From 24f58d74f7900781062cd2c102373b59c6b81f46 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Aug 11 2011 14:42:14 +0000 Subject: - Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used --- diff --git a/policy-F16.patch b/policy-F16.patch index 5fd713e..02d58d6 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1966,7 +1966,7 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index b206bf6..bbd902f 100644 +index b206bf6..b11df05 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -7,6 +7,7 @@ @@ -1977,9 +1977,11 @@ index b206bf6..bbd902f 100644 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -25,8 +26,12 @@ ifdef(`distro_redhat', ` +@@ -24,9 +25,14 @@ ifdef(`distro_redhat', ` + /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -1990,7 +1992,7 @@ index b206bf6..bbd902f 100644 /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -@@ -36,6 +41,8 @@ ifdef(`distro_redhat', ` +@@ -36,6 +42,8 @@ ifdef(`distro_redhat', ` /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -2196,7 +2198,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..fdbf07c 100644 +index 47a8f7d..0d42e00 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -2212,16 +2214,17 @@ index 47a8f7d..fdbf07c 100644 type debuginfo_exec_t; domain_entry_file(rpm_t, debuginfo_exec_t) -@@ -76,6 +77,8 @@ allow rpm_t self:shm create_shm_perms; +@@ -76,6 +77,9 @@ allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; +allow rpm_t self:dir search; +allow rpm_t self:file rw_file_perms;; ++allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -101,13 +104,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) +@@ -101,13 +105,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -2239,7 +2242,7 @@ index 47a8f7d..fdbf07c 100644 corecmd_exec_all_executables(rpm_t) -@@ -127,6 +133,18 @@ corenet_sendrecv_all_client_packets(rpm_t) +@@ -127,6 +134,18 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) 
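Review bot: The new `allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;` in the rpm.te hunk at `@@ -2212,16 +2214,17 @@` has no comment saying which program running as rpm_t needs a uevent socket, so a later reader cannot tell whether the rule is still required. A one-line why-comment above it would do, for example `# needed by rhnreg_ks (confirm)`, assuming this belongs to the rhnreg_ks relabelling named in the commit message. The line just above it in the same hunk, `allow rpm_t self:file rw_file_perms;;`, ends in a doubled semicolon that could be cleaned up while this block is being edited. The rpm_t rule block continues outside the hunk.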
@@ -2258,7 +2261,7 @@ index 47a8f7d..fdbf07c 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -154,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t) +@@ -154,8 +173,8 @@ storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) @@ -2269,7 +2272,7 @@ index 47a8f7d..fdbf07c 100644 auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) -@@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) +@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) domain_dontaudit_getattr_all_dgram_sockets(rpm_t) @@ -2283,7 +2286,7 @@ index 47a8f7d..fdbf07c 100644 libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -189,7 +209,7 @@ logging_send_syslog_msg(rpm_t) +@@ -189,7 +210,7 @@ logging_send_syslog_msg(rpm_t) seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) @@ -2292,7 +2295,7 @@ index 47a8f7d..fdbf07c 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -207,6 +227,7 @@ optional_policy(` +@@ -207,6 +228,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -2300,7 +2303,7 @@ index 47a8f7d..fdbf07c 100644 ') optional_policy(` -@@ -214,7 +235,7 @@ optional_policy(` +@@ -214,7 +236,7 @@ optional_policy(` ') optional_policy(` 
@@ -2309,15 +2312,26 @@ index 47a8f7d..fdbf07c 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -261,6 +282,7 @@ kernel_read_crypto_sysctls(rpm_script_t) +@@ -257,12 +279,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + can_exec(rpm_script_t, rpm_script_tmpfs_t) + ++allow rpm_script_t rpm_t:netlink_route_socket { read write }; ++ + kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) +kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) ++# needed by rhn_check ++corenet_tcp_connect_http_port(rpm_script_t) ++ dev_list_sysfs(rpm_script_t) -@@ -299,15 +321,17 @@ storage_raw_write_fixed_disk(rpm_script_t) + + # ideally we would not need this +@@ -299,15 +327,17 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -2338,7 +2352,7 @@ index 47a8f7d..fdbf07c 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -332,18 +356,18 @@ logging_send_syslog_msg(rpm_script_t) +@@ -332,18 +362,18 @@ logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) @@ -2360,7 +2374,7 @@ index 47a8f7d..fdbf07c 100644 ') ') -@@ -368,6 +392,11 @@ optional_policy(` +@@ -368,6 +398,11 @@ optional_policy(` ') optional_policy(` @@ -2372,7 +2386,7 @@ index 47a8f7d..fdbf07c 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,8 +406,9 @@ optional_policy(` +@@ -377,8 +412,9 @@ optional_policy(` ') optional_policy(` @@ -3692,10 +3706,10 @@ index 0000000..bacc639 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..9f6478c +index 0000000..22ddda5 --- /dev/null 
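Review bot: `corenet_tcp_connect_http_port(rpm_script_t)` in the first hunk on this line (`@@ -2309,15 +2312,26 @@`, rpm.te) lets every package scriptlet running as rpm_script_t open outbound connections to HTTP ports, while its comment says only rhn_check needs it. rpm.fc labels /usr/sbin/rhn_check as rpm_exec_t, so it presumably runs in rpm_t rather than rpm_script_t. If the denial came from a helper that rhn_check starts in rpm_script_t, the comment should say so, e.g. `# rhn_check actions run in rpm_script_t and fetch over HTTP (confirm)`. The added `allow rpm_script_t rpm_t:netlink_route_socket { read write };` looks like use of a descriptor inherited from rpm_t. If the scriptlets do not need that socket, `dontaudit rpm_script_t rpm_t:netlink_route_socket { read write };` would silence the denial without granting access.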
+++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,124 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3810,6 +3824,13 @@ index 0000000..9f6478c + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') + ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(chrome_sandbox_t) ++ fs_read_fusefs_files(chrome_sandbox_t) ++ fs_exec_fusefs_files(chrome_sandbox_t) ++ fs_read_fusefs_symlinks(chrome_sandbox_t) ++') ++ +optional_policy(` + sandbox_use_ptys(chrome_sandbox_t) +') @@ -13610,7 +13631,7 @@ index 6a1e4d1..cf3d50b 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..da927bb 100644 +index fae1ab1..1c54937 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -13623,7 +13644,7 @@ index fae1ab1..da927bb 100644 +##
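Review bot: `fs_exec_fusefs_files(chrome_sandbox_t)` in the new `use_fusefs_home_dirs` block of chrome.te (hunk `@@ -3810,6 +3824,13 @@`) lets the sandbox domain execute files from a FUSE mount, whose contents are supplied by the FUSE daemon and, for network-backed mounts, by a remote host. If the sandbox only needs to read from the home directory, the block could keep `fs_search_fusefs`, `fs_read_fusefs_files` and `fs_read_fusefs_symlinks` and drop the exec rule. If it must stay, add a comment naming what has to be executed from there. Only the tail of the preceding tunable block is visible in this hunk, so I cannot check whether the other home-directory blocks grant exec as well.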

+## +# -+gen_tunable(allow_domain_fd_use, false) ++gen_tunable(allow_domain_fd_use, true) + +## +##
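Review bot: Flipping the default to `gen_tunable(allow_domain_fd_use, true)` in domain.te changes behaviour for every system that installs this policy, not only for the services that needed it, and nothing in the hunk records why. The tunable's description text is not readable here, so I cannot tell whether it states the new default. It should state it, and say that hardened installs can switch the boolean back off with `setsebool -P allow_domain_fd_use off`. A comment such as `# default on for F16: <bug reference>` above the `gen_tunable` line would let the default be revisited later.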

@@ -13908,7 +13929,7 @@ index c19518a..b630279c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..367d234 100644 +index ff006ea..ff0c14f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -14048,7 +14069,32 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -1848,7 +1934,7 @@ interface(`files_boot_filetrans',` +@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',` + + ######################################## + ##

++## Set attributes of the root directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_root_dirs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:dir setattr_dir_perms; ++') ++ ++######################################## ++## + ## Unmount a rootfs filesystem. + ## + ## +@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -14057,7 +14103,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -2372,6 +2458,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -14082,7 +14128,7 @@ index ff006ea..367d234 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2555,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -14091,7 +14137,7 @@ index ff006ea..367d234 100644 ## ## # -@@ -2525,6 +2629,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2647,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -14116,7 +14162,7 @@ index ff006ea..367d234 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2746,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2764,7 @@ interface(`files_etc_filetrans',` type etc_t; ') @@ -14125,7 +14171,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -2680,24 +2802,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2820,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -14150,7 +14196,7 @@ index ff006ea..367d234 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2842,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2860,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## 
@@ -14175,7 +14221,7 @@ index ff006ea..367d234 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2897,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2915,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -14183,7 +14229,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -3364,7 +3487,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3505,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -14192,7 +14238,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -3502,20 +3625,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3643,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -14236,7 +14282,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -3900,6 +4041,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +4059,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -14336,7 +14382,7 @@ index ff006ea..367d234 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4179,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4197,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -14345,7 +14391,7 @@ index ff006ea..367d234 100644 ## ## # -@@ -4017,7 +4251,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4269,7 @@ interface(`files_list_tmp',` ## ## ## @@ -14354,7 +14400,7 @@ index ff006ea..367d234 100644 ## ## # -@@ -4029,6 +4263,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4281,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') 
@@ -14379,7 +14425,7 @@ index ff006ea..367d234 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4337,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,6 +4355,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -14412,11 +14458,79 @@ index ff006ea..367d234 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4417,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,7 +4435,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. + ## + ## + ## +@@ -4147,17 +4443,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4165,33 +4461,69 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Set the attributes of all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ++') ++ ++######################################## ++## ++## List all tmp directories. +## +## +## 
@@ -14424,38 +14538,37 @@ index ff006ea..367d234 100644 +## +## +# -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_list_all_tmp',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:dir list_dir_perms; +') + +######################################## +## -+## Relabel a file from the type used in /tmp. ++## Relabel to and from all temporary ++## directory types. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; ++ type var_t; + ') + -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## - ## Set the attributes of all tmp directories. - ## - ## -@@ -4202,7 +4516,7 @@ interface(`files_relabel_all_tmp_dirs',` ++ allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + +@@ -4202,7 +4534,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -14464,7 +14577,7 @@ index ff006ea..367d234 100644 ## ## # -@@ -4262,7 +4576,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4594,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -14473,7 +14586,7 @@ index ff006ea..367d234 100644 ## ## # -@@ -4318,7 +4632,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4650,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -14482,7 +14595,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -4342,6 +4656,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4674,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -14499,7 +14612,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -4681,7 +5005,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5023,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -14508,7 +14621,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -5084,7 +5408,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5426,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -14517,7 +14630,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -5219,7 +5543,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5561,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14526,11 +14639,10 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -5304,7 +5628,26 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5646,25 @@ interface(`files_manage_mounttab',` ######################################## ## --## Search the locks directory (/var/lock). +## List generic lock directories. +## +## @@ -14550,11 +14662,10 @@ index ff006ea..367d234 100644 + +######################################## +## -+## Search the locks directory (/var/lock). + ## Search the locks directory (/var/lock). ## ## - ## -@@ -5317,6 +5660,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5678,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -14563,7 +14674,7 @@ index ff006ea..367d234 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5681,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5699,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -14579,7 +14690,7 @@ index ff006ea..367d234 100644 ## ## ## -@@ -5349,12 +5696,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5714,30 @@ interface(`files_dontaudit_search_locks',` ## ## # 
@@ -14591,8 +14702,7 @@ index ff006ea..367d234 100644 + files_search_locks($1) + allow $1 var_lock_t:dir create_dir_perms; +') - -- list_dirs_pattern($1, var_t, var_lock_t) ++ +######################################## +## +## Set the attributes of the /var/lock directory. @@ -14607,12 +14717,13 @@ index ff006ea..367d234 100644 + gen_require(` + type var_lock_t; + ') -+ + +- list_dirs_pattern($1, var_t, var_lock_t) + allow $1 var_lock_t:dir setattr; ') ######################################## -@@ -5373,6 +5738,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5756,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -14620,7 +14731,7 @@ index ff006ea..367d234 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5751,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5769,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -14628,7 +14739,7 @@ index ff006ea..367d234 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5777,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5795,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -14637,7 +14748,7 @@ index ff006ea..367d234 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5793,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5811,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -14654,7 +14765,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -5452,7 +5817,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5835,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14663,7 +14774,7 @@ index ff006ea..367d234 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5858,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5876,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') 
@@ -14672,7 +14783,7 @@ index ff006ea..367d234 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5880,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5898,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -14681,7 +14792,7 @@ index ff006ea..367d234 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5912,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5930,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14692,7 +14803,7 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -5608,6 +5973,43 @@ interface(`files_search_pids',` +@@ -5608,6 +5991,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -14736,7 +14847,7 @@ index ff006ea..367d234 100644 ######################################## ## ## Do not audit attempts to search -@@ -5736,7 +6138,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6156,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -14745,190 +14856,380 @@ index ff006ea..367d234 100644 ') ######################################## -@@ -5815,6 +6217,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6235,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## +-## Read all process ID files. +## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` +interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t; + ') + +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5845,42 +6261,35 @@ interface(`files_read_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_pid_sockets',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process IDs. +## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_delete_all_pids',` +interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process ID directories. +## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5888,20 +6297,17 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` +interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -5909,56 +6315,59 @@ interface(`files_delete_all_pid_dirs',` + ## + ## + # +-interface(`files_search_spool',` +interface(`files_delete_all_pid_pipes',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. +## manage all pidfile directories +## in the /var/run directory. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_search_spool',` +interface(`files_manage_all_pid_dirs',` -+ gen_require(` + gen_require(` +- type var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; + manage_dirs_pattern($1,pidfile,pidfile) -+') -+ + ') + + -+######################################## -+## - ## Read all process ID files. + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Read all process ID files. ## ## -@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',` + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_list_spool',` ++interface(`files_read_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; ++ type var_t; + ') - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) +- list_dirs_pattern($1, var_t, var_spool_t) ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). 
+## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5966,18 +6375,17 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_relabel_all_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5985,19 +6393,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6005,104 +6412,61 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` +interface(`files_manage_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + manage_files_pattern($1,pidfile,pidfile) ') ######################################## -@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',` + ## +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Mount filesystems on all polyinstantiation ++## member directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## + # +-interface(`files_spool_filetrans',` ++interface(`files_mounton_all_poly_members',` + gen_require(` +- type var_t, var_spool_t; ++ attribute polymember; + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3) ++ allow $1 polymember:dir mounton; + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. ++## Delete all process IDs. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## ++## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_pids',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute pidfile; ++ type var_t, var_run_t; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + ') ######################################## ## +-## Unconfined access to files. ++## Delete all process ID directories. 
+ ## + ## + ## +@@ -6110,10 +6474,597 @@ interface(`files_polyinstantiate_all',` + ## + ## + # +-interface(`files_unconfined',` ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## +## Make the specified type a file +## used for spool files. +## 
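Review bot: Two interface summaries in the files.if hunk `@@ -14745,190 +14856,380 @@` read `Relable all pid directories` and `Relable all pid files`. They should read `Relabel all pid directories` and `Relabel all pid files`, so that a search of the interface documentation for "relabel" finds them. The summaries for `files_manage_all_pid_dirs` and `files_manage_all_pids` also start in lower case (`manage all pidfile directories`, `manage all pidfiles`), unlike the neighbouring summaries. The hunk mostly repositions existing interfaces, so this is wording only.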
@@ -15013,19 +15314,220 @@ index ff006ea..367d234 100644 + +######################################## +## - ## Search the contents of generic spool - ## directories (/var/spool). - ## -@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',` - ') - - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3) ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_spool_t, $2, $3, $4) - ') - - ######################################## -@@ -6117,3 +6769,284 @@ interface(`files_unconfined',` ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_unconfined',` + gen_require(` + attribute files_unconfined_type; + ') typeattribute $1 files_unconfined_type; ') @@ -19987,10 +20489,10 @@ index e88b95f..0eb55db 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..b3631d6 100644 +index 1bd5812..0d7d8d1 100644 
--- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc -@@ -1,11 +1,9 @@ +@@ -1,13 +1,13 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -20002,8 +20504,12 @@ index 1bd5812..b3631d6 100644 - /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) ++ /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -@@ -15,6 +13,19 @@ + /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) + +@@ -15,6 +15,19 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -20212,10 +20718,10 @@ index 0b827c5..e03a970 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..d141931 100644 +index 30861ec..e96a565 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te -@@ -5,7 +5,17 @@ policy_module(abrt, 1.2.0) +@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) # Declarations # @@ -20228,13 +20734,21 @@ index 30861ec..d141931 100644 +##
+gen_tunable(abrt_anon_write, false) + ++## ++##

++## Allow ABRT to run in abrt_handle_event_t domain ++## to handle ABRT event scripts ++##

++##
++gen_tunable(abrt_handle_event, false) ++ +attribute abrt_domain; + +type abrt_t, abrt_domain; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -32,9 +42,15 @@ files_type(abrt_var_cache_t) +@@ -32,9 +50,24 @@ files_type(abrt_var_cache_t) type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -20244,6 +20758,15 @@ index 30861ec..d141931 100644 + +permissive abrt_dump_oops_t; + ++# type for abrt-handle-event to handle ++# ABRT event scripts ++type abrt_handle_event_t, abrt_domain; ++type abrt_handle_event_exec_t; ++application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) ++role system_r types abrt_handle_event_t; ++ ++permissive abrt_handle_event_t; ++ # type needed to allow all domains # to handle /var/cache/abrt -type abrt_helper_t; @@ -20251,7 +20774,7 @@ index 30861ec..d141931 100644 type abrt_helper_exec_t; application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +59,37 @@ ifdef(`enable_mcs',` +@@ -43,14 +76,37 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -20291,7 +20814,7 @@ index 30861ec..d141931 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +98,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +115,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -20299,7 +20822,7 @@ index 30861ec..d141931 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +109,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +126,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) 
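Review bot: `abrt_handle_event_t` is declared `permissive` in this hunk and, in the later "abrt-handle-event local policy" hunk, is also passed to `unconfined_domain()` (where the unconfined module is present), so the new domain enforces nothing. Turning on the `abrt_handle_event` boolean therefore moves event scripts out of `abrt_t` into a less restricted domain, while the tunable text "Allow ABRT to run in abrt_handle_event_t domain" could be read as adding confinement. I would say so in the tunable description, e.g. `## Run ABRT event scripts in abrt_handle_event_t (currently permissive and unconfined) instead of abrt_t`. I would also put `# TODO: drop permissive and unconfined_domain() once the rules for event scripts are known` above `permissive abrt_handle_event_t;`.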
@@ -20307,7 +20830,7 @@ index 30861ec..d141931 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +123,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +140,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -20319,7 +20842,7 @@ index 30861ec..d141931 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +161,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -20327,7 +20850,7 @@ index 30861ec..d141931 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -20337,7 +20860,7 @@ index 30861ec..d141931 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +180,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -20346,7 +20869,7 @@ index 30861ec..d141931 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +175,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +192,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -20373,7 +20896,7 @@ index 30861ec..d141931 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +202,11 @@ optional_policy(` +@@ -150,6 +219,11 @@ optional_policy(` ') optional_policy(` 
@@ -20385,7 +20908,7 @@ index 30861ec..d141931 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +224,7 @@ optional_policy(` +@@ -167,6 +241,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -20393,7 +20916,7 @@ index 30861ec..d141931 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +236,18 @@ optional_policy(` +@@ -178,12 +253,35 @@ optional_policy(` ') optional_policy(` @@ -20406,6 +20929,23 @@ index 30861ec..d141931 100644 sssd_stream_connect(abrt_t) ') ++####################################### ++# ++# abrt-handle-event local policy ++# ++ ++allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; ++ ++tunable_policy(`abrt_handle_event',` ++ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t) ++',` ++ can_exec(abrt_t, abrt_handle_event_exec_t) ++') ++ ++optional_policy(` ++ unconfined_domain(abrt_handle_event_t) ++') ++ ######################################## # -# abrt--helper local policy @@ -20413,7 +20953,7 @@ index 30861ec..d141931 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +264,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -20442,7 +20982,7 @@ index 30861ec..d141931 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +287,126 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +321,126 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -20460,7 +21000,7 @@ index 30861ec..d141931 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; -+') + ') + +####################################### +# @@ -20495,7 +21035,7 @@ index 30861ec..d141931 100644 + rpm_manage_pid_files(abrt_retrace_coredump_t) + rpm_read_db(abrt_retrace_coredump_t) + rpm_signull(abrt_retrace_coredump_t) - ') ++') + +####################################### +# @@ -29829,7 +30369,7 @@ index f706b99..0d4a2ea 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..44d8969 100644 +index f231f17..4506fa3 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -29842,7 +30382,7 @@ index f231f17..44d8969 100644 ######################################## # # DeviceKit local policy -@@ -75,10 +78,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -75,10 +78,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -29852,10 +30392,11 @@ index f231f17..44d8969 100644 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) +kernel_list_unlabeled(devicekit_disk_t) ++kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -97,6 +102,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) +@@ -97,6 +103,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) 
@@ -29863,7 +30404,7 @@ index f231f17..44d8969 100644 domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) -@@ -105,14 +111,17 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -105,14 +112,17 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) @@ -29882,7 +30423,7 @@ index f231f17..44d8969 100644 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) -@@ -127,7 +136,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -127,7 +137,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -29891,7 +30432,7 @@ index f231f17..44d8969 100644 auth_use_nsswitch(devicekit_disk_t) -@@ -178,33 +187,53 @@ optional_policy(` +@@ -178,33 +188,53 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -29948,7 +30489,7 @@ index f231f17..44d8969 100644 domain_read_all_domains_state(devicekit_power_t) dev_read_input(devicekit_power_t) -@@ -212,21 +241,29 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,21 +242,29 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -29979,7 +30520,7 @@ index f231f17..44d8969 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,6 +272,10 @@ optional_policy(` +@@ -235,6 +273,10 @@ optional_policy(` ') optional_policy(` @@ -29990,7 +30531,7 @@ index f231f17..44d8969 100644 cron_initrc_domtrans(devicekit_power_t) ') -@@ -261,14 +302,21 @@ optional_policy(` +@@ -261,14 +303,21 @@ optional_policy(` ') optional_policy(` 
@@ -30013,7 +30554,7 @@ index f231f17..44d8969 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +324,25 @@ optional_policy(` +@@ -276,9 +325,25 @@ optional_policy(` ') optional_policy(` @@ -33723,10 +34264,10 @@ index 458aac6..8e83609 100644 + userdom_search_user_home_dirs($1) +') diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te -index 7382f85..03dba61 100644 +index 7382f85..2ef543c 100644 --- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te -@@ -1,8 +1,195 @@ +@@ -1,8 +1,197 @@ -policy_module(git, 1.0) +policy_module(git, 1.0.3) + @@ -33750,9 +34291,10 @@ index 7382f85..03dba61 100644 +##

+## +gen_tunable(git_system_use_nfs, false) -+ -+######################################## -+# + + ######################################## + # +-# Declarations +# Git daemon global private declarations. +# + @@ -33766,7 +34308,7 @@ index 7382f85..03dba61 100644 +role git_shell_r; + +######################################## -+# + # +# Git daemon system private declarations. +# + @@ -33836,7 +34378,8 @@ index 7382f85..03dba61 100644 +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(git_domains) +') -+ + +-apache_content_template(git) +optional_policy(` + nis_use_ypbind(git_domains) +') @@ -33905,18 +34448,18 @@ index 7382f85..03dba61 100644 + fs_list_cifs(git_session_t) + fs_read_cifs_files(git_session_t) +') - - ######################################## - # --# Declarations ++ ++######################################## ++# +# cgi git Declarations - # - --apache_content_template(git) ++# ++ +optional_policy(` + apache_content_template(git) + git_read_all_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) ++ ++ auth_use_nsswitch(httpd_git_script_t) +') + +######################################## @@ -53187,13 +53730,30 @@ index 0000000..71d9784 + diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..83336ab +index 0000000..7647279 --- /dev/null +++ b/policy/modules/services/vdagent.if -@@ -0,0 +1,93 @@ +@@ -0,0 +1,128 @@ + +## policy for vdagent + ++##################################### ++## ++## Getattr on vdagent executable. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vdagent_getattr_exec',` ++ gen_require(` ++ type vdagent_exec_t; ++ ') ++ ++ allow $1 vdagent_exec_t:file getattr; ++') + +######################################## +## 
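Review bot: `auth_use_nsswitch(httpd_git_script_t)` grants more than the "read passwd data" named in the commit description. As far as I know, that interface covers every name-service back end nsswitch can be configured with, which usually includes network lookups, and this domain runs CGI scripts that handle web requests. If the scripts only need local passwd entries, a narrower grant would keep the domain tighter. If the full nsswitch access is intended, a comment above the call would record it, e.g. `# passwd lookups for the git CGI scripts; nsswitch is broader than a passwd read`.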
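Review bot: The parameter description of the new `vdagent_getattr_exec` interface reads "Domain allowed to transition.", which looks copied from the domtrans interface that follows it. The interface only allows `getattr` on `vdagent_exec_t`, so the description should be `Domain allowed access.`. For consistency with `vdagent_getattr_log`, added to the same file in the next hunk, the rule could use the permission set instead of the bare permission: `allow $1 vdagent_exec_t:file getattr_file_perms;`.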
@@ -53213,6 +53773,24 @@ index 0000000..83336ab + domtrans_pattern($1, vdagent_exec_t, vdagent_t) +') + ++####################################### ++## ++## Get the attributes of vdagent logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vdagent_getattr_log',` ++ gen_require(` ++ type vdagent_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 vdagent_log_t:file getattr_file_perms; ++') + +######################################## +## @@ -58530,10 +59108,19 @@ index a97a096..ab1e16a 100644 /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index c28da1c..73883c4 100644 +index c28da1c..bf8ea27 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te -@@ -101,6 +101,8 @@ files_read_usr_files(fsadm_t) +@@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t) + allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; + allow fsadm_t fsadm_tmp_t:file manage_file_perms; + files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) ++files_create_boot_flag(fsadm_t) ++files_setattr_root_dirs(fsadm_t) + + # log files + allow fsadm_t fsadm_log_t:dir setattr; +@@ -101,6 +103,8 @@ files_read_usr_files(fsadm_t) files_read_etc_files(fsadm_t) files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) @@ -58542,7 +59129,7 @@ index c28da1c..73883c4 100644 # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -120,6 +122,9 @@ fs_list_auto_mountpoints(fsadm_t) +@@ -120,6 +124,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) 
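Review bot: In the fstools.te hunk, `files_create_boot_flag(fsadm_t)` and `files_setattr_root_dirs(fsadm_t)` are added directly under the `fsadm_tmp_t` rules with no comment, and the commit description does not mention fstools. Other grants in this file state their reason (`# Write to /etc/mtab.`, `# Recreate /mnt/cdrom.`), and changing attributes on the root directory is broad enough to deserve the same. I would move the two calls next to the other `files_*` calls for `fsadm_t` and add a one-line comment naming the tool and operation that need them, e.g. `# <tool> sets attributes on / and creates the boot flag file`.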
@@ -58552,7 +59139,7 @@ index c28da1c..73883c4 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -133,10 +138,12 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,10 +140,12 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -58565,7 +59152,7 @@ index c28da1c..73883c4 100644 init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) -@@ -147,13 +154,13 @@ miscfiles_read_localization(fsadm_t) +@@ -147,13 +156,13 @@ miscfiles_read_localization(fsadm_t) seutil_read_config(fsadm_t) @@ -58585,7 +59172,7 @@ index c28da1c..73883c4 100644 optional_policy(` amanda_rw_dumpdates_files(fsadm_t) -@@ -166,6 +173,11 @@ optional_policy(` +@@ -166,6 +175,11 @@ optional_policy(` ') optional_policy(` @@ -58597,7 +59184,7 @@ index c28da1c..73883c4 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -192,6 +204,10 @@ optional_policy(` +@@ -192,6 +206,10 @@ optional_policy(` ') optional_policy(` @@ -61858,7 +62445,7 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..2674701 100644 +index b6ec597..0c27f81 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) @@ -62018,7 +62605,15 @@ index b6ec597..2674701 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -496,11 +535,20 @@ optional_policy(` +@@ -459,6 +498,7 @@ init_use_fds(syslogd_t) + + # cjp: this doesnt make sense + logging_send_syslog_msg(syslogd_t) ++logging_manage_all_logs(syslogd_t) + + miscfiles_read_localization(syslogd_t) + +@@ -496,11 +536,20 @@ optional_policy(` ') optional_policy(` @@ -66000,7 +66595,7 @@ index 025348a..c15e57c 100644 +') + 
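Review bot: In the logging.te hunk, `logging_manage_all_logs(syslogd_t)` is appended directly under the existing `# cjp: this doesnt make sense` comment, so the new grant reads as if that remark applied to it. The interface lets syslogd create, modify and delete every file that carries a log type, not only the files it writes itself. That matters because syslogd processes messages from other processes, and possibly remote hosts, and those logs are what an investigator relies on afterwards. I would separate the call with a blank line and its own comment, e.g. `# syslog can be configured to write to any log file`, and check whether create and append access would be enough for the use case.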
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..4485816 100644 +index d88f7c3..6932809 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -66045,7 +66640,7 @@ index d88f7c3..4485816 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,17 +69,15 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -66054,7 +66649,9 @@ index d88f7c3..4485816 100644 -dev_filetrans(udev_t, udev_tbl_t, file) - list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) - read_files_pattern(udev_t, udev_rules_t, udev_rules_t) +-read_files_pattern(udev_t, udev_rules_t, udev_rules_t) ++manage_files_pattern(udev_t, udev_rules_t, udev_rules_t) ++manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) @@ -66066,7 +66663,7 @@ index d88f7c3..4485816 100644 kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -87,6 +92,7 @@ kernel_rw_unix_dgram_sockets(udev_t) +@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) kernel_search_debugfs(udev_t) @@ -66074,7 +66671,7 @@ index d88f7c3..4485816 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t) +@@ -97,6 +104,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) 
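Review bot: Replacing `read_files_pattern(udev_t, udev_rules_t, udev_rules_t)` with `manage_files_pattern` plus `manage_lnk_files_pattern` gives `udev_t` write access to the rules that decide which programs it runs on device events. Neither the commit description nor a comment explains the need. Because udev handles data that comes from devices, write access to its own rule set would let a flaw in it leave changes that survive a reboot. If a rule generator has to write there (I cannot tell from the hunk), a comment such as `# udev rule generators write to <rules dir>` would document it. A separate type for generated rules would keep the packaged rules read-only.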
@@ -66082,7 +66679,7 @@ index d88f7c3..4485816 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +112,28 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +113,28 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -66112,7 +66709,7 @@ index d88f7c3..4485816 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -66120,7 +66717,7 @@ index d88f7c3..4485816 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -66129,7 +66726,7 @@ index d88f7c3..4485816 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,15 +203,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +204,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -66150,7 +66747,7 @@ index d88f7c3..4485816 100644 ') optional_policy(` -@@ -216,11 +234,16 @@ optional_policy(` +@@ -216,11 +235,16 @@ optional_policy(` ') optional_policy(` @@ -66168,7 +66765,7 @@ index d88f7c3..4485816 100644 ') optional_policy(` -@@ -230,10 +253,20 @@ optional_policy(` +@@ -230,10 +254,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -66189,7 +66786,7 @@ index d88f7c3..4485816 100644 ') optional_policy(` -@@ -259,6 +292,10 @@ optional_policy(` +@@ -259,6 +293,10 @@ optional_policy(` ') optional_policy(` 
@@ -66200,7 +66797,7 @@ index d88f7c3..4485816 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +310,11 @@ optional_policy(` +@@ -273,6 +311,11 @@ optional_policy(` ') optional_policy(` @@ -66987,7 +67584,7 @@ index db75976..cca4cd1 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..6bd7bd2 100644 +index 4b2878a..76d6c05 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -68129,7 +68726,7 @@ index 4b2878a..6bd7bd2 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,32 +1238,76 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1238,71 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -68156,17 +68753,13 @@ index 4b2878a..6bd7bd2 100644 + + tunable_policy(`user_setrlimit',` + allow $1_usertype self:process setrlimit; - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cron_role($1_r, $1_t) + ') + 
@@ -68196,29 +68789,36 @@ index 4b2878a..6bd7bd2 100644 + + optional_policy(` + mono_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) + ') + + optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) + ') + + optional_policy(` ++ wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) -+ ') -+ -+ # Run pppd in pppd_t by default for user -+ optional_policy(` -+ ppp_run_cond($1_t, $1_r) + ') + + # Run pppd in pppd_t by default for user +@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', ` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) ++ vdagent_getattr_log($1_t) ++ vdagent_getattr_exec($1_t) ++ vdagent_stream_connect($1_t) ') ') -@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -68227,7 +68827,7 @@ index 4b2878a..6bd7bd2 100644 ') ############################## -@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -68235,7 +68835,7 @@ index 4b2878a..6bd7bd2 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -68245,7 +68845,7 @@ index 4b2878a..6bd7bd2 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -68253,7 +68853,7 @@ index 4b2878a..6bd7bd2 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -68267,7 +68867,7 @@ index 4b2878a..6bd7bd2 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1431,37 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1437,37 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -68309,7 +68909,7 @@ index 4b2878a..6bd7bd2 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1471,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1477,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -68318,7 +68918,7 @@ index 4b2878a..6bd7bd2 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1532,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1538,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -68327,7 +68927,7 @@ index 4b2878a..6bd7bd2 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1546,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1552,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -68338,7 +68938,7 @@ index 4b2878a..6bd7bd2 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1559,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1565,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -68367,7 +68967,7 @@ index 4b2878a..6bd7bd2 100644 ') optional_policy(` -@@ -1251,12 +1587,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1593,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -68383,7 +68983,7 @@ index 4b2878a..6bd7bd2 100644 ') optional_policy(` -@@ -1279,54 +1615,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1621,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -68465,7 +69065,7 @@ index 4b2878a..6bd7bd2 100644 ## ## ## -@@ -1334,7 +1682,44 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,7 +1688,44 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -68511,7 +69111,7 @@ index 4b2878a..6bd7bd2 100644 gen_require(` type user_devpts_t; ') -@@ -1395,6 +1780,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1786,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -68519,7 +69119,7 @@ index 4b2878a..6bd7bd2 100644 files_search_home($1) ') -@@ -1441,6 +1827,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1833,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -68534,7 +69134,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -1456,9 +1850,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1856,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -68546,7 +69146,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -1515,6 +1911,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1917,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -68589,7 +69189,7 @@ index 4b2878a..6bd7bd2 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2021,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2027,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -68598,7 +69198,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -1603,10 +2037,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2043,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -68613,7 +69213,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -1649,6 +2085,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2091,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -68657,7 +69257,7 @@ index 4b2878a..6bd7bd2 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2141,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2147,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -68683,7 +69283,7 @@ index 4b2878a..6bd7bd2 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2192,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2198,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -68716,7 +69316,7 @@ index 4b2878a..6bd7bd2 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2228,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2234,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -68734,7 +69334,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -1779,6 +2294,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2300,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -68795,7 +69395,7 @@ index 4b2878a..6bd7bd2 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2379,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2385,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -68805,7 +69405,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -1827,20 +2395,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2401,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -68830,7 +69430,7 @@ index 4b2878a..6bd7bd2 100644 ######################################## ## -@@ -1941,6 +2503,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2509,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## 
@@ -68855,7 +69455,7 @@ index 4b2878a..6bd7bd2 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2588,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2594,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -68864,7 +69464,7 @@ index 4b2878a..6bd7bd2 100644 files_search_home($1) ') -@@ -2182,7 +2762,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2768,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -68873,7 +69473,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -2435,13 +3015,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3021,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -68889,7 +69489,7 @@ index 4b2878a..6bd7bd2 100644 ## ## ## -@@ -2462,26 +3043,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3049,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -68916,7 +69516,7 @@ index 4b2878a..6bd7bd2 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3133,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3139,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -68925,7 +69525,7 @@ index 4b2878a..6bd7bd2 100644 ## ## ## -@@ -2580,70 +3141,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3147,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -68997,8 +69597,9 @@ index 4b2878a..6bd7bd2 100644 gen_require(` - type user_tty_device_t, user_devpts_t; + type user_devpts_t; -+ ') -+ + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + 
@@ -69065,9 +69666,9 @@ index 4b2878a..6bd7bd2 100644 +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_term_perms; dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') @@ -69093,7 +69694,7 @@ index 4b2878a..6bd7bd2 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3365,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3371,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -69118,7 +69719,7 @@ index 4b2878a..6bd7bd2 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3383,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3389,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -69144,7 +69745,7 @@ index 4b2878a..6bd7bd2 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3444,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3450,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -69153,7 +69754,7 @@ index 4b2878a..6bd7bd2 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3460,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3466,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -69187,7 +69788,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -2972,7 +3548,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3554,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -69196,7 +69797,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -3027,7 +3603,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3609,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -69243,7 +69844,7 @@ index 4b2878a..6bd7bd2 100644 ') ######################################## -@@ -3064,6 +3678,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3684,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -69251,7 +69852,7 @@ index 4b2878a..6bd7bd2 100644 kernel_search_proc($1) ') -@@ -3142,6 +3757,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3763,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -69276,7 +69877,7 @@ index 4b2878a..6bd7bd2 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3827,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3833,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9ef5e91..e97cc3a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Aug 11 2011 Miroslav Grepl 3.10.0-18 +- Turn on allow_domain_fd_use boolean on F16 +- Allow syslog to manage all log files +- Add use_fusefs_home_dirs boolean for chrome +- Make vdagent working with confined users +- Add abrt_handle_event_t domain for ABRT event scripts +- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change +- Allow httpd_git_script_t to read passwd data +- Allow openvpn to set its process priority when the nice parameter is used + * Wed Aug 10 2011 Miroslav Grepl 3.10.0-17 - livecd fixes - spec file fixes