From 325f094a6683d98c7bde93e900cf8bbd1061e1d4 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 16 2011 14:32:39 +0000 Subject: - Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to steam connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildro - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t --- diff --git a/policy-F16.patch b/policy-F16.patch index acd9272..7fc22ef 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -211,7 +211,7 @@ index 4705ab6..262b5ba 100644 +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs -index df8e0fa..92b6177 100644 +index df8e0fa..09eea90 100644 --- a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats) 
@@ -251,7 +251,23 @@ index df8e0fa..92b6177 100644 # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. -@@ -101,6 +117,9 @@ mlsconstrain process { ptrace } +@@ -87,10 +103,13 @@ mlsconstrain file { create relabelto } + + # new file labels must be dominated by the relabeling subject clearance + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } +- ( h1 dom h2 ); ++ (( h1 dom h2 ) or ( t1 == mcswriteall )); ++ ++mlsconstrain { file lnk_file fifo_file } { create relabelto } ++ ( l2 eq h2 ); + + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } +- (( h1 dom h2 ) and ( l2 eq h2 )); ++ ( h1 dom h2 ); + + mlsconstrain process { transition dyntransition } + (( h1 dom h2 ) or ( t1 == mcssetcats )); +@@ -101,6 +120,9 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); @@ -261,7 +277,7 @@ index df8e0fa..92b6177 100644 # # MCS policy for SELinux-enabled databases # -@@ -144,4 +163,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -144,4 +166,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -1288,7 +1304,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..98f0a2e 100644 +index 7090dae..c1ccc06 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) 
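Review bot: The split of the `{ create relabelto }` constraint in the `policy/mcs` hunk drops `( l2 eq h2 )` for `dir`, `chr_file`, `blk_file` and `sock_file`, but no comment records that only `file`, `lnk_file` and `fifo_file` must still be single-level. The one comment in the hunk ("new file labels must be dominated by the relabeling subject clearance") sits above the `relabelfrom` rule, which now also carries an undocumented `( t1 == mcswriteall )` exemption. I would add `# only file, lnk_file and fifo_file must be single-level; other classes are checked for dominance only` above the new three-class rule, and `# mcswriteall domains may relabel from any level` above `relabelfrom`. The earlier context comment saying "the objects are single-level" looks stale after this change and should be reworded to match.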
@@ -1319,7 +1335,15 @@ index 7090dae..98f0a2e 100644 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) -@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) +@@ -75,6 +77,7 @@ fs_list_inotifyfs(logrotate_t) + mls_file_read_all_levels(logrotate_t) + mls_file_write_all_levels(logrotate_t) + mls_file_upgrade(logrotate_t) ++mls_process_write_to_clearance(logrotate_t) + + selinux_get_fs_mount(logrotate_t) + selinux_get_enforce_mode(logrotate_t) +@@ -102,6 +105,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -1327,7 +1351,7 @@ index 7090dae..98f0a2e 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +120,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -1350,7 +1374,7 @@ index 7090dae..98f0a2e 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +139,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -1359,7 +1383,7 @@ index 7090dae..98f0a2e 100644 ') optional_policy(` -@@ -154,6 +155,10 @@ optional_policy(` +@@ -154,6 +156,10 @@ optional_policy(` ') optional_policy(` @@ -1370,7 +1394,7 @@ index 7090dae..98f0a2e 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +167,20 @@ optional_policy(` +@@ -162,10 +168,20 @@ optional_policy(` ') optional_policy(` @@ -1391,7 +1415,7 @@ index 7090dae..98f0a2e 100644 cups_domtrans(logrotate_t) ') -@@ -200,9 +215,12 @@ optional_policy(` +@@ -200,9 +216,12 @@ optional_policy(` ') optional_policy(` @@ -1405,7 +1429,7 @@ index 7090dae..98f0a2e 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +246,14 @@ optional_policy(` +@@ -228,3 +247,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') 
@@ -4851,10 +4875,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..28cfa1d +index 0000000..9dd77b4 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,178 @@ +@@ -0,0 +1,180 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4940,6 +4964,8 @@ index 0000000..28cfa1d +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) +userdom_search_user_home_content(chrome_sandbox_t) ++# This one we should figure a way to make it more secure ++userdom_manage_home_certs(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) @@ -5591,10 +5617,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..3f977fc 100644 +index f5afe78..479e9f7 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,787 @@ +@@ -1,44 +1,818 @@ ## GNU network object model environment (GNOME) -############################################################ 
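Review bot: `userdom_manage_home_certs(chrome_sandbox_t)` in the `chrome.te` hunk gives the sandbox domain manage (create/write/delete) rights over the user's home certificate files, and the comment added above it concedes that this is not the intended end state. If the sandbox only needs to consult certificates, the narrower `userdom_read_home_certs(chrome_sandbox_t)` would keep a compromised renderer from altering the trust store. If write access really is required, the comment should say which operation needs it rather than "we should figure a way to make it more secure". The rest of `chrome.te` lies outside this hunk, so any other grants to `chrome_sandbox_t` on `home_cert_t` could not be checked.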
@@ -5898,6 +5924,37 @@ index f5afe78..3f977fc 100644 + +######################################## +## ++## Create objects in a Gnome cache home directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`gnome_config_filetrans',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ filetrans_pattern($1, config_home_t, $2, $3, $4) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## +## Read generic cache home files (.cache) +## +## @@ -6401,7 +6458,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -46,37 +789,117 @@ interface(`gnome_role',` +@@ -46,37 +820,117 @@ interface(`gnome_role',` ## ## # @@ -6529,7 +6586,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -84,37 +907,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +938,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -6594,7 +6651,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -122,17 +961,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +992,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6616,7 +6673,7 @@ index f5afe78..3f977fc 100644 ## ## ## -@@ -140,51 +979,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1010,299 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -8261,7 +8318,7 @@ index fbb5c5a..8fe4551 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..8768af4 100644 +index 2e9318b..237cab3 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) 
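Review bot: The summary of the new `gnome_config_filetrans` interface says "Create objects in a Gnome cache home directory", but the body requires `config_home_t` and calls `filetrans_pattern($1, config_home_t, $2, $3, $4)`; the text looks copied from the cache variant and should read "Create objects in a Gnome config home directory". The body also forwards `$4`, while the visible parameter descriptions cover only the domain, the private type and the object class. I would add a fourth, optional parameter entry along the lines of "The name of the object being created." so callers know a named transition is supported. The markup of the doc block is stripped on this page, so the parameter names themselves could not be checked.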
@@ -8382,17 +8439,19 @@ index 2e9318b..8768af4 100644 corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -@@ -344,6 +356,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) +@@ -344,6 +356,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) +corenet_tcp_connect_streaming_port(mozilla_plugin_t) ++corenet_tcp_connect_ftp_port(mozilla_plugin_t) ++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,13 +400,19 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -385,13 +402,19 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -8412,7 +8471,7 @@ index 2e9318b..8768af4 100644 tunable_policy(`allow_execmem',` allow mozilla_plugin_t self:process { execmem execstack }; -@@ -425,7 +446,13 @@ optional_policy(` +@@ -425,7 +448,13 @@ optional_policy(` ') optional_policy(` @@ -8426,7 +8485,7 @@ index 2e9318b..8768af4 100644 ') optional_policy(` -@@ -438,7 +465,14 @@ optional_policy(` +@@ -438,7 +467,14 @@ optional_policy(` ') optional_policy(` @@ -8442,7 +8501,7 @@ index 2e9318b..8768af4 100644 ') optional_policy(` -@@ -446,10 +480,27 @@ optional_policy(` +@@ -446,10 +482,27 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -12590,7 +12649,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..7bcafea 100644 +index 3fae11a..0b0896b 100644 
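Review bot: `corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)` is considerably wider than the "ftp support for mozilla plugins" named in the commit message, and nothing in the `mozilla.te` hunk ties it to that purpose. If it is there for passive-mode FTP data connections, the line should say so, e.g. `# passive-mode FTP data connections land on ephemeral ports`, so a later reviewer does not take it for a leftover. Since the plugin domain processes untrusted web content, consider putting this line and `corenet_tcp_connect_ftp_port(mozilla_plugin_t)` behind a boolean, so sites that do not need FTP in plugins keep the tighter outbound policy.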
--- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` @@ -12760,7 +12819,7 @@ index 3fae11a..7bcafea 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,6 +295,7 @@ ifdef(`distro_gentoo',` +@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -12768,9 +12827,10 @@ index 3fae11a..7bcafea 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -293,8 +303,10 @@ ifdef(`distro_gentoo',` + /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) +/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12780,7 +12840,7 @@ index 3fae11a..7bcafea 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +318,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +319,11 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
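Review bot: The new file-context entry `/usr/share/tucan.*/tucan.py` leaves the dot before `py` unescaped, so the regex matches any character there, whereas neighbouring entries in the same hunk escape it (`compiler\.pl`, `sa-update\.cron`). I would write it as `/usr/share/tucan.*/tucan\.py -- gen_context(system_u:object_r:bin_t,s0)` to match only the intended script and stay consistent with the rest of `corecommands.fc`.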
@@ -12794,7 +12854,7 @@ index 3fae11a..7bcafea 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +332,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +333,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12806,7 +12866,7 @@ index 3fae11a..7bcafea 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +378,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +379,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -12815,7 +12875,7 @@ index 3fae11a..7bcafea 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +390,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +391,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12826,7 +12886,7 @@ index 3fae11a..7bcafea 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +401,4 @@ ifdef(`distro_suse', ` +@@ -385,3 +402,4 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -14064,7 +14124,7 @@ index 4f3b542..cf422f4 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..ff28a20 100644 +index 99b71cb..9c48de6 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14204,7 +14264,7 @@ index 99b71cb..ff28a20 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +172,25 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -14212,7 +14272,7 @@ index 99b71cb..ff28a20 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) 
@@ -14228,12 +14288,13 @@ index 99b71cb..ff28a20 100644 +network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) ++network_port(mongod, tcp,27017,s0) network_port(monopd, tcp,1234,s0) +network_port(movaz_ssc, tcp,5252,s0) network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +200,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -14266,7 +14327,7 @@ index 99b71cb..ff28a20 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,30 +237,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -14306,7 +14367,7 @@ index 99b71cb..ff28a20 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,9 +278,11 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -14319,7 +14380,7 @@ index 99b71cb..ff28a20 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +294,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14327,7 +14388,7 @@ index 99b71cb..ff28a20 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +304,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14340,7 +14401,7 @@ index 99b71cb..ff28a20 100644 ######################################## # -@@ -282,9 +354,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -16078,7 +16139,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..a60d2f8 100644 +index fae1ab1..cee9fe0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -16103,7 +16164,7 @@ index fae1ab1..a60d2f8 100644 ## ##

-@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms; +@@ -87,14 +102,20 @@ allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -16119,10 +16180,13 @@ index fae1ab1..a60d2f8 100644 # create child processes in the domain -allow domain self:process { fork sigchld }; +allow domain self:process { fork getsched sigchld }; ++ ++# TODO: just for now until we know what is wrong ++dev_read_sysfs(domain) # Use trusted objects in /dev dev_rw_null(domain) -@@ -103,6 +121,16 @@ term_use_controlling_term(domain) +@@ -103,6 +124,16 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) @@ -16139,7 +16203,7 @@ index fae1ab1..a60d2f8 100644 tunable_policy(`global_ssp',` # enable reading of urandom for all domains: -@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',` +@@ -113,8 +144,13 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -16153,7 +16217,7 @@ index fae1ab1..a60d2f8 100644 ') optional_policy(` -@@ -125,6 +158,8 @@ optional_policy(` +@@ -125,6 +161,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -16162,7 +16226,7 @@ index fae1ab1..a60d2f8 100644 ') ######################################## -@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +@@ -143,6 +181,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; 
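Review bot: `dev_read_sysfs(domain)` in the `domain.te` hunk grants sysfs read to every domain in the policy, and its only justification is the comment "TODO: just for now until we know what is wrong". A blanket rule on the `domain` attribute hides which confined services actually need `/sys`, and is easy to forget once the denials stop. The same commit already shows the targeted form with `dev_read_sysfs(accountsd_t)` in `accountsd.te`, which the blanket rule makes redundant. I would grant the permission per domain as the denials are identified, or at least make the TODO traceable, e.g. `# TODO(<bug-id>): temporary, remove once the sysfs denials are understood`.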
@@ -16171,7 +16235,7 @@ index fae1ab1..a60d2f8 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +198,216 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -16259,6 +16323,7 @@ index fae1ab1..a60d2f8 100644 + +optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) ++ userdom_filetrans_home_content(unconfined_domain_type) +') + +optional_policy(` @@ -21354,7 +21419,7 @@ index 2be17d2..e47e0f0 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..c6aa0bc 100644 +index e14b961..b4bff66 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,52 @@ ifndef(`enable_mls',` @@ -21440,11 +21505,12 @@ index e14b961..c6aa0bc 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +147,19 @@ optional_policy(` +@@ -110,11 +147,20 @@ optional_policy(` ') optional_policy(` + cron_admin_role(sysadm_r, sysadm_t) ++ #cron_role(sysadm_r, sysadm_t) +') + +optional_policy(` @@ -21461,7 +21527,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -128,6 +173,10 @@ optional_policy(` +@@ -128,6 +174,10 @@ optional_policy(` ') optional_policy(` @@ -21472,7 +21538,7 @@ index e14b961..c6aa0bc 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +212,13 @@ optional_policy(` +@@ -163,6 +213,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -21486,7 +21552,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -170,15 +226,20 @@ optional_policy(` +@@ -170,15 +227,20 @@ optional_policy(` ') optional_policy(` 
@@ -21510,7 +21576,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -198,22 +259,20 @@ optional_policy(` +@@ -198,22 +260,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21539,7 +21605,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -225,25 +284,47 @@ optional_policy(` +@@ -225,25 +285,47 @@ optional_policy(` ') optional_policy(` @@ -21587,7 +21653,7 @@ index e14b961..c6aa0bc 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,31 +334,32 @@ optional_policy(` +@@ -253,31 +335,32 @@ optional_policy(` ') optional_policy(` @@ -21627,7 +21693,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -302,12 +384,18 @@ optional_policy(` +@@ -302,12 +385,18 @@ optional_policy(` ') optional_policy(` @@ -21647,7 +21713,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -332,7 +420,10 @@ optional_policy(` +@@ -332,7 +421,10 @@ optional_policy(` ') optional_policy(` @@ -21659,7 +21725,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -343,19 +434,15 @@ optional_policy(` +@@ -343,19 +435,15 @@ optional_policy(` ') optional_policy(` @@ -21681,7 +21747,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -367,45 +454,45 @@ optional_policy(` +@@ -367,45 +455,45 @@ optional_policy(` ') optional_policy(` @@ -21738,7 +21804,7 @@ index e14b961..c6aa0bc 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +505,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +506,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21749,7 +21815,7 @@ index e14b961..c6aa0bc 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +522,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +523,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) 
@@ -21757,7 +21823,7 @@ index e14b961..c6aa0bc 100644 ') optional_policy(` -@@ -446,11 +530,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +531,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24014,7 +24080,7 @@ index c0f858d..d639ae0 100644 accountsd_manage_lib_files($1) diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..493bde2 100644 +index 1632f10..0359b30 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) @@ -24034,7 +24100,13 @@ index 1632f10..493bde2 100644 allow accountsd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -@@ -32,10 +35,12 @@ files_read_usr_files(accountsd_t) +@@ -28,14 +31,18 @@ kernel_read_kernel_sysctls(accountsd_t) + + corecmd_exec_bin(accountsd_t) + ++dev_read_sysfs(accountsd_t) ++ + files_read_usr_files(accountsd_t) files_read_mnt_files(accountsd_t) fs_list_inotifyfs(accountsd_t) @@ -24047,7 +24119,7 @@ index 1632f10..493bde2 100644 miscfiles_read_localization(accountsd_t) -@@ -55,3 +60,8 @@ optional_policy(` +@@ -55,3 +62,8 @@ optional_policy(` optional_policy(` policykit_dbus_chat(accountsd_t) ') @@ -26355,7 +26427,7 @@ index 1ea99b2..9427dd5 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..21b91de 100644 +index 1c8c27e..3522d00 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) 
@@ -26440,7 +26512,20 @@ index 1c8c27e..21b91de 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -201,7 +213,8 @@ optional_policy(` +@@ -181,6 +193,12 @@ optional_policy(` + ') + + optional_policy(` ++ devicekit_manage_pid_files(apmd_t) ++ devicekit_manage_log_files(apmd_t) ++ devicekit_relabel_log_files(apmd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(apmd_t) + + optional_policy(` +@@ -201,7 +219,8 @@ optional_policy(` ') optional_policy(` @@ -26450,7 +26535,7 @@ index 1c8c27e..21b91de 100644 ') optional_policy(` -@@ -209,8 +222,9 @@ optional_policy(` +@@ -209,8 +228,9 @@ optional_policy(` pcmcia_domtrans_cardctl(apmd_t) ') @@ -26461,7 +26546,7 @@ index 1c8c27e..21b91de 100644 ') optional_policy(` -@@ -219,10 +233,6 @@ optional_policy(` +@@ -219,10 +239,6 @@ optional_policy(` ') optional_policy(` @@ -28630,10 +28715,10 @@ index 0000000..4ec83df +/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0) diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if new file mode 100644 -index 0000000..12fe9ce +index 0000000..883b697 --- /dev/null +++ b/policy/modules/services/cfengine.if -@@ -0,0 +1,23 @@ +@@ -0,0 +1,42 @@ + +##

policy for cfengine + @@ -28657,6 +28742,25 @@ index 0000000..12fe9ce + domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t) +') + ++######################################## ++## ++## Read cfengine lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_read_lib_files',` ++ gen_require(` ++ type cfengine_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) ++') ++ diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 index 0000000..1ba0484 @@ -29221,7 +29325,7 @@ index 1f11572..9eb2461 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..8cd02e2 100644 +index f758323..4bc077f 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,16 @@ 
@@ -29281,30 +29385,42 @@ index f758323..8cd02e2 100644 corenet_sendrecv_clamd_server_packets(clamd_t) dev_read_rand(clamd_t) -@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t) +@@ -127,13 +139,6 @@ logging_send_syslog_msg(clamd_t) miscfiles_read_localization(clamd_t) -cron_use_fds(clamd_t) -cron_use_system_job_fds(clamd_t) -cron_rw_pipes(clamd_t) -+optional_policy(` +- +-mta_read_config(clamd_t) +-mta_send_mail(clamd_t) +- + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +@@ -142,13 +147,30 @@ optional_policy(` + ') + + optional_policy(` + cron_use_fds(clamd_t) + cron_use_system_job_fds(clamd_t) + cron_rw_pipes(clamd_t) +') ++ ++optional_policy(` + exim_read_spool_files(clamd_t) + ') --mta_read_config(clamd_t) --mta_send_mail(clamd_t) +optional_policy(` + mta_read_config(clamd_t) + mta_send_mail(clamd_t) +') - - optional_policy(` - amavis_read_lib_files(clamd_t) -@@ -147,8 +163,10 @@ optional_policy(` - ++ ++optional_policy(` ++ spamd_stream_connect(clamd_t) ++') ++ tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; -', ` @@ -29315,7 +29431,7 @@ index f758323..8cd02e2 100644 ') ######################################## -@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -29334,7 +29450,7 @@ index f758323..8cd02e2 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) 
@@ -29342,7 +29458,7 @@ index f758323..8cd02e2 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -29365,7 +29481,7 @@ index f758323..8cd02e2 100644 ######################################## # # clamscam local policy -@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -29395,7 +29511,7 @@ index f758323..8cd02e2 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -29494,10 +29610,10 @@ index 0000000..f2968f8 +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if new file mode 100644 -index 0000000..917f8d4 +index 0000000..6451167 --- /dev/null +++ b/policy/modules/services/cloudform.if -@@ -0,0 +1,23 @@ +@@ -0,0 +1,40 @@ +## cloudform policy + +####################################### @@ -29519,11 +29635,28 @@ index 0000000..917f8d4 + type $1_t, cloudform_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) ++') + ++###################################### ++## ++## Execute mongod in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`cloudform_exec_mongod',` ++ gen_require(` ++ type mogod_exec_t; ++ ') ++ ++ can_exec($1, mogod_exec_t) +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..5c0c84f +index 0000000..e1974d3 
--- /dev/null +++ b/policy/modules/services/cloudform.te @@ -0,0 +1,223 @@ @@ -29701,7 +29834,7 @@ index 0000000..5c0c84f +files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) + +corenet_tcp_bind_generic_node(mongod_t) -+corenet_tcp_bind_generic_port(mongod_t) ++corenet_tcp_bind_mongod_port(mongod_t) + +files_read_usr_files(mongod_t) + @@ -30514,7 +30647,7 @@ index 0000000..2ee2be0 +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..6ff206b 100644 +index 74505cc..29aa481 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -23,6 +23,7 @@ files_type(colord_var_lib_t) @@ -30549,7 +30682,7 @@ index 74505cc..6ff206b 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,19 +73,31 @@ files_list_mnt(colord_t) +@@ -65,19 +73,29 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) @@ -30567,10 +30700,9 @@ index 74505cc..6ff206b 100644 miscfiles_read_localization(colord_t) - sysnet_dns_name_resolve(colord_t) - +-sysnet_dns_name_resolve(colord_t) +userdom_rw_user_tmpfs_files(colord_t) -+ + tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) fs_read_nfs_files(colord_t) @@ -30581,7 +30713,7 @@ index 74505cc..6ff206b 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +109,10 @@ optional_policy(` +@@ -89,6 +107,10 @@ optional_policy(` ') optional_policy(` @@ -30592,8 +30724,15 @@ index 74505cc..6ff206b 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -98,3 +122,9 @@ optional_policy(` +@@ -96,5 +118,16 @@ optional_policy(` + ') + optional_policy(` ++ sysnet_exec_ifconfig(colord_t) ++ sysnet_dns_name_resolve(colord_t) ++') ++ ++optional_policy(` udev_read_db(colord_t) ') + @@ -30714,7 +30853,7 @@ index fd15dfe..d33cc41 100644 + ps_process_pattern($1, consolekit_t) +') 
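Review bot: `cloudform_exec_mongod` requires and grants on `mogod_exec_t`, which looks like a misspelling of `mongod_exec_t`, presumably the type the cloudform domain template produces for the mongod domain that cloudform.te refers to as `mongod_t` and `mongod_var_run_t`. As written, the `gen_require` names a type that nothing visible declares, so a caller would either fail to build or, inside an `optional_policy`, be dropped without any error. The two lines should read `type mongod_exec_t;` and `can_exec($1, mongod_exec_t)`. The block is also introduced with `template(` although it declares no types; `interface(` would match the other access interfaces in this patch.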
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te -index e67a003..192332a 100644 +index e67a003..5eaa496 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t) @@ -30727,13 +30866,14 @@ index e67a003..192332a 100644 ######################################## # # consolekit local policy -@@ -69,11 +72,14 @@ logging_send_audit_msgs(consolekit_t) +@@ -69,11 +72,15 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) +systemd_exec_systemctl(consolekit_t) + +# consolekit needs to be able to ptrace all logged in users ++userdom_read_all_users_state(consolekit_t) +userdom_ptrace_all_users(consolekit_t) userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_dontaudit_getattr_admin_home_files(consolekit_t) @@ -30744,7 +30884,7 @@ index e67a003..192332a 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(consolekit_t) ') -@@ -83,6 +89,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -83,6 +90,14 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -30759,7 +30899,7 @@ index e67a003..192332a 100644 dbus_system_domain(consolekit_t, consolekit_exec_t) optional_policy(` -@@ -99,6 +113,10 @@ optional_policy(` +@@ -99,6 +114,10 @@ optional_policy(` ') optional_policy(` @@ -30770,7 +30910,7 @@ index e67a003..192332a 100644 policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) -@@ -106,9 +124,10 @@ optional_policy(` +@@ -106,9 +125,10 @@ optional_policy(` ') optional_policy(` @@ -30783,7 +30923,7 @@ index e67a003..192332a 100644 xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -125,5 +144,6 @@ optional_policy(` +@@ -125,5 +145,6 @@ optional_policy(` optional_policy(` #reading .Xauthity 
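Review bot: The added `userdom_read_all_users_state(consolekit_t)` sits between the comment `# consolekit needs to be able to ptrace all logged in users` and the `userdom_ptrace_all_users(consolekit_t)` rule that comment describes, so the comment now reads as the justification for the wrong line. Move the new rule above the comment, or give it its own one-line reason. Ptrace over every user domain is the broadest grant in this block, so it is worth recording whether it is still required once reading process state is allowed; that cannot be judged from this hunk alone.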
@@ -31644,7 +31784,7 @@ index 35241ed..445ced4 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..4100ff7 100644 +index f7583ab..1d71121 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -31807,13 +31947,24 @@ index f7583ab..4100ff7 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -203,11 +223,17 @@ files_list_usr(crond_t) +@@ -203,11 +223,28 @@ files_list_usr(crond_t) files_search_var_lib(crond_t) files_search_default(crond_t) +fs_manage_cgroup_dirs(crond_t) +fs_manage_cgroup_files(crond_t) + ++# needed by "crontab -e" ++mls_file_read_all_levels(crond_t) ++mls_file_write_all_levels(crond_t) ++ ++# needed because of kernel check of transition ++mls_process_set_level(crond_t) ++ ++# to make cronjob working ++mls_fd_share_all_levels(crond_t) ++mls_trusted_object(crond_t) ++ +init_read_state(crond_t) init_rw_utmp(crond_t) init_spec_domtrans_script(crond_t) @@ -31825,7 +31976,7 @@ index f7583ab..4100ff7 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t) +@@ -220,8 +257,11 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -31837,7 +31988,7 @@ index f7583ab..4100ff7 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -233,7 +262,7 @@ ifdef(`distro_debian',` +@@ -233,7 +273,7 @@ ifdef(`distro_debian',` ') ') @@ -31846,7 +31997,7 @@ index f7583ab..4100ff7 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +290,31 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` 
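Review bot: The five `mls_*` rules added for `crond_t` lift MLS read and write constraints on files for the daemon and mark it as a trusted object (`mls_file_read_all_levels`, `mls_file_write_all_levels`, `mls_trusted_object`), and the comments above them are too thin for grants of that size. `# needed by "crontab -e"` does not say why the daemon domain, rather than the crontab domain, needs access across all levels, and `# to make cronjob working` gives no reason at all. Each comment should name the operation that is denied without the rule, so a later reviewer can tell whether the exemption can be narrowed. The commit description does not mention these rules, so it is also unclear whether they are a deliberate part of this change.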
@@ -31867,6 +32018,7 @@ index f7583ab..4100ff7 100644 + # these should probably be unconfined_crond_t + dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) ++ init_dbus_chat(crond_t) +') + +optional_policy(` @@ -31877,7 +32029,7 @@ index f7583ab..4100ff7 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +312,8 @@ optional_policy(` +@@ -264,6 +324,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -31886,7 +32038,7 @@ index f7583ab..4100ff7 100644 ') optional_policy(` -@@ -286,15 +336,26 @@ optional_policy(` +@@ -286,15 +348,26 @@ optional_policy(` ') optional_policy(` @@ -31913,7 +32065,7 @@ index f7583ab..4100ff7 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -306,10 +379,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -31934,7 +32086,7 @@ index f7583ab..4100ff7 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -329,6 +411,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; 
@@ -31942,7 +32094,7 @@ index f7583ab..4100ff7 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,9 +423,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -31957,7 +32109,7 @@ index f7583ab..4100ff7 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -365,6 +452,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -31965,7 +32117,7 @@ index f7583ab..4100ff7 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +479,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -31973,7 +32125,7 @@ index f7583ab..4100ff7 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +502,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -31985,7 +32137,7 @@ index f7583ab..4100ff7 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +518,8 @@ optional_policy(` +@@ -439,6 +530,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) 
@@ -31994,7 +32146,7 @@ index f7583ab..4100ff7 100644 ') optional_policy(` -@@ -446,6 +527,14 @@ optional_policy(` +@@ -446,6 +539,14 @@ optional_policy(` ') optional_policy(` @@ -32009,7 +32161,7 @@ index f7583ab..4100ff7 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,15 +545,25 @@ optional_policy(` +@@ -456,15 +557,25 @@ optional_policy(` ') optional_policy(` @@ -32035,7 +32187,7 @@ index f7583ab..4100ff7 100644 ') optional_policy(` -@@ -480,7 +579,7 @@ optional_policy(` +@@ -480,7 +591,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -32044,7 +32196,7 @@ index f7583ab..4100ff7 100644 ') optional_policy(` -@@ -495,6 +594,7 @@ optional_policy(` +@@ -495,6 +606,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -32052,7 +32204,7 @@ index f7583ab..4100ff7 100644 ') optional_policy(` -@@ -502,7 +602,13 @@ optional_policy(` +@@ -502,7 +614,13 @@ optional_policy(` ') optional_policy(` @@ -32066,7 +32218,7 @@ index f7583ab..4100ff7 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +701,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -33850,7 +34002,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..5001351 100644 +index f706b99..037af58 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ 
@@ -33999,7 +34151,7 @@ index f706b99..5001351 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +252,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +252,92 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -34007,27 +34159,65 @@ index f706b99..5001351 100644 -## an devicekit environment +## Do not audit attempts to read +## devicekit PID files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_read_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; ++') ++ ++ ++######################################## ++## ++## Manage devicekit PID files. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## -## +# -+interface(`devicekit_dontaudit_read_pid_files',` -+ gen_require(` ++interface(`devicekit_manage_pid_files',` ++ gen_require(` + type devicekit_var_run_t; + ') + -+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; ++ files_search_pids($1) ++ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + ++####################################### ++## ++## Relabel devicekit LOG files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_relabel_log_files',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++') + +######################################## +## -+## Manage devicekit PID files. ++## Manage devicekit LOG files. +## +## ## 
@@ -34037,14 +34227,15 @@ index f706b99..5001351 100644 ## -## +# -+interface(`devicekit_manage_pid_files',` ++interface(`devicekit_manage_log_files',` + gen_require(` -+ type devicekit_var_run_t; ++ type devicekit_var_log_t; + ') + -+ files_search_pids($1) -+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ logging_search_logs($1) ++ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") +') + +######################################## @@ -34059,7 +34250,7 @@ index f706b99..5001351 100644 ## ## ## -@@ -165,21 +308,39 @@ interface(`devicekit_admin',` +@@ -165,21 +348,41 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -34100,10 +34291,12 @@ index f706b99..5001351 100644 +# +interface(`devicekit_filetrans_named_content',` + gen_require(` -+ type devicekit_var_run_t; ++ type devicekit_var_run_t, devicekit_var_log_t; + ') + + files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index f231f17..8cc1f09 100644 @@ -39691,7 +39884,7 @@ index ecab47a..40affd8 100644 - ') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te -index fdb7e9a..1c02a45 100644 +index fdb7e9a..17ed705 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te @@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0) 
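Review bot: `devicekit_manage_log_files` ends with two commented-out `#logging_log_filetrans(...)` lines, and the later hunk on `devicekit_filetrans_named_content` adds the same two commented lines together with `devicekit_var_log_t` in its `gen_require`. In that second interface the type is used only by the commented-out lines, so the require is dead and makes every caller depend on a type the interface never touches. Either enable the named transitions or drop the comments and keep `type devicekit_var_run_t;` as the only required type. If the transitions are disabled on purpose, a one-line comment saying why should replace the dead code.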
@@ -39718,9 +39911,14 @@ index fdb7e9a..1c02a45 100644 manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +@@ -39,7 +47,18 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) + kernel_read_system_state(icecast_t) ++dev_read_sysfs(icecast_t) ++dev_read_urand(icecast_t) ++dev_read_rand(icecast_t) ++ corenet_tcp_bind_soundd_port(icecast_t) +corenet_tcp_connect_soundd_port(icecast_t) + @@ -44258,7 +44456,7 @@ index 343cee3..e5519fd 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..c84e80f 100644 +index 64268e4..65fd01f 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -44505,7 +44703,7 @@ index 64268e4..c84e80f 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +316,46 @@ optional_policy(` +@@ -292,3 +316,47 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -44519,6 +44717,7 @@ index 64268e4..c84e80f 100644 +allow user_mail_domain mta_exec_type:file entrypoint; + +append_files_pattern(user_mail_domain, mail_home_t, mail_home_t) ++read_files_pattern(user_mail_domain, mail_home_t, mail_home_t) + +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) + @@ -44661,7 +44860,7 @@ index c358d8f..fec6a97 100644 allow $1 munin_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..6b17513 100644 +index f17583b..9850f4d 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
@@ -44778,15 +44977,16 @@ index f17583b..6b17513 100644 ') optional_policy(` -@@ -245,6 +253,7 @@ optional_policy(` +@@ -245,6 +253,8 @@ optional_policy(` # local policy for service plugins # ++allow services_munin_plugin_t self:shm create_sem_perms; +allow services_munin_plugin_t self:sem create_sem_perms; allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +264,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -44801,7 +45001,7 @@ index f17583b..6b17513 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +292,10 @@ optional_policy(` +@@ -286,6 +293,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -44812,7 +45012,7 @@ index f17583b..6b17513 100644 ################################## # # local policy for system plugins -@@ -295,13 +305,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -44829,7 +45029,7 @@ index f17583b..6b17513 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +322,31 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -44998,7 +45198,7 @@ index e9c0982..14af30a 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..91de41a 100644 +index 0a0d63c..fdd8615 100644 --- a/policy/modules/services/mysql.te 
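Review bot: The added rule `allow services_munin_plugin_t self:shm create_sem_perms;` pairs the shared-memory class with the semaphore permission set, which looks like a copy of the `self:sem` line directly below it. The shm class has its own set, so the rule should be `allow services_munin_plugin_t self:shm create_shm_perms;`. In reference policy the two sets differ by the `lock` permission, so the current form may compile and still leave a denial for a plugin that locks the segment. It is worth checking against the AVC that motivated the change.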
+++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -45065,7 +45265,13 @@ index 0a0d63c..91de41a 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t) +@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t) + kernel_read_kernel_sysctls(mysqld_safe_t) + + corecmd_exec_bin(mysqld_safe_t) ++corecmd_exec_shell(mysqld_safe_t) + + dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -45498,7 +45704,7 @@ index 74da57f..b94bb3b 100644 /usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..47e1b41 100644 +index 386543b..8e8f911 100644 --- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc @@ -1,6 +1,15 @@ @@ -45518,7 +45724,7 @@ index 386543b..47e1b41 100644 /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -@@ -16,7 +25,8 @@ +@@ -16,11 +25,13 @@ /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) 
@@ -45528,6 +45734,11 @@ index 386543b..47e1b41 100644 /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index 2324d9e..8666a3c 100644 --- a/policy/modules/services/networkmanager.if 
@@ -47308,6 +47519,36 @@ index 9d0a67b..9197ef0 100644 ## # interface(`openct_domtrans',` +diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te +index 7f8fdc2..047d985 100644 +--- a/policy/modules/services/openct.te ++++ b/policy/modules/services/openct.te +@@ -23,12 +23,13 @@ allow openct_t self:process signal_perms; + manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +-files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) + + kernel_read_kernel_sysctls(openct_t) + kernel_list_proc(openct_t) + kernel_read_proc_symlinks(openct_t) + ++can_exec(openct_t, openct_exec_t) ++ + dev_read_sysfs(openct_t) + # openct asks for this + dev_rw_usbfs(openct_t) +@@ -50,7 +51,9 @@ miscfiles_read_localization(openct_t) + userdom_dontaudit_use_unpriv_user_fds(openct_t) + userdom_dontaudit_search_user_home_dirs(openct_t) + +-openct_exec(openct_t) ++optional_policy(` ++ pcscd_stream_connect(openct_t) ++') + + optional_policy(` + seutil_sigchld_newrole(openct_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 8b550f4..ed5aae9 100644 --- a/policy/modules/services/openvpn.te @@ -47970,10 +48211,10 @@ index 0000000..548d0a2 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..9c4df9f +index 0000000..33980a8 --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,300 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -48077,6 +48318,7 @@ index 0000000..9c4df9f +corenet_tcp_bind_piranha_port(piranha_web_t) +corenet_tcp_connect_ricci_port(piranha_web_t) + ++dev_read_rand(piranha_web_t) +dev_read_urand(piranha_web_t) + +domain_read_all_domains_state(piranha_web_t) 
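Review bot: This new openct.te section removes `files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })` while keeping the three `manage_*_pattern` rules on `openct_var_run_t`, and the commit description mentions only the pcscd stream connect. Without the transition, objects openct creates under the pid directory keep the parent directory's type unless a file-context entry or a named transition elsewhere covers them, and nothing visible here does. If the removal is deliberate, a comment next to the `manage_*` rules should say what now labels those objects; otherwise the line should stay. Replacing `openct_exec(openct_t)` with `can_exec(openct_t, openct_exec_t)` is fine on its own.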
@@ -48745,10 +48987,39 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..add05dd 100644 +index 1e7169d..e3d4700 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te -@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) +@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0) + # Declarations + # + +-type policykit_t alias polkit_t; +-type policykit_exec_t alias polkit_exec_t; ++attribute policykit_domain; ++ ++type policykit_t, policykit_domain; ++type policykit_exec_t; + init_daemon_domain(policykit_t, policykit_exec_t) + +-type policykit_auth_t alias polkit_auth_t; +-type policykit_auth_exec_t alias polkit_auth_exec_t; ++type policykit_auth_t, policykit_domain; ++type policykit_auth_exec_t; + init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) + +-type policykit_grant_t alias polkit_grant_t; +-type policykit_grant_exec_t alias polkit_grant_exec_t; ++type policykit_grant_t, policykit_domain; ++type policykit_grant_exec_t; + init_system_domain(policykit_grant_t, policykit_grant_exec_t) + +-type policykit_resolve_t alias polkit_resolve_t; +-type policykit_resolve_exec_t alias polkit_resolve_exec_t; ++type policykit_resolve_t, policykit_domain; ++type policykit_resolve_exec_t; + init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) + type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) 
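Review bot: The rewritten declarations drop `alias polkit_t`, `alias polkit_auth_t`, `alias polkit_grant_t`, `alias polkit_resolve_t` and the four matching `_exec_t` aliases, while `policykit_reload_t` keeps `alias polkit_reload_t`. Any rule or file context that still uses a `polkit_*` name for those eight types will no longer resolve, and the mismatch with the remaining aliases suggests the removal came along with adding the `policykit_domain` attribute rather than being a decision of its own. The attribute can be added without losing the alias, as in `type policykit_t alias polkit_t, policykit_domain;`. If the aliases are being retired on purpose, that should be done for all policykit types and stated in the description.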
@@ -48758,7 +49029,27 @@ index 1e7169d..add05dd 100644 type policykit_var_lib_t alias polkit_var_lib_t; files_type(policykit_var_lib_t) -@@ -35,11 +38,11 @@ files_pid_file(policykit_var_run_t) + type policykit_var_run_t alias polkit_var_run_t; + files_pid_file(policykit_var_run_t) + ++####################################### ++# ++# policykit_domain local policy ++# ++ ++allow policykit_domain self:process getattr; ++allow policykit_domain self:fifo_file rw_fifo_file_perms; ++ ++dev_read_sysfs(policykit_domain) ++ ++#auth_use_nsswitch(policykit_domain) ++ ++logging_send_syslog_msg(policykit_domain) ++ ++miscfiles_read_localization(policykit_domain) ++ + ######################################## + # # policykit local policy # @@ -48766,15 +49057,22 @@ index 1e7169d..add05dd 100644 -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; -+allow policykit_t self:process { getsched getattr signal }; -+allow policykit_t self:fifo_file rw_fifo_file_perms; ++allow policykit_t self:process { getsched signal }; allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket create_stream_socket_perms; +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; policykit_domtrans_auth(policykit_t) -@@ -56,10 +59,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) + can_exec(policykit_t, policykit_exec_t) + corecmd_exec_bin(policykit_t) + ++dev_read_sysfs(policykit_t) ++ + rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) + + policykit_domtrans_resolve(policykit_t) +@@ -56,56 +78,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) 
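Review bot: `dev_read_sysfs(policykit_t)` is added in the policykit_t section although the new `policykit_domain` block in the preceding hunk already grants `dev_read_sysfs(policykit_domain)`, and `policykit_t` is declared with that attribute. The per-type call is redundant and works against the purpose of moving the shared rules (`process getattr`, `fifo_file`, syslog, localization) onto the attribute, so I would delete it. The attribute block also leaves `#auth_use_nsswitch(policykit_domain)` commented out while the per-type `auth_use_nsswitch` calls remain. Either remove that line or add a short comment on why it cannot be applied to the attribute.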
@@ -48791,19 +49089,18 @@ index 1e7169d..add05dd 100644 auth_use_nsswitch(policykit_t) -@@ -67,45 +76,92 @@ logging_send_syslog_msg(policykit_t) - - miscfiles_read_localization(policykit_t) - +-logging_send_syslog_msg(policykit_t) +userdom_getattr_all_users(policykit_t) - userdom_read_all_users_state(policykit_t) ++userdom_read_all_users_state(policykit_t) +userdom_dontaudit_search_admin_dir(policykit_t) + +optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) -+ + +-miscfiles_read_localization(policykit_t) + init_dbus_chat(policykit_t) -+ + +-userdom_read_all_users_state(policykit_t) + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') @@ -48832,8 +49129,7 @@ index 1e7169d..add05dd 100644 -allow policykit_auth_t self:fifo_file rw_file_perms; +allow policykit_auth_t self:capability { ipc_lock setgid setuid }; +dontaudit policykit_auth_t self:capability sys_tty_config; -+allow policykit_auth_t self:process { getattr getsched signal }; -+allow policykit_auth_t self:fifo_file rw_fifo_file_perms; ++allow policykit_auth_t self:process { getsched signal }; + allow policykit_auth_t self:unix_dgram_socket create_socket_perms; allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; 
@@ -48866,17 +49162,17 @@ index 1e7169d..add05dd 100644 files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) +files_search_home(policykit_auth_t) -+ -+fs_getattr_all_fs(polkit_auth_t) -+fs_search_tmpfs(polkit_auth_t) - auth_use_nsswitch(policykit_auth_t) +-auth_use_nsswitch(policykit_auth_t) ++fs_getattr_all_fs(policykit_auth_t) ++fs_search_tmpfs(policykit_auth_t) + +-logging_send_syslog_msg(policykit_auth_t) ++auth_use_nsswitch(policykit_auth_t) +auth_rw_var_auth(policykit_auth_t) +auth_domtrans_chk_passwd(policykit_auth_t) - logging_send_syslog_msg(policykit_auth_t) - - miscfiles_read_localization(policykit_auth_t) +-miscfiles_read_localization(policykit_auth_t) +miscfiles_read_fonts(policykit_auth_t) +miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) @@ -48890,7 +49186,7 @@ index 1e7169d..add05dd 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,6 +174,14 @@ optional_policy(` +@@ -118,14 +185,21 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -48905,17 +49201,23 @@ index 1e7169d..add05dd 100644 ######################################## # # polkit_grant local policy -@@ -125,7 +189,8 @@ optional_policy(` + # allow policykit_grant_t self:capability setuid; - allow policykit_grant_t self:process getattr; +-allow policykit_grant_t self:process getattr; -allow policykit_grant_t self:fifo_file rw_file_perms; -+allow policykit_grant_t self:fifo_file rw_fifo_file_perms; + allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -155,9 +220,12 @@ miscfiles_read_localization(policykit_grant_t) +@@ -148,16 +222,15 @@ files_read_usr_files(policykit_grant_t) + auth_use_nsswitch(policykit_grant_t) + auth_domtrans_chk_passwd(policykit_grant_t) + +-logging_send_syslog_msg(policykit_grant_t) +- +-miscfiles_read_localization(policykit_grant_t) +- userdom_read_all_users_state(policykit_grant_t) optional_policy(` 
@@ -48929,17 +49231,28 @@ index 1e7169d..add05dd 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -169,7 +237,8 @@ optional_policy(` +@@ -168,8 +241,7 @@ optional_policy(` + # allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; - allow policykit_resolve_t self:process getattr; +-allow policykit_resolve_t self:process getattr; -allow policykit_resolve_t self:fifo_file rw_file_perms; -+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; + allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -207,4 +276,3 @@ optional_policy(` +@@ -189,10 +261,6 @@ mcs_ptrace_all(policykit_resolve_t) + + auth_use_nsswitch(policykit_resolve_t) + +-logging_send_syslog_msg(policykit_resolve_t) +- +-miscfiles_read_localization(policykit_resolve_t) +- + userdom_read_all_users_state(policykit_resolve_t) + + optional_policy(` +@@ -207,4 +275,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -49841,7 +50154,7 @@ index 46bee12..ca32d30 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..3a59bac 100644 +index a32c4b3..94e68b2 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) 
@@ -49948,7 +50261,15 @@ index a32c4b3..3a59bac 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ + + delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + + kernel_read_all_sysctls(postfix_master_t) +@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -49958,7 +50279,7 @@ index a32c4b3..3a59bac 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -49969,7 +50290,7 @@ index a32c4b3..3a59bac 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; 
@@ -49988,7 +50309,7 @@ index a32c4b3..3a59bac 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, +@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) @@ -50006,7 +50327,7 @@ index a32c4b3..3a59bac 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,8 +294,8 @@ optional_policy(` +@@ -264,8 +295,8 @@ optional_policy(` # Postfix local local policy # @@ -50016,7 +50337,7 @@ index a32c4b3..3a59bac 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -50025,7 +50346,7 @@ index a32c4b3..3a59bac 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) 
@@ -50044,7 +50365,7 @@ index a32c4b3..3a59bac 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +334,10 @@ optional_policy(` +@@ -297,6 +335,10 @@ optional_policy(` ') optional_policy(` @@ -50055,7 +50376,7 @@ index a32c4b3..3a59bac 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +345,22 @@ optional_policy(` +@@ -304,9 +346,22 @@ optional_policy(` ') optional_policy(` @@ -50078,7 +50399,7 @@ index a32c4b3..3a59bac 100644 ######################################## # # Postfix map local policy -@@ -372,6 +426,7 @@ optional_policy(` +@@ -372,6 +427,7 @@ optional_policy(` # Postfix pickup local policy # @@ -50086,7 +50407,7 @@ index a32c4b3..3a59bac 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -379,19 +434,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,19 +435,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -50114,7 +50435,7 @@ index a32c4b3..3a59bac 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -50123,7 +50444,7 @@ index a32c4b3..3a59bac 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +484,7 @@ optional_policy(` +@@ -420,6 +485,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) 
@@ -50131,7 +50452,7 @@ index a32c4b3..3a59bac 100644 ') optional_policy(` -@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -50149,7 +50470,7 @@ index a32c4b3..3a59bac 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -50160,7 +50481,7 @@ index a32c4b3..3a59bac 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +578,8 @@ optional_policy(` +@@ -507,6 +579,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -50169,7 +50490,7 @@ index a32c4b3..3a59bac 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -50182,7 +50503,7 @@ index a32c4b3..3a59bac 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; 
@@ -50193,7 +50514,16 @@ index a32c4b3..3a59bac 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +644,14 @@ optional_policy(` +@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; + + allow postfix_smtp_t postfix_spool_t:file rw_file_perms; + ++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++ + files_search_all_mountpoints(postfix_smtp_t) + + optional_policy(` +@@ -565,6 +647,14 @@ optional_policy(` ') optional_policy(` @@ -50208,7 +50538,7 @@ index a32c4b3..3a59bac 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +675,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +678,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -50225,7 +50555,7 @@ index a32c4b3..3a59bac 100644 ') optional_policy(` -@@ -599,6 +692,10 @@ optional_policy(` +@@ -599,6 +695,10 @@ optional_policy(` ') optional_policy(` @@ -50236,7 +50566,7 @@ index a32c4b3..3a59bac 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,8 +708,8 @@ optional_policy(` +@@ -611,8 +711,8 @@ optional_policy(` # Postfix virtual local policy # @@ -50246,7 +50576,7 @@ index a32c4b3..3a59bac 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +730,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -51498,7 +51828,7 @@ index 2855a44..58bb459 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..5f6e7b8 100644 +index 64c5f95..8168c62 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) 
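Review bot: The added `rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` sits in the postfix_smtp_t rules, right after `allow postfix_smtp_t postfix_spool_t:file rw_file_perms;`, yet its source domain is postfix_master_t. The identical rule is already added in the postfix_master_t section by the `@@ -138,6 +152,7 @@` hunk of this same file, so this copy grants nothing new. Either drop it, or, if postfix_smtp_t was the intended subject, change it to `rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` only after confirming from the recorded denial that smtp needs write access to the maildrop spool. The postfix_smtp_t block continues outside the hunk.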
@@ -51545,16 +51875,54 @@ index 64c5f95..5f6e7b8 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t) +@@ -80,7 +92,10 @@ kernel_dontaudit_search_sysctl(puppet_t) + kernel_dontaudit_search_kernel_sysctl(puppet_t) + kernel_read_system_state(puppet_t) + kernel_read_crypto_sysctls(puppet_t) ++kernel_read_kernel_sysctls(puppet_t) + ++corecmd_read_all_executables(puppet_t) ++corecmd_dontaudit_access_all_executables(puppet_t) + corecmd_exec_bin(puppet_t) + corecmd_exec_shell(puppet_t) + +@@ -103,6 +118,7 @@ files_manage_config_files(puppet_t) + files_manage_config_dirs(puppet_t) + files_manage_etc_dirs(puppet_t) + files_manage_etc_files(puppet_t) ++files_read_usr_files(puppet_t) + files_read_usr_symlinks(puppet_t) + files_relabel_config_dirs(puppet_t) + files_relabel_config_files(puppet_t) +@@ -115,6 +131,8 @@ selinux_validate_context(puppet_t) + term_dontaudit_getattr_unallocated_ttys(puppet_t) + term_dontaudit_getattr_all_ttys(puppet_t) + ++auth_use_nsswitch(puppet_t) ++ + init_all_labeled_script_domtrans(puppet_t) + init_domtrans_script(puppet_t) + init_read_utmp(puppet_t) +@@ -127,12 +145,17 @@ miscfiles_read_localization(puppet_t) + + seutil_domtrans_setfiles(puppet_t) + seutil_domtrans_semanage(puppet_t) ++seutil_read_file_contexts(puppet_t) + + sysnet_dns_name_resolve(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) tunable_policy(`puppet_manage_all_files',` - auth_manage_all_files_except_shadow(puppet_t) + files_manage_non_security_files(puppet_t) ++') ++ ++optional_policy(` ++ cfengine_read_lib_files(puppet_t) ') optional_policy(` -@@ -144,6 +156,10 @@ optional_policy(` +@@ -144,6 +167,14 @@ optional_policy(` ') optional_policy(` 
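Review bot: `corecmd_dontaudit_access_all_executables(puppet_t)` is added next to `corecmd_read_all_executables(puppet_t)` without a comment, and the commit description does not mention puppet at all. A dontaudit rule removes the AVC record as well as the noise, so anyone triaging puppet_t behaviour later will not see these denials unless dontaudit rules are disabled (for example with `semodule -DB`). I would add a one-line reason above it, e.g. `# puppet probes executables with access checks; suppress only that noise` if that is indeed the cause. The same applies to `files_dontaudit_all_access_check(xdm_t)` added in the xserver.te hunk at `@@ -435,9 +603,25 @@`.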
@@ -51562,10 +51930,14 @@ index 64c5f95..5f6e7b8 100644 +') + +optional_policy(` ++ mta_send_mail(puppet_t) ++') ++ ++optional_policy(` files_rw_var_files(puppet_t) rpm_domtrans(puppet_t) -@@ -162,7 +178,60 @@ optional_policy(` +@@ -162,7 +193,60 @@ optional_policy(` ######################################## # @@ -51627,7 +51999,7 @@ index 64c5f95..5f6e7b8 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +255,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; @@ -51666,7 +52038,7 @@ index 64c5f95..5f6e7b8 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +296,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -51716,7 +52088,7 @@ index 64c5f95..5f6e7b8 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +331,9 @@ optional_policy(` +@@ -231,3 +346,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -56043,7 +56415,7 @@ index 82cb169..0a29f68 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..9010ac2 100644 +index e30bb63..66881fa 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) 
@@ -56207,7 +56579,14 @@ index e30bb63..9010ac2 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +565,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -555,18 +560,20 @@ optional_policy(` + # smbcontrol local policy + # + ++ ++allow smbcontrol_t self:process signal; + # internal communication is often done using fifo and unix sockets. + allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -56225,7 +56604,7 @@ index e30bb63..9010ac2 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +579,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +581,19 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -56246,7 +56625,7 @@ index e30bb63..9010ac2 100644 ######################################## # -@@ -644,19 +657,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +659,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -56271,7 +56650,7 @@ index e30bb63..9010ac2 100644 ######################################## # # SWAT Local policy -@@ -677,7 +692,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +694,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -56280,7 +56659,7 @@ index e30bb63..9010ac2 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +707,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +709,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) 
@@ -56295,7 +56674,7 @@ index e30bb63..9010ac2 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +727,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +729,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -56303,7 +56682,7 @@ index e30bb63..9010ac2 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +772,8 @@ logging_search_logs(swat_t) +@@ -754,6 +774,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -56312,7 +56691,7 @@ index e30bb63..9010ac2 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +803,7 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +805,7 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -56321,7 +56700,7 @@ index e30bb63..9010ac2 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +828,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -56343,7 +56722,7 @@ index e30bb63..9010ac2 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +854,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +856,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
@@ -56351,7 +56730,7 @@ index e30bb63..9010ac2 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -863,6 +885,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +887,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) @@ -56364,7 +56743,7 @@ index e30bb63..9010ac2 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +932,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +934,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -56373,7 +56752,7 @@ index e30bb63..9010ac2 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +950,18 @@ optional_policy(` +@@ -922,6 +952,18 @@ optional_policy(` # optional_policy(` @@ -56392,7 +56771,7 @@ index e30bb63..9010ac2 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +972,12 @@ optional_policy(` +@@ -932,9 +974,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -57841,7 +58220,7 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..a370364 100644 +index ec1eb1e..df88282 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0) @@ -58165,7 +58544,7 @@ index ec1eb1e..a370364 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +471,31 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) 
@@ -58183,6 +58562,10 @@ index ec1eb1e..a370364 100644 userdom_search_user_home_dirs(spamd_t) +optional_policy(` ++ clamav_stream_connect(spamd_t) ++') ++ ++optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) +') @@ -58197,7 +58580,7 @@ index ec1eb1e..a370364 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +508,9 @@ optional_policy(` +@@ -399,7 +512,9 @@ optional_policy(` ') optional_policy(` @@ -58207,7 +58590,7 @@ index ec1eb1e..a370364 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +519,17 @@ optional_policy(` +@@ -408,25 +523,17 @@ optional_policy(` ') optional_policy(` @@ -58235,7 +58618,7 @@ index ec1eb1e..a370364 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +540,10 @@ optional_policy(` +@@ -437,6 +544,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -58246,7 +58629,7 @@ index ec1eb1e..a370364 100644 ') optional_policy(` -@@ -451,3 +558,51 @@ optional_policy(` +@@ -451,3 +562,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -58429,7 +58812,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..b13cd67 100644 +index 22adaca..4b063ff 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -58758,7 +59141,7 @@ index 22adaca..b13cd67 100644 files_search_pids($1) ') -@@ -643,6 +721,24 @@ interface(`ssh_agent_exec',` +@@ -643,6 +721,42 @@ interface(`ssh_agent_exec',` ######################################## ## 
@@ -58780,10 +59163,28 @@ index 22adaca..b13cd67 100644 + +######################################## +## ++## Dontaudit search ssh home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_dontaudit_search_user_home_dir',` ++ gen_require(` ++ type ssh_home_t; ++ ') ++ ++ dontaudit $1 ssh_home_t:dir search_dir_perms; ++') ++ ++######################################## ++## ## Read ssh home directory content ## ## -@@ -682,6 +778,50 @@ interface(`ssh_domtrans_keygen',` +@@ -682,6 +796,50 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -58834,7 +59235,7 @@ index 22adaca..b13cd67 100644 ## Read ssh server keys ## ## -@@ -695,7 +835,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +853,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -58843,7 +59244,7 @@ index 22adaca..b13cd67 100644 ') ###################################### -@@ -735,3 +875,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +893,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -60917,28 +61318,37 @@ index 1f872b5..da605ba 100644 - ') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te -index 32a3c13..7baeb6f 100644 +index 32a3c13..e3d91ad 100644 --- a/policy/modules/services/vhostmd.te 
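Review bot: The new interface is defined as `ssh_dontaudit_search_user_home_dir`, but the commit subject announces `ssh_dontaudit_search_home_dir`, so a caller written from the changelog will not resolve. Align the two, whichever name is intended. The parameter description also reads "Domain allowed access." although the body is `dontaudit $1 ssh_home_t:dir search_dir_perms;`; for a dontaudit interface it should say `Domain to not audit.` so the generated documentation does not suggest that access is granted.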
+++ b/policy/modules/services/vhostmd.te -@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t) +@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t) + # allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; - allow vhostmd_t self:process { setsched getsched }; +-allow vhostmd_t self:process { setsched getsched }; -allow vhostmd_t self:fifo_file rw_file_perms; ++allow vhostmd_t self:process { setsched getsched signal }; +allow vhostmd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -@@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t) +@@ -44,9 +44,15 @@ corecmd_exec_shell(vhostmd_t) corenet_tcp_connect_soundd_port(vhostmd_t) ++dev_read_rand(vhostmd_t) ++dev_read_sysfs(vhostmd_t) ++ +# 579803 +files_list_tmp(vhostmd_t) files_read_etc_files(vhostmd_t) files_read_usr_files(vhostmd_t) -@@ -66,6 +68,7 @@ optional_policy(` ++dev_read_rand(vhostmd_t) + dev_read_sysfs(vhostmd_t) + + auth_use_nsswitch(vhostmd_t) +@@ -66,6 +72,7 @@ optional_policy(` optional_policy(` virt_stream_connect(vhostmd_t) @@ -61564,7 +61974,7 @@ index 7c5d8d8..fc6beb9 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..54e53fb 100644 +index 3eca020..d19abb5 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) 
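Review bot: The rewritten `@@ -44,9 +44,15 @@` hunk adds `dev_read_rand(vhostmd_t)` twice: once in the new block above `# 579803` and again just before the existing `dev_read_sysfs(vhostmd_t)`. The new block also adds `dev_read_sysfs(vhostmd_t)`, which the file already has as a context line a few lines below. The duplicates should not change the compiled policy, but they make it harder to audit what vhostmd_t is actually granted. I would keep only the single `+dev_read_rand(vhostmd_t)` next to the existing `dev_read_sysfs(vhostmd_t)` and drop the new three-line block.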
@@ -61991,16 +62401,22 @@ index 3eca020..54e53fb 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,16 +477,23 @@ optional_policy(` - ') - - optional_policy(` -+ dmidecode_domtrans(virtd_t) +@@ -326,6 +474,14 @@ optional_policy(` + optional_policy(` + hal_dbus_chat(virtd_t) + ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(virtd_t) ++ ') +') + +optional_policy(` - dnsmasq_domtrans(virtd_t) - dnsmasq_signal(virtd_t) ++ dmidecode_domtrans(virtd_t) + ') + + optional_policy(` +@@ -334,11 +490,14 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) @@ -62015,7 +62431,7 @@ index 3eca020..54e53fb 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +515,11 @@ optional_policy(` +@@ -360,11 +519,11 @@ optional_policy(` ') optional_policy(` @@ -62032,7 +62448,7 @@ index 3eca020..54e53fb 100644 ') optional_policy(` -@@ -394,20 +549,36 @@ optional_policy(` +@@ -394,20 +553,36 @@ optional_policy(` # virtual domains common policy # @@ -62072,7 +62488,7 @@ index 3eca020..54e53fb 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +593,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -62085,7 +62501,7 @@ index 3eca020..54e53fb 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +601,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +605,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -62098,7 +62514,7 @@ index 3eca020..54e53fb 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +614,367 @@ files_search_all(virt_domain) +@@ -440,25 +618,367 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -62106,12 +62522,12 @@ index 3eca020..54e53fb 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -64072,7 +64488,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..40e56f1 100644 +index 143c893..9fa3f76 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -64590,7 +65006,7 @@ index 143c893..40e56f1 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +603,24 @@ files_list_mnt(xdm_t) +@@ -435,9 +603,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -64600,6 +65016,7 @@ index 143c893..40e56f1 100644 +files_dontaudit_getattr_all_dirs(xdm_t) +files_dontaudit_getattr_all_symlinks(xdm_t) +files_dontaudit_getattr_all_tmp_sockets(xdm_t) ++files_dontaudit_all_access_check(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) 
@@ -64615,7 +65032,7 @@ index 143c893..40e56f1 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +630,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -64655,7 +65072,7 @@ index 143c893..40e56f1 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +669,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -64686,7 +65103,7 @@ index 143c893..40e56f1 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +708,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -64701,7 +65118,7 @@ index 143c893..40e56f1 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +729,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -64723,7 +65140,7 @@ index 143c893..40e56f1 100644 ') optional_policy(` -@@ -519,12 +750,63 @@ optional_policy(` +@@ -519,12 +751,63 @@ optional_policy(` ') optional_policy(` @@ -64787,7 +65204,7 @@ index 143c893..40e56f1 100644 hostname_exec(xdm_t) ') -@@ -542,28 +824,69 @@ optional_policy(` +@@ -542,28 +825,69 @@ optional_policy(` ') optional_policy(` @@ -64866,7 +65283,7 @@ index 143c893..40e56f1 100644 ') optional_policy(` -@@ -575,6 +898,14 @@ optional_policy(` +@@ -575,6 +899,14 @@ optional_policy(` ') optional_policy(` 
@@ -64881,7 +65298,7 @@ index 143c893..40e56f1 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +930,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +931,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -64890,7 +65307,7 @@ index 143c893..40e56f1 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +944,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +945,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -64906,7 +65323,7 @@ index 143c893..40e56f1 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +971,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +972,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -64928,7 +65345,7 @@ index 143c893..40e56f1 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +991,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +992,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -64936,7 +65353,7 @@ index 143c893..40e56f1 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +1019,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -64967,7 +65384,7 @@ index 143c893..40e56f1 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1051,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -64981,7 +65398,7 @@ index 143c893..40e56f1 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1069,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1070,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -64990,7 +65407,7 @@ index 143c893..40e56f1 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1077,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -65005,7 +65422,7 @@ index 143c893..40e56f1 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1135,40 @@ optional_policy(` +@@ -778,16 +1136,40 @@ optional_policy(` ') optional_policy(` @@ -65047,7 +65464,7 @@ index 143c893..40e56f1 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1177,10 @@ optional_policy(` +@@ -796,6 +1178,10 @@ optional_policy(` ') optional_policy(` @@ -65058,7 +65475,7 @@ index 143c893..40e56f1 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1197,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -65072,7 +65489,7 @@ index 143c893..40e56f1 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1208,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -65081,7 +65498,7 @@ index 143c893..40e56f1 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1220,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1221,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -65091,7 +65508,7 @@ index 143c893..40e56f1 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1231,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -65103,7 +65520,7 @@ index 143c893..40e56f1 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1244,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -65120,7 +65537,7 @@ index 143c893..40e56f1 100644 ') optional_policy(` -@@ -862,6 +1258,10 @@ optional_policy(` +@@ -862,6 +1259,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -65131,7 +65548,7 @@ index 143c893..40e56f1 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1306,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -65140,7 +65557,7 @@ index 143c893..40e56f1 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1360,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -65172,7 +65589,7 @@ index 143c893..40e56f1 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1406,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -65647,7 +66064,7 @@ index 28ad538..59742f4 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..6a25dd6 100644 +index 73554ec..2c6ee0e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -65709,13 +66126,14 @@ index 73554ec..6a25dd6 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -123,13 +141,19 @@ interface(`auth_login_pgm_domain',` +@@ -123,13 +141,20 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) + tunable_policy(`authlogin_radius',` + corenet_udp_bind_all_unreserved_ports($1) + ') ++ corenet_tcp_connect_pki_ca_port($1) + # for fingerprint readers dev_rw_input_dev($1) @@ -65730,7 +66148,7 @@ index 73554ec..6a25dd6 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +169,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +170,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -65739,7 +66157,7 @@ index 73554ec..6a25dd6 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +181,83 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +182,83 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -65825,7 +66243,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -368,13 +468,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -368,13 +469,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -65842,7 +66260,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -421,6 +523,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +524,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -65868,7 +66286,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -736,7 +857,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +858,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
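Review bot: The added `corenet_tcp_connect_pki_ca_port($1)` in `auth_login_pgm_domain` is unconditional, so every login-program domain that calls this interface gains outbound TCP to the PKI CA port. The RADIUS rule directly above it is gated by the `authlogin_radius` tunable. If only certificate-based logins need the connection, gate it behind a boolean in the same way; otherwise add a why-comment such as `# presumably certificate/smartcard login contacting the CA - TODO cite bug`. The interface body starts and ends outside this hunk, so an enclosing condition cannot be ruled out from here.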
@@ -65917,7 +66335,7 @@ index 73554ec..6a25dd6 100644 ') ####################################### -@@ -932,9 +1093,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1094,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -65951,7 +66369,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -1387,6 +1569,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1570,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -65977,7 +66395,7 @@ index 73554ec..6a25dd6 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1742,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1743,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -66002,7 +66420,7 @@ index 73554ec..6a25dd6 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1578,54 +1761,11 @@ interface(`auth_relabel_login_records',` +@@ -1578,54 +1762,11 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -66060,7 +66478,7 @@ index 73554ec..6a25dd6 100644 ') ######################################## -@@ -1659,3 +1799,33 @@ interface(`auth_unconfined',` +@@ -1659,3 +1800,33 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -66648,7 +67066,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..b5e5c70 100644 +index 94fd8dd..f2689e3 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` 
@@ -66961,7 +67379,7 @@ index 94fd8dd..b5e5c70 100644 + type init_t; + ') + -+ dontaudit $1 init_t:unix_stream_socket { read write }; ++ dontaudit $1 init_t:unix_stream_socket { getattr read write }; ') ######################################## @@ -67563,7 +67981,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..7752aa1 100644 +index 29a9565..49a7fbd 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -67757,7 +68175,7 @@ index 29a9565..7752aa1 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +251,138 @@ tunable_policy(`init_upstart',` +@@ -186,16 +251,139 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -67807,6 +68225,7 @@ index 29a9565..7752aa1 100644 + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) ++ files_manage_generic_tmp_dirs(init_t) + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) @@ -67898,7 +68317,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -203,6 +390,17 @@ optional_policy(` +@@ -203,6 +391,17 @@ optional_policy(` ') optional_policy(` @@ -67916,7 +68335,7 @@ index 29a9565..7752aa1 100644 unconfined_domain(init_t) ') -@@ -212,7 +410,7 @@ optional_policy(` +@@ -212,7 +411,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
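Review bot: Widening the `dontaudit` on `init_t:unix_stream_socket` to `{ getattr read write }` suppresses one more class of AVC denial for every domain that calls this interface, and nothing in the hunk says what triggers the `getattr`. Suppressed denials are lost as a detection signal, so the justification belongs next to the rule, e.g. `# callers stat an inherited init socket fd; denial is noise (TODO confirm)`. The interface summary lies outside this hunk; if it still describes only read and write, it should be updated to match.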
@@ -67925,7 +68344,7 @@ index 29a9565..7752aa1 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +439,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +440,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -67941,7 +68360,7 @@ index 29a9565..7752aa1 100644 init_write_initctl(initrc_t) -@@ -258,20 +459,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +460,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -67978,7 +68397,7 @@ index 29a9565..7752aa1 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +492,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +493,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -67986,7 +68405,7 @@ index 29a9565..7752aa1 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +503,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +504,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -67997,7 +68416,7 @@ index 29a9565..7752aa1 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +514,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +515,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -68013,7 +68432,7 @@ index 29a9565..7752aa1 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +532,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +533,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -68021,7 +68440,7 @@ index 29a9565..7752aa1 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +540,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +541,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -68033,7 +68452,7 @@ index 29a9565..7752aa1 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +559,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +560,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -68047,7 +68466,7 @@ index 29a9565..7752aa1 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,8 +574,12 @@ fs_mount_all_fs(initrc_t) +@@ -351,8 +575,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -68060,7 +68479,7 @@ index 29a9565..7752aa1 100644 mcs_ptrace_all(initrc_t) mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -363,6 +590,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +591,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -68068,7 +68487,7 @@ index 29a9565..7752aa1 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +602,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +603,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -68076,7 +68495,7 @@ index 29a9565..7752aa1 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +623,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +624,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -68098,7 +68517,7 @@ index 29a9565..7752aa1 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +686,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +687,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -68109,7 +68528,7 @@ index 29a9565..7752aa1 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +710,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +711,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -68118,7 +68537,7 @@ index 29a9565..7752aa1 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +725,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +726,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -68126,7 +68545,7 @@ index 29a9565..7752aa1 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +755,34 @@ ifdef(`distro_redhat',` +@@ -522,8 +756,34 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -68161,7 +68580,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -531,10 +790,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +791,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -68184,7 +68603,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -549,6 +820,39 @@ ifdef(`distro_suse',` +@@ -549,6 +821,39 @@ ifdef(`distro_suse',` ') ') @@ -68224,7 +68643,7 @@ index 29a9565..7752aa1 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +865,8 @@ optional_policy(` +@@ -561,6 +866,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -68233,7 +68652,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -577,6 +883,7 @@ optional_policy(` +@@ -577,6 +884,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -68241,7 +68660,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -589,6 +896,17 @@ optional_policy(` +@@ -589,6 +897,17 @@ optional_policy(` ') optional_policy(` @@ -68259,7 +68678,7 @@ index 29a9565..7752aa1 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +923,13 @@ optional_policy(` +@@ -605,9 +924,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -68273,7 +68692,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -632,6 +954,10 @@ optional_policy(` +@@ -632,6 +955,10 @@ optional_policy(` ') optional_policy(` @@ -68284,7 +68703,7 @@ index 29a9565..7752aa1 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +975,11 @@ optional_policy(` +@@ -649,6 +976,11 @@ optional_policy(` ') optional_policy(` @@ -68296,7 +68715,7 @@ index 29a9565..7752aa1 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1020,7 @@ optional_policy(` +@@ -689,6 +1021,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -68304,7 +68723,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -706,7 +1038,13 @@ optional_policy(` +@@ -706,7 +1039,13 @@ optional_policy(` ') optional_policy(` 
@@ -68318,7 +68737,7 @@ index 29a9565..7752aa1 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1067,10 @@ optional_policy(` +@@ -729,6 +1068,10 @@ optional_policy(` ') optional_policy(` @@ -68329,7 +68748,7 @@ index 29a9565..7752aa1 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1080,20 @@ optional_policy(` +@@ -738,10 +1081,20 @@ optional_policy(` ') optional_policy(` @@ -68350,7 +68769,7 @@ index 29a9565..7752aa1 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1102,10 @@ optional_policy(` +@@ -750,6 +1103,10 @@ optional_policy(` ') optional_policy(` @@ -68361,7 +68780,7 @@ index 29a9565..7752aa1 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1127,6 @@ optional_policy(` +@@ -771,8 +1128,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -68370,7 +68789,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -790,10 +1144,12 @@ optional_policy(` +@@ -790,10 +1145,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -68383,7 +68802,7 @@ index 29a9565..7752aa1 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1161,6 @@ optional_policy(` +@@ -805,7 +1162,6 @@ optional_policy(` ') optional_policy(` @@ -68391,7 +68810,7 @@ index 29a9565..7752aa1 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1170,26 @@ optional_policy(` +@@ -815,11 +1171,26 @@ optional_policy(` ') optional_policy(` @@ -68419,7 +68838,7 @@ index 29a9565..7752aa1 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1199,25 @@ optional_policy(` +@@ -829,6 +1200,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -68445,7 +68864,7 @@ index 29a9565..7752aa1 100644 ') optional_policy(` -@@ -844,6 +1233,10 @@ optional_policy(` +@@ -844,6 +1234,10 @@ optional_policy(` ') optional_policy(` 
@@ -68456,7 +68875,7 @@ index 29a9565..7752aa1 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1247,160 @@ optional_policy(` +@@ -854,3 +1248,160 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -69031,10 +69450,20 @@ index ddbd8be..ac8e814 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..4986f1b 100644 +index 560dc48..ffb8797 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc -@@ -37,17 +37,12 @@ ifdef(`distro_redhat',` +@@ -28,7 +28,9 @@ ifdef(`distro_redhat',` + # /etc + # + /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) ++/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) + /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) ++/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) + + /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) + +@@ -37,17 +39,12 @@ ifdef(`distro_redhat',` # /lib -d gen_context(system_u:object_r:lib_t,s0) /lib/.* gen_context(system_u:object_r:lib_t,s0) @@ -69052,7 +69481,7 @@ index 560dc48..4986f1b 100644 ') ifdef(`distro_gentoo',` -@@ -62,7 +57,6 @@ ifdef(`distro_gentoo',` +@@ -62,7 +59,6 @@ ifdef(`distro_gentoo',` # /opt/.*\.so gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) 
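Review bot: The new `/etc/ld\.so\.cache~` and `/etc/ld\.so\.preload~` entries are added without a comment saying which tool writes the `~` files or why they need the `ld_so_cache_t` label. The later libraries.if hunk adds matching named transitions (`"ld.so.cache~"`, `"ld.so.preload~"`), so any caller of that interface can create them. `ld.so.preload` selects libraries loaded into every dynamically linked program, so the set of domains able to create or replace it deserves an explicit note. Suggested comment above the entries: `# temp/backup names written before rename (presumably by ldconfig - confirm); keep in sync with the named filetrans in libraries.if`. It is also worth confirming that only the intended domain calls the interface, since its callers are not visible here.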
@@ -69060,7 +69489,7 @@ index 560dc48..4986f1b 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -119,64 +113,62 @@ ifdef(`distro_redhat',` +@@ -119,64 +115,62 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -69159,7 +69588,7 @@ index 560dc48..4986f1b 100644 ') ifdef(`distro_gentoo',` -@@ -195,7 +187,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -195,7 +189,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -69167,7 +69596,7 @@ index 560dc48..4986f1b 100644 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -203,86 +196,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -69312,7 +69741,7 @@ index 560dc48..4986f1b 100644 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -303,8 +297,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -69322,7 +69751,7 @@ index 560dc48..4986f1b 100644 ') dnl end distro_redhat # -@@ -312,17 +303,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +305,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -69484,7 +69913,7 @@ index 560dc48..4986f1b 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..eb621fd 100644 +index 808ba93..4ff705d 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -207,6 +207,23 @@ interface(`libs_search_lib',` @@ -69567,7 +69996,7 @@ index 808ba93..eb621fd 100644 ') ######################################## -@@ -534,3 +533,22 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -69588,7 +70017,9 @@ index 808ba93..eb621fd 100644 + ') + + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index e5836d3..eae9427 100644 @@ -73196,7 +73627,7 @@ index ff80d0a..be800df 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..767ccbd 100644 +index 34d0ec5..889356a 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -73307,12 +73738,13 @@ index 34d0ec5..767ccbd 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -155,6 +174,16 @@ optional_policy(` +@@ -155,6 +174,17 @@ optional_policy(` ') optional_policy(` + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) ++ chronyd_read_keys(dhcpc_t) +') + +optional_policy(` @@ -73324,7 +73756,7 @@ index 34d0ec5..767ccbd 100644 init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +200,8 @@ optional_policy(` +@@ -171,6 +201,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -73333,7 +73765,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -192,17 +223,31 @@ optional_policy(` +@@ -192,17 +224,31 @@ optional_policy(` ') optional_policy(` @@ -73365,7 +73797,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -213,6 +258,11 @@ optional_policy(` +@@ -213,6 +259,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) 
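Review bot: `chronyd_read_keys(dhcpc_t)` is added to the chronyd `optional_policy` block without a comment, and the commit description does not mention it. If the interface does what its name suggests (its definition is not visible here), the DHCP client domain, which processes replies from the network, can now read chronyd's key material. Add a comment naming the helper that needs the keys, e.g. `# dhclient hook runs the chrony helper, which reads the key file (TODO confirm)`. A later reviewer can then judge whether a transition to a dedicated helper domain would be tighter than a read grant in `dhcpc_t`.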
@@ -73377,7 +73809,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +306,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -73385,7 +73817,7 @@ index 34d0ec5..767ccbd 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +328,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -73397,7 +73829,7 @@ index 34d0ec5..767ccbd 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +356,12 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -73412,7 +73844,7 @@ index 34d0ec5..767ccbd 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +370,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -73431,7 +73863,7 @@ index 34d0ec5..767ccbd 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +392,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -73446,7 +73878,7 @@ index 34d0ec5..767ccbd 100644 ') optional_policy(` -@@ -335,6 +407,18 @@ optional_policy(` +@@ -335,6 +408,18 @@ optional_policy(` ') optional_policy(` @@ -73465,7 +73897,7 @@ index 34d0ec5..767ccbd 100644 nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +440,9 @@ optional_policy(` +@@ -356,3 +441,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -75580,10 +76012,10 @@ index eae5001..71e46b2 100644 -') +attribute unconfined_services; 
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..494ec08 100644 +index db75976..ce61aed 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,19 @@ +@@ -1,4 +1,20 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -75599,13 +76031,14 @@ index db75976..494ec08 100644 +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) ++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs/.* <> +HOME_DIR/\.debug(/.*)? <> + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..9b49159 100644 +index 4b2878a..86b81c0 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -75847,7 +76280,7 @@ index 4b2878a..9b49159 100644 ############################## # # Domain access to home dir -@@ -228,17 +265,21 @@ interface(`userdom_manage_home_role',` +@@ -228,43 +265,48 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory 
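Review bot: The new `HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)?` entry leaves the leading dot of `.kde` unescaped, unlike the neighbouring `HOME_DIR/\.cert(/.*)?` and `HOME_DIR/\.pki(/.*)?` entries. In a file-context regex a bare `.` matches any character, so a directory with some other character in front of `kde` would also be labelled `home_cert_t`. Write it as `HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)?`.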
@@ -75877,9 +76310,12 @@ index 4b2878a..9b49159 100644 + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ++ # TODO: add back but we need to more test pulseaudio changes ++ #userdom_filetrans_home_content($2) ++ files_list_home($2) -@@ -246,25 +287,23 @@ interface(`userdom_manage_home_role',` + # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -75909,7 +76345,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -286,17 +325,63 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +328,63 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -75978,7 +76414,7 @@ index 4b2878a..9b49159 100644 ') ####################################### -@@ -316,6 +401,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +404,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -75986,7 +76422,7 @@ index 4b2878a..9b49159 100644 files_search_tmp($1) ') -@@ -347,59 +433,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +436,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -76081,7 +76517,7 @@ index 4b2878a..9b49159 100644 ') ####################################### -@@ -430,6 +519,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +522,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
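Review bot: The added lines `# TODO: add back but we need to more test pulseaudio changes` and `#userdom_filetrans_home_content($2)` leave a disabled call in `userdom_manage_home_role` with no tracking reference. Nothing records when it may be re-enabled or which home-directory files are created with the generic label in the meantime. Replace both lines with one actionable comment, e.g. `# TODO(<BUG-ID placeholder>): re-enable userdom_filetrans_home_content($2) once the pulseaudio changes are tested`. The interface continues outside this hunk.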
@@ -76089,7 +76525,7 @@ index 4b2878a..9b49159 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -462,8 +552,8 @@ template(`userdom_change_password_template',` +@@ -462,8 +555,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -76100,7 +76536,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -490,7 +580,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +583,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -76109,7 +76545,7 @@ index 4b2878a..9b49159 100644 ############################## # -@@ -500,73 +590,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +593,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -76131,27 +76567,27 @@ index 4b2878a..9b49159 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -76175,10 +76611,10 @@ index 4b2878a..9b49159 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) ++ ++ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) -+ application_getattr_socket($1_usertype) -+ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -76233,7 +76669,7 @@ index 4b2878a..9b49159 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +672,117 @@ template(`userdom_common_user_template',` +@@ -574,67 +675,117 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -76242,25 +76678,25 @@ index 4b2878a..9b49159 100644 - alsa_relabel_home_files($1_t) + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ canna_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ canna_stream_connect($1_usertype) ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ colord_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -76268,66 +76704,64 @@ index 4b2878a..9b49159 100644 + optional_policy(` + avahi_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ policykit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ policykit_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') - ') - - optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) ++ ') ++ ++ optional_policy(` ++ modemmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat($1_usertype) ++ 
networkmanager_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` + git_session_role($1_r, $1_usertype) + ') + @@ -76337,20 +76771,22 @@ index 4b2878a..9b49159 100644 ') optional_policy(` -- inn_read_config($1_t) -- inn_read_news_lib($1_t) -- inn_read_news_spool($1_t) +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) ') optional_policy(` -- locate_read_lib_files($1_t) +- inn_read_config($1_t) +- inn_read_news_lib($1_t) +- inn_read_news_spool($1_t) + lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- locate_read_lib_files($1_t) + locate_read_lib_files($1_usertype) ') @@ -76358,21 +76794,21 @@ index 4b2878a..9b49159 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ mta_filetrans_home_content($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ mta_filetrans_home_content($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -650,40 +798,52 @@ template(`userdom_common_user_template',` +@@ -650,40 +801,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -76408,51 +76844,49 @@ index 4b2878a..9b49159 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ slrnpull_search_spool($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -712,13 +872,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +875,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -76460,7 +76894,9 @@ index 4b2878a..9b49159 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') 
@@ -76468,7 +76904,7 @@ index 4b2878a..9b49159 100644 userdom_change_password_template($1) -@@ -736,72 +909,76 @@ template(`userdom_login_user_template', ` +@@ -736,72 +912,76 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -76536,49 +76972,49 @@ index 4b2878a..9b49159 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) ++ optional_policy(` ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) ++ kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ kerberos_use($1_usertype) -+ kerberos_filetrans_home_content($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) -+ ') -+ -+ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1013,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -76588,7 +77024,7 @@ index 4b2878a..9b49159 100644 ############################## # # Local policy -@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1057,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -76718,7 +77154,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1203,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -76727,7 +77163,7 @@ index 4b2878a..9b49159 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1212,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -76745,7 +77181,7 @@ index 4b2878a..9b49159 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1237,72 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -76780,11 +77216,9 @@ index 4b2878a..9b49159 100644 + + optional_policy(` + cron_role($1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + games_rw_data($1_usertype) + ') + @@ -76802,9 +77236,11 @@ index 4b2878a..9b49159 100644 + + optional_policy(` + execmem_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + java_role_template($1, $1_r, $1_t) + ') + @@ -76827,7 +77263,7 @@ index 4b2878a..9b49159 100644 ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -76838,7 +77274,7 @@ index 4b2878a..9b49159 100644 ') ') -@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -76847,7 +77283,7 @@ index 4b2878a..9b49159 100644 ') ############################## -@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -76855,7 +77291,7 @@ index 4b2878a..9b49159 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -76865,7 +77301,7 @@ index 4b2878a..9b49159 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -76873,7 +77309,7 @@ index 4b2878a..9b49159 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
@@ -76887,7 +77323,7 @@ index 4b2878a..9b49159 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -76930,7 +77366,7 @@ index 4b2878a..9b49159 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -76939,7 +77375,7 @@ index 4b2878a..9b49159 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -76948,7 +77384,7 @@ index 4b2878a..9b49159 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -76959,7 +77395,7 @@ index 4b2878a..9b49159 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -76988,7 +77424,7 @@ index 4b2878a..9b49159 100644 ') optional_policy(` -@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -77004,7 +77440,7 @@ index 4b2878a..9b49159 100644 ') optional_policy(` -@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1622,103 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -77083,14 +77519,13 @@ index 4b2878a..9b49159 100644 ## -## Create a user pty. +## Allow domain to attach to TUN devices created by administrative users. - ## - ## - ## -@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',` - ## - ## - # --interface(`userdom_create_user_pty',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_attach_admin_tun_iface',` + gen_require(` + attribute admindomain; @@ -77121,18 +77556,10 @@ index 4b2878a..9b49159 100644 +######################################## +## +## Create a user pty. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_create_user_pty',` - gen_require(` - type user_devpts_t; - ') -@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',` + ## + ## + ## +@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -77140,7 +77567,7 @@ index 4b2878a..9b49159 100644 files_search_home($1) ') -@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -77155,7 +77582,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -77167,7 +77594,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -77210,7 +77637,7 @@ index 4b2878a..9b49159 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -77219,7 +77646,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -77234,7 +77661,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -77278,7 +77705,7 @@ index 4b2878a..9b49159 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -77304,7 +77731,7 @@ index 4b2878a..9b49159 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2199,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -77337,7 +77764,7 @@ index 4b2878a..9b49159 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2235,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -77355,7 +77782,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2301,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -77416,7 +77843,7 @@ index 4b2878a..9b49159 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2386,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -77426,7 +77853,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2402,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -77451,7 +77878,7 @@ index 4b2878a..9b49159 100644 ######################################## ## -@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2510,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## 
@@ -77476,7 +77903,7 @@ index 4b2878a..9b49159 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2595,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -77485,7 +77912,7 @@ index 4b2878a..9b49159 100644 files_search_home($1) ') -@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2626,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -77494,7 +77921,7 @@ index 4b2878a..9b49159 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2769,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -77503,7 +77930,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2977,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -77512,7 +77939,7 @@ index 4b2878a..9b49159 100644 files_search_tmp($1) ') -@@ -2419,6 +3003,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3006,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -77538,7 +77965,7 @@ index 4b2878a..9b49159 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3038,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3041,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -77554,7 +77981,7 @@ index 4b2878a..9b49159 100644 ## ## ## -@@ -2462,7 +3066,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3069,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -77563,7 +77990,7 @@ index 4b2878a..9b49159 100644 ## ## ## -@@ -2470,14 +3074,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3077,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -77598,7 +78025,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -2572,7 +3192,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3195,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -77607,7 +78034,7 @@ index 4b2878a..9b49159 100644 ## ## ## -@@ -2580,48 +3200,97 @@ interface(`userdom_use_user_ttys',` +@@ -2580,48 +3203,97 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -77729,7 +78156,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3312,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -77759,7 +78186,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3404,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -77784,7 +78211,7 @@ index 4b2878a..9b49159 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3442,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3445,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -77809,7 +78236,7 @@ index 4b2878a..9b49159 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3460,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3463,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') 
@@ -77835,7 +78262,7 @@ index 4b2878a..9b49159 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3521,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3524,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -77844,7 +78271,7 @@ index 4b2878a..9b49159 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3537,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3540,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -77878,7 +78305,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -2972,7 +3625,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3628,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -77887,7 +78314,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -3027,7 +3680,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3683,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -77934,7 +78361,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3739,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -77943,7 +78370,7 @@ index 4b2878a..9b49159 100644 ') ######################################## -@@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3758,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -77951,7 +78378,7 @@ index 4b2878a..9b49159 100644 kernel_search_proc($1) ') -@@ -3142,6 +3834,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3837,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -77976,7 +78403,7 @@ index 4b2878a..9b49159 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3870,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3873,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -78001,7 +78428,7 @@ index 4b2878a..9b49159 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3922,1094 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3925,1146 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -78728,6 +79155,29 @@ index 4b2878a..9b49159 100644 + read_lnk_files_pattern($1, home_cert_t, home_cert_t) +') + ++######################################## ++## ++## Manage system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ allow $1 home_cert_t:dir list_dir_perms; ++ manage_files_pattern($1, home_cert_t, home_cert_t) ++ manage_lnk_files_pattern($1, home_cert_t, home_cert_t) ++ ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++') ++ +####################################### +## +## Dontaudit Write system SSL certificates in the users homedir. 
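Review bot: The new `userdom_manage_home_certs` interface grants only `list_dir_perms` on `home_cert_t:dir`, yet it adds named transitions so that `.cert` and `.pki` created in the home directory become `home_cert_t` directories. Unless the create permission comes from the filetrans helper or from the caller (neither is visible in this hunk), a domain relying on this interface alone would presumably be denied when it tries to create those directories. I would replace the first rule with `manage_dirs_pattern($1, home_cert_t, home_cert_t)` so the grant matches the "Manage" summary. Write access to a per-user certificate store decides which certificates that user's applications trust, so a short comment naming the intended callers would help keep this interface from being handed out broadly.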
@@ -79096,6 +79546,35 @@ index 4b2878a..9b49159 100644 + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') ++ ++######################################## ++## ++## Transition to userdom named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_filetrans_home_content',` ++ gen_require(` ++ type home_bin_t, home_cert_t; ++ type audio_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") ++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio") ++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ++ gnome_config_filetrans($1, home_cert_t, dir, "certificates") ++ ++ #optional_policy(` ++ # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin") ++ #') ++') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 9b4a930..d6c3860 100644 --- a/policy/modules/system/userdomain.te diff --git a/selinux-policy.spec b/selinux-policy.spec index a6f1020..2a15390 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 55%{?dist} +Release: 56%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
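Review bot: In the new `userdom_filetrans_home_content` interface, `gnome_config_filetrans($1, home_cert_t, dir, "certificates")` is called outside any `optional_policy` block, while the callers elsewhere in this patch wrap every cross-module call. If the gnome module can be left out of a build, this interface would fail to resolve. I would wrap that call in `optional_policy`, as the commented-out block below it does, and delete the commented-out block if it is not coming back. Separately, `userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")` labels any directory named `certificates` created directly in the home directory as `home_cert_t`. The commit message only mentions `.kde/share/apps/networkmanagement/certificates/`, so it is worth confirming that the broader name match is intended, since it widens what domains with `home_cert_t` access can reach.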
@@ -466,6 +466,24 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Nov 16 2011 Miroslav Grepl 3.10.0-56 +- Add ssh_dontaudit_search_home_dir +- Changes to allow namespace_init_t to work +- Add interface to allow exec of mongod, add port definition for mongod port, 27017 +- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t +- Allow spamd and clamd to steam connect to each other +- Add policy label for passwd.OLD +- More fixes for postfix and postfix maildro +- Add ftp support for mozilla plugins +- Useradd now needs to manage policy since it calls libsemanage +- Fix devicekit_manage_log_files() interface +- Allow colord to execute ifconfig +- Allow accountsd to read /sys +- Allow mysqld-safe to execute shell +- Allow openct to stream connect to pcscd +- Add label for /var/run/nm-dns-dnsmasq\.conf +- Allow networkmanager to chat with virtd_t + * Mon Nov 7 2011 Miroslav Grepl 3.10.0-55 - Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working