; -+ manage_dirs_pattern($1, tmp_t, tmp_t) - ') +@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## --## Read all tmp files. +## Allow shared library text relocations in tmp files. - ## ++## +## +##

+## Allow shared library text relocations in tmp files. @@ -11688,2239 +11802,48 @@ index f962f76..d79969b 100644 +## This is added to support java policy. +##

+## - ## - ## - ## Domain allowed access. - ## - ## - # --interface(`files_read_all_tmp_files',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_execmod_tmp',` - gen_require(` - attribute tmpfile; - ') - -- read_files_pattern($1, tmpfile, tmpfile) ++ gen_require(` ++ attribute tmpfile; ++ ') ++ + allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Create an object in the tmp directories, with a private --## type using a type transition. -+## Manage temporary files and directories in /tmp. ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. ## ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_tmp_filetrans',` -+interface(`files_manage_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - -- filetrans_pattern($1, tmp_t, $2, $3, $4) -+ manage_files_pattern($1, tmp_t, tmp_t) - ') +@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Delete the contents of /tmp. -+## Read symbolic links in the tmp directory (/tmp). - ## - ## - ## -@@ -4653,22 +5465,17 @@ interface(`files_tmp_filetrans',` - ## - ## - # --interface(`files_purge_tmp',` -+interface(`files_read_generic_tmp_symlinks',` - gen_require(` -- attribute tmpfile; ++## Relabel a dir from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_dirs',` ++ gen_require(` + type tmp_t; - ') - -- allow $1 tmpfile:dir list_dir_perms; -- delete_dirs_pattern($1, tmpfile, tmpfile) -- delete_files_pattern($1, tmpfile, tmpfile) -- delete_lnk_files_pattern($1, tmpfile, tmpfile) -- delete_fifo_files_pattern($1, tmpfile, tmpfile) -- delete_sock_files_pattern($1, tmpfile, tmpfile) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Set the attributes of the /usr directory. -+## Read and write generic named sockets in the tmp directory (/tmp). - ## - ## - ## -@@ -4676,17 +5483,17 @@ interface(`files_purge_tmp',` - ## - ## - # --interface(`files_setattr_usr_dirs',` -+interface(`files_rw_generic_tmp_sockets',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- allow $1 usr_t:dir setattr; -+ rw_sock_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Search the content of /usr. -+## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -4694,18 +5501,17 @@ interface(`files_setattr_usr_dirs',` - ## - ## - # --interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## List the contents of generic --## directories in /usr. -+## Relabel a file from the type used in /tmp. - ## - ## - ## -@@ -4713,35 +5519,35 @@ interface(`files_search_usr',` - ## - ## - # --interface(`files_list_usr',` -+interface(`files_relabelfrom_tmp_files',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- allow $1 usr_t:dir list_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Do not audit write of /usr dirs -+## Set the attributes of all tmp directories. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_setattr_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; - ') - - ######################################## - ## --## Add and remove entries from /usr directories. -+## Allow caller to read inherited tmp files. - ## - ## - ## -@@ -4749,36 +5555,35 @@ interface(`files_dontaudit_write_usr_dirs',` - ## - ## - # --interface(`files_rw_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; - ') - - ######################################## - ## --## Do not audit attempts to add and remove --## entries from /usr directories. -+## Allow caller to append inherited tmp files. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; - ') - - ######################################## - ## --## Delete generic directories in /usr in the caller domain. -+## Allow caller to read and write inherited tmp files. - ## - ## - ## -@@ -4786,17 +5591,17 @@ interface(`files_dontaudit_rw_usr_dirs',` - ## - ## - # --interface(`files_delete_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Delete generic files in /usr in the caller domain. -+## List all tmp directories. - ## - ## - ## -@@ -4804,73 +5609,59 @@ interface(`files_delete_usr_dirs',` - ## - ## - # --interface(`files_delete_usr_files',` -+interface(`files_list_all_tmp',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- delete_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; - ') - - ######################################## - ## --## Get the attributes of files in /usr. -+## Relabel to and from all temporary -+## directory types. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_getattr_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; - ') - -- getattr_files_pattern($1, usr_t, usr_t) --') -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) -+') - - ######################################## - ## --## Read generic files in /usr. -+## Do not audit attempts to get the attributes -+## of all tmp files. - ## --## --##

--## Allow the specified domain to read generic --## files in /usr. These files are various program --## files that do not have more specific SELinux types. --## Some examples of these files are: --##

--##
    --##
  • /usr/include/*
    • --##
  • /usr/share/doc/*
    • --##
  • /usr/share/info/*
    • --##
--##

--## Generally, it is safe for many domains to have --## this access. --##

--## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## --## - # --interface(`files_read_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- allow $1 usr_t:dir list_dir_perms; -- read_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; - ') - - ######################################## - ## --## Execute generic programs in /usr in the caller domain. -+## Allow attempts to get the attributes -+## of all tmp files. - ## - ## - ## -@@ -4878,55 +5669,58 @@ interface(`files_read_usr_files',` - ## - ## - # --interface(`files_exec_usr_files',` -+interface(`files_getattr_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- allow $1 usr_t:dir list_dir_perms; -- exec_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; - ') - - ######################################## - ## --## dontaudit write of /usr files -+## Relabel to and from all temporary -+## file types. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_write_usr_files',` -+interface(`files_relabel_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; - ') - -- dontaudit $1 usr_t:file write; -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /usr directory. -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_sockets',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:sock_file getattr; - ') - - ######################################## - ## --## Relabel a file to the type used in /usr. -+## Read all tmp files. - ## - ## - ## -@@ -4934,67 +5728,70 @@ interface(`files_manage_usr_files',` - ## - ## - # --interface(`files_relabelto_usr_files',` -+interface(`files_read_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- relabelto_files_pattern($1, usr_t, usr_t) -+ read_files_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Relabel a file from the type used in /usr. -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_relabelfrom_usr_files',` -+interface(`files_dontaudit_tmp_file_leaks',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- relabelfrom_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read symbolic links in /usr. -+## Do allow attempts to read or write -+## all leaked tmpfiles files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_usr_symlinks',` -+interface(`files_rw_tmp_file_leaks',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Create objects in the /usr directory -+## Create an object in the tmp directories, with a private -+## type using a type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## - ## --## The type of the object to be created -+## The type of the object to be created. - ## - ## --## -+## - ## --## The object class. -+## The object class of the object being created. - ## - ## - ## -@@ -5003,35 +5800,50 @@ interface(`files_read_usr_symlinks',` - ## - ## - # --interface(`files_usr_filetrans',` -+interface(`files_tmp_filetrans',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- filetrans_pattern($1, usr_t, $2, $3, $4) -+ filetrans_pattern($1, tmp_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to search /usr/src. -+## Delete the contents of /tmp. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_src',` -+interface(`files_purge_tmp',` - gen_require(` -- type src_t; -+ attribute tmpfile; - ') - -- dontaudit $1 src_t:dir search_dir_perms; -+ allow $1 tmpfile:dir list_dir_perms; -+ delete_dirs_pattern($1, tmpfile, tmpfile) -+ delete_files_pattern($1, tmpfile, tmpfile) -+ delete_lnk_files_pattern($1, tmpfile, tmpfile) -+ delete_fifo_files_pattern($1, tmpfile, tmpfile) -+ delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') - - ######################################## - ## --## Get the attributes of files in /usr/src. -+## Set the attributes of the /usr directory. - ## - ## - ## -@@ -5039,20 +5851,17 @@ interface(`files_dontaudit_search_src',` - ## - ## - # --interface(`files_getattr_usr_src_files',` -+interface(`files_setattr_usr_dirs',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) -+ allow $1 usr_t:dir setattr; - ') - - ######################################## - ## --## Read files in /usr/src. -+## Search the content of /usr. - ## - ## - ## -@@ -5060,20 +5869,18 @@ interface(`files_getattr_usr_src_files',` - ## - ## - # --interface(`files_read_usr_src_files',` -+interface(`files_search_usr',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - - allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Execute programs in /usr/src in the caller domain. -+## List the contents of generic -+## directories in /usr. - ## - ## - ## -@@ -5081,38 +5888,35 @@ interface(`files_read_usr_src_files',` - ## - ## - # --interface(`files_exec_usr_src_files',` -+interface(`files_list_usr',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) -+ allow $1 usr_t:dir list_dir_perms; - ') - - ######################################## - ## --## Install a system.map into the /boot directory. -+## Do not audit write of /usr dirs - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_create_kernel_symbol_table',` -+interface(`files_dontaudit_write_usr_dirs',` - gen_require(` -- type boot_t, system_map_t; -+ type usr_t; - ') - -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; -+ dontaudit $1 usr_t:dir write; - ') - - ######################################## - ## --## Read system.map in the /boot directory. -+## Add and remove entries from /usr directories. - ## - ## - ## -@@ -5120,37 +5924,36 @@ interface(`files_create_kernel_symbol_table',` - ## - ## - # --interface(`files_read_kernel_symbol_table',` -+interface(`files_rw_usr_dirs',` - gen_require(` -- type boot_t, system_map_t; -+ type usr_t; - ') - -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) -+ allow $1 usr_t:dir rw_dir_perms; - ') - - ######################################## - ## --## Delete a system.map in the /boot directory. -+## Do not audit attempts to add and remove -+## entries from /usr directories. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_delete_kernel_symbol_table',` -+interface(`files_dontaudit_rw_usr_dirs',` - gen_require(` -- type boot_t, system_map_t; -+ type usr_t; - ') - -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) -+ dontaudit $1 usr_t:dir rw_dir_perms; - ') - - ######################################## - ## --## Search the contents of /var. -+## Delete generic directories in /usr in the caller domain. - ## - ## - ## -@@ -5158,35 +5961,35 @@ interface(`files_delete_kernel_symbol_table',` - ## - ## - # --interface(`files_search_var',` -+interface(`files_delete_usr_dirs',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to write to /var. -+## Delete generic files in /usr in the caller domain. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_write_var_dirs',` -+interface(`files_delete_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir write; -+ delete_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Allow attempts to write to /var.dirs -+## Get the attributes of files in /usr. - ## - ## - ## -@@ -5194,36 +5997,55 @@ interface(`files_dontaudit_write_var_dirs',` - ## - ## - # --interface(`files_write_var_dirs',` -+interface(`files_getattr_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir write; -+ getattr_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to search --## the contents of /var. -+## Read generic files in /usr. - ## -+## -+##

-+## Allow the specified domain to read generic -+## files in /usr. These files are various program -+## files that do not have more specific SELinux types. -+## Some examples of these files are: -+##

-+##
    -+##
  • /usr/include/*
    • -+##
  • /usr/share/doc/*
    • -+##
  • /usr/share/info/*
    • -+##
-+##

-+## Generally, it is safe for many domains to have -+## this access. -+##

-+## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_search_var',` -+interface(`files_read_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir search_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ read_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## List the contents of /var. -+## Execute generic programs in /usr in the caller domain. - ## - ## - ## -@@ -5231,36 +6053,37 @@ interface(`files_dontaudit_search_var',` - ## - ## - # --interface(`files_list_var',` -+interface(`files_exec_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir list_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ exec_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete directories --## in the /var directory. -+## dontaudit write of /usr files - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_var_dirs',` -+interface(`files_dontaudit_write_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir manage_dir_perms; -+ dontaudit $1 usr_t:file write; - ') - - ######################################## - ## --## Read files in the /var directory. -+## Create, read, write, and delete files in the /usr directory. - ## - ## - ## -@@ -5268,17 +6091,17 @@ interface(`files_manage_var_dirs',` - ## - ## - # --interface(`files_read_var_files',` -+interface(`files_manage_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- read_files_pattern($1, var_t, var_t) -+ manage_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Append files in the /var directory. -+## Relabel a file to the type used in /usr. - ## - ## - ## -@@ -5286,17 +6109,17 @@ interface(`files_read_var_files',` - ## - ## - # --interface(`files_append_var_files',` -+interface(`files_relabelto_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- append_files_pattern($1, var_t, var_t) -+ relabelto_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Read and write files in the /var directory. -+## Relabel a file from the type used in /usr. - ## - ## - ## -@@ -5304,73 +6127,86 @@ interface(`files_append_var_files',` - ## - ## - # --interface(`files_rw_var_files',` -+interface(`files_relabelfrom_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- rw_files_pattern($1, var_t, var_t) -+ relabelfrom_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. -+## Read symbolic links in /usr. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_var_files',` -+interface(`files_read_usr_symlinks',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:file rw_file_perms; -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /var directory. -+## Create objects in the /usr directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_manage_var_files',` -+interface(`files_usr_filetrans',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- manage_files_pattern($1, var_t, var_t) -+ filetrans_pattern($1, usr_t, $2, $3, $4) - ') - - ######################################## - ## --## Read symbolic links in the /var directory. -+## Do not audit attempts to search /usr/src. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_var_symlinks',` -+interface(`files_dontaudit_search_src',` - gen_require(` -- type var_t; -+ type src_t; - ') - -- read_lnk_files_pattern($1, var_t, var_t) -+ dontaudit $1 src_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete symbolic --## links in the /var directory. -+## Get the attributes of files in /usr/src. - ## - ## - ## -@@ -5378,50 +6214,41 @@ interface(`files_read_var_symlinks',` - ## - ## - # --interface(`files_manage_var_symlinks',` -+interface(`files_getattr_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- manage_lnk_files_pattern($1, var_t, var_t) -+ getattr_files_pattern($1, src_t, src_t) -+ -+ # /usr/src/linux symlink: -+ read_lnk_files_pattern($1, usr_t, src_t) - ') - - ######################################## - ## --## Create objects in the /var directory -+## Read files in /usr/src. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_var_filetrans',` -+interface(`files_read_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Get the attributes of the /var/lib directory. -+## Execute programs in /usr/src in the caller domain. - ## - ## - ## -@@ -5429,69 +6256,56 @@ interface(`files_var_filetrans',` - ## - ## - # --interface(`files_getattr_var_lib_dirs',` -+interface(`files_exec_usr_src_files',` - gen_require(` -- type var_t, var_lib_t; -+ type usr_t, src_t; - ') - -- getattr_dirs_pattern($1, var_t, var_lib_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) - ') - - ######################################## - ## --## Search the /var/lib directory. -+## Install a system.map into the /boot directory. - ## --## --##

--## Search the /var/lib directory. This is --## necessary to access files or directories under --## /var/lib that have a private type. For example, a --## domain accessing a private library file in the --## /var/lib directory: --##

--##

--## allow mydomain_t mylibfile_t:file read_file_perms; --## files_search_var_lib(mydomain_t) --##

--## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_search_var_lib',` -+interface(`files_create_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; - ') - - ######################################## - ## --## Do not audit attempts to search the --## contents of /var/lib. -+## Dontaudit getattr attempts on the system.map file - ## - ## - ## - ## Domain to not audit. - ## - ## --## - # --interface(`files_dontaudit_search_var_lib',` -+interface(`files_dontaduit_getattr_kernel_symbol_table',` - gen_require(` -- type var_lib_t; -+ type system_map_t; - ') - -- dontaudit $1 var_lib_t:dir search_dir_perms; -+ dontaudit $1 system_map_t:file getattr; - ') - - ######################################## - ## --## List the contents of the /var/lib directory. -+## Read system.map in the /boot directory. - ## - ## - ## -@@ -5499,17 +6313,18 @@ interface(`files_dontaudit_search_var_lib',` - ## - ## - # --interface(`files_list_var_lib',` -+interface(`files_read_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) - ') - --########################################### -+######################################## - ## --## Read-write /var/lib directories -+## Delete a system.map in the /boot directory. - ## - ## - ## -@@ -5517,70 +6332,54 @@ interface(`files_list_var_lib',` - ## - ## - # --interface(`files_rw_var_lib_dirs',` -+interface(`files_delete_kernel_symbol_table',` - gen_require(` -- type var_lib_t; -+ type boot_t, system_map_t; - ') - -- rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) - ') - - ######################################## - ## --## Create objects in the /var/lib directory -+## Search the contents of /var. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_var_lib_filetrans',` -+interface(`files_search_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## Read generic files in /var/lib. -+## Do not audit attempts to write to /var. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_var_lib_files',` -+interface(`files_dontaudit_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_lib_t:dir list_dir_perms; -- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir write; - ') - - ######################################## - ## --## Read generic symbolic links in /var/lib -+## Allow attempts to write to /var.dirs - ## - ## - ## -@@ -5588,41 +6387,36 @@ interface(`files_read_var_lib_files',` - ## - ## - # --interface(`files_read_var_lib_symlinks',` -+interface(`files_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir write; - ') - --# cjp: the next two interfaces really need to be fixed --# in some way. They really neeed their own types. -- - ######################################## - ## --## Create, read, write, and delete the --## pseudorandom number generator seed. -+## Do not audit attempts to search -+## the contents of /var. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_urandom_seed',` -+interface(`files_dontaudit_search_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; - ') - - ######################################## - ## --## Allow domain to manage mount tables --## necessary for rpcd, nfsd, etc. -+## List the contents of /var. - ## - ## - ## -@@ -5630,36 +6424,36 @@ interface(`files_manage_urandom_seed',` - ## - ## - # --interface(`files_manage_mounttab',` -+interface(`files_list_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Set the attributes of the generic lock directories. -+## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_setattr_lock_dirs',` -+interface(`files_dontaudit_list_var',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Search the locks directory (/var/lock). -+## Create, read, write, and delete directories -+## in the /var directory. - ## - ## - ## -@@ -5667,38 +6461,35 @@ interface(`files_setattr_lock_dirs',` - ## - ## - # --interface(`files_search_locks',` -+interface(`files_manage_var_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_t:dir manage_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to search the --## locks directory (/var/lock). -+## Read files in the /var directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_locks',` -+interface(`files_read_var_files',` - gen_require(` -- type var_lock_t; -+ type var_t; - ') - -- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_lock_t:dir search_dir_perms; -+ read_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## List generic lock directories. -+## Append files in the /var directory. - ## - ## - ## -@@ -5706,19 +6497,17 @@ interface(`files_dontaudit_search_locks',` - ## - ## - # --interface(`files_list_locks',` -+interface(`files_append_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ append_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Add and remove entries in the /var/lock --## directories. -+## Read and write files in the /var directory. - ## - ## - ## -@@ -5726,60 +6515,54 @@ interface(`files_list_locks',` - ## - ## - # --interface(`files_rw_lock_dirs',` -+interface(`files_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- rw_dirs_pattern($1, var_t, var_lock_t) -+ rw_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Create lock directories -+## Do not audit attempts to read and write -+## files in the /var directory. - ## - ## --## --## Domain allowed access -+## -+## Domain to not audit. - ## - ## - # --interface(`files_create_lock_dirs',` -+interface(`files_dontaudit_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- create_dirs_pattern($1, var_lock_t, var_lock_t) -+ dontaudit $1 var_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Relabel to and from all lock directory types. -+## Create, read, write, and delete files in the /var directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_lock_dirs',` -+interface(`files_manage_var_files',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- relabel_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Get the attributes of generic lock files. -+## Read symbolic links in the /var directory. - ## - ## - ## -@@ -5787,20 +6570,18 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_read_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) -+ read_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Delete generic lock files. -+## Create, read, write, and delete symbolic -+## links in the /var directory. - ## - ## - ## -@@ -5808,165 +6589,156 @@ interface(`files_getattr_generic_locks',` - ## - ## - # --interface(`files_delete_generic_locks',` -+interface(`files_manage_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ manage_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## lock files. -+## Create objects in the /var directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_manage_generic_locks',` -+interface(`files_var_filetrans',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) -+ filetrans_pattern($1, var_t, $2, $3, $4) - ') - - ######################################## - ## --## Delete all lock files. -+## Get the attributes of the /var/lib directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_delete_all_locks',` -+interface(`files_getattr_var_lib_dirs',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) -+ getattr_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## Read all lock files. -+## Search the /var/lib directory. - ## -+## -+##

-+## Search the /var/lib directory. This is -+## necessary to access files or directories under -+## /var/lib that have a private type. For example, a -+## domain accessing a private library file in the -+## /var/lib directory: -+##

-+##

-+## allow mydomain_t mylibfile_t:file read_file_perms; -+## files_search_var_lib(mydomain_t) -+##

-+## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_read_all_locks',` -+interface(`files_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) -+ search_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## manage all lock files. -+## Do not audit attempts to search the -+## contents of /var/lib. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## -+## - # --interface(`files_manage_all_locks',` -+interface(`files_dontaudit_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) -+ dontaudit $1 var_lib_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create an object in the locks directory, with a private --## type using a type transition. -+## List the contents of the /var/lib directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_lock_filetrans',` -+interface(`files_list_var_lib',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) -+ list_dirs_pattern($1, var_t, var_lib_t) - ') - --######################################## -+########################################### - ## --## Do not audit attempts to get the attributes --## of the /var/run directory. -+## Read-write /var/lib directories - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_pid_dirs',` -+interface(`files_rw_var_lib_dirs',` - gen_require(` -- type var_run_t; -+ type var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; -+ rw_dirs_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## Set the attributes of the /var/run directory. -+## Create directories in /var/lib - ## - ## - ## -@@ -5974,59 +6746,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` - ## - ## - # --interface(`files_setattr_pid_dirs',` -+interface(`files_create_var_lib_dirs',` - gen_require(` -- type var_run_t; -+ type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; -+ allow $1 var_lib_t:dir { create rw_dir_perms }; - ') - -+ - ######################################## - ## --## Search the contents of runtime process --## ID directories (/var/run). -+## Create objects in the /var/lib directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_search_pids',` -+interface(`files_var_lib_filetrans',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to search --## the /var/run directory. -+## Read generic files in /var/lib. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_pids',` -+interface(`files_read_var_lib_files',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; -+ allow $1 var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). -+## Read generic symbolic links in /var/lib - ## - ## - ## -@@ -6034,18 +6818,18 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` -+interface(`files_read_var_lib_symlinks',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## Read generic process ID files. -+## manage generic symbolic links -+## in the /var/lib directory. - ## - ## - ## -@@ -6053,19 +6837,1172 @@ interface(`files_list_pids',` - ## - ## - # --interface(`files_read_generic_pids',` -+interface(`files_manage_var_lib_symlinks',` - gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ -+# cjp: the next two interfaces really need to be fixed -+# in some way. They really neeed their own types. -+ -+######################################## -+## -+## Create, read, write, and delete the -+## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_urandom_seed',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## Allow domain to manage mount tables -+## necessary for rpcd, nfsd, etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_mounttab',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## List generic lock directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Search the locks directory (/var/lock). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search the -+## locks directory (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_lock_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_lock_dirs',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ allow $1 var_lock_t:dir setattr; -+') -+ -+######################################## -+## -+## Add and remove entries in the /var/lock -+## directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ rw_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create lock directories -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_create_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ create_dirs_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Relabel to and from all lock directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_lock_dirs',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_dirs_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Relabel to and from all lock file types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_lock_files',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Get the attributes of generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 var_lock_t:dir list_dir_perms; -+ getattr_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ delete_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Read all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; + ') + -+ files_search_locks($1) -+ allow $1 lockfile:dir list_dir_perms; -+ read_files_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, lockfile, lockfile) ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +') + +######################################## +## -+## manage all lock files. ++## Relabel a file from the type used in /tmp. +## +## +## @@ -13928,76 +11851,42 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_manage_all_locks',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; ++ type tmp_t; + ') + -+ files_search_locks($1) -+ manage_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, lockfile, lockfile) -+ manage_lnk_files_pattern($1, lockfile, lockfile) ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## -+## Create an object in the locks directory, with a private -+## type using a type transition. + ## Set the attributes of all tmp directories. + ## + ## +@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',` + + ######################################## + ## ++## Allow caller to read inherited tmp files. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_lock_filetrans',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ filetrans_pattern($1, var_lock_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## +# -+interface(`files_dontaudit_getattr_pid_dirs',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` -+ type var_run_t; ++ attribute tmpfile; + ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir getattr; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; +') + +######################################## +## -+## Set the attributes of the /var/run directory. ++## Allow caller to append inherited tmp files. +## +## +## @@ -14005,19 +11894,17 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_setattr_pid_dirs',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` -+ type var_run_t; ++ attribute tmpfile; + ') + -+ files_search_pids($1) -+ allow $1 var_run_t:dir setattr; ++ allow $1 tmpfile:file append_inherited_file_perms; +') + +######################################## +## -+## Search the contents of runtime process -+## ID directories (/var/run). ++## Allow caller to read and write inherited tmp files. +## +## +## @@ -14025,238 +11912,163 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_search_pids',` ++interface(`files_rw_inherited_tmp_file',` + gen_require(` -+ type var_t, var_run_t; ++ attribute tmpfile; + ') + -+ allow $1 var_t:lnk_file read_lnk_file_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_run_t) -+') -+ -+###################################### -+## -+## Add and remove entries from pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:dir rw_dir_perms; -+') -+ -+####################################### -+## -+## Create generic pid directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; ++ allow $1 tmpfile:file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## + ## List all tmp directories. + ## + ## +@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',` + ## + ## + ## +-## Domain not to audit. +## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_pids',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## + ## + ## + # +@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',` + ## + ## + ## +-## Domain not to audit. +## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of the runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. + ## + ## + # +@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',` + + ######################################## + ## ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_read_generic_pids',` ++interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` -+ type var_t, var_run_t; ++ attribute tmpfile; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; +') + +######################################## +## -+## Write named generic process ID pipes ++## Do allow attempts to read or write ++## all leaked tmpfiles files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_write_generic_pid_pipes',` ++interface(`files_rw_tmp_file_leaks',` + gen_require(` -+ type var_run_t; ++ attribute tmpfile; + ') + -+ files_search_pids($1) -+ allow $1 var_run_t:fifo_file write; ++ allow $1 tmpfile:file rw_inherited_file_perms; +') + +######################################## +## -+## Create an object in the process ID directory, with a private type. + ## Create an object in the tmp directories, with a private + ## type using a type transition. + ## +@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',` + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) + ') + + ######################################## +@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',` + + ######################################## + ## ++## Dontaudit getattr attempts on the system.map file +## -+## -+##

-+## Create an object in the process ID directory (e.g., /var/run) -+## with a private type. Typically this is used for creating -+## private PID files in /var/run with the private type instead -+## of the general PID file type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

-+##

-+## Related interfaces: -+##

-+##
    -+##
  • files_pid_file()
    • -+##
-+##

-+## Example usage with a domain that can create and -+## write its PID file with a private PID file type in the -+## /var/run directory: -+##

-+##

-+## type mypidfile_t; -+## files_pid_file(mypidfile_t) -+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -+## files_pid_filetrans(mydomain_t, mypidfile_t, file) -+##

-+## +## +## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. ++## Domain to not audit. +## +## -+## +# -+interface(`files_pid_filetrans',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` + gen_require(` -+ type var_t, var_run_t; ++ type system_map_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_run_t, $2, $3, $4) ++ dontaudit $1 system_map_t:file getattr; +') + +######################################## +## -+## Create a generic lock directory within the run directories + ## Read system.map in the /boot directory. + ## + ## +@@ -5241,6 +6470,24 @@ interface(`files_list_var',` + + ######################################## + ## ++## Do not audit listing of the var directory (/var). +## +## -+## -+## Domain allowed access -+## -+## -+## +## -+## The name of the object being created. ++## Domain to not audit. +## +## +# -+interface(`files_pid_filetrans_lock_dir',` ++interface(`files_dontaudit_list_var',` + gen_require(` -+ type var_lock_t; ++ type var_t; + ') + -+ files_pid_filetrans($1, var_lock_t, dir, $2) ++ dontaudit $1 var_t:dir list_dir_perms; +') + +######################################## +## -+## rw generic pid files inherited from another process + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',` + type var_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',` + + ######################################## + ## ++## Create directories in /var/lib +## +## +## @@ -14264,17 +12076,28 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_rw_inherited_generic_pid_files',` ++interface(`files_create_var_lib_dirs',` + gen_require(` -+ type var_run_t; ++ type var_lib_t; + ') + -+ allow $1 var_run_t:file rw_inherited_file_perms; ++ allow $1 var_lib_t:dir { create rw_dir_perms }; +') + ++ ++######################################## ++## + ## Create objects in the /var/lib directory + ## + ## +@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',` + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + +######################################## +## -+## Read and write generic process ID files. ++## manage generic symbolic links ++## in the /var/lib directory. +## +## +## @@ -14282,20 +12105,57 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_rw_generic_pids',` ++interface(`files_manage_var_lib_symlinks',` + gen_require(` -+ type var_t, var_run_t; ++ type var_lib_t; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ rw_files_pattern($1, var_run_t, var_run_t) ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) +') + -+######################################## -+## -+## Do not audit attempts to get the attributes of -+## daemon runtime data files. + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',` + + ######################################## + ## +-## Set the attributes of the generic lock directories. ++## List generic lock directories. + ## + ## + ## +@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',` + ## + ## + # +-interface(`files_setattr_lock_dirs',` ++interface(`files_list_locks',` + gen_require(` + type var_t, var_lock_t; + ') + +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) + ') + + ######################################## +@@ -5672,6 +6958,7 @@ interface(`files_search_locks',` + type var_t, var_lock_t; + ') + ++ files_search_pids($1) + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_lock_t) + ') +@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',` + + ######################################## + ## +-## List generic lock directories. ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). +## +## +## @@ -14303,94 +12163,281 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_dontaudit_getattr_all_pids',` ++interface(`files_dontaudit_rw_inherited_locks',` + gen_require(` -+ attribute pidfile; -+ type var_run_t; ++ type var_lock_t; + ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file getattr; ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. + ## + ## + ## +@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` ++interface(`files_setattr_lock_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_lock_t:dir setattr; + ') + + ######################################## +@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + rw_dirs_pattern($1, var_t, var_lock_t) + ') + +@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',` + ## Domain allowed access. + ## + ## +-## + # + interface(`files_relabel_all_lock_dirs',` + gen_require(` +@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',` + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Relabel to and from all lock file types. + ## + ## + ## +@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_relabel_all_lock_files',` + gen_require(` ++ attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_files_pattern($1, lockfile, lockfile) +') + +######################################## +## -+## Do not audit attempts to write to daemon runtime data files. ++## Get the attributes of generic lock files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_write_all_pids',` ++interface(`files_getattr_generic_locks',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_lock_t; + ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file write; -+') -+ -+######################################## ++ files_search_locks($1) + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) + ') +@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',` + ## + # + interface(`files_delete_generic_locks',` +- gen_require(` ++ gen_require(` + type var_t, var_lock_t; +- ') ++ ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) + ') + + ######################################## +@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) + manage_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + filetrans_pattern($1, var_lock_t, $2, $3, $4) + ') + +@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:dir setattr; + ') + +@@ -5999,10 +7317,48 @@ interface(`files_search_pids',` + type var_t, var_run_t; + ') + ++ allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) + ') + ++###################################### +## -+## Do not audit attempts to ioctl daemon runtime data files. ++## Add and remove entries from pid directories. +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`files_dontaudit_ioctl_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_run_t; -+ ') ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file ioctl; ++ allow $1 var_run_t:dir rw_dir_perms; +') + -+######################################## ++####################################### +## -+## Relable all pid directories ++## Create generic pid directory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') + -+ relabel_dirs_pattern($1, pidfile, pidfile) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; +') + -+######################################## -+## -+## Delete all pid sockets + ######################################## + ## + ## Do not audit attempts to search +@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',` + + ######################################## + ## ++## Do not audit attempts to search ++## the all /var/run directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_delete_all_pid_sockets',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` + attribute pidfile; + ') + -+ allow $1 pidfile:sock_file delete_sock_file_perms; ++ dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## -+## Create all pid sockets + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6039,7 +7414,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; + ') + +@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + +@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',` + + ######################################## + ## ++## rw generic pid files inherited from another process +## +## +## @@ -14398,216 +12445,412 @@ index f962f76..d79969b 100644 +## +## +# -+interface(`files_create_all_pid_sockets',` ++interface(`files_rw_inherited_generic_pid_files',` + gen_require(` -+ attribute pidfile; ++ type var_run_t; + ') + -+ allow $1 pidfile:sock_file create_sock_file_perms; ++ allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## + ## Read and write generic process ID files. + ## + ## +@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',` + + ######################################## + ## +-## Read all process ID files. ++## Relable all pid directories + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Delete all process IDs. ++## Delete all pid sockets + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process ID directories. ++## Create all pid sockets + ## + ## + ## +@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Create all pid named pipes -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_pid_pipes',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## manage all pidfile directories +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` +interface(`files_manage_all_pid_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + manage_dirs_pattern($1,pidfile,pidfile) -+') -+ + ') + + -+######################################## -+## + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. +## Read all process ID files. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`files_dontaudit_search_spool',` +interface(`files_read_all_pids',` -+ gen_require(` + gen_require(` +- type var_spool_t; + attribute pidfile; + type var_t; -+ ') -+ + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. +## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` +interface(`files_relabel_all_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) + relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6424,18 +7799,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_manage_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Mount filesystems on all polyinstantiation +## member directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` +interface(`files_mounton_all_poly_members',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute polymember; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Delete all process IDs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## -+# + # +-interface(`files_spool_filetrans',` +interface(`files_delete_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; + type var_t, var_run_t; -+ ') -+ + ') + + files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Delete all process ID directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` +interface(`files_delete_all_pid_dirs',` -+ gen_require(` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute pidfile; - type var_t, var_run_t; ++ type var_t, var_run_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') -+ + +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +######################################## +## +## Make the specified type a file @@ -14650,27 +12893,31 @@ index f962f76..d79969b 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; -+ ') + ') + + files_type($1) + typeattribute $1 spoolfile; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Create all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6573,10 +7950,819 @@ interface(`files_polyinstantiate_all',` + ## + ## + # +-interface(`files_unconfined',` +interface(`files_create_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + attribute spoolfile; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + allow $1 spoolfile:sock_file create_sock_file_perms; +') + @@ -14749,35 +12996,29 @@ index f962f76..d79969b 100644 + ') + + dontaudit $1 var_spool_t:dir search_dir_perms; - ') - - ######################################## - ## --## Write named generic process ID pipes ++') ++ ++######################################## ++## +## List the contents of generic spool +## (/var/spool) directories. - ## - ## - ## -@@ -6073,43 +8010,189 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_list_spool',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + list_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++') ++ ++######################################## ++## +## Create, read, write, and delete generic +## spool directories (/var/spool). +## @@ -14947,40 +13188,17 @@ index f962f76..d79969b 100644 +######################################## +## +## Create a core files in / - ## - ## - ##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
    • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

--## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) ++##

++## ++##

+## Create a core file in /, - ##

- ## - ## -@@ -6117,14 +8200,82 @@ interface(`files_write_generic_pid_pipes',` - ## Domain allowed access. - ## - ## --## ++##

++## ++## ++## ++## Domain allowed access. ++## ++## +## +# +interface(`files_manage_root_files',` @@ -15050,401 +13268,291 @@ index f962f76..d79969b 100644 +## +## +## - ## --## The type of the object to be created. ++## +## Type of the directory to be transitioned from - ## - ## - ## - ## --## The object class of the object being created. ++## ++## ++## ++## +## The class of the object being created. - ## - ## - ## -@@ -6132,65 +8283,56 @@ interface(`files_write_generic_pid_pipes',` - ## The name of the object being created. - ## - ## --## - # --interface(`files_pid_filetrans',` -- gen_require(` -- type var_t, var_run_t; -- ') ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# +interface(`files_filetrans_lib',` + gen_require(` + type lib_t, lib_t; + ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ + filetrans_pattern($1, $2, lib_t, $3, $4) - ') - - ######################################## - ## --## Create a generic lock directory within the run directories ++') ++ ++######################################## ++## +## manage generic symbolic links +## in the /var/run directory. - ## - ## --## --## Domain allowed access --## --## --## - ## --## The name of the object being created. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_pid_filetrans_lock_dir',` ++## ++## ++# +interface(`files_manage_generic_pids_symlinks',` - gen_require(` -- type var_lock_t; ++ gen_require(` + type var_run_t; - ') - -- files_pid_filetrans($1, var_lock_t, dir, $2) ++ ') ++ + manage_lnk_files_pattern($1,var_run_t,var_run_t) - ') - - ######################################## - ## --## Read and write generic process ID files. ++') ++ ++######################################## ++## +## Do not audit attempts to getattr +## all tmpfs files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_rw_generic_pids',` ++## ++## ++# +interface(`files_dontaudit_getattr_tmpfs_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + allow $1 tmpfsfile:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. ++') ++ ++######################################## ++## +## Allow read write all tmpfs files - ## - ## - ## -@@ -6198,19 +8340,17 @@ interface(`files_rw_generic_pids',` - ## - ## - # --interface(`files_dontaudit_getattr_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_rw_tmpfs_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file getattr; ++ ') ++ + allow $1 tmpfsfile:file { read write }; - ') - - ######################################## - ## --## Do not audit attempts to write to daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to read security files - ## - ## - ## -@@ -6218,38 +8358,43 @@ interface(`files_dontaudit_getattr_all_pids',` - ## - ## - # --interface(`files_dontaudit_write_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_read_security_files',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute security_file_type; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file write; ++ ') ++ + dontaudit $1 security_file_type:file read_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to ioctl daemon runtime data files. ++') ++ ++######################################## ++## +## rw any files inherited from another process - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## ++## ++## +## +## +## Object type. +## +## - # --interface(`files_dontaudit_ioctl_all_pids',` ++# +interface(`files_rw_all_inherited_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file ioctl; ++ ') ++ + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Read all process ID files. ++') ++ ++######################################## ++## +## Allow any file point to be the entrypoint of this domain - ## - ## - ## -@@ -6258,127 +8403,111 @@ interface(`files_dontaudit_ioctl_all_pids',` - ## - ## - # --interface(`files_read_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`files_entrypoint_all_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') -- -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ ') + allow $1 file_type:file entrypoint; - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## Do not audit attempts to rw inherited file perms +## of non security files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`files_delete_all_pids',` ++## ++## ++# +interface(`files_dontaudit_all_non_security_leaks',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ ') ++ + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. ++') ++ ++######################################## ++## +## Do not audit attempts to read or write +## all leaked files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_delete_all_pid_dirs',` ++## ++## ++# +interface(`files_dontaudit_leaks',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## Allow domain to create_file_ass all types - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` ++## ++## ++# +interface(`files_create_as_is_all_files',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute file_type; + class kernel_service create_files_as; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ ') ++ + allow $1 file_type:kernel_service create_files_as; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++# +interface(`files_dontaudit_all_access_check',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute file_type; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + dontaudit $1 file_type:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## Do not audit attempts to write to all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_search_spool',` ++## ++## ++# +interface(`files_dontaudit_write_all_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + dontaudit $1 file_type:dir_file_class_set write; - ') - - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. ++') ++ ++######################################## ++## +## Allow domain to delete to all files - ## - ## - ## -@@ -6386,132 +8515,189 @@ interface(`files_search_spool',` - ## - ## - # --interface(`files_dontaudit_search_spool',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_delete_all_non_security_files',` - gen_require(` -- type var_spool_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- dontaudit $1 var_spool_t:dir search_dir_perms; ++ ') ++ + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. ++') ++ ++######################################## ++## +## Allow domain to delete to all dirs - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_spool',` ++## ++## ++# +interface(`files_delete_all_non_security_dirs',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Transition named content in the var_run_t directory - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++# +interface(`files_filetrans_named_content',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type etc_t; + type mnt_t; + type usr_t; @@ -15453,10 +13561,8 @@ index f962f76..d79969b 100644 + type var_run_t; + type var_lock_t; + type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -15494,15 +13600,13 @@ index f962f76..d79969b 100644 + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## Make the specified type a +## base file. - ## --## ++## +## +##

+## Identify file type as base file type. Tools will use this attribute, @@ -15510,25 +13614,20 @@ index f962f76..d79969b 100644 +##

+## +## - ## --## Domain allowed access. ++## +## Type to be used as a base files. - ## - ## ++## ++## +## - # --interface(`files_read_generic_spool',` ++# +interface(`files_base_file',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_file_type; - ') ++ ') + files_type($1) + typeattribute $1 base_file_type; +') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ +######################################## +## +## Make the specified type a @@ -15552,155 +13651,82 @@ index f962f76..d79969b 100644 + ') + files_base_file($1) + typeattribute $1 base_ro_file_type; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## Read all ro base files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_manage_generic_spool',` ++# +interface(`files_read_all_base_ro_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Execute all base ro files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## --## --## The name of the object being created. --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_exec_all_base_ro_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ ') ++ + can_exec($1, base_ro_file_type) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Allow the specified domain to modify the systemd configuration of +## any file. - ## - ## - ## -@@ -6519,53 +8705,17 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_config_all_files',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute file_type; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -- -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -- ') ++ ') ++ + allow $1 file_type:service all_service_perms; - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Get the status of etc_t files - ## - ## - ## -@@ -6573,10 +8723,10 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_status_etc',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + type etc_t; - ') - -- typeattribute $1 files_unconfined_type; ++ ') ++ + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8a3e7db..5a3fddc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2998,7 +2998,7 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..83590aa +index 0000000..8cc6120 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,273 @@ @@ -3068,7 +3068,7 @@ index 0000000..83590aa +# antivirus domain local policy +# + -+allow antivirus_domain self:capability { dac_override chown kill setgid setuid }; ++allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin }; +dontaudit antivirus_domain self:capability sys_tty_config; +allow antivirus_domain self:process signal_perms; + @@ -13677,10 +13677,10 @@ index 5f306dd..e01156f 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..b71de28 +index 0000000..bb87537 --- /dev/null +++ b/cockpit.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ +# cockpit stuff + +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) @@ -13689,6 +13689,8 @@ index 0000000..b71de28 +/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++ ++/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 index 0000000..573dcae @@ -24321,10 +24323,10 @@ index 0000000..fd679a1 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..76eb32e +index 0000000..2a614ed --- /dev/null +++ b/docker.if -@@ -0,0 +1,364 @@ +@@ -0,0 +1,365 @@ + +## The open-source application container engine. + @@ -24622,6 +24624,7 @@ index 0000000..76eb32e + filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") + filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") + filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf") + filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") +') + @@ -30749,10 +30752,10 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..c416ef4 100644 +index ab09d61..0734f6b 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,52 +1,78 @@ +@@ -1,52 +1,76 @@ -## GNU network object model environment. +## GNU network object model environment (GNOME) @@ -30843,42 +30846,44 @@ index ab09d61..c416ef4 100644 # template(`gnome_role_template',` - gen_require(` +- attribute gnomedomain, gkeyringd_domain; + gen_require(` - attribute gnomedomain, gkeyringd_domain; ++ attribute gnomedomain, gkeyringd_domain, gnome_home_type; attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; -+ type gnome_home_t; -+ type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t; ++ type gkeyringd_exec_t, gkeyringd_tmp_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; - type gconf_home_t; -+ class dbus send_msg; +- type gconf_home_t; ++ class dbus send_msg; ') ######################################## -@@ -76,12 +102,12 @@ template(`gnome_role_template',` +@@ -74,14 +98,11 @@ template(`gnome_role_template',` + + domtrans_pattern($3, gconfd_exec_t, gconfd_t) - allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") - +- - allow $3 gconfd_t:process { ptrace signal_perms }; + allow $3 gconfd_t:process { signal_perms }; -+ allow $3 gconfd_t:unix_stream_socket connectto; ++ allow $3 gconfd_t:unix_stream_socket connectto; ps_process_pattern($3, gconfd_t) + ######################################## # # Gkeyringd policy -@@ -89,37 +115,85 @@ template(`gnome_role_template',` +@@ -89,37 +110,85 @@ template(`gnome_role_template',` domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; - allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; -+ allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; -+ allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms }; ++ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; ++ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms }; - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") @@ -30970,7 +30975,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -127,18 +201,18 @@ template(`gnome_role_template',` +@@ -127,18 +196,18 @@ template(`gnome_role_template',` ## ## # @@ -30994,7 +30999,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',` +@@ -146,119 +215,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -31151,7 +31156,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -266,15 +330,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -31178,7 +31183,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -282,57 +352,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -31286,7 +31291,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',` +@@ -340,15 +442,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -31310,7 +31315,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -356,22 +466,18 @@ interface(`gnome_manage_config',` +@@ -356,22 +461,18 @@ interface(`gnome_manage_config',` ## ## # @@ -31338,7 +31343,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -379,53 +480,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -31400,7 +31405,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +518,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -31423,7 +31428,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +537,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -31451,7 +31456,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -475,22 +561,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,22 +556,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -31478,7 +31483,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -498,79 +580,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -498,79 +575,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -31576,7 +31581,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -579,12 +641,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -579,12 +636,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -31591,7 +31596,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -593,18 +655,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -593,18 +650,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -31616,7 +31621,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -612,46 +674,80 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,46 +669,80 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -31714,7 +31719,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -659,46 +755,64 @@ interface(`gnome_dbus_chat_gkeyringd',` +@@ -659,46 +750,64 @@ interface(`gnome_dbus_chat_gkeyringd',` ## ## # @@ -31739,22 +31744,22 @@ index ab09d61..c416ef4 100644 ## -## +## - ## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). ++## +## Domain allowed access. +## +## +## -+## + ## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +## The class of the object to be created. -+## -+## + ## + ## +## +## +## The name of the object being created. - ## - ## ++## ++## +# +interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` @@ -31796,7 +31801,7 @@ index ab09d61..c416ef4 100644 ## ## ## -@@ -706,12 +820,985 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -31806,10 +31811,8 @@ index ab09d61..c416ef4 100644 - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; + type gconf_etc_t; - ') - -- files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ ') ++ + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) + files_search_etc($1) @@ -31950,9 +31953,10 @@ index ab09d61..c416ef4 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) + ') + + files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + @@ -41933,7 +41937,7 @@ index be0ab84..3ebbcc0 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..28f63b5 100644 +index ab65034..dd17cb0 100644 --- a/logwatch.te +++ b/logwatch.te @@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) @@ -41981,12 +41985,13 @@ index ab65034..28f63b5 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -100,23 +108,14 @@ libs_read_lib_files(logwatch_t) +@@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) -miscfiles_read_localization(logwatch_t) -- ++miscfiles_read_hwdata(logwatch_t) + selinux_dontaudit_getattr_dir(logwatch_t) sysnet_exec_ifconfig(logwatch_t) @@ -42005,7 +42010,7 @@ index ab65034..28f63b5 100644 corenet_sendrecv_smtp_client_packets(logwatch_t) corenet_tcp_connect_smtp_port(logwatch_t) corenet_tcp_sendrecv_smtp_port(logwatch_t) -@@ -160,6 +159,12 @@ optional_policy(` +@@ -160,6 +161,12 @@ optional_policy(` ') optional_policy(` @@ -42018,7 +42023,7 @@ index ab65034..28f63b5 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t) +@@ -187,6 +194,19 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -49813,7 +49818,7 @@ index ed81cac..837a43a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..58ba0ce 100644 +index ff1d68c..c8070da 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -49954,7 +49959,8 @@ index ff1d68c..58ba0ce 100644 init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) -+ + +-userdom_use_user_terminals(system_mail_t) +userdom_use_inherited_user_terminals(system_mail_t) +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) @@ -49964,8 +49970,7 @@ index ff1d68c..58ba0ce 100644 + +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) - --userdom_use_user_terminals(system_mail_t) ++ +logging_append_all_logs(system_mail_t) + +logging_send_syslog_msg(system_mail_t) @@ -50078,7 +50083,18 @@ index ff1d68c..58ba0ce 100644 ') optional_policy(` -@@ -287,42 +331,36 @@ optional_policy(` +@@ -279,6 +323,10 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_write_inhibit_pipes(system_mail_t) ++') ++ ++optional_policy(` + userdom_dontaudit_use_user_ptys(system_mail_t) + + optional_policy(` +@@ -287,42 +335,36 @@ optional_policy(` ') optional_policy(` @@ -50131,7 +50147,7 @@ index ff1d68c..58ba0ce 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +369,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -50201,7 +50217,7 @@ index ff1d68c..58ba0ce 100644 ') optional_policy(` -@@ -381,24 +423,49 @@ optional_policy(` +@@ -381,24 +427,49 @@ optional_policy(` ######################################## # @@ -52385,15 +52401,16 @@ index 0000000..79f1250 + +fs_getattr_xattr_fs(naemon_t) diff --git a/nagios.fc b/nagios.fc -index d78dfc3..02f18ac 100644 +index d78dfc3..40e1c77 100644 --- a/nagios.fc +++ b/nagios.fc -@@ -1,88 +1,109 @@ +@@ -1,88 +1,113 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) @@ -52423,8 +52440,11 @@ index d78dfc3..02f18ac 100644 +/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++/var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++ +/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) + +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) @@ -52806,7 +52826,7 @@ index 0641e97..cad402c 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..6d966d5 100644 +index 7b3e682..a22a321 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -52884,17 +52904,18 @@ index 7b3e682..6d966d5 100644 manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) +@@ -110,7 +118,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) +manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file}) ++manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file }) manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +133,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) @@ -52902,7 +52923,7 @@ index 7b3e682..6d966d5 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,7 +152,6 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -52910,7 +52931,7 @@ index 7b3e682..6d966d5 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t) +@@ -153,8 +161,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -52919,7 +52940,7 @@ index 7b3e682..6d966d5 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,35 +183,37 @@ optional_policy(` +@@ -178,35 +184,37 @@ optional_policy(` # # CGI local policy # @@ -52975,7 +52996,7 @@ index 7b3e682..6d966d5 100644 ') ######################################## -@@ -229,9 +236,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +@@ -229,9 +237,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) @@ -52986,7 +53007,7 @@ index 7b3e682..6d966d5 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -252,8 +259,8 @@ dev_read_urand(nrpe_t) +@@ -252,8 +260,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) @@ -52996,7 +53017,7 @@ index 7b3e682..6d966d5 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +269,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +270,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -53005,7 +53026,7 @@ index 7b3e682..6d966d5 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -310,15 +315,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +316,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -53024,7 +53045,7 @@ index 7b3e682..6d966d5 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +350,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +351,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -53034,7 +53055,7 @@ index 7b3e682..6d966d5 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +365,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +366,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -53048,7 +53069,7 @@ index 7b3e682..6d966d5 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +401,11 @@ optional_policy(` +@@ -391,6 +402,11 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) @@ -53060,7 +53081,7 @@ index 7b3e682..6d966d5 100644 ') optional_policy(` -@@ -411,6 +426,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +427,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -53068,7 +53089,7 @@ index 7b3e682..6d966d5 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,14 +436,18 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,14 +437,18 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -53089,7 +53110,7 @@ index 7b3e682..6d966d5 100644 ####################################### # # Event local policy -@@ -442,11 +462,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,11 +463,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -65000,10 +65021,10 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..d9513e4 +index 0000000..0cb8f0a --- /dev/null +++ b/pki.te -@@ -0,0 +1,279 @@ +@@ -0,0 +1,280 @@ +policy_module(pki,10.0.11) + +######################################## @@ -65077,9 +65098,9 @@ index 0000000..d9513e4 +# pki-tomcat local policy +# + -+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; ++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid }; +dontaudit pki_tomcat_t self:capability net_admin; -+allow pki_tomcat_t self:process { signal setsched signull execmem }; ++allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate }; + +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; +allow pki_tomcat_t self:tcp_socket { accept listen }; @@ -65090,6 +65111,7 @@ index 0000000..d9513e4 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms; + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) @@ -76487,10 +76509,10 @@ index f47c8e8..3710974 100644 + dbus_connect_system_bus(quota_nld_t) ') diff --git a/rabbitmq.fc b/rabbitmq.fc -index c5ad6de..2bf7656 100644 +index c5ad6de..af2d46f 100644 --- a/rabbitmq.fc +++ b/rabbitmq.fc -@@ -1,10 +1,19 @@ +@@ -1,10 +1,18 @@ /etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0) -/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) @@ -76499,7 +76521,6 @@ index c5ad6de..2bf7656 100644 +/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0) + +/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) -+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmqctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) + +/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) @@ -92206,18 +92227,23 @@ index e2544e1..d3fbd78 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index 7292dc0..103278d 100644 +index 7292dc0..26fc8f4 100644 --- a/slocate.te +++ b/slocate.te -@@ -44,6 +44,7 @@ dev_getattr_all_blk_files(locate_t) +@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t) dev_getattr_all_chr_files(locate_t) files_list_all(locate_t) +files_list_isid_type_dirs(locate_t) ++files_getattr_isid_type(locate_t) files_dontaudit_read_all_symlinks(locate_t) files_getattr_all_files(locate_t) ++files_getattr_all_chr_files(locate_t) ++files_getattr_all_blk_files(locate_t) files_getattr_all_pipes(locate_t) -@@ -62,7 +63,6 @@ fs_read_noxattr_fs_symlinks(locate_t) + files_getattr_all_sockets(locate_t) + files_read_etc_runtime_files(locate_t) +@@ -62,7 +66,6 @@ fs_read_noxattr_fs_symlinks(locate_t) auth_use_nsswitch(locate_t) @@ -92225,7 +92251,7 @@ index 7292dc0..103278d 100644 ifdef(`enable_mls',` files_dontaudit_getattr_all_dirs(locate_t) -@@ -71,3 +71,8 @@ ifdef(`enable_mls',` +@@ -71,3 +74,8 @@ ifdef(`enable_mls',` optional_policy(` cron_system_entry(locate_t, locate_exec_t) ') @@ -100952,7 +100978,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 34a8917..85774c6 100644 +index 34a8917..21add3e 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; @@ -100977,7 +101003,8 @@ index 34a8917..85774c6 100644 # Local policy # - allow usbmuxd_t self:capability { kill setgid setuid }; +-allow usbmuxd_t self:capability { kill setgid setuid }; ++allow usbmuxd_t self:capability { chown kill setgid setuid }; +dontaudit usbmuxd_t self:capability sys_resource; allow usbmuxd_t self:process { signal signull }; allow usbmuxd_t self:fifo_file rw_fifo_file_perms; @@ -104077,7 +104104,7 @@ index facdee8..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..b1e7d75 100644 +index f03dcf5..fe1bceb 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,227 @@ @@ -104378,7 +104405,7 @@ index f03dcf5..b1e7d75 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -153,299 +230,134 @@ ifdef(`enable_mls',` +@@ -153,299 +230,135 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -104742,6 +104769,7 @@ index f03dcf5..b1e7d75 100644 +allow virt_domain virtd_t:fd use; +dontaudit virt_domain virtd_t:unix_stream_socket { read write }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; ++allow virt_domain virtd_t:tun_socket attach_queue; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) @@ -104755,7 +104783,7 @@ index f03dcf5..b1e7d75 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +367,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +368,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -104802,7 +104830,7 @@ index f03dcf5..b1e7d75 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +402,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +403,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -104833,7 +104861,7 @@ index f03dcf5..b1e7d75 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +423,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +424,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -104861,7 +104889,7 @@ index f03dcf5..b1e7d75 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,22 +443,27 @@ dev_rw_vhost(virtd_t) +@@ -555,22 +444,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -104894,7 +104922,7 @@ index f03dcf5..b1e7d75 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -601,15 +494,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +495,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -104914,7 +104942,7 @@ index f03dcf5..b1e7d75 100644 selinux_validate_context(virtd_t) -@@ -620,18 +516,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +517,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -104951,7 +104979,7 @@ index f03dcf5..b1e7d75 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +544,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +545,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -104960,7 +104988,7 @@ index f03dcf5..b1e7d75 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +569,12 @@ optional_policy(` +@@ -665,20 +570,12 @@ optional_policy(` ') optional_policy(` @@ -104981,7 +105009,7 @@ index f03dcf5..b1e7d75 100644 ') optional_policy(` -@@ -691,20 +587,26 @@ optional_policy(` +@@ -691,20 +588,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -105012,7 +105040,7 @@ index f03dcf5..b1e7d75 100644 ') optional_policy(` -@@ -712,11 +614,18 @@ optional_policy(` +@@ -712,11 +615,18 @@ optional_policy(` ') optional_policy(` @@ -105031,7 +105059,7 @@ index f03dcf5..b1e7d75 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,11 +636,19 @@ optional_policy(` +@@ -727,11 +637,19 @@ optional_policy(` ') optional_policy(` @@ -105053,7 +105081,7 @@ index f03dcf5..b1e7d75 100644 kernel_write_xen_state(virtd_t) xen_exec(virtd_t) -@@ -746,44 +663,277 @@ optional_policy(` +@@ -746,44 +664,277 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -105353,7 +105381,7 @@ index f03dcf5..b1e7d75 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +944,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +945,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -105380,7 +105408,7 @@ index f03dcf5..b1e7d75 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +964,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +965,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -105414,7 +105442,7 @@ index f03dcf5..b1e7d75 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1001,20 @@ optional_policy(` +@@ -856,14 +1002,20 @@ optional_policy(` ') optional_policy(` @@ -105436,7 +105464,7 @@ index f03dcf5..b1e7d75 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1039,65 @@ optional_policy(` +@@ -888,49 +1040,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -105520,7 +105548,7 @@ index f03dcf5..b1e7d75 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1109,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1110,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -105540,7 +105568,7 @@ index f03dcf5..b1e7d75 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1130,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1131,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -105564,7 +105592,7 @@ index f03dcf5..b1e7d75 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1155,317 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1156,317 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -106020,7 +106048,7 @@ index f03dcf5..b1e7d75 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1478,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1479,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -106035,7 +106063,7 @@ index f03dcf5..b1e7d75 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1496,8 @@ optional_policy(` +@@ -1192,9 +1497,8 @@ optional_policy(` ######################################## # @@ -106046,7 +106074,7 @@ index f03dcf5..b1e7d75 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1510,219 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1511,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -107573,7 +107601,7 @@ index fd2b6cc..938c4a7 100644 +') + diff --git a/wine.te b/wine.te -index 491b87b..72ce165 100644 +index 491b87b..2a79df4 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.11.0) @@ -107589,7 +107617,7 @@ index 491b87b..72ce165 100644 type wine_exec_t; userdom_user_application_domain(wine_t, wine_exec_t) role wine_roles types wine_t; -@@ -25,56 +26,59 @@ role wine_roles types wine_t; +@@ -25,56 +26,63 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) @@ -107601,30 +107629,30 @@ index 491b87b..72ce165 100644 # Local policy # +domain_mmap_low(wine_t) - --allow wine_t self:process { execstack execmem execheap }; --allow wine_t self:fifo_file manage_fifo_file_perms; ++ +optional_policy(` + unconfined_domain(wine_t) +') --can_exec(wine_t, wine_exec_t) +-allow wine_t self:process { execstack execmem execheap }; +-allow wine_t self:fifo_file manage_fifo_file_perms; --userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +-can_exec(wine_t, wine_exec_t) +######################################## +# +# Common wine domain policy +# +-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") ++allow wine_domain self:process { execstack execmem execheap }; ++allow wine_domain self:fifo_file manage_fifo_file_perms; + -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -+allow wine_domain self:process { execstack execmem execheap }; -+allow wine_domain self:fifo_file manage_fifo_file_perms; ++can_exec(wine_domain, wine_exec_t) -domain_mmap_low(wine_t) -+can_exec(wine_domain, wine_exec_t) -+ +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) @@ -107659,19 +107687,21 @@ index 491b87b..72ce165 100644 optional_policy(` - rtkit_scheduled(wine_t) -+ rtkit_scheduled(wine_domain) ++ gnome_create_generic_cache_dir(wine_domain) ') optional_policy(` - unconfined_domain(wine_t) -+ xserver_read_xdm_pid(wine_domain) -+ xserver_rw_shm(wine_domain) ++ rtkit_scheduled(wine_domain) ') --optional_policy(` + optional_policy(` - xserver_read_xdm_pid(wine_t) - xserver_rw_shm(wine_t) --') ++ xserver_read_xdm_pid(wine_domain) ++ xserver_rw_shm(wine_domain) + ') ++ diff --git a/wireshark.te b/wireshark.te index ff6ef38..436d3bf 100644 --- a/wireshark.te diff --git a/selinux-policy.spec b/selinux-policy.spec index af65997..6ee3ce0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 81%{?dist} +Release: 82%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Sep 18 2014 Miroslav Grepl 3.13.1-82 +- Allow du running in logwatch_t read hwdata. +- Allow sys_admin capability for antivirus domians. +- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc. +- Add support for pnp4nagios. +- Add missing labeling for /var/lib/cockpit. +- Label resolv.conf as docker_share_t under docker so we can read within a container +- Remove labeling for rabbitmqctl +- setfscreate in pki.te is not capability class. +- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd. +- Allow wine domains to create cache dirs. +- Allow newaliases to systemd inhibit pipes. +- Add fixes for pki-tomcat scriptlet handling. +- Allow user domains to manage all gnome home content +- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems +- Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems + * Thu Sep 11 2014 Lukas Vrabec 3.13.1-81 - Label /usr/lib/erlang/erts.*/bin files as bin_t - Added changes related to rabbitmq daemon.