From 2b48e0889c6725d584a70bdaa1f58a877b48bb81 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 02 2011 11:48:18 +0000 Subject: - Make nvidia* to be labeled correctly --- diff --git a/policy-F16.patch b/policy-F16.patch index 142d456..b066667 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3865,10 +3865,10 @@ index 975af1a..634c47a 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index 2731fa1..22beabf 100644 +index 2731fa1..11212f2 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,110 @@ attribute sudodomain; +@@ -7,3 +7,111 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -3925,7 +3925,7 @@ index 2731fa1..22beabf 100644 +files_list_tmp(sudodomain) + +fs_search_auto_mountpoints(sudodomain) -+fs_getattr_xattr_fs(sudodomain) ++fs_getattr_all_fs(sudodomain) + +selinux_validate_context(sudodomain) +selinux_compute_relabel_context(sudodomain) @@ -3946,6 +3946,7 @@ index 2731fa1..22beabf 100644 + +logging_send_audit_msgs(sudodomain) +logging_send_syslog_msg(sudodomain) ++logging_set_audit_parameters(sudodomain) + +miscfiles_read_localization(sudodomain) + @@ -8029,7 +8030,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..6c95832 100644 +index fbb5c5a..8fe4551 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` 
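Review bot: `logging_set_audit_parameters(sudodomain)` in the third hunk (sudo.te) lets every sudo domain change kernel audit configuration — in refpolicy that interface grants the audit_control capability and write access to the audit netlink socket, if I read logging.if correctly — which is far outside what the subject "Make nvidia* to be labeled correctly" describes. The preceding hunk likewise widens `fs_getattr_xattr_fs(sudodomain)` to `fs_getattr_all_fs(sudodomain)`. Neither line records the denial that motivated it, so at least add one, e.g. `# audit_control needed for: <denial that motivated this, TODO record>`. The same bundling of unrelated widenings recurs in the samba, tor, devicekit and virt hunks below; splitting them into their own commits would make each grant reviewable on its own.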
@@ -8067,7 +8068,14 @@ index fbb5c5a..6c95832 100644 ') ######################################## -@@ -203,6 +213,15 @@ interface(`mozilla_domtrans_plugin',` +@@ -197,12 +207,21 @@ interface(`mozilla_domtrans',` + # + interface(`mozilla_domtrans_plugin',` + gen_require(` +- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; ++ type mozilla_plugin_t, mozilla_plugin_exec_t; + class dbus send_msg; + ') domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) allow mozilla_plugin_t $1:process signull; @@ -14337,7 +14345,7 @@ index 6cf8784..12bd6fc 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..60394ec 100644 +index f820f3b..c2a334f 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -14629,7 +14637,34 @@ index f820f3b..60394ec 100644 ## Delete all block device files. ## ## -@@ -2358,7 +2504,97 @@ interface(`dev_filetrans_lirc',` +@@ -1648,6 +1794,26 @@ interface(`dev_filetrans_cardmgr',` + + ######################################## + ## ++## Automatic type transition to the type ++## for xserver misc device nodes when ++## created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_xserver_misc',` ++ gen_require(` ++ type device_t, xserver_misc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file ) ++') ++ ++######################################## ++## + ## Get the attributes of the CPU + ## microcode and id interfaces. + ## +@@ -2358,7 +2524,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -14728,7 +14763,7 @@ index f820f3b..60394ec 100644 ## ## ## -@@ -2681,7 +2917,7 @@ interface(`dev_write_misc',` +@@ -2681,7 +2937,7 @@ interface(`dev_write_misc',` ## ## ## 
@@ -14737,7 +14772,7 @@ index f820f3b..60394ec 100644 ## ## # -@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2931,8 +3187,8 @@ interface(`dev_dontaudit_write_mtrr',` type mtrr_device_t; ') @@ -14748,7 +14783,7 @@ index f820f3b..60394ec 100644 ') ######################################## -@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',` +@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -14773,7 +14808,7 @@ index f820f3b..60394ec 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3811,6 +4029,42 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -14816,7 +14851,7 @@ index f820f3b..60394ec 100644 ## Search the sysfs directories. ## ## -@@ -3902,25 +4156,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -14842,7 +14877,7 @@ index f820f3b..60394ec 100644 ## Read hardware state information. ## ## -@@ -3972,6 +4207,42 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -14885,7 +14920,7 @@ index f820f3b..60394ec 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4340,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -14911,7 +14946,7 @@ index f820f3b..60394ec 100644 ## Getattr generic the USB devices. ## ## -@@ -4495,6 +4785,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4805,24 @@ interface(`dev_rw_vhost',` ######################################## ## 
@@ -14936,7 +14971,34 @@ index f820f3b..60394ec 100644 ## Read and write VMWare devices. ## ## -@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',` +@@ -4695,6 +5023,26 @@ interface(`dev_rw_xserver_misc',` + + ######################################## + ## ++## Read and write X server miscellaneous devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_xserver_misc',` ++ gen_require(` ++ type device_t, xserver_misc_device_t; ++ ') ++ ++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t) ++ ++ dev_filetrans_xserver_named_dev($1) ++') ++ ++######################################## ++## + ## Read and write to the zero device (/dev/zero). + ## + ## +@@ -4784,3 +5132,812 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -14975,7 +15037,6 @@ index f820f3b..60394ec 100644 +gen_require(` + type device_t; + type usb_device_t; -+ type xserver_misc_device_t; + type sound_device_t; + type apm_bios_t; + type mouse_device_t; @@ -15019,7 +15080,6 @@ index f820f3b..60394ec 100644 + type mtrr_device_t; +') + -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") @@ -15094,7 +15154,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep") + filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") + filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1") 
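Review bot: The summary of the new `dev_manage_xserver_misc` interface in the first hunk on this line reads `## Read and write X server miscellaneous devices.`, copied from `dev_rw_xserver_misc` above it, but the body grants `manage_chr_files_pattern` (create, unlink, rename and setattr on the nodes) plus named type transitions via `dev_filetrans_xserver_named_dev($1)`. Callers reading the .if documentation will under-estimate what they are granting; change the summary to `## Create, read, write, and delete X server miscellaneous device nodes in /dev.` The lines deleted in the later hunks on this line only move entries into that named-transition interface.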
@@ -15191,8 +15250,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") @@ -15310,16 +15367,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0") 
@@ -15378,20 +15425,8 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9") + filetrans_pattern($1, device_t, null_device_t, chr_file, "null") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") + filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") 
@@ -15539,17 +15574,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1") 
@@ -15606,16 +15630,6 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9") + filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt") + filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2") 
@@ -15730,6 +15744,72 @@ index f820f3b..60394ec 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") ++ dev_filetrans_xserver_named_dev($1) ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_xserver_named_dev',` ++ ++ gen_require(` ++ type xserver_misc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") ++ 
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") ++ filetrans_pattern($1, device_t, 
xserver_misc_device_t, chr_file, "card6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 08f01e7..1c2562c 100644 @@ -33594,7 +33674,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..afb61c9 100644 +index f706b99..5001351 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -33718,7 +33798,7 @@ index f706b99..afb61c9 100644 + type devicekit_var_log_t; + ') + -+ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms; ++ dontaudit $1 devicekit_var_log_t:file rw_file_perms; +') + +######################################## @@ -38717,10 +38797,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..8768e6b 100644 +index 4fde46b..4978f18 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,24 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; 
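Review bot: The `gen_require` of the new `dev_filetrans_xserver_named_dev` interface lists only `xserver_misc_device_t`, yet every `filetrans_pattern` call in it uses `device_t` as the directory type; a module that calls the interface directly, without some other dev_* interface already requiring `device_t`, would likely fail to build. Make it `type device_t, xserver_misc_device_t;` as the sibling interfaces in this file do. The summary `## Create all named devices with the correct label` also overstates the scope, since the interface covers only the X server device names; `## Named type transitions for X server misc device nodes created in /dev.` is more accurate. The `dev_filetrans_all_named_dev` body that gains the call to this interface starts outside the hunk.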
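Review bot: Widening the dontaudit in the devicekit.if hunk from `rw_inherited_file_perms` to `rw_file_perms` on `devicekit_var_log_t:file` also suppresses audit of `open` denials, so a domain that tries to open the devicekit log directly, rather than use an inherited descriptor, now fails without a trace in the audit log. If the intent is only to quiet noise from inherited descriptors, keep `dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;`; if direct opens really are expected, the interface's summary (outside the hunk) should say so. The interface name itself is not visible in this hunk.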
@@ -38728,9 +38808,10 @@ index 4fde46b..8768e6b 100644 +allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; - -+kernel_read_system_state(gnomeclock_t) ++allow gnomeclock_t self:unix_dgram_socket create_socket_perms; + ++kernel_read_system_state(gnomeclock_t) + corecmd_exec_bin(gnomeclock_t) +corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) @@ -38749,7 +38830,7 @@ index 4fde46b..8768e6b 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +41,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -55729,7 +55810,7 @@ index 82cb169..0a29f68 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..f0f6907 100644 +index e30bb63..9010ac2 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) @@ -55773,7 +55854,7 @@ index e30bb63..f0f6907 100644 # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -59767,7 +59848,7 @@ index 904f13e..464347f 100644 init_labeled_script_domtrans($1, tor_initrc_exec_t) 
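Review bot: The smbd capability set in the last hunk on this line adds `fsetid` to an already broad list (`sys_admin`, `sys_chroot`, `kill`, `dac_override`), and nothing records why smbd must preserve set-id bits on files it writes. Since the rest of that set is also undocumented relative to upstream, a comment above the line would help the next reviewer, e.g. `# fsetid: <denial that motivated it, TODO record>`. The gnomeclock hunk earlier on this line similarly adds `allow gnomeclock_t self:unix_dgram_socket create_socket_perms;` without a comment, though that grant is much narrower.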
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index c842cad..fe5deee 100644 +index c842cad..1136b10 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t) @@ -59778,7 +59859,7 @@ index c842cad..fe5deee 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -95,6 +96,7 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -59786,6 +59867,10 @@ index c842cad..fe5deee 100644 # tor uses crypto and needs random dev_read_urand(tor_t) ++dev_read_sysfs(tor_t) + + domain_use_interactive_fds(tor_t) + diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if index 54b8605..752697f 100644 --- a/policy/modules/services/tuned.if @@ -60617,7 +60702,7 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..d935248 100644 +index 2124b6a..49c15d1 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,5 +1,6 @@ @@ -60629,7 +60714,7 @@ index 2124b6a..d935248 100644 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +13,38 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) 
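Review bot: `dev_read_sysfs(tor_t)` in the last tor.te hunk is added without the kind of rationale comment its neighbour `dev_read_urand(tor_t)` carries (`# tor uses crypto and needs random`), and reading sysfs is not something a Tor daemon obviously needs. Add the reason on the line above it, e.g. `# <what tor reads under /sys, TODO record>`, so the grant can be re-evaluated later. The commit subject does not cover this change.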
@@ -60665,6 +60750,7 @@ index 2124b6a..d935248 100644 +/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) ++/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) @@ -61217,7 +61303,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..96e71d4 100644 +index 3eca020..f6d46db 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) @@ -61443,7 +61529,7 @@ index 3eca020..96e71d4 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +224,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +224,24 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -61465,14 +61551,10 @@ index 3eca020..96e71d4 100644 +') + +optional_policy(` -+ xen_rw_image_files(svirt_t) -+') -+ -+optional_policy(` xen_rw_image_files(svirt_t) ') -@@ -174,21 +255,36 @@ optional_policy(` +@@ -174,21 +251,36 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
@@ -61515,9 +61597,11 @@ index 3eca020..96e71d4 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +296,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -199,9 +291,17 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) ++manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:file { relabelfrom relabelto }; -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; @@ -61533,7 +61617,7 @@ index 3eca020..96e71d4 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +320,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +317,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -61549,7 +61633,7 @@ index 3eca020..96e71d4 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +345,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -61582,7 +61666,7 @@ index 3eca020..96e71d4 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +377,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
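Review bot: `manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)` lets libvirtd create, delete and rename character device nodes carrying any `virt_image_type`, which is more than the read/write access usually needed to hand a device to a guest; if the denial that prompted this was only read/write, `rw_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)` is the narrower grant. Whichever is kept, a comment naming the device case would explain why chr_files sit next to the image and block-file rules, e.g. `# chr_file: <device node case that needs this, TODO record>`.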
@@ -61601,14 +61685,14 @@ index 3eca020..96e71d4 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +415,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +412,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -61627,11 +61711,12 @@ index 3eca020..96e71d4 100644 +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) -+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) ++#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) ++virt_filetrans_home_content(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +456,10 @@ optional_policy(` +@@ -313,6 +454,10 @@ optional_policy(` ') optional_policy(` @@ -61642,7 +61727,7 @@ index 3eca020..96e71d4 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,16 +476,23 @@ optional_policy(` +@@ -329,16 +474,23 @@ optional_policy(` ') optional_policy(` @@ -61666,7 +61751,7 @@ index 3eca020..96e71d4 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +514,12 @@ optional_policy(` +@@ -360,11 +512,12 @@ optional_policy(` ') optional_policy(` @@ -61684,7 +61769,7 @@ index 3eca020..96e71d4 100644 ') optional_policy(` -@@ -394,20 +549,36 @@ optional_policy(` +@@ -394,20 +547,36 @@ optional_policy(` # virtual domains common policy # 
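Review bot: The second hunk on this line replaces `userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` with `virt_filetrans_home_content(virtd_t)` but leaves the old call in place commented out; dead policy lines like this tend to be resurrected later without anyone re-checking the reason. Delete the commented line, or if it is kept as a reminder, say why: `# superseded by virt_filetrans_home_content (see virt.if)`. Whether `virt_filetrans_home_content` is defined by this patch's virt.if changes cannot be confirmed from this hunk.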
@@ -61724,7 +61809,7 @@ index 3eca020..96e71d4 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +587,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -61737,7 +61822,7 @@ index 3eca020..96e71d4 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +601,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +599,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -61750,7 +61835,7 @@ index 3eca020..96e71d4 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +614,362 @@ files_search_all(virt_domain) +@@ -440,25 +612,362 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -63719,7 +63804,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..c3e4d56 100644 +index 143c893..40e56f1 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -64583,7 +64668,7 @@ index 143c893..c3e4d56 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -64591,8 +64676,13 @@ index 143c893..c3e4d56 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t) - dev_rw_xserver_misc(xserver_t) + dev_read_raw_memory(xserver_t) + dev_wx_raw_memory(xserver_t) + # for other device nodes such as the NVidia binary-only driver +-dev_rw_xserver_misc(xserver_t) ++dev_manage_xserver_misc(xserver_t) ++dev_filetrans_xserver_misc(xserver_t) ++ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) +dev_read_raw_memory(xserver_t) @@ -64609,7 +64699,7 @@ index 143c893..c3e4d56 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -64623,7 +64713,7 @@ index 143c893..c3e4d56 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1067,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1069,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -64632,7 +64722,7 @@ index 143c893..c3e4d56 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -64647,7 +64737,7 @@ index 143c893..c3e4d56 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1133,40 @@ optional_policy(` +@@ -778,16 +1135,40 @@ optional_policy(` ') optional_policy(` @@ -64689,7 +64779,7 @@ index 143c893..c3e4d56 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1175,10 @@ optional_policy(` +@@ -796,6 +1177,10 @@ optional_policy(` ') optional_policy(` 
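Review bot: Replacing `dev_rw_xserver_misc(xserver_t)` with `dev_manage_xserver_misc(xserver_t)` plus `dev_filetrans_xserver_misc(xserver_t)` goes further than the subject's nvidia* labelling: the unnamed transition in `dev_filetrans_xserver_misc` (defined earlier in this diff) makes every character device node the X server creates directly in /dev default to `xserver_misc_device_t`, whatever its name, and the manage rule then lets it read, write and delete them. The named nvidia*/card* cases are already covered because `dev_manage_xserver_misc` calls `dev_filetrans_xserver_named_dev`, so the unnamed default may be unnecessary; if it is kept, extend the comment above so the scope is recorded: `# for other device nodes such as the NVidia binary-only driver; xserver also creates these nodes, so any chr_file it makes in /dev defaults to xserver_misc_device_t`. Whether xserver_t holds the mknod capability needed to actually create nodes is not visible here.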
@@ -64700,7 +64790,7 @@ index 143c893..c3e4d56 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1194,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -64714,7 +64804,7 @@ index 143c893..c3e4d56 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1205,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -64723,7 +64813,7 @@ index 143c893..c3e4d56 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1218,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1220,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -64733,7 +64823,7 @@ index 143c893..c3e4d56 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1228,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -64745,7 +64835,7 @@ index 143c893..c3e4d56 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1241,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -64762,7 +64852,7 @@ index 143c893..c3e4d56 100644 ') optional_policy(` -@@ -862,6 +1256,10 @@ optional_policy(` +@@ -862,6 +1258,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -64773,7 +64863,7 @@ index 143c893..c3e4d56 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -64782,7 +64872,7 @@ index 143c893..c3e4d56 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1357,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -64814,7 +64904,7 @@ index 143c893..c3e4d56 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1403,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -67190,7 +67280,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..29930e4 100644 +index 29a9565..77fb967 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -67614,14 +67704,13 @@ index 29a9565..29930e4 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +512,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +512,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) -# Early devtmpfs -dev_rw_generic_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) -+dev_filetrans_all_named_dev(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) @@ -67631,7 +67720,7 @@ index 29a9565..29930e4 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +531,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -67639,7 +67728,7 @@ index 29a9565..29930e4 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +539,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +538,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -67651,7 +67740,7 @@ index 29a9565..29930e4 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +558,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +557,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
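Review bot: Removing `dev_filetrans_all_named_dev(initrc_t)` from the patch (the 14→13 count in the rewritten `@@ -298,13 +512,13 @@` header) means an init script that mknods into /dev will, as far as I can tell, leave the node with the directory's generic label, and the xserver_t-only transition introduced elsewhere in this commit does not cover that path; if /dev/nvidia* is ever created by an nvidia init script rather than by Xorg or udev, it would end up mislabeled despite the commit's goal. If the intent is that only xserver_t creates those nodes and initrc_t merely opens them (the retained `dev_rw_xserver_misc(initrc_t)` is consistent with that), a one-line comment above the rule would record the decision, e.g. `# init scripts only rw /dev/nvidia*; node creation/labeling is left to xserver_t`. Otherwise `dev_filetrans_xserver_misc(initrc_t)` is the narrow replacement for the dropped all-named-dev rule. The initrc_t rule run continues outside this hunk.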
@@ -67665,7 +67754,7 @@ index 29a9565..29930e4 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +573,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +572,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -67674,7 +67763,7 @@ index 29a9565..29930e4 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +587,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +586,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -67682,7 +67771,7 @@ index 29a9565..29930e4 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +599,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +598,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -67690,7 +67779,7 @@ index 29a9565..29930e4 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +620,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +619,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -67712,7 +67801,7 @@ index 29a9565..29930e4 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +683,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +682,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -67723,7 +67812,7 @@ index 29a9565..29930e4 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +707,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +706,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -67732,7 +67821,7 @@ index 29a9565..29930e4 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +722,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +721,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -67740,7 +67829,7 @@ index 29a9565..29930e4 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +752,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +751,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -67774,7 +67863,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -531,10 +786,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +785,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -67797,7 +67886,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -549,6 +816,39 @@ ifdef(`distro_suse',` +@@ -549,6 +815,39 @@ ifdef(`distro_suse',` ') ') @@ -67837,7 +67926,7 @@ index 29a9565..29930e4 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +861,8 @@ optional_policy(` +@@ -561,6 +860,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -67846,7 +67935,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -577,6 +879,7 @@ optional_policy(` +@@ -577,6 +878,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -67854,7 +67943,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -589,6 +892,17 @@ optional_policy(` +@@ -589,6 +891,17 @@ optional_policy(` ') optional_policy(` @@ -67872,7 +67961,7 @@ index 29a9565..29930e4 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +919,13 @@ optional_policy(` +@@ -605,9 +918,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -67886,7 +67975,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -632,6 +950,10 @@ optional_policy(` +@@ -632,6 +949,10 @@ optional_policy(` ') optional_policy(` @@ -67897,7 +67986,7 @@ index 29a9565..29930e4 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +971,11 @@ optional_policy(` +@@ -649,6 +970,11 @@ optional_policy(` ') optional_policy(` @@ -67909,7 +67998,7 @@ index 29a9565..29930e4 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1016,7 @@ optional_policy(` +@@ -689,6 +1015,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -67917,7 +68006,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -706,7 +1034,13 @@ optional_policy(` +@@ -706,7 +1033,13 @@ optional_policy(` ') optional_policy(` @@ -67931,7 +68020,7 @@ index 29a9565..29930e4 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1063,10 @@ optional_policy(` +@@ -729,6 +1062,10 @@ optional_policy(` ') optional_policy(` @@ -67942,7 +68031,7 @@ index 29a9565..29930e4 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1076,20 @@ optional_policy(` +@@ -738,10 +1075,20 @@ optional_policy(` ') optional_policy(` @@ -67963,7 +68052,7 @@ index 29a9565..29930e4 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1098,10 @@ optional_policy(` +@@ -750,6 +1097,10 @@ optional_policy(` ') optional_policy(` @@ -67974,7 +68063,7 @@ index 29a9565..29930e4 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1123,6 @@ optional_policy(` +@@ -771,8 +1122,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -67983,7 +68072,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -790,10 +1140,12 @@ optional_policy(` +@@ -790,10 +1139,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') 
@@ -67996,7 +68085,7 @@ index 29a9565..29930e4 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1157,6 @@ optional_policy(` +@@ -805,7 +1156,6 @@ optional_policy(` ') optional_policy(` @@ -68004,7 +68093,7 @@ index 29a9565..29930e4 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1166,26 @@ optional_policy(` +@@ -815,11 +1165,26 @@ optional_policy(` ') optional_policy(` @@ -68032,7 +68121,7 @@ index 29a9565..29930e4 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1195,25 @@ optional_policy(` +@@ -829,6 +1194,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -68058,7 +68147,7 @@ index 29a9565..29930e4 100644 ') optional_policy(` -@@ -844,6 +1229,10 @@ optional_policy(` +@@ -844,6 +1228,10 @@ optional_policy(` ') optional_policy(` @@ -68069,7 +68158,7 @@ index 29a9565..29930e4 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1243,160 @@ optional_policy(` +@@ -854,3 +1242,160 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 4376690..de87de3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -467,6 +467,7 @@ SELinux Reference policy mls base module. %changelog * Tue Nov 1 2011 Miroslav Grepl 3.10.0-53 +- Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS