From 2828d42ec2e0a7a7a15d6c9228d7293adfb738e0 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 19 2012 13:58:29 +0000 Subject: * Mon Nov 19 2012 Miroslav Grepl 3.11.1-55 - Fix userhelper_console_role_template() - Allow enabling Network Access Point service using blueman - Make vmware_host_t as unconfined domain - Allow authenticate users in webaccess via squid, using mysql as backend - Allow gathers to get various metrics on mounted file systems - Allow firewalld to read /etc/hosts - Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t inst - Allow kdumpgui to read/write to zipl.conf - Commands needed to get mock to build from staff_t in enforcing mode - Allow mdadm_t to manage cgroup files - Allow all daemons and systemprocesses to use inherited initrc_tmp_t files - dontaudit ifconfig_t looking at fifo_files that are leaked to it - Add lableing for Quest Authentication System --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index fd1af43..f161cfe 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -117405,7 +117405,7 @@ index 8796ca3..c2055b3 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..f10ea0b 100644 +index e1e814d..edf2674 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ 
@@ -117553,7 +117553,33 @@ index e1e814d..f10ea0b 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -1073,10 +1182,8 @@ interface(`files_relabel_all_files',` +@@ -953,6 +1062,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` + + ######################################## + ## ++## Do not audit attempts to read/write ++## of non security named pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_pipes',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## + ## Get the attributes of all named sockets. + ## + ## +@@ -1073,10 +1201,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -117566,7 +117592,7 @@ index e1e814d..f10ea0b 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1655,6 +1762,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1655,6 +1781,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -117591,7 +117617,7 @@ index e1e814d..f10ea0b 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1673,6 +1798,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1673,6 +1817,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -117616,7 +117642,7 @@ index e1e814d..f10ea0b 100644 ## List the contents of the root directory. ## ## -@@ -1856,6 +1999,42 @@ interface(`files_delete_root_dir_entry',` +@@ -1856,6 +2018,42 @@ interface(`files_delete_root_dir_entry',` ######################################## ## 
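Review bot: The new `files_dontaudit_rw_inherited_pipes` interface in this hunk silences read/write denials on every `non_security_file_type` fifo, but its summary `## Do not audit attempts to read/write of non security named pipes.` does not say the rule is scoped to inherited (leaked) descriptors, which is what the interface name and the `rw_inherited_fifo_file_perms` set express. Suggest `## Do not audit attempts to read or write inherited non security named pipes (leaked descriptors).` so policy writers do not reach for it to hide ordinary fifo denials, which are the signal that a descriptor leak needs a real fix rather than a dontaudit. `rw_inherited_fifo_file_perms` is not defined anywhere in the visible hunk; if it is a distribution-specific permission set rather than an upstream one, make sure the same patch series defines it before this interface is called, or the policy build will fail.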
@@ -117659,7 +117685,7 @@ index e1e814d..f10ea0b 100644 ## Unmount a rootfs filesystem. ## ## -@@ -1874,6 +2053,24 @@ interface(`files_unmount_rootfs',` +@@ -1874,6 +2072,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -117684,7 +117710,7 @@ index e1e814d..f10ea0b 100644 ## Get attributes of the /boot directory. ## ## -@@ -2573,6 +2770,24 @@ interface(`files_rw_etc_dirs',` +@@ -2573,6 +2789,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -117709,7 +117735,7 @@ index e1e814d..f10ea0b 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2644,6 +2859,7 @@ interface(`files_read_etc_files',` +@@ -2644,6 +2878,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -117717,7 +117743,7 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -2652,7 +2868,7 @@ interface(`files_read_etc_files',` +@@ -2652,7 +2887,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -117726,7 +117752,7 @@ index e1e814d..f10ea0b 100644 ## ## # -@@ -2708,6 +2924,25 @@ interface(`files_manage_etc_files',` +@@ -2708,6 +2943,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -117752,7 +117778,7 @@ index e1e814d..f10ea0b 100644 ## Delete system configuration files in /etc. ## ## -@@ -2726,6 +2961,24 @@ interface(`files_delete_etc_files',` +@@ -2726,6 +2980,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -117777,7 +117803,7 @@ index e1e814d..f10ea0b 100644 ## Execute generic files in /etc. ## ## -@@ -2891,24 +3144,6 @@ interface(`files_delete_boot_flag',` +@@ -2891,24 +3163,6 @@ interface(`files_delete_boot_flag',` ######################################## ## 
@@ -117802,11 +117828,67 @@ index e1e814d..f10ea0b 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2949,6 +3184,42 @@ interface(`files_read_etc_runtime_files',` +@@ -2949,9 +3203,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## +-## Do not audit attempts to read files +-## in /etc that are dynamically +-## created on boot, such as mtab. +## Do not audit attempts to set the attributes of the etc_runtime files + ## + ## + ## +@@ -2959,42 +3211,81 @@ interface(`files_read_etc_runtime_files',` + ## + ## + # +-interface(`files_dontaudit_read_etc_runtime_files',` ++interface(`files_dontaudit_setattr_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + +- dontaudit $1 etc_runtime_t:file { getattr read }; ++ dontaudit $1 etc_runtime_t:file setattr; + ') + + ######################################## + ## +-## Read and write files in /etc that are dynamically +-## created on boot, such as mtab. ++## Do not audit attempts to write etc_runtime files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## + # +-interface(`files_rw_etc_runtime_files',` ++interface(`files_dontaudit_write_etc_runtime_files',` + gen_require(` +- type etc_t, etc_runtime_t; ++ type etc_runtime_t; + ') + +- allow $1 etc_t:dir list_dir_perms; +- rw_files_pattern($1, etc_t, etc_runtime_t) ++ dontaudit $1 etc_runtime_t:file write; + ') + + ######################################## + ## +-## Create, read, write, and delete files in +-## /etc that are dynamically created on boot, +-## such as mtab. +-## +-## ++## Do not audit attempts to read files ++## in /etc that are dynamically ++## created on boot, such as mtab. +## +## +## 
@@ -117814,46 +117896,47 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_dontaudit_setattr_etc_runtime_files',` ++interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + -+ dontaudit $1 etc_runtime_t:file setattr; ++ dontaudit $1 etc_runtime_t:file { getattr read }; +') + +######################################## +## -+## Do not audit attempts to write etc_runtime files ++## Read and write files in /etc that are dynamically ++## created on boot, such as mtab. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## ++## +# -+interface(`files_dontaudit_write_etc_runtime_files',` ++interface(`files_rw_etc_runtime_files',` + gen_require(` -+ type etc_runtime_t; ++ type etc_t, etc_runtime_t; + ') + -+ dontaudit $1 etc_runtime_t:file write; ++ allow $1 etc_t:dir list_dir_perms; ++ rw_files_pattern($1, etc_t, etc_runtime_t) ++ read_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## - ## Do not audit attempts to read files - ## in /etc that are dynamically - ## created on boot, such as mtab. -@@ -2986,6 +3257,7 @@ interface(`files_rw_etc_runtime_files',` - - allow $1 etc_t:dir list_dir_perms; - rw_files_pattern($1, etc_t, etc_runtime_t) -+ read_lnk_files_pattern($1, etc_t, etc_t) - ') - - ######################################## -@@ -3007,6 +3279,7 @@ interface(`files_manage_etc_runtime_files',` ++## Create, read, write, and delete files in ++## /etc that are dynamically created on boot, ++## such as mtab. ++## ++## + ## + ## Domain allowed access. + ## +@@ -3007,6 +3298,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) 
@@ -117861,22 +117944,19 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -3135,8 +3408,8 @@ interface(`files_delete_isid_type_dirs',` +@@ -3135,6 +3427,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## --## Create, read, write, and delete directories --## on new filesystems that have not yet been labeled. +## Relabelfrom all file opbjects on new filesystems +## that have not yet been labeled. - ## - ## - ## -@@ -3144,7 +3417,26 @@ interface(`files_delete_isid_type_dirs',` - ## - ## - # --interface(`files_manage_isid_type_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabelfrom_isid_type',` + gen_require(` + type file_t; @@ -117887,20 +117967,10 @@ index e1e814d..f10ea0b 100644 + +######################################## +## -+## Create, read, write, and delete directories -+## on new filesystems that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_isid_type_dirs',` - gen_require(` - type file_t; - ') -@@ -3382,6 +3674,25 @@ interface(`files_rw_isid_type_blk_files',` + ## Create, read, write, and delete directories + ## on new filesystems that have not yet been labeled. + ## +@@ -3382,6 +3693,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -117926,7 +117996,7 @@ index e1e814d..f10ea0b 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3723,20 +4034,38 @@ interface(`files_list_mnt',` +@@ -3723,20 +4053,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -117970,7 +118040,7 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -4126,6 +4455,127 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +4474,127 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -118098,7 +118168,7 @@ index e1e814d..f10ea0b 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4598,26 @@ interface(`files_associate_tmp',` +@@ -4148,6 +4617,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118125,7 +118195,7 @@ index e1e814d..f10ea0b 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4631,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4650,7 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118133,7 +118203,7 @@ index e1e814d..f10ea0b 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4642,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4171,7 +4661,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -118142,7 +118212,7 @@ index e1e814d..f10ea0b 100644 ## ## # -@@ -4198,6 +4669,7 @@ interface(`files_search_tmp',` +@@ -4198,6 +4688,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -118150,7 +118220,7 @@ index e1e814d..f10ea0b 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4706,7 @@ interface(`files_list_tmp',` +@@ -4234,6 +4725,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118158,7 +118228,7 @@ index e1e814d..f10ea0b 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4716,7 @@ interface(`files_list_tmp',` +@@ -4243,7 +4735,7 @@ interface(`files_list_tmp',` ## ## ## @@ -118167,7 +118237,7 @@ index e1e814d..f10ea0b 100644 ## ## # -@@ -4255,6 +4728,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4747,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -118193,7 +118263,7 @@ index e1e814d..f10ea0b 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4762,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4270,6 +4781,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') 
@@ -118201,7 +118271,7 @@ index e1e814d..f10ea0b 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4804,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4311,6 +4823,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -118234,29 +118304,199 @@ index e1e814d..f10ea0b 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4884,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,7 +4903,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. -+## -+## -+## + ## + ## + ## +@@ -4373,17 +4911,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4391,59 +4929,53 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Set the attributes of all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Allow caller to read inherited tmp files. + ## + ## + ## +-## Domain not to audit. +## Domain allowed access. 
+ ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:file getattr; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Allow caller to append inherited tmp files. + ## + ## + ## +@@ -4451,62 +4983,140 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- allow $1 tmpfile:file getattr; ++ allow $1 tmpfile:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## List all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Relabel to and from all temporary ++## directory types. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Read all tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp files. + ## + ## + ## +-## Domain allowed access. 
++## Domain to not audit. +## +## +# -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmpfile:file getattr; +') + +######################################## +## -+## Relabel a file from the type used in /tmp. ++## Allow attempts to get the attributes ++## of all tmp files. +## +## +## 
@@ -118264,81 +118504,66 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file getattr; +') + +######################################## +## - ## Set the attributes of all tmp directories. - ## - ## -@@ -4383,6 +4938,42 @@ interface(`files_setattr_all_tmp_dirs',` - - ######################################## - ## -+## Allow caller to read inherited tmp files. ++## Relabel to and from all temporary ++## file types. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_read_inherited_tmp_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) +') + +######################################## +## -+## Allow caller to append inherited tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_append_inherited_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file append_inherited_file_perms; ++ dontaudit $1 tmpfile:sock_file getattr; +') + +######################################## +## - ## List all tmp directories. - ## - ## -@@ -4428,7 +5019,7 @@ interface(`files_relabel_all_tmp_dirs',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4488,7 +5079,7 @@ interface(`files_relabel_all_tmp_files',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. ++## Read all tmp files. ++## ++## ++## ++## Domain allowed access. 
## ## # -@@ -4573,6 +5164,16 @@ interface(`files_purge_tmp',` +@@ -4573,6 +5183,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -118355,7 +118580,7 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -5150,6 +5751,24 @@ interface(`files_list_var',` +@@ -5150,6 +5770,24 @@ interface(`files_list_var',` ######################################## ## @@ -118380,7 +118605,7 @@ index e1e814d..f10ea0b 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5505,6 +6124,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5505,6 +6143,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118406,7 +118631,7 @@ index e1e814d..f10ea0b 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6188,7 @@ interface(`files_manage_mounttab',` +@@ -5550,7 +6207,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118415,7 +118640,7 @@ index e1e814d..f10ea0b 100644 ## ## ## -@@ -5558,12 +6196,13 @@ interface(`files_manage_mounttab',` +@@ -5558,12 +6215,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -118431,7 +118656,7 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -5581,6 +6220,7 @@ interface(`files_search_locks',` +@@ -5581,6 +6239,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -118439,7 +118664,7 @@ index e1e814d..f10ea0b 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6247,7 @@ interface(`files_dontaudit_search_locks',` +@@ -5607,7 +6266,7 @@ interface(`files_dontaudit_search_locks',` ######################################## ## 
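Review bot: `files_read_inherited_tmp_files` in this hunk grants `allow $1 tmpfile:file { append read_inherited_file_perms };`, so an interface documented as `## Allow caller to read inherited tmp files.` also hands out `append` on every `tmpfile` file, while the same hunk carries a separate `files_append_inherited_tmp_files` for exactly that permission. Either drop `append` here and point callers that need it at the append interface, or change the summary to `## Allow caller to read and append to inherited tmp files.` so the write access being granted is visible to anyone auditing a caller's policy. The body is not changed by this commit, only relocated, so this is pre-existing, but it is worth fixing while the block is being moved.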
@@ -118448,7 +118673,7 @@ index e1e814d..f10ea0b 100644 ## ## ## -@@ -5615,13 +6255,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5615,13 +6274,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -118465,7 +118690,7 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -5640,7 +6279,7 @@ interface(`files_rw_lock_dirs',` +@@ -5640,7 +6298,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -118474,7 +118699,7 @@ index e1e814d..f10ea0b 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6312,6 @@ interface(`files_create_lock_dirs',` +@@ -5673,7 +6331,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -118482,7 +118707,7 @@ index e1e814d..f10ea0b 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6339,7 @@ interface(`files_getattr_generic_locks',` +@@ -5701,8 +6358,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -118492,7 +118717,7 @@ index e1e814d..f10ea0b 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6355,12 @@ interface(`files_getattr_generic_locks',` +@@ -5718,13 +6374,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -118510,7 +118735,7 @@ index e1e814d..f10ea0b 100644 ') ######################################## -@@ -5743,8 +6379,7 @@ interface(`files_manage_generic_locks',` +@@ -5743,8 +6398,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -118520,7 +118745,7 @@ index e1e814d..f10ea0b 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6421,7 @@ interface(`files_read_all_locks',` +@@ -5786,8 +6440,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') 
@@ -118530,7 +118755,7 @@ index e1e814d..f10ea0b 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6443,7 @@ interface(`files_manage_all_locks',` +@@ -5809,8 +6462,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -118540,7 +118765,7 @@ index e1e814d..f10ea0b 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6480,7 @@ interface(`files_lock_filetrans',` +@@ -5847,8 +6499,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -118550,7 +118775,7 @@ index e1e814d..f10ea0b 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6543,43 @@ interface(`files_search_pids',` +@@ -5911,6 +6562,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') 
@@ -118593,82 +118818,347 @@ index e1e814d..f10ea0b 100644 + ######################################## ## - ## Do not audit attempts to search -@@ -5933,6 +6602,25 @@ interface(`files_dontaudit_search_pids',` + ## Do not audit attempts to search +@@ -5933,6 +6621,25 @@ interface(`files_dontaudit_search_pids',` + + ######################################## + ## ++## Do not audit attempts to search ++## the all /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6048,7 +6755,6 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + +@@ -6157,30 +6863,25 @@ interface(`files_dontaudit_ioctl_all_pids',` + + ######################################## + ## +-## Read all process ID files. ++## Relable all pid directories + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. 
++## Delete all pid sockets + ## + ## + ## +@@ -6188,43 +6889,35 @@ interface(`files_read_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` +- attribute polymember; ++ attribute pidfile; + ') + +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process IDs. ++## Create all pid sockets + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` ++interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process ID directories. ++## Create all pid named pipes + ## + ## + ## +@@ -6232,21 +6925,17 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). 
++## Delete all pid named pipes + ## + ## + ## +@@ -6254,56 +6943,59 @@ interface(`files_delete_all_pid_dirs',` + ## + ## + # +-interface(`files_search_spool',` ++interface(`files_delete_all_pid_pipes',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- search_dirs_pattern($1, var_t, var_spool_t) ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## manage all pidfile directories ++## in the /var/run directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_manage_all_pid_dirs',` + gen_require(` +- type var_spool_t; ++ attribute pidfile; + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ manage_dirs_pattern($1,pidfile,pidfile) + ') + ++ + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Read all process ID files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_list_spool',` ++interface(`files_read_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; ++ type var_t; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). 
++## Relable all pid files + ## + ## + ## +@@ -6311,18 +7003,17 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` ++interface(`files_relabel_all_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) + ') ######################################## ## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). +-## Read generic spool files. ++## Execute generic programs in /var/run in the caller domain. ## -@@ -6048,7 +6736,6 @@ interface(`files_pid_filetrans',` + ## + ## +@@ -6330,19 +7021,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` ++interface(`files_exec_generic_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ type var_run_t; ') - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++ exec_files_pattern($1, var_run_t, var_run_t) ') -@@ -6157,6 +6844,116 @@ interface(`files_dontaudit_ioctl_all_pids',` + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. ++## manage all pidfiles ++## in the /var/run directory. 
+ ## + ## + ## +@@ -6350,30 +7040,295 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` ++interface(`files_manage_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) ++ manage_files_pattern($1,pidfile,pidfile) + ') ######################################## ## -+## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Mount filesystems on all polyinstantiation ++## member directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +# -+interface(`files_relabel_all_pid_dirs',` ++interface(`files_mounton_all_poly_members',` + gen_require(` -+ attribute pidfile; ++ attribute polymember; + ') + -+ relabel_dirs_pattern($1, pidfile, pidfile) ++ allow $1 polymember:dir mounton; +') + +######################################## +## -+## Delete all pid sockets ++## Delete all process IDs. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_delete_all_pid_sockets',` ++interface(`files_delete_all_pids',` + gen_require(` + attribute pidfile; ++ type var_t, var_run_t; + ') + -+ allow $1 pidfile:sock_file delete_sock_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +') + +######################################## +## -+## Create all pid sockets ++## Delete all process ID directories. +## +## +## 
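Review bot: `files_exec_generic_pid_files` in this hunk grants `exec_files_pattern($1, var_run_t, var_run_t)`, i.e. execution of anything carrying the generic `var_run_t` label rather than a dedicated pid type, and the summary `## Execute generic programs in /var/run in the caller domain.` should say that it covers any file left under the generic label so callers stay limited to the few domains that genuinely run code from there; whether the commit introduces this interface or only relocates it is not visible from the hunk. Two smaller points in the same hunk: `manage_dirs_pattern($1,pidfile,pidfile)` in `files_manage_all_pid_dirs` and `manage_files_pattern($1,pidfile,pidfile)` in `files_manage_all_pids` drop the `, ` spacing every other pattern call in the file uses, and the summaries `## Relable all pid directories` and `## Relable all pid files` misspell "Relabel". `files_manage_all_pid_dirs` is also followed by two blank lines where the file otherwise uses one. The hunk ends inside the doc block of `files_delete_all_pid_dirs`, whose definition continues in the next hunk.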
@@ -118676,35 +119166,68 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_create_all_pid_sockets',` ++interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; ++ type var_t, var_run_t; + ') + -+ allow $1 pidfile:sock_file create_sock_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## -+## Create all pid named pipes ++## Make the specified type a file ++## used for spool files. +## -+## ++## ++##

++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

++##

++## Related interfaces: ++##

++##
    ++##
  • files_spool_filetrans()
  • ++##
++##

++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

++##

++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

++##
++## +## -+## Domain allowed access. ++## Type of the file to be used as a ++## spool file. +## +## ++## +# -+interface(`files_create_all_pid_pipes',` ++interface(`files_spool_file',` + gen_require(` -+ attribute pidfile; ++ attribute spoolfile; + ') + -+ allow $1 pidfile:fifo_file create_fifo_file_perms; ++ files_type($1) ++ typeattribute $1 spoolfile; +') + +######################################## +## -+## Delete all pid named pipes ++## Create all spool sockets +## +## +## @@ -118712,18 +119235,17 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_delete_all_pid_pipes',` ++interface(`files_create_all_spool_sockets',` + gen_require(` -+ attribute pidfile; ++ attribute spoolfile; + ') + -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++ allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## -+## manage all pidfile directories -+## in the /var/run directory. ++## Delete all spool sockets +## +## +## @@ -118731,37 +119253,18 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_manage_all_pid_dirs',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` -+ attribute pidfile; ++ attribute spoolfile; + ') + -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## - ## Read all process ID files. - ## - ## -@@ -6169,12 +6966,67 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; -+ type var_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Relable all pid files ++## Search the contents of generic spool ++## directories (/var/spool). +## +## +## 
@@ -118769,36 +119272,37 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_relabel_all_pid_files',` ++interface(`files_search_spool',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ relabel_files_pattern($1, pidfile, pidfile) ++ search_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## -+## Execute generic programs in /var/run in the caller domain. ++## Do not audit attempts to search generic ++## spool directories. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_exec_generic_pid_files',` ++interface(`files_dontaudit_search_spool',` + gen_require(` -+ type var_run_t; ++ type var_spool_t; + ') + -+ exec_files_pattern($1, var_run_t, var_run_t) ++ dontaudit $1 var_spool_t:dir search_dir_perms; +') + +######################################## +## -+## manage all pidfiles -+## in the /var/run directory. ++## List the contents of generic spool ++## (/var/spool) directories. +## +## +## @@ -118806,68 +119310,37 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_manage_all_pids',` ++interface(`files_list_spool',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_spool_t; + ') + -+ manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## -@@ -6245,6 +7097,90 @@ interface(`files_delete_all_pid_dirs',` - - ######################################## - ## -+## Make the specified type a file -+## used for spool files. ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). +## -+## -+##

-+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

-+##

-+## Related interfaces: -+##

-+##
    -+##
  • files_spool_filetrans()
  • -+##
-+##

-+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

-+##

-+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

-+##
-+## ++## +## -+## Type of the file to be used as a -+## spool file. ++## Domain allowed access. +## +## -+## +# -+interface(`files_spool_file',` ++interface(`files_manage_generic_spool_dirs',` + gen_require(` -+ attribute spoolfile; ++ type var_t, var_spool_t; + ') + -+ files_type($1) -+ typeattribute $1 spoolfile; ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Create all spool sockets ++## Read generic spool files. +## +## +## @@ -118875,17 +119348,19 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_create_all_spool_sockets',` ++interface(`files_read_generic_spool',` + gen_require(` -+ attribute spoolfile; ++ type var_t, var_spool_t; + ') + -+ allow $1 spoolfile:sock_file create_sock_file_perms; ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Delete all spool sockets ++## Create, read, write, and delete generic ++## spool files. +## +## +## @@ -118893,20 +119368,34 @@ index e1e814d..f10ea0b 100644 +## +## +# -+interface(`files_delete_all_spool_sockets',` ++interface(`files_manage_generic_spool',` + gen_require(` -+ attribute spoolfile; ++ type var_t, var_spool_t; + ') + -+ allow $1 spoolfile:sock_file delete_sock_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## - ## Search the contents of generic spool - ## directories (/var/spool). - ## -@@ -6467,3 +7403,457 @@ interface(`files_unconfined',` ++## Create objects in the spool directory ++## with a private type with a type transition. ++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## + ## + ## + ## Object class(es) (single or set including {}) for which this +@@ -6467,3 +7422,457 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -130070,7 +130559,7 @@ index c6fdab7..32f45fa 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..dac7844 100644 +index 28ad538..300fec0 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,25 @@ @@ -130103,7 +130592,7 @@ index 28ad538..dac7844 100644 /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -@@ -16,13 +27,22 @@ ifdef(`distro_suse', ` +@@ -16,13 +27,24 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') @@ -130125,10 +130614,12 @@ index 28ad538..dac7844 100644 +/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + +/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) ++ ++/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,6 +50,8 @@ ifdef(`distro_gentoo', ` +@@ -30,6 +52,8 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) 
@@ -130137,7 +130628,7 @@ index 28ad538..dac7844 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -39,11 +61,13 @@ ifdef(`distro_gentoo', ` +@@ -39,11 +63,13 @@ ifdef(`distro_gentoo', ` /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) @@ -133010,7 +133501,7 @@ index d26fe81..95c1bd8 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..533881b 100644 +index 4a88fa1..dd15fda 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -134053,7 +134544,7 @@ index 4a88fa1..533881b 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1344,178 @@ optional_policy(` +@@ -880,3 +1344,180 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -134156,6 +134647,7 @@ index 4a88fa1..533881b 100644 +allow daemon init_t:unix_dgram_socket sendto; +# need write to /var/run/systemd/notify +init_write_pid_socket(daemon) ++init_rw_inherited_script_tmp_files(daemon) + +# Handle upstart/systemd direct transition to a executable +allow init_t systemprocess:process { dyntransition siginh }; @@ -134163,6 +134655,7 @@ index 4a88fa1..533881b 100644 +allow init_t systemprocess:unix_dgram_socket create_socket_perms; +allow systemprocess init_t:unix_dgram_socket sendto; +allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; ++init_rw_inherited_script_tmp_files(systemprocess) + +userdom_dontaudit_search_user_home_dirs(systemprocess) +userdom_dontaudit_rw_stream(systemprocess) @@ -139999,7 +140492,7 @@ index 41a1853..af08353 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') 
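Review bot: `init_rw_inherited_script_tmp_files(daemon)` (and the matching call on `systemprocess` a few lines below) is a blanket grant to every domain carrying the `daemon` attribute, treating the symptom rather than the init scripts that leak `initrc_tmp_t` descriptors into the services they start. Judging by the interface name it covers inherited descriptors only, so a daemon still cannot open those files on its own, but that reasoning is not recorded; add `# initrc scripts leak open initrc_tmp_t fds to the services they start; inherited fds only, no open` above the call. If the leaking scripts can be identified, a dontaudit here plus a targeted fix would preserve least privilege for the rest of the attribute. The `daemon` and `systemprocess` rule runs continue outside this hunk.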
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index ed363e1..2e7bfc1 100644 +index ed363e1..3407878 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0) @@ -140244,7 +140737,7 @@ index ed363e1..2e7bfc1 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,11 +338,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -276,11 +338,18 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -140255,6 +140748,7 @@ index ed363e1..2e7bfc1 100644 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + ++files_dontaudit_rw_inherited_pipes(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) @@ -140262,7 +140756,7 @@ index ed363e1..2e7bfc1 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -293,7 +361,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -293,22 +362,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -140271,7 +140765,9 @@ index ed363e1..2e7bfc1 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -302,13 +370,12 @@ libs_read_lib_files(ifconfig_t) ++init_rw_inherited_script_tmp_files(ifconfig_t) + + libs_read_lib_files(ifconfig_t) logging_send_syslog_msg(ifconfig_t) @@ -140288,7 +140784,7 @@ index ed363e1..2e7bfc1 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -317,7 +384,22 @@ ifdef(`distro_ubuntu',` +@@ -317,7 +386,22 @@ ifdef(`distro_ubuntu',` ') ') 
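Review bot: `files_dontaudit_rw_inherited_pipes(ifconfig_t)` silences read/write denials on inherited pipes of every non-security file type, which is exactly the audit trail that would show which caller leaks descriptors into ifconfig_t. A dontaudit grants nothing, so the cost is visibility rather than access, but the rule should say so and name the source once it is known: `# some caller leaks pipe fds into ifconfig_t; dontaudit only, no access granted -- TODO identify and fix the leaker`. The ifconfig_t rule run starts before this hunk.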
@@ -140311,7 +140807,7 @@ index ed363e1..2e7bfc1 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -328,8 +410,14 @@ ifdef(`hide_broken_symptoms',` +@@ -328,8 +412,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -140326,7 +140822,7 @@ index ed363e1..2e7bfc1 100644 ') optional_policy(` -@@ -338,7 +426,15 @@ optional_policy(` +@@ -338,7 +428,15 @@ optional_policy(` ') optional_policy(` @@ -140343,7 +140839,7 @@ index ed363e1..2e7bfc1 100644 ') optional_policy(` -@@ -359,3 +455,9 @@ optional_policy(` +@@ -359,3 +457,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 792089f..acdde8c 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -6133,7 +6133,7 @@ index 6355318..98ba16a 100644 /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.te b/blueman.te -index 70969fa..fcbd031 100644 +index 70969fa..c1216de 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,6 @@ policy_module(blueman, 1.0.0) @@ -6149,13 +6149,21 @@ index 70969fa..fcbd031 100644 # blueman local policy # + -+allow blueman_t self:capability sys_nice; ++allow blueman_t self:capability { net_admin sys_nice }; +allow blueman_t self:process { signal_perms setsched }; + allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -34,13 +37,24 @@ dev_rw_wireless(blueman_t) +@@ -24,6 +27,7 @@ manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) + files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir) + + kernel_read_system_state(blueman_t) ++kernel_request_load_module(blueman_t) + + corecmd_exec_bin(blueman_t) + +@@ -34,13 +38,24 @@ dev_rw_wireless(blueman_t) domain_use_interactive_fds(blueman_t) files_read_usr_files(blueman_t) 
@@ -12870,7 +12878,7 @@ index 3559a05..224142a 100644 /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/atjobs/[^/]* -- <> diff --git a/cron.if b/cron.if -index 6e12dc7..6de4176 100644 +index 6e12dc7..b006818 100644 --- a/cron.if +++ b/cron.if @@ -12,12 +12,17 @@ @@ -13044,7 +13052,7 @@ index 6e12dc7..6de4176 100644 ') ######################################## -@@ -199,6 +164,7 @@ interface(`cron_unconfined_role',` +@@ -199,10 +164,12 @@ interface(`cron_unconfined_role',` ## User domain for the role ## ## @@ -13052,7 +13060,12 @@ index 6e12dc7..6de4176 100644 # interface(`cron_admin_role',` gen_require(` -@@ -219,7 +185,10 @@ interface(`cron_admin_role',` + type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; ++ type user_cron_spool_t, crond_t; + class passwd crontab; + ') + +@@ -219,7 +186,18 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) @@ -13061,10 +13074,18 @@ index 6e12dc7..6de4176 100644 + tunable_policy(`deny_ptrace',`',` + allow $2 admin_crontab_t:process ptrace; + ') ++ ++ allow $2 crond_t:process sigchld; ++ allow crond_t $2:process transition; ++ ++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; ++ ++ # needs to be authorized SELinux context for cron ++ allow $2 user_cron_spool_t:file entrypoint; # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) -@@ -263,6 +232,9 @@ interface(`cron_system_entry',` +@@ -263,6 +241,9 @@ interface(`cron_system_entry',` domtrans_pattern(crond_t, $2, $1) role system_r types $1; @@ -13074,7 +13095,7 @@ index 6e12dc7..6de4176 100644 ') ######################################## -@@ -303,7 +275,7 @@ interface(`cron_exec',` +@@ -303,7 +284,7 @@ interface(`cron_exec',` ######################################## ## 
@@ -13083,7 +13104,7 @@ index 6e12dc7..6de4176 100644 ## ## ## -@@ -321,6 +293,29 @@ interface(`cron_initrc_domtrans',` +@@ -321,6 +302,29 @@ interface(`cron_initrc_domtrans',` ######################################## ## @@ -13113,7 +13134,7 @@ index 6e12dc7..6de4176 100644 ## Inherit and use a file descriptor ## from the cron daemon. ## -@@ -358,6 +353,24 @@ interface(`cron_sigchld',` +@@ -358,6 +362,24 @@ interface(`cron_sigchld',` ######################################## ## @@ -13138,7 +13159,7 @@ index 6e12dc7..6de4176 100644 ## Read a cron daemon unnamed pipe. ## ## -@@ -376,6 +389,47 @@ interface(`cron_read_pipes',` +@@ -376,6 +398,47 @@ interface(`cron_read_pipes',` ######################################## ## @@ -13186,7 +13207,7 @@ index 6e12dc7..6de4176 100644 ## Do not audit attempts to write cron daemon unnamed pipes. ## ## -@@ -407,7 +461,43 @@ interface(`cron_rw_pipes',` +@@ -407,7 +470,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -13231,7 +13252,7 @@ index 6e12dc7..6de4176 100644 ') ######################################## -@@ -467,6 +557,25 @@ interface(`cron_search_spool',` +@@ -467,6 +566,25 @@ interface(`cron_search_spool',` ######################################## ## @@ -13257,7 +13278,7 @@ index 6e12dc7..6de4176 100644 ## Manage pid files used by cron ## ## -@@ -480,6 +589,7 @@ interface(`cron_manage_pid_files',` +@@ -480,6 +598,7 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') @@ -13265,7 +13286,7 @@ index 6e12dc7..6de4176 100644 manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') -@@ -535,7 +645,7 @@ interface(`cron_write_system_job_pipes',` +@@ -535,7 +654,7 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') @@ -13274,7 +13295,7 @@ index 6e12dc7..6de4176 100644 ') ######################################## -@@ -553,7 +663,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -553,7 +672,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') 
@@ -13283,7 +13304,7 @@ index 6e12dc7..6de4176 100644 ') ######################################## -@@ -586,11 +696,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -586,11 +705,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -13299,7 +13320,7 @@ index 6e12dc7..6de4176 100644 ') ######################################## -@@ -626,7 +739,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -626,7 +748,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -20926,10 +20947,10 @@ index 0000000..c4c7510 +') diff --git a/firewalld.te b/firewalld.te new file mode 100644 -index 0000000..837a7cb +index 0000000..a172e15 --- /dev/null +++ b/firewalld.te -@@ -0,0 +1,88 @@ +@@ -0,0 +1,90 @@ + +policy_module(firewalld,1.0.0) + @@ -20999,6 +21020,8 @@ index 0000000..837a7cb + +sysnet_dns_name_resolve(firewalld_t) + ++sysnet_read_config(firewalld_t) ++ +optional_policy(` + dbus_system_domain(firewalld_t, firewalld_exec_t) + @@ -28612,7 +28635,7 @@ index d6af9b0..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 0c52f60..73934d8 100644 +index 0c52f60..96f687c 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0) @@ -28654,7 +28677,7 @@ index 0c52f60..73934d8 100644 files_manage_boot_files(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t) -@@ -36,28 +47,51 @@ files_manage_etc_runtime_files(kdumpgui_t) +@@ -36,28 +47,52 @@ files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) @@ -28682,6 +28705,7 @@ index 0c52f60..73934d8 100644 + +optional_policy(` + bootloader_exec(kdumpgui_t) ++ bootloader_rw_config(kdumpgui_t) +') optional_policy(` @@ -31742,7 +31766,7 @@ index 67c7fdd..2f226de 100644 ## ## Execute mailman CGI scripts in the 
diff --git a/mailman.te b/mailman.te -index 22265f0..f2f7e05 100644 +index 22265f0..da52800 100644 --- a/mailman.te +++ b/mailman.te @@ -19,6 +19,9 @@ logging_log_file(mailman_log_t) @@ -31808,6 +31832,15 @@ index 22265f0..f2f7e05 100644 ') ######################################## +@@ -94,7 +115,7 @@ optional_policy(` + # + + allow mailman_queue_t self:capability { setgid setuid }; +-allow mailman_queue_t self:process signal; ++allow mailman_queue_t self:process { setsched signal_perms }; + allow mailman_queue_t self:fifo_file rw_fifo_file_perms; + allow mailman_queue_t self:unix_dgram_socket create_socket_perms; + @@ -104,13 +125,12 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) kernel_read_proc_symlinks(mailman_queue_t) @@ -33219,10 +33252,10 @@ index 0000000..7f6f2d6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..55ab637 +index 0000000..ecfd7be --- /dev/null +++ b/mock.te -@@ -0,0 +1,248 @@ +@@ -0,0 +1,247 @@ +policy_module(mock,1.0.0) + +## @@ -33266,7 +33299,7 @@ index 0000000..55ab637 +# mock local policy +# + -+allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment +allow mock_t self:process { execmem execstack }; @@ -33378,7 +33411,7 @@ index 0000000..55ab637 +') + +optional_policy(` -+ mount_domtrans(mock_t) ++ mount_exec(mock_t) +') + +optional_policy(` @@ -33467,7 +33500,6 @@ index 0000000..55ab637 + +libs_exec_ldconfig(mock_build_t) + -+ +tunable_policy(`mock_enable_homedirs',` + userdom_read_user_home_content_files(mock_build_t) +') @@ -52665,7 +52697,7 @@ index b1a85b5..db0d815 100644 ## ## 
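Review bot: `sys_ptrace` is added to mock_t's self capability set unconditionally, while this same patch gates ptrace for other domains behind the `deny_ptrace` tunable (the `tunable_policy(`deny_ptrace',`',` ... ')` block in `cron_admin_role`); make the mock grant follow that pattern: `tunable_policy(`deny_ptrace',`',` allow mock_t self:capability sys_ptrace; ')`. With `sys_admin`, `sys_chroot`, `setfcap` and `dac_override` already on the line, mock_t is close to an unconfined root, so a comment naming the mock operation that trips this denial would help later tightening. The mock_t rule run continues outside this hunk.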
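Review bot: Replacing `mount_domtrans(mock_t)` with `mount_exec(mock_t)` runs mount inside mock_t instead of transitioning to the confined mount domain, so mount's own policy no longer bounds what mock can mount or where; that is a deliberate widening and should be justified on the line above, e.g. `# mount must run in mock_t: it mounts into the build chroot, which the mount domain is not allowed to reach`, with the reason adjusted to the actual denial seen. If the trigger was only a missing permission in the mount domain, granting it there would keep the transition and the tighter boundary. The optional_policy block is complete within the hunk.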
diff --git a/raid.te b/raid.te -index a8a12b7..b633301 100644 +index a8a12b7..a6cbba3 100644 --- a/raid.te +++ b/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -52709,7 +52741,7 @@ index a8a12b7..b633301 100644 kernel_rw_software_raid_state(mdadm_t) kernel_getattr_core_if(mdadm_t) -@@ -52,14 +52,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) +@@ -52,15 +52,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) @@ -52727,9 +52759,11 @@ index a8a12b7..b633301 100644 +fs_list_hugetlbfs(mdadm_t) +fs_list_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) ++fs_manage_cgroup_files(mdadm_t) mls_file_read_all_levels(mdadm_t) -@@ -69,16 +71,17 @@ mls_file_write_all_levels(mdadm_t) + mls_file_write_all_levels(mdadm_t) +@@ -69,16 +72,17 @@ mls_file_write_all_levels(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_dev_filetrans_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) @@ -52749,7 +52783,7 @@ index a8a12b7..b633301 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) userdom_dontaudit_use_user_terminals(mdadm_t) -@@ -86,6 +89,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) +@@ -86,6 +90,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) mta_send_mail(mdadm_t) optional_policy(` @@ -60086,7 +60120,7 @@ index fa24879..3abfdf2 100644 ps_process_pattern($1, sblim_reposd_t) diff --git a/sblim.te b/sblim.te -index 869f976..1aa9946 100644 +index 869f976..5171bda 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.0) 
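Review bot: `fs_manage_cgroup_files(mdadm_t)` grants, judging by the interface name, create, write, rename and unlink on cgroup files to a RAID management tool, which lets the domain rewrite controller attributes and move tasks between groups rather than only read them; nothing in the hunk says which mdadm code path needs this. If the denial was a write to a specific cgroup attribute, a read/write interface on cgroup files would be narrower than manage, and either way the reason belongs next to the rule: `# mdadm (mdmon?) writes its own cgroup entries -- confirm which operation and narrow if possible`. The mdadm_t rule run continues outside this hunk.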
@@ -60105,16 +60139,20 @@ index 869f976..1aa9946 100644 type sblim_var_run_t; files_pid_file(sblim_var_run_t) -@@ -42,6 +38,8 @@ domain_read_all_domains_state(sblim_gatherd_t) +@@ -41,6 +37,12 @@ dev_read_urand(sblim_gatherd_t) + domain_read_all_domains_state(sblim_gatherd_t) fs_getattr_all_fs(sblim_gatherd_t) - -+logging_send_syslog_msg(sblim_gatherd_t) ++fs_search_cgroup_dirs(sblim_gatherd_t) + ++storage_raw_read_fixed_disk(sblim_gatherd_t) ++storage_raw_read_removable_device(sblim_gatherd_t) ++ ++logging_send_syslog_msg(sblim_gatherd_t) + sysnet_dns_name_resolve(sblim_gatherd_t) - term_getattr_pty_fs(sblim_gatherd_t) -@@ -63,7 +61,9 @@ optional_policy(` +@@ -63,7 +65,9 @@ optional_policy(` ') optional_policy(` @@ -60124,7 +60162,7 @@ index 869f976..1aa9946 100644 ') optional_policy(` -@@ -81,6 +81,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t) +@@ -81,6 +85,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t) corenet_tcp_bind_all_nodes(sblim_reposd_t) corenet_tcp_bind_repository_port(sblim_reposd_t) @@ -60133,7 +60171,7 @@ index 869f976..1aa9946 100644 ###################################### # # sblim_domain local policy -@@ -91,14 +93,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms; +@@ -91,14 +97,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) @@ -63844,7 +63882,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/squid.te b/squid.te -index c38de7a..2a14ab2 100644 +index c38de7a..413146c 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; 
@@ -63930,7 +63968,7 @@ index c38de7a..2a14ab2 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -182,17 +195,15 @@ optional_policy(` +@@ -182,17 +195,19 @@ optional_policy(` allow httpd_squid_script_t self:tcp_socket create_socket_perms; @@ -63942,17 +63980,18 @@ index c38de7a..2a14ab2 100644 sysnet_dns_name_resolve(httpd_squid_script_t) - squid_read_config(httpd_squid_script_t) --') -- --optional_policy(` -- cron_system_entry(squid_t, squid_exec_t) + optional_policy(` + squid_read_config(httpd_squid_script_t) + ') ') optional_policy(` -@@ -206,3 +217,32 @@ optional_policy(` +- cron_system_entry(squid_t, squid_exec_t) ++ mysql_stream_connect(squid_t) + ') + + optional_policy(` +@@ -206,3 +221,32 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -67962,7 +68001,7 @@ index e70b0e8..cd83b89 100644 /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index 65baaac..48f3270 100644 +index 65baaac..3b93d32 100644 --- a/userhelper.if +++ b/userhelper.if @@ -25,6 +25,7 @@ template(`userhelper_role_template',` @@ -68010,7 +68049,7 @@ index 65baaac..48f3270 100644 tunable_policy(`! secure_mode',` #if we are not in secure mode then we can transition to sysadm_t sysadm_bin_spec_domtrans($1_userhelper_t) -@@ -255,3 +246,90 @@ interface(`userhelper_exec',` +@@ -255,3 +246,91 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) ') @@ -68058,6 +68097,7 @@ index 65baaac..48f3270 100644 + allow $3 $1_consolehelper_t:process signal; + allow $3 $1_consolehelper_t:dbus send_msg; + allow $1_consolehelper_t $3:dbus send_msg; ++ allow $1_consolehelper_t $3:unix_stream_socket connectto; + + kernel_read_system_state($1_consolehelper_t) + @@ -68102,10 +68142,10 @@ index 65baaac..48f3270 100644 + can_exec($1, consolehelper_exec_t) +') 
diff --git a/userhelper.te b/userhelper.te -index f25ed61..fe6107b 100644 +index f25ed61..1b381f0 100644 --- a/userhelper.te +++ b/userhelper.te -@@ -6,9 +6,80 @@ policy_module(userhelper, 1.7.0) +@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0) # attribute userhelper_type; @@ -68147,6 +68187,7 @@ index f25ed61..fe6107b 100644 +dev_getattr_all_chr_files(consolehelper_domain) +dev_dontaudit_list_all_dev_nodes(consolehelper_domain) +dev_dontaudit_getattr_all(consolehelper_domain) ++fs_getattr_all_fs(consolehelper_domain) +fs_getattr_all_dirs(consolehelper_domain) + +files_read_config_files(consolehelper_domain) @@ -71021,7 +71062,7 @@ index 2511093..669dc13 100644 -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmware.te b/vmware.te -index 7d334c4..453fdb9 100644 +index 7d334c4..979e82f 100644 --- a/vmware.te +++ b/vmware.te @@ -68,7 +68,8 @@ ifdef(`enable_mcs',` @@ -71070,14 +71111,19 @@ index 7d334c4..453fdb9 100644 sysnet_dns_name_resolve(vmware_host_t) sysnet_domtrans_ifconfig(vmware_host_t) -@@ -157,10 +157,22 @@ netutils_domtrans_ping(vmware_host_t) +@@ -156,11 +156,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) + netutils_domtrans_ping(vmware_host_t) optional_policy(` - hostname_exec(vmware_host_t) --') -+') +- hostname_exec(vmware_host_t) ++ unconfined_domain(vmware_host_t) + ') optional_policy(` ++ hostname_exec(vmware_host_t) ++') ++ ++optional_policy(` modutils_domtrans_insmod(vmware_host_t) +') + @@ -71094,7 +71140,7 @@ index 7d334c4..453fdb9 100644 ') optional_policy(` -@@ -269,9 +281,8 @@ libs_exec_ld_so(vmware_t) +@@ -269,9 +285,8 @@ libs_exec_ld_so(vmware_t) # Access X11 config files libs_read_lib_files(vmware_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index af895ae..3ad0616 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
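Review bot: `unconfined_domain(vmware_host_t)` removes all SELinux restriction from the host helper, so every other `vmware_host_t` rule visible in this hunk (`sysnet_dns_name_resolve`, `sysnet_domtrans_ifconfig`, `netutils_domtrans_ping`, `hostname_exec`, `modutils_domtrans_insmod`) becomes dead policy and denials from this domain can no longer be audited. If the motivation is an unmanageable stream of denials, `permissive vmware_host_t;` would keep logging them while not blocking, and leaves the confined rules in place for later tightening; if it is a deliberate decision, write it down next to the call, e.g. `# vmware host helpers run arbitrary vendor binaries; confinement abandoned on purpose`. Wrapping the call in `optional_policy` only drops it when the unconfined module is absent; it does not make the grant tunable.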
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 54%{?dist}
+Release: 55%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -523,6 +523,21 @@ SELinux Reference policy mls base module. %endif %changelog
+* Mon Nov 19 2012 Miroslav Grepl 3.11.1-55
+- Fix userhelper_console_role_template()
+- Allow enabling Network Access Point service using blueman
+- Make vmware_host_t as unconfined domain
+- Allow authenticate users in webaccess via squid, using mysql as backend
+- Allow gathers to get various metrics on mounted file systems
+- Allow firewalld to read /etc/hosts
+- Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t
+- Allow kdumpgui to read/write to zipl.conf
+- Commands needed to get mock to build from staff_t in enforcing mode
+- Allow mdadm_t to manage cgroup files
+- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
+- dontaudit ifconfig_t looking at fifo_files that are leaked to it
+- Add lableing for Quest Authentication System
+
 * Thu Nov 15 2012 Miroslav Grepl 3.11.1-54
 - Fix filetrans interface definitions
 - Dontaudit xdm_t to getattr on BOINC lib files