From 36da6bbf45861bbf43088c250cb2581294041e83 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Jul 11 2016 14:53:47 +0000 Subject: * Mon Jul 11 2016 Lukas Vrabec 3.13.1-191.4 - Allow lttng tools to block suspending - Allow creation of vpnaas in openstack - Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100) - Allow opensm daemon to rw infiniband_mgmt_device_t - Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 - Fix typo in brltty policy - Add new SELinux module sbd - Allow pcp dmcache metrics collection - Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t - Allow openvpn to create sock files labeled as openvpn_var_run_t - Allow hypervkvp daemon to getattr on all filesystem types. - Allow firewalld to create net_conf_t files - Allow mock to use lvm - Allow mirromanager creating log files in /tmp - Allow vmtools_t to transition to rpm_script domain - Allow nsd daemon to manage nsd_conf_t dirs and files - Allow cluster to create dirs in /var/run labeled as cluster_var_run_t - Allow sssd read also sssd_conf_t dirs - Allow krb5kdc_t to communicate with sssd - Allow prosody to bind on prosody ports - Add dac_override caps for fail2ban-client Resolves: rhbz#1316678 - dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637 - Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726 - Add label for brltty log file Resolves: rhbz#1328818 - Allow snort_t to communicate with sssd Resolves: rhbz#1284908 - Add interface lttng_sessiond_tmpfs_t() - Add new policy for systemd-modules-load - Allow udev to manage systemd-hwdb files - Add interface systemd_hwdb_manage_config() - Fix paths to infiniband devices. This allows use more then two infiniband interfaces. 
- Make label for new infiniband_mgmt deivices - corecmd: Remove fcontext for /etc/sysconfig/libvirtd - iptables: add fcontext for nftables - Add interface lvm_getattr_exec_files() - Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl - Add prosody ports Resolves: rhbz#1304664 --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index cb19aa0..8fce541 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 0112673..b519149 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -2145,7 +2145,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..a777e72 100644 +index 03ec5ca..48ab7f8 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -58,6 +58,7 @@ template(`su_restricted_domain_template', ` @@ -2195,7 +2195,7 @@ index 03ec5ca..a777e72 100644 allow $1_su_t $3:key search; # Transition from the user domain to this domain. -@@ -194,125 +182,12 @@ template(`su_role_template',` +@@ -194,125 +182,16 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) @@ -2207,7 +2207,7 @@ index 03ec5ca..a777e72 100644 - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - +- - # needed for pam_rootok - selinux_compute_access_vector($1_su_t) - @@ -2217,9 +2217,11 @@ index 03ec5ca..a777e72 100644 - auth_rw_faillog($1_su_t) - - corecmd_search_bin($1_su_t) -- ++ kernel_dontaudit_getattr_core_if($1_su_t) + - domain_use_interactive_fds($1_su_t) -- ++ auth_use_pam($1_su_t) + - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) 
@@ -2228,12 +2230,12 @@ index 03ec5ca..a777e72 100644 - init_dontaudit_use_fds($1_su_t) - # Write to utmp. - init_rw_utmp($1_su_t) -+ auth_use_pam($1_su_t) ++ init_dontaudit_getattr_initctl($1_su_t) mls_file_write_all_levels($1_su_t) logging_send_syslog_msg($1_su_t) -- + - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) @@ -3509,7 +3511,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..48f001d 100644 +index 33e0f8d..3437271 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3566,7 +3568,7 @@ index 33e0f8d..48f001d 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +118,6 @@ ifdef(`distro_redhat',` +@@ -101,11 +118,8 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -3574,8 +3576,11 @@ index 33e0f8d..48f001d 100644 - /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +131,9 @@ ifdef(`distro_redhat',` +-/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) + +@@ -116,6 +130,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) 
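Review bot: Dropping the `/etc/sysconfig/libvirtd -- bin_t` entry in the corecommands.fc hunk leaves that file on whatever the generic `/etc/sysconfig` rule assigns (presumably the etc label), but nothing in this patch shows the consumer side adjusting, and an already-installed file keeps `bin_t` until it is relabeled. Worth confirming that the libvirtd domain reads its sysconfig file through an etc-files interface rather than through a bin_t read/exec rule, and that the package's post-install relabel covers this path. If the removal is intentional because the file is only sourced by the init script and never executed, a sentence saying so in the changelog entry `corecmd: Remove fcontext for /etc/sysconfig/libvirtd` would make the intent clear to whoever hits a denial later.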
@@ -3585,7 +3590,7 @@ index 33e0f8d..48f001d 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -128,6 +146,8 @@ ifdef(`distro_debian',` +@@ -128,6 +145,8 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3594,7 +3599,7 @@ index 33e0f8d..48f001d 100644 # # /lib # -@@ -135,10 +155,12 @@ ifdef(`distro_debian',` +@@ -135,10 +154,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -3608,7 +3613,7 @@ index 33e0f8d..48f001d 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +170,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3622,7 +3627,7 @@ index 33e0f8d..48f001d 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +191,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3630,7 +3635,7 @@ index 33e0f8d..48f001d 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +203,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -3690,7 +3695,7 @@ index 33e0f8d..48f001d 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +258,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3730,7 +3735,7 @@ index 33e0f8d..48f001d 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +298,40 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3776,7 +3781,7 @@ index 33e0f8d..48f001d 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +347,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3791,7 +3796,7 @@ index 33e0f8d..48f001d 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +369,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3816,7 +3821,7 @@ index 33e0f8d..48f001d 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +403,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +402,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3845,7 +3850,7 @@ index 33e0f8d..48f001d 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +431,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +430,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3853,7 +3858,7 @@ index 33e0f8d..48f001d 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +473,34 @@ ifdef(`distro_suse', ` +@@ -387,17 +472,34 @@ ifdef(`distro_suse', ` # # /var # @@ -5796,7 +5801,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..72bc5d0 100644 +index b191055..6c3e760 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6037,7 +6042,7 @@ index b191055..72bc5d0 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +241,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +241,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -6088,6 +6093,7 @@ index b191055..72bc5d0 100644 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) +network_port(preupgrade, tcp, 8099, s0) network_port(printer, tcp,515,s0) ++network_port(prosody, tcp,5280-5281,s0) network_port(ptal, tcp,5703,s0) -network_port(pulseaudio, tcp,4713,s0) +network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) 
@@ -6186,7 +6192,7 @@ index b191055..72bc5d0 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +371,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +372,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6213,7 +6219,7 @@ index b191055..72bc5d0 100644 ######################################## # -@@ -333,6 +420,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +421,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6222,7 +6228,7 @@ index b191055..72bc5d0 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +434,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +435,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -6278,7 +6284,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..012cc6f 100644 +index b31c054..ab7c054 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
@@ -6302,16 +6308,20 @@ index b31c054..012cc6f 100644 /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -44,6 +47,8 @@ +@@ -44,6 +47,12 @@ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) ++/dev/infiniband/issm[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) ++/dev/infiniband/umad[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) +/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) ++/dev/infiniband/issm[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) ++/dev/infiniband/umad[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -61,8 +66,10 @@ +@@ -61,8 +70,10 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) 
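Review bot: The new `/dev/infiniband/issm[0-9]+` and `/dev/infiniband/umad[0-9]+` entries share the fixed stem `/dev/infiniband` with the `/dev/infiniband/.*` catch-all directly above them, so as I read libselinux's file_contexts matching the later entry wins among equal stems, and their placement after the catch-all is what makes `infiniband_mgmt_device_t` take effect at all. A one-line `# keep the issm/umad entries below the /dev/infiniband/.* catch-all` comment would stop a future alphabetical reorder from silently demoting these management nodes back to `infiniband_device_t`, which would undo the separation the new type is meant to provide. The `-b` duplicates are harmless, but if these nodes only ever appear as character devices they match nothing; either drop them or add a short remark on why the block-device variants are kept.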
@@ -6323,7 +6333,7 @@ index b31c054..012cc6f 100644 /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -@@ -72,7 +79,9 @@ +@@ -72,7 +83,9 @@ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) @@ -6333,7 +6343,7 @@ index b31c054..012cc6f 100644 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -@@ -80,6 +89,8 @@ +@@ -80,6 +93,8 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -6342,7 +6352,7 @@ index b31c054..012cc6f 100644 /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -90,6 +101,7 @@ +@@ -90,6 +105,7 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6350,7 +6360,7 @@ index b31c054..012cc6f 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +118,7 @@ +@@ -106,6 +122,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) 
@@ -6358,7 +6368,7 @@ index b31c054..012cc6f 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +131,12 @@ +@@ -118,6 +135,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6371,7 +6381,7 @@ index b31c054..012cc6f 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +148,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +152,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6386,7 +6396,7 @@ index b31c054..012cc6f 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +193,21 @@ ifdef(`distro_suse', ` +@@ -172,15 +197,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6408,7 +6418,7 @@ index b31c054..012cc6f 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +225,27 @@ ifdef(`distro_debian',` +@@ -198,12 +229,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6439,7 +6449,7 @@ index b31c054..012cc6f 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..5cd2702 100644 +index 76f285e..0aef35e 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6940,7 +6950,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -2043,7 +2285,99 @@ interface(`dev_getattr_framebuffer_dev',` +@@ -2043,7 +2285,137 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # @@ -7011,6 +7021,44 @@ index 76f285e..5cd2702 100644 + +######################################## +## ++## Read infiniband mgmt devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_infiniband_mgmt_dev',` ++ gen_require(` ++ type device_t, infiniband_mgmt_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t) ++ read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t) ++') ++ ++######################################## ++## ++## Read and write ipmi devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_infiniband_mgmt_dev',` ++ gen_require(` ++ type device_t, infiniband_mgmt_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t) ++ rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t) ++') ++ ++######################################## ++## +## Get the attributes of the framebuffer device node. +## +## @@ -7041,7 +7089,7 @@ index 76f285e..5cd2702 100644 gen_require(` type device_t, framebuf_device_t; ') -@@ -2402,7 +2736,97 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2774,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -7140,7 +7188,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -2532,6 +2956,24 @@ interface(`dev_read_raw_memory',` +@@ -2532,6 +2994,24 @@ interface(`dev_read_raw_memory',` ######################################## ## 
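Review bot: The summary on the new `dev_rw_infiniband_mgmt_dev` interface reads `## Read and write ipmi devices.`, a copy-paste leftover from the ipmi interface; it should be `## Read and write infiniband mgmt devices.` so the generated interface documentation does not misdescribe what the access is for. The `dev_read_infiniband_mgmt_dev` summary just above it is correct. Because this patch introduces a separate `infiniband_mgmt_device_t` type, presumably to keep management-node access apart from ordinary `infiniband_device_t` access, an accurate summary is what a policy author relies on when choosing between this interface and `dev_rw_infiniband_dev`.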
@@ -7165,7 +7213,7 @@ index 76f285e..5cd2702 100644 ## Do not audit attempts to read raw memory devices ## (e.g. /dev/mem). ## -@@ -2573,6 +3015,24 @@ interface(`dev_write_raw_memory',` +@@ -2573,6 +3053,24 @@ interface(`dev_write_raw_memory',` ######################################## ## @@ -7190,7 +7238,7 @@ index 76f285e..5cd2702 100644 ## Read and execute raw memory devices (e.g. /dev/mem). ## ## -@@ -2725,7 +3185,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3223,7 @@ interface(`dev_write_misc',` ## ## ## 
@@ -7199,178 +7247,245 @@ index 76f285e..5cd2702 100644 ## ## # -@@ -2811,6 +3271,78 @@ interface(`dev_rw_modem',` +@@ -2811,7 +3309,7 @@ interface(`dev_rw_modem',` ######################################## ## +-## Get the attributes of the mouse devices. +## Get the attributes of the monitor devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2819,17 +3317,17 @@ interface(`dev_rw_modem',` + ## + ## + # +-interface(`dev_getattr_mouse_dev',` +interface(`dev_getattr_monitor_dev',` -+ gen_require(` + gen_require(` +- type device_t, mouse_device_t; + type device_t, monitor_device_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, mouse_device_t) + getattr_chr_files_pattern($1, device_t, monitor_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set the attributes of the mouse devices. +## Set the attributes of the monitor devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2837,17 +3335,17 @@ interface(`dev_getattr_mouse_dev',` + ## + ## + # +-interface(`dev_setattr_mouse_dev',` +interface(`dev_setattr_monitor_dev',` -+ gen_require(` + gen_require(` +- type device_t, mouse_device_t; + type device_t, monitor_device_t; -+ ') -+ + ') + +- setattr_chr_files_pattern($1, device_t, mouse_device_t) + setattr_chr_files_pattern($1, device_t, monitor_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read the mouse devices. +## Read the monitor devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2855,17 +3353,17 @@ interface(`dev_setattr_mouse_dev',` + ## + ## + # +-interface(`dev_read_mouse',` +interface(`dev_read_monitor_dev',` -+ gen_require(` + gen_require(` +- type device_t, mouse_device_t; + type device_t, monitor_device_t; -+ ') -+ + ') + +- read_chr_files_pattern($1, device_t, mouse_device_t) + read_chr_files_pattern($1, device_t, monitor_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write to mouse devices. +## Read and write to monitor devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2873,18 +3371,17 @@ interface(`dev_read_mouse',` + ## + ## + # +-interface(`dev_rw_mouse',` +interface(`dev_rw_monitor_dev',` -+ gen_require(` + gen_require(` +- type device_t, mouse_device_t; + type device_t, monitor_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, mouse_device_t) + rw_chr_files_pattern($1, device_t, monitor_device_t) -+') -+ -+######################################## -+## - ## Get the attributes of the mouse devices. - ## - ## -@@ -2903,20 +3435,20 @@ interface(`dev_getattr_mtrr_dev',` + ') ######################################## ## --## Read the memory type range -+## Write the memory type range - ## registers (MTRR). (Deprecated) +-## Get the attributes of the memory type range +-## registers (MTRR) device. ++## Get the attributes of the mouse devices. ## - ## - ##

--## Read the memory type range -+## Write the memory type range - ## registers (MTRR). This interface has - ## been deprecated, dev_rw_mtrr() should be - ## used instead. - ##

- ##

- ## The MTRR device ioctls can be used for --## reading and writing; thus, read access to the --## device cannot be separated from write access. -+## reading and writing; thus, write access to the -+## device cannot be separated from read access. - ##

- ##
## -@@ -2925,43 +3457,34 @@ interface(`dev_getattr_mtrr_dev',` + ## +@@ -2892,47 +3389,91 @@ interface(`dev_rw_mouse',` ## ## # --interface(`dev_read_mtrr',` -+interface(`dev_write_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) +-interface(`dev_getattr_mtrr_dev',` ++interface(`dev_getattr_mouse_dev',` + gen_require(` +- type device_t, mtrr_device_t; ++ type device_t, mouse_device_t; + ') + +- getattr_files_pattern($1, device_t, mtrr_device_t) +- getattr_chr_files_pattern($1, device_t, mtrr_device_t) ++ getattr_chr_files_pattern($1, device_t, mouse_device_t) ') ######################################## ## --## Write the memory type range +-## Read the memory type range -## registers (MTRR). (Deprecated) -+## Do not audit attempts to write the memory type -+## range registers (MTRR). ++## Set the attributes of the mouse devices. ## -## -##

--## Write the memory type range +-## Read the memory type range -## registers (MTRR). This interface has -## been deprecated, dev_rw_mtrr() should be -## used instead. -##

-##

-## The MTRR device ioctls can be used for --## reading and writing; thus, write access to the --## device cannot be separated from read access. +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. -##

-##
## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## # --interface(`dev_write_mtrr',` +-interface(`dev_read_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) -+interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_setattr_mouse_dev',` + gen_require(` -+ type mtrr_device_t; ++ type device_t, mouse_device_t; + ') + -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ++ setattr_chr_files_pattern($1, device_t, mouse_device_t) ') ######################################## ## --## Do not audit attempts to write the memory type -+## Do not audit attempts to read the memory type - ## range registers (MTRR). +-## Write the memory type range ++## Read the mouse devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_mouse',` ++ gen_require(` ++ type device_t, mouse_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, mouse_device_t) ++') ++ ++######################################## ++## ++## Read and write to mouse devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_mouse',` ++ gen_require(` ++ type device_t, mouse_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, mouse_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the memory type range ++## registers (MTRR) device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_mtrr_dev',` ++ gen_require(` ++ type device_t, mtrr_device_t; ++ ') ++ ++ getattr_files_pattern($1, device_t, mtrr_device_t) ++ getattr_chr_files_pattern($1, device_t, mtrr_device_t) ++') ++ ++######################################## ++## ++## Write the memory type range + ## registers (MTRR). 
(Deprecated) ## - ## -@@ -2970,13 +3493,32 @@ interface(`dev_write_mtrr',` - ## - ## - # --interface(`dev_dontaudit_write_mtrr',` -+interface(`dev_dontaudit_read_mtrr',` - gen_require(` + ## +@@ -2975,8 +3516,47 @@ interface(`dev_dontaudit_write_mtrr',` type mtrr_device_t; ') - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read the memory type ++## range registers (MTRR). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_mtrr',` ++ gen_require(` ++ type mtrr_device_t; ++ ') ++ + dontaudit $1 mtrr_device_t:file { open read }; + dontaudit $1 mtrr_device_t:chr_file { open read }; +') @@ -7395,7 +7510,7 @@ index 76f285e..5cd2702 100644 ') ######################################## -@@ -3144,6 +3686,61 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3724,61 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7457,7 +7572,7 @@ index 76f285e..5cd2702 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3760,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3798,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7482,7 +7597,7 @@ index 76f285e..5cd2702 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3869,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3907,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7509,7 +7624,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -3262,12 +3895,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3933,13 @@ interface(`dev_rw_printer',` ## ## # 
@@ -7526,7 +7641,7 @@ index 76f285e..5cd2702 100644 ') ######################################## -@@ -3399,7 +4033,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4071,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7535,7 +7650,7 @@ index 76f285e..5cd2702 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4047,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4085,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -7544,7 +7659,7 @@ index 76f285e..5cd2702 100644 ') ######################################## -@@ -3855,7 +4489,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4527,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7553,7 +7668,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -3863,91 +4497,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4535,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7664,7 +7779,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -3955,68 +4587,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4625,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7743,7 +7858,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4024,114 +4641,97 @@ interface(`dev_rw_sysfs',` +@@ -4024,53 +4679,279 @@ interface(`dev_rw_sysfs',` ## ## # 
@@ -7803,114 +7918,93 @@ index 76f285e..5cd2702 100644 - read_chr_files_pattern($1, device_t, urandom_device_t) + allow $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Do not audit attempts to read from pseudo --## random devices (e.g., /dev/urandom) ++') ++ ++######################################## ++## +## Access check for a sysfs directories. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_read_urand',` ++## ++## ++# +interface(`dev_access_check_sysfs',` - gen_require(` -- type urandom_device_t; ++ gen_require(` + type sysfs_t; - ') - -- dontaudit $1 urandom_device_t:chr_file { getattr read }; ++ ') ++ + allow $1 sysfs_t:dir audit_access; - ') - - ######################################## - ## --## Write to the pseudo random device (e.g., /dev/urandom). This --## sets the random number generator seed. ++') ++ ++######################################## ++## +## Do not audit attempts to write in a sysfs directory. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`dev_write_urand',` ++## ++## ++# +interface(`dev_dontaudit_write_sysfs_dirs',` - gen_require(` -- type device_t, urandom_device_t; ++ gen_require(` + type sysfs_t; - ') - -- write_chr_files_pattern($1, device_t, urandom_device_t) ++ ') ++ + dontaudit $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Getattr generic the USB devices. ++') ++ ++######################################## ++## +## Read cpu online hardware state information. - ## ++## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`dev_getattr_generic_usb_dev',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_read_cpu_online',` - gen_require(` -- type usb_device_t; ++ gen_require(` + type cpu_online_t; - ') - -- getattr_chr_files_pattern($1, device_t, usb_device_t) ++ ') ++ + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) - ') - - ######################################## - ## --## Setattr generic the USB devices. ++') ++ ++######################################## ++## +## Relabel cpu online hardware state information. - ## - ## - ## -@@ -4139,35 +4739,50 @@ interface(`dev_getattr_generic_usb_dev',` - ## - ## - # --interface(`dev_setattr_generic_usb_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_relabel_cpu_online',` - gen_require(` -- type usb_device_t; ++ gen_require(` + type cpu_online_t; + type sysfs_t; - ') - -- setattr_chr_files_pattern($1, device_t, usb_device_t) ++ ') ++ + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; - ') - ++') + - ######################################## - ## --## Read generic the USB devices. ++ ++######################################## ++## +## Read hardware state information. - ## ++## +## +##

+## Allow the specified domain to read the contents of @@ -7919,39 +8013,34 @@ index 76f285e..5cd2702 100644 +## hardware installed on the system. +##

+##
- ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`dev_read_generic_usb_dev',` ++# +interface(`dev_read_sysfs',` - gen_require(` -- type usb_device_t; ++ gen_require(` + type sysfs_t; - ') - -- read_chr_files_pattern($1, device_t, usb_device_t) ++ ') ++ + read_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read and write generic the USB devices. ++') ++ ++######################################## ++## +## Allow caller to modify hardware state information. - ## - ## - ## -@@ -4175,7 +4790,254 @@ interface(`dev_read_generic_usb_dev',` - ## - ## - # --interface(`dev_rw_generic_usb_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_rw_sysfs',` + gen_require(` + type sysfs_t; 
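Review bot: `dev_relabel_cpu_online` lists `type sysfs_t;` in its gen_require but never references that type in its body, so the require is dead weight; `dev_search_sysfs($1)` already brings sysfs_t in on its own. Trim it to `gen_require(` type cpu_online_t; ')` to match the sibling `dev_read_cpu_online`. The rest of the hunk only moves the existing sysfs/cpu_online interfaces back into order, so no other behaviour change is visible here.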
@@ -8076,48 +8165,13 @@ index 76f285e..5cd2702 100644 + ') + + read_chr_files_pattern($1, device_t, urandom_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read from pseudo -+## random devices (e.g., /dev/urandom) -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_read_urand',` -+ gen_require(` -+ type urandom_device_t; -+ ') -+ -+ dontaudit $1 urandom_device_t:chr_file { getattr read }; -+') -+ -+######################################## -+## -+## Write to the pseudo random device (e.g., /dev/urandom). This -+## sets the random number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_write_urand',` -+ gen_require(` -+ type device_t, urandom_device_t; -+ ') -+ -+ write_chr_files_pattern($1, device_t, urandom_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## +@@ -4113,6 +4994,25 @@ interface(`dev_write_urand',` + + ######################################## + ## +## Do not audit attempts to write to pseudo +## random devices (e.g., /dev/urandom) +## 
@@ -8137,73 +8191,19 @@ index 76f285e..5cd2702 100644 + +######################################## +## -+## Getattr generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_generic_usb_dev',` -+ gen_require(` -+ type usb_device_t,device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, usb_device_t) -+') -+ -+######################################## -+## -+## Setattr generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_generic_usb_dev',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, usb_device_t) -+') -+ -+######################################## -+## -+## Read generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_generic_usb_dev',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, usb_device_t) -+') -+ -+######################################## -+## -+## Read and write generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_generic_usb_dev',` + ## Getattr generic the USB devices. + ## + ## +@@ -4123,7 +5023,7 @@ interface(`dev_write_urand',` + # + interface(`dev_getattr_generic_usb_dev',` gen_require(` - type device_t, usb_device_t; +- type usb_device_t; ++ type usb_device_t,device_t; ') -@@ -4330,28 +5192,180 @@ interface(`dev_search_usbfs',` + + getattr_chr_files_pattern($1, device_t, usb_device_t) +@@ -4330,28 +5230,180 @@ interface(`dev_search_usbfs',` ######################################## ## @@ -8393,7 +8393,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4359,19 +5373,17 @@ interface(`dev_list_usbfs',` +@@ -4359,19 +5411,17 @@ interface(`dev_list_usbfs',` ## ## # @@ -8417,7 +8417,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4379,19 +5391,17 @@ interface(`dev_setattr_usbfs_files',` +@@ -4379,19 +5429,17 @@ interface(`dev_setattr_usbfs_files',` ## ## # 
@@ -8441,7 +8441,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4399,37 +5409,36 @@ interface(`dev_read_usbfs',` +@@ -4399,37 +5447,36 @@ interface(`dev_read_usbfs',` ## ## # @@ -8490,7 +8490,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4437,18 +5446,18 @@ interface(`dev_getattr_video_dev',` +@@ -4437,18 +5484,18 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -8514,7 +8514,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4456,17 +5465,17 @@ interface(`dev_rw_userio_dev',` +@@ -4456,17 +5503,17 @@ interface(`dev_rw_userio_dev',` ## ## # @@ -8536,7 +8536,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4474,36 +5483,35 @@ interface(`dev_dontaudit_getattr_video_dev',` +@@ -4474,36 +5521,35 @@ interface(`dev_dontaudit_getattr_video_dev',` ## ## # @@ -8582,7 +8582,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4511,17 +5519,17 @@ interface(`dev_dontaudit_setattr_video_dev',` +@@ -4511,17 +5557,17 @@ interface(`dev_dontaudit_setattr_video_dev',` ## ## # @@ -8604,7 +8604,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4529,17 +5537,17 @@ interface(`dev_read_video_dev',` +@@ -4529,17 +5575,17 @@ interface(`dev_read_video_dev',` ## ## # @@ -8626,7 +8626,7 @@ index 76f285e..5cd2702 100644 ## ## ## -@@ -4547,12 +5555,12 @@ interface(`dev_write_video_dev',` +@@ -4547,12 +5593,12 @@ interface(`dev_write_video_dev',` ## ## # @@ -8641,7 +8641,7 @@ index 76f285e..5cd2702 100644 ') ######################################## -@@ -4630,6 +5638,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5676,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -8666,7 +8666,7 @@ index 76f285e..5cd2702 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5788,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5826,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## 
@@ -8711,7 +8711,7 @@ index 76f285e..5cd2702 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5915,1020 @@ interface(`dev_unconfined',` +@@ -4851,3 +5953,1020 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -9733,7 +9733,7 @@ index 76f285e..5cd2702 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..4cef59b 100644 +index 0b1a871..9f3512c 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -9770,7 +9770,7 @@ index 0b1a871..4cef59b 100644 # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) -@@ -88,12 +89,27 @@ type framebuf_device_t; +@@ -88,12 +89,33 @@ type framebuf_device_t; dev_node(framebuf_device_t) # @@ -9795,10 +9795,16 @@ index 0b1a871..4cef59b 100644 +dev_node(infiniband_device_t) + +# ++# Type for /dev/infiniband mgmt devices ++# ++type infiniband_mgmt_device_t; ++dev_node(infiniband_mgmt_device_t) ++ ++# # Type for /dev/kmsg # type kmsg_device_t; -@@ -111,6 +127,7 @@ dev_node(ksm_device_t) +@@ -111,6 +133,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -9806,7 +9812,7 @@ index 0b1a871..4cef59b 100644 # # Type for /dev/lirc -@@ -118,6 +135,9 @@ dev_node(kvm_device_t) +@@ -118,6 +141,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) @@ -9816,7 +9822,7 @@ index 0b1a871..4cef59b 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -150,12 +170,24 @@ type modem_device_t; +@@ -150,12 +176,24 @@ type modem_device_t; dev_node(modem_device_t) # @@ -9841,7 +9847,7 @@ index 0b1a871..4cef59b 100644 # Type for /dev/cpu/mtrr and /proc/mtrr # type mtrr_device_t; -@@ -183,6 +215,12 @@ type nvram_device_t; +@@ -183,6 +221,12 @@ type nvram_device_t; dev_node(nvram_device_t) # 
@@ -9854,7 +9860,7 @@ index 0b1a871..4cef59b 100644 # Type for /dev/pmu # type power_device_t; -@@ -227,6 +265,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +271,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -9865,7 +9871,7 @@ index 0b1a871..4cef59b 100644 # # Type for /dev/tpm # -@@ -266,6 +308,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +314,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -9881,7 +9887,7 @@ index 0b1a871..4cef59b 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +325,7 @@ dev_node(v4l_device_t) +@@ -274,6 +331,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -9889,7 +9895,7 @@ index 0b1a871..4cef59b 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +371,8 @@ files_associate_tmp(device_node) +@@ -319,5 +377,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -38815,15 +38821,16 @@ index 312cd04..102b975 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..ec4c7c7 100644 +index 73a1c4e..a143623 100644 --- a/policy/modules/system/iptables.fc 
+++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,43 @@ +@@ -1,22 +1,45 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) @@ -38854,6 +38861,7 @@ index 73a1c4e..ec4c7c7 100644 -/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -41337,10 +41345,10 @@ index 6b91740..7c98978 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..8f7b119 100644 +index 58bc27f..9e86fce 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -1,5 +1,22 @@ +@@ -1,5 +1,41 @@ ## Policy for logical volume management programs. + 
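Review bot: Labeling `/sbin/nft` as `iptables_exec_t` runs nft in `iptables_t`, but nft programs the kernel over nfnetlink rather than the setsockopt path iptables uses, and nothing in this patch grants `allow iptables_t self:netlink_netfilter_socket create_socket_perms;` (iptables.te is not in view). Please confirm that rule already exists in iptables.te or add it alongside this fcontext, otherwise `nft` will transition fine and then be denied in enforcing mode. The /sbin-only path is consistent with the surrounding entries, which appear to rely on the /usr/sbin equivalence rather than duplicate fcontexts.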
@@ -41360,10 +41368,29 @@ index 58bc27f..8f7b119 100644 + ') +') + ++######################################## ++## ++## Get the attribute of lvm entrypoint files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_getattr_exec_files',` ++ gen_require(` ++ type lvm_exec_t; ++ ') ++ ++ files_list_etc($1) ++ allow $1 lvm_exec_t:file getattr; ++') ++ ######################################## ## ## Execute lvm programs in the lvm domain. -@@ -86,6 +103,50 @@ interface(`lvm_read_config',` +@@ -86,6 +122,50 @@ interface(`lvm_read_config',` ######################################## ## @@ -41414,7 +41441,7 @@ index 58bc27f..8f7b119 100644 ## Manage LVM configuration files. ## ## -@@ -105,6 +166,25 @@ interface(`lvm_manage_config',` +@@ -105,6 +185,25 @@ interface(`lvm_manage_config',` manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') @@ -41440,7 +41467,7 @@ index 58bc27f..8f7b119 100644 ###################################### ## ## Execute a domain transition to run clvmd. -@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +222,175 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -46405,10 +46432,10 @@ index a392fc4..155d5ce 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..6cf3942 +index 0000000..8b77d7a --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,69 @@ +@@ -0,0 +1,71 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -46435,6 +46462,7 @@ index 0000000..6cf3942 +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) ++/usr/lib/systemd/system/systemd-modules-load\.service gen_context(system_u:object_r:systemd_modules_load_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) @@ -46457,6 +46485,7 @@ index 0000000..6cf3942 +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) ++/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0) +/usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0) + @@ -46480,10 +46509,10 @@ index 0000000..6cf3942 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..ebd6cc8 +index 0000000..513b97b --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1716 @@ +@@ -0,0 +1,1738 @@ +## SELinux policy for systemd components + +###################################### 
@@ -48200,12 +48229,34 @@ index 0000000..ebd6cc8 + files_search_etc($1) + allow $1 systemd_hwdb_etc_t:file read_file_perms; +') ++ ++######################################## ++## ++## Allow process to manage hwdb config file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_hwdb_manage_config',` ++ gen_require(` ++ type systemd_hwdb_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) ++ allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; ++ files_etc_filetrans($1, systemd_hwdb_etc_t, file) ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..356f74a +index 0000000..0800a00 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,932 @@ +@@ -0,0 +1,950 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48267,6 +48318,11 @@ index 0000000..356f74a +type systemd_resolved_unit_file_t; +systemd_unit_file(systemd_resolved_unit_file_t) + ++systemd_domain_template(systemd_modules_load) ++ ++type systemd_modules_load_unit_file_t; ++systemd_unit_file(systemd_modules_load_unit_file_t) ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + @@ -49138,6 +49194,19 @@ index 0000000..356f74a + +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) ++ ++####################################### ++# ++# systemd_modules_load domain ++# ++ ++kernel_dgram_send(systemd_modules_load_t) ++ ++dev_read_sysfs(systemd_modules_load_t) ++ ++files_read_kernel_modules(systemd_modules_load_t) ++modutils_list_module_config(systemd_modules_load_t) ++ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e..49fd32e 100644 --- a/policy/modules/system/udev.fc 
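Review bot: The new `systemd_modules_load_t` domain gets `files_read_kernel_modules` and `modutils_list_module_config`, but nothing in the `# systemd_modules_load domain` section lets it actually insert a module: there is no `allow systemd_modules_load_t self:capability sys_module;`, no `kernel_load_module(systemd_modules_load_t)` and no `system:module_load` grant on the .ko files (`files_load_kernel_modules` or the equivalent interface). Unless `systemd_domain_template`, defined outside this hunk, supplies these, systemd-modules-load will be denied at finit_module() in enforcing mode and /etc/modules-load.d entries will quietly stop loading. If this is a deliberate permissive bring-up, a comment saying so in that section would help; otherwise add those rules there.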
@@ -49436,7 +49505,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..5658ab4 100644 +index 39f185f..1ce3c60 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -49598,7 +49667,7 @@ index 39f185f..5658ab4 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,9 +193,13 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,9 +193,14 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) @@ -49607,13 +49676,14 @@ index 39f185f..5658ab4 100644 + +systemd_login_read_pid_files(udev_t) +systemd_getattr_unit_files(udev_t) ++systemd_hwdb_manage_config(udev_t) userdom_dontaudit_search_user_home_content(udev_t) +userdom_rw_inherited_user_tmp_pipes(udev_t) ifdef(`distro_debian',` files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") -@@ -195,16 +223,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +224,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -49632,7 +49702,7 @@ index 39f185f..5658ab4 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +263,7 @@ optional_policy(` +@@ -242,6 +264,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -49640,7 +49710,7 @@ index 39f185f..5658ab4 100644 ') optional_policy(` -@@ -249,17 +271,31 @@ optional_policy(` +@@ -249,17 +272,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -49674,7 +49744,7 @@ index 39f185f..5658ab4 100644 ') optional_policy(` -@@ -289,6 +325,10 @@ optional_policy(` +@@ -289,6 +326,10 @@ optional_policy(` ') optional_policy(` 
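Review bot: `systemd_hwdb_manage_config(udev_t)` (defined in systemd.if in this same patch) gives udev an unnamed `files_etc_filetrans($1, systemd_hwdb_etc_t, file)`, so every file udev_t creates directly in an etc_t directory, not just the hwdb database, will be typed `systemd_hwdb_etc_t`, and it also hands out `relabelfrom relabelto` on that type. A named transition in the interface, `files_etc_filetrans($1, systemd_hwdb_etc_t, file, "hwdb.bin")` (adjust to the real file name, the fc entry is not in view), would be tighter, and the relabel permissions deserve a comment explaining which `udevadm hwdb` step needs them. Also check that udev_t has no other unnamed etc_t file transition (for example from `sysnet_manage_config`, granted a few lines above), since two default transitions on the same source, target and class will not compile.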
@@ -49685,7 +49755,7 @@ index 39f185f..5658ab4 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +343,15 @@ optional_policy(` +@@ -303,6 +344,15 @@ optional_policy(` ') optional_policy(` @@ -49701,7 +49771,7 @@ index 39f185f..5658ab4 100644 unconfined_signal(udev_t) ') -@@ -315,6 +364,7 @@ optional_policy(` +@@ -315,6 +365,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index fba7038..b136566 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -11112,10 +11112,12 @@ index c5a9113..1919abd 100644 xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/brltty.fc b/brltty.fc new file mode 100644 -index 0000000..0cfe342 +index 0000000..05e3528 --- /dev/null +++ b/brltty.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ ++/tmp/brltty\.log.* -- gen_context(system_u:object_r:brltty_log_t,s0) ++ +/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0) + +/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0) @@ -11212,10 +11214,10 @@ index 0000000..968c957 +') diff --git a/brltty.te b/brltty.te new file mode 100644 -index 0000000..eabda1e +index 0000000..c167267 --- /dev/null +++ b/brltty.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,70 @@ +policy_module(brltty, 1.0.0) + +######################################## @@ -11233,6 +11235,9 @@ index 0000000..eabda1e +type brltty_var_run_t; +files_pid_file(brltty_var_run_t) + ++type brltty_log_t; ++logging_log_file(brltty_log_t) ++ +type brltty_unit_file_t; +systemd_unit_file(brltty_unit_file_t) + 
@@ -11247,6 +11252,11 @@ index 0000000..eabda1e +allow brltty_t self:unix_stream_socket create_stream_socket_perms; +allow brltty_t self:tcp_socket listen; + ++manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t) ++manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t) ++manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t) ++files_tmp_filetrans(brltty_t, brltty_log_t, { file dir }) ++ +manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t) +manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t) +manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t) @@ -25980,10 +25990,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..f186d85 +index 0000000..e44017c --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,88 @@ +@@ -0,0 +1,89 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -26065,6 +26075,7 @@ index 0000000..f186d85 +') + +optional_policy(` ++ networkmanager_dbus_chat(dnssec_trigger_t) + networkmanager_stream_connect(dnssec_trigger_t) + networkmanager_signal(dnssec_trigger_t) + networkmanager_sigchld(dnssec_trigger_t) @@ -28288,7 +28299,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..7945ad9 100644 +index cf0e567..7bebd26 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; 
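Review bot: `files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })` is an unnamed transition, so every file or directory brltty_t creates in /tmp becomes `brltty_log_t`, and the `dir` part has no matching `manage_dirs_pattern(brltty_t, brltty_log_t, brltty_log_t)`, so a directory create will be denied on `brltty_log_t:dir create`. If the fc pattern `/tmp/brltty\.log.*` is there for a fixed name, narrow it to `files_tmp_filetrans(brltty_t, brltty_log_t, file, "brltty.log")` and drop `dir`; if the suffix really varies, keep the unnamed form but add the dir rule or drop `dir`. A daemon logging to a predictable path in world-writable /tmp is also a symlink-following risk, and the `manage_lnk_files_pattern` grant on the log type makes that worse with nothing in the hunk justifying it; since the type is already `logging_log_file`, consider moving the log under /var/log instead.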
@@ -28369,7 +28380,13 @@ index cf0e567..7945ad9 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -126,27 +141,37 @@ optional_policy(` + # Client Local policy + # + +-allow fail2ban_client_t self:capability dac_read_search; ++allow fail2ban_client_t self:capability { dac_read_search dac_override }; + allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -28765,7 +28782,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..18a2ef2 100644 +index 98072a3..50e7985 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28809,7 +28826,7 @@ index 98072a3..18a2ef2 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,21 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28834,10 +28851,11 @@ index 98072a3..18a2ef2 100644 -sysnet_read_config(firewalld_t) +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) ++sysnet_create_config(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +109,10 @@ optional_policy(` +@@ -95,6 +110,10 @@ optional_policy(` ') optional_policy(` @@ -37391,10 +37409,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..fc5435f 100644 +index 4eb7041..b7b9201 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,146 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,148 @@ policy_module(hypervkvp, 1.0.0) # Declarations # 
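Review bot: Adding `dac_override` to `fail2ban_client_t` lets the client bypass every DAC permission check, not just read/search; if the rhbz#1316678 denial was a write on the control socket or under a root-owned runtime directory that is what is needed, but if it was only a search or read denial the existing `dac_read_search` already covers it and the new capability is surplus. Please record the actual AVC in a comment above the line, for example `# dac_override: connect to the root-owned fail2ban control socket (rhbz#1316678)`, so the grant can be revisited. Since `fail2ban_run_client` exposes this domain to user roles, the wider capability is worth that justification.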
@@ -37427,11 +37445,12 @@ index 4eb7041..fc5435f 100644 + +type hypervvssd_unit_file_t; +systemd_unit_file(hypervvssd_unit_file_t) -+ -+######################################## -+# + + ######################################## + # +-# Local policy +# hyperv domain local policy -+# + # + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -37443,10 +37462,9 @@ index 4eb7041..fc5435f 100644 +corecmd_exec_bin(hyperv_domain) + +dev_read_sysfs(hyperv_domain) - - ######################################## ++ ++######################################## # --# Local policy +# hypervkvp local policy +# + @@ -37481,6 +37499,8 @@ index 4eb7041..fc5435f 100644 + +files_dontaudit_search_home(hypervkvp_t) + ++fs_getattr_all_fs(hypervkvp_t) ++ +auth_use_nsswitch(hypervkvp_t) + +logging_send_syslog_msg(hypervkvp_t) @@ -37533,14 +37553,14 @@ index 4eb7041..fc5435f 100644 +') + +######################################## - # ++# +# hypervvssd local policy - # ++# ++ ++allow hypervvssd_t self:capability sys_admin; -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; -+allow hypervvssd_t self:capability sys_admin; -+ +dev_rw_hypervvssd(hypervvssd_t) -logging_send_syslog_msg(hypervkvpd_t) @@ -37710,7 +37730,7 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..a28aa13 100644 +index c6450df..6304b00 100644 --- a/inetd.te +++ b/inetd.te @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` @@ -37800,7 +37820,7 @@ index c6450df..a28aa13 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) 
@@ -37810,6 +37830,10 @@ index c6450df..a28aa13 100644 +optional_policy(` + kerberos_use(inetd_child_t) +') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(inetd_child_t) ++') optional_policy(` unconfined_domain(inetd_child_t) @@ -42593,7 +42617,7 @@ index f6c00d8..e3cb4f1 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..1d0599a 100644 +index 8833d59..a6356be 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -42862,7 +42886,7 @@ index 8833d59..1d0599a 100644 selinux_validate_context(krb5kdc_t) -+auth_read_passwd(krb5kdc_t) ++auth_use_nsswitch(krb5kdc_t) + logging_send_syslog_msg(krb5kdc_t) @@ -46798,10 +46822,10 @@ index 0000000..bdd17ca +/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0) diff --git a/lttng-tools.if b/lttng-tools.if new file mode 100644 -index 0000000..6b0da33 +index 0000000..e86897d --- /dev/null +++ b/lttng-tools.if -@@ -0,0 +1,98 @@ +@@ -0,0 +1,117 @@ + +## LTTng 2.x central tracing registry session daemon. + @@ -46900,9 +46924,28 @@ index 0000000..6b0da33 + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Read and write lttng-tools shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lttng_read_shm',` ++ gen_require(` ++ type lttng_sessiond_tmpfs_t; ++ ') ++ ++ read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t) ++ fs_search_tmpfs($1) ++') diff --git a/lttng-tools.te b/lttng-tools.te new file mode 100644 -index 0000000..0b9ade5 +index 0000000..1d2ca22 --- /dev/null +++ b/lttng-tools.te @@ -0,0 +1,60 @@ 
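Review bot: `systemd_dbus_chat_logind(inetd_child_t)` grants bidirectional `dbus send_msg` with logind to every service that inetd spawns into the generic child domain, not only the one behind rhbz#1333726. If that service can be identified, giving it its own domain (or one of the per-service domains inetd already transitions to, declared outside this hunk) keeps the logind surface off unrelated inetd children. At minimum, a comment naming the service, e.g. `# rhbz#1333726: service launched from inetd registers its session with logind` adjusted to the real case, makes the grant auditable later.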
@@ -46932,7 +46975,7 @@ index 0000000..0b9ade5 +# + +allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource }; -+ ++allow lttng_sessiond_t self:capability2 block_suspend; +allow lttng_sessiond_t self:process { setrlimit signal_perms }; +allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms; +allow lttng_sessiond_t self:tcp_socket listen; @@ -49713,10 +49756,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..86766b0 +index 0000000..66c45cb --- /dev/null +++ b/mock.te -@@ -0,0 +1,278 @@ +@@ -0,0 +1,284 @@ +policy_module(mock,1.0.0) + +## @@ -49863,7 +49906,13 @@ index 0000000..86766b0 +logging_send_audit_msgs(mock_t) +logging_send_syslog_msg(mock_t) + ++lvm_manage_lock(mock_t) ++lvm_read_config(mock_t) ++lvm_read_metadata(mock_t) ++lvm_getattr_exec_files(mock_t) ++ +userdom_use_user_ptys(mock_t) ++userdom_use_user_ttys(mock_t) + +files_search_home(mock_t) + @@ -60308,7 +60357,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 8f2ab09..cd5d344 100644 +index 8f2ab09..a298198 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -60494,16 +60543,34 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',` +@@ -193,7 +214,25 @@ interface(`nscd_dontaudit_search_pid',` ######################################## ## -## Read nscd pid files. ++## Do not audit attempts to read the NSCD pid directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`nscd_dontaudit_read_pid',` ++ gen_require(` ++ type nscd_var_run_t; ++ ') ++ ++ dontaudit $1 nscd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## +## Read NSCD pid file. ## ## ## -@@ -212,7 +233,7 @@ interface(`nscd_read_pid',` +@@ -212,7 +251,7 @@ interface(`nscd_read_pid',` ######################################## ## 
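Review bot: The summary of the new `lttng_read_shm` interface says "Read and write lttng-tools shared memory", but the body only grants `read_files_pattern` on `lttng_sessiond_tmpfs_t` plus `fs_search_tmpfs`, so a caller trusting the summary will expect write access and end up with a denial. Change the summary to `## Read lttng-tools shared memory.` to match the `_read_` name, or, if write was intended, rename it `lttng_rw_shm` and use `rw_files_pattern`. The `block_suspend` grant to `lttng_sessiond_t` in the .te hunk looks fine on its own.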
@@ -60512,7 +60579,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -244,20 +265,20 @@ interface(`nscd_unconfined',` +@@ -244,20 +283,20 @@ interface(`nscd_unconfined',` ## Role allowed access. ## ## @@ -60537,7 +60604,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -275,8 +296,32 @@ interface(`nscd_initrc_domtrans',` +@@ -275,8 +314,32 @@ interface(`nscd_initrc_domtrans',` ######################################## ## @@ -60572,7 +60639,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',` +@@ -285,7 +348,7 @@ interface(`nscd_initrc_domtrans',` ## ## ## @@ -60581,7 +60648,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -294,10 +339,14 @@ interface(`nscd_admin',` +@@ -294,10 +357,14 @@ interface(`nscd_admin',` gen_require(` type nscd_t, nscd_log_t, nscd_var_run_t; type nscd_initrc_exec_t; @@ -60597,7 +60664,7 @@ index 8f2ab09..cd5d344 100644 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) -@@ -310,5 +359,7 @@ interface(`nscd_admin',` +@@ -310,5 +377,7 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -60920,7 +60987,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..5cc2b26 100644 +index 47bb1d2..45ea5b7 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; 
@@ -60969,13 +61036,14 @@ index 47bb1d2..5cc2b26 100644 allow nsd_t self:fifo_file rw_fifo_file_perms; -allow nsd_t self:tcp_socket { accept listen }; - allow nsd_t nsd_conf_t:dir list_dir_perms; +-allow nsd_t nsd_conf_t:dir list_dir_perms; -allow nsd_t nsd_conf_t:file read_file_perms; -allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; - -allow nsd_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) -+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) ++manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t) ++manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) +read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) @@ -66176,10 +66244,10 @@ index 0000000..45de664 +') diff --git a/opensm.te b/opensm.te new file mode 100644 -index 0000000..de03e94 +index 0000000..87c86ed --- /dev/null +++ b/opensm.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,46 @@ +policy_module(opensm, 1.0.0) + +######################################## @@ -66223,6 +66291,7 @@ index 0000000..de03e94 + +dev_read_sysfs(opensm_t) +dev_rw_infiniband_dev(opensm_t) ++dev_rw_infiniband_mgmt_dev(opensm_t) + +logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc @@ -66334,7 +66403,7 @@ index 6837e9a..8d6e33b 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..a6cf637 100644 +index 63957a3..91dead6 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) 
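Review bot: The nsd.te hunk swaps `read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)` for `manage_dirs_pattern`/`manage_files_pattern` on the same type, so the name server can now create, rewrite and delete its own configuration; a compromised nsd_t could then alter its config and persist across restarts, which read-only nsd_conf_t prevented. If the write need is confined to a subtree (zone data or generated control keys, for example), a dedicated type for that subtree with a named filetrans, the way the removed nsd_db_t rules handled the database, keeps the configuration read-only. If full management really is required, a one-line comment above the two pattern calls recording which files nsd writes would let the next reviewer verify the scope.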
@@ -66388,7 +66457,7 @@ index 63957a3..a6cf637 100644 allow openvpn_t openvpn_etc_t:dir list_dir_perms; allow openvpn_t openvpn_etc_t:file read_file_perms; allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms; -@@ -73,13 +85,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -66409,7 +66478,14 @@ index 63957a3..a6cf637 100644 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -@@ -97,7 +113,6 @@ kernel_request_load_module(openvpn_t) + manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) +-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) ++manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) ++files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir }) + + can_exec(openvpn_t, openvpn_etc_t) + +@@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -66417,7 +66493,7 @@ index 63957a3..a6cf637 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -117,13 +132,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) +@@ -117,13 +133,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) corenet_sendrecv_http_server_packets(openvpn_t) corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) @@ -66434,7 +66510,7 @@ index 63957a3..a6cf637 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -132,21 +149,31 @@ files_read_etc_runtime_files(openvpn_t) +@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t) fs_getattr_all_fs(openvpn_t) fs_search_auto_mountpoints(openvpn_t) 
@@ -66469,7 +66545,7 @@ index 63957a3..a6cf637 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,10 +192,20 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` @@ -66490,7 +66566,7 @@ index 63957a3..a6cf637 100644 dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -175,3 +212,27 @@ optional_policy(` +@@ -175,3 +213,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -68424,10 +68500,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..a9ca49d +index 0000000..e81f463 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,285 @@ +@@ -0,0 +1,287 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -68538,6 +68614,7 @@ index 0000000..a9ca49d +# pcp_pmcd local policy +# + ++allow pcp_pmcd_t self:capability sys_admin; +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + @@ -68555,6 +68632,7 @@ index 0000000..a9ca49d +corenet_tcp_connect_http_port(pcp_pmcd_t) + +dev_read_sysfs(pcp_pmcd_t) ++dev_rw_lvm_control(pcp_pmcd_t) + +domain_read_all_domains_state(pcp_pmcd_t) +domain_getattr_all_domains(pcp_pmcd_t) @@ -70425,13 +70503,15 @@ index 0000000..a989aea + +sysnet_read_config(piranha_domain) diff --git a/pkcs.fc b/pkcs.fc -index 9a72226..0351b1e 100644 +index 9a72226..b296894 100644 --- a/pkcs.fc +++ b/pkcs.fc -@@ -4,4 +4,6 @@ +@@ -4,4 +4,8 @@ /var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0) ++/var/log/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_log_t,s0) ++ +/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0) + /var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) @@ -70459,10 +70539,10 @@ index 69be2aa..2d7b3f6 100644 admin_pattern($1, pkcs_slotd_var_run_t) 
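Review bot: `++allow pcp_pmcd_t self:capability sys_admin;` in the pcp.te hunk grants the broadest Linux capability to the collector daemon with nothing on the line saying why; the changelog entry "Allow pcp dmcache metrics collection" and the paired `++dev_rw_lvm_control(pcp_pmcd_t)` suggest device-mapper ioctls are the reason. Please record that next to the rule, e.g. `# dmcache metrics: device-mapper ioctls on the lvm control node need CAP_SYS_ADMIN`, so the capability can be revisited if that collection moves elsewhere. Whether the dmcache work could run in a separate, smaller domain instead of pmcd itself is worth asking, though the PMDA layout is not visible in this hunk.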
diff --git a/pkcs.te b/pkcs.te -index 8eb3f7b..ee837c6 100644 +index 8eb3f7b..81ee57d 100644 --- a/pkcs.te +++ b/pkcs.te -@@ -7,21 +7,31 @@ policy_module(pkcs, 1.0.1) +@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1) type pkcs_slotd_t; type pkcs_slotd_exec_t; @@ -70481,6 +70561,9 @@ index 8eb3f7b..ee837c6 100644 +typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t; +files_lock_file(pkcs_slotd_lock_t) + ++type pkcs_slotd_log_t; ++logging_log_file(pkcs_slotd_log_t) ++ type pkcs_slotd_var_run_t; +typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t; files_pid_file(pkcs_slotd_var_run_t) 
@@ -70494,16 +70577,22 @@ index 8eb3f7b..ee837c6 100644 files_tmpfs_file(pkcs_slotd_tmpfs_t) ######################################## -@@ -40,6 +50,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) +@@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) +manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t) ++manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t) ++files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir) ++ ++manage_files_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t) ++manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t) ++logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir) + manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) -@@ -51,10 +63,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) +@@ -51,10 +72,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) @@ -77555,10 +77644,10 @@ index 0000000..8231f4f +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..71f9abb +index 0000000..5a9f1d4 --- /dev/null +++ b/prosody.te -@@ -0,0 +1,98 @@ +@@ -0,0 +1,99 @@ +policy_module(prosody, 1.0.0) + +######################################## 
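Review bot: `++files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir)` and `++logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir)` are unnamed transitions, so any directory pkcs_slotd_t creates directly under /var/lock or /var/log gets the new types, while the pkcs.fc entries in the earlier hunk label only `/var/lock/opencryptoki` and `/var/log/opencryptoki`. Passing the directory name keeps the runtime transition aligned with the labeled paths, as this file already does for openvpn-status.log: `files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir, "opencryptoki")` and `logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir, "opencryptoki")`. The type declaration for pkcs_slotd_log_t is in the hunk on the previous line.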
@@ -77631,6 +77720,7 @@ index 0000000..71f9abb +corenet_tcp_connect_postgresql_port(prosody_t) +corenet_tcp_connect_jabber_interserver_port(prosody_t) +corenet_tcp_connect_jabber_client_port(prosody_t) ++corenet_tcp_bind_prosody_port(prosody_t) +corenet_tcp_bind_jabber_client_port(prosody_t) +corenet_tcp_bind_jabber_interserver_port(prosody_t) +corenet_tcp_bind_jabber_router_port(prosody_t) @@ -82058,7 +82148,7 @@ index afc0068..589a7fd 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..4d073e9 100644 +index 8644d8b..e39f835 100644 --- a/quantum.te +++ b/quantum.te @@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0) @@ -82148,7 +82238,7 @@ index 8644d8b..4d073e9 100644 - -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; ++allow neutron_t self:capability { chown dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + @@ -86060,7 +86150,7 @@ index 47de2d6..bc62d96 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..1574225 100644 +index c8bdea2..8ad3e01 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -86089,7 +86179,7 @@ index c8bdea2..1574225 100644 ') ############################## -@@ -43,33 +43,29 @@ template(`rhcs_domain_template',` +@@ -43,11 +43,6 @@ template(`rhcs_domain_template',` manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) 
@@ -86101,11 +86191,9 @@ index c8bdea2..1574225 100644 logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) +@@ -56,20 +51,21 @@ template(`rhcs_domain_template',` manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) -+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file }) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) - optional_policy(` - dbus_system_bus_client($1_t) 
@@ -97187,6 +97275,204 @@ index 6c3bc20..14e8575 100644 ') optional_policy(` +diff --git a/sbd.fc b/sbd.fc +new file mode 100644 +index 0000000..41768ee +--- /dev/null ++++ b/sbd.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/sbd.service -- gen_context(system_u:object_r:sbd_unit_file_t,s0) ++ ++/usr/lib/systemd/system/sbd_remote.service -- gen_context(system_u:object_r:sbd_unit_file_t,s0) ++ ++/usr/sbin/sbd -- gen_context(system_u:object_r:sbd_exec_t,s0) ++ ++/var/run/sbd.* -- gen_context(system_u:object_r:sbd_var_run_t,s0) +diff --git a/sbd.if b/sbd.if +new file mode 100644 +index 0000000..7a058a8 +--- /dev/null ++++ b/sbd.if +@@ -0,0 +1,126 @@ ++ ++## policy for sbd ++ ++######################################## ++## ++## Execute sbd_exec_t in the sbd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sbd_domtrans',` ++ gen_require(` ++ type sbd_t, sbd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sbd_exec_t, sbd_t) ++') ++ ++###################################### ++## ++## Execute sbd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sbd_exec',` ++ gen_require(` ++ type sbd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, sbd_exec_t) ++') ++######################################## ++## ++## Read sbd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sbd_read_pid_files',` ++ gen_require(` ++ type sbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, sbd_var_run_t, sbd_var_run_t) ++') ++ ++######################################## ++## ++## Execute sbd server in the sbd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`sbd_systemctl',` ++ gen_require(` ++ type sbd_t; ++ type sbd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 sbd_unit_file_t:file read_file_perms; ++ allow $1 sbd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sbd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an sbd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`sbd_admin',` ++ gen_require(` ++ type sbd_t; ++ type sbd_var_run_t; ++ type sbd_unit_file_t; ++ ') ++ ++ allow $1 sbd_t:process { signal_perms }; ++ ps_process_pattern($1, sbd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sbd_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, sbd_var_run_t) ++ ++ sbd_systemctl($1) ++ admin_pattern($1, sbd_unit_file_t) ++ allow $1 sbd_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/sbd.te b/sbd.te +new file mode 100644 +index 0000000..8666aec +--- /dev/null ++++ b/sbd.te +@@ -0,0 +1,47 @@ ++policy_module(sbd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sbd_t; ++type sbd_exec_t; ++init_daemon_domain(sbd_t, sbd_exec_t) ++ ++type sbd_var_run_t; ++files_pid_file(sbd_var_run_t) ++ ++type sbd_unit_file_t; ++systemd_unit_file(sbd_unit_file_t) ++ ++######################################## ++# ++# sbd local policy ++# ++allow sbd_t self:capability { dac_override ipc_lock sys_nice }; ++allow sbd_t self:process { fork setsched signal_perms }; ++allow sbd_t self:fifo_file rw_fifo_file_perms; ++allow sbd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) ++manage_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) 
++manage_lnk_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) ++files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file }) ++ ++kernel_read_system_state(sbd_t) ++ ++dev_read_rand(sbd_t) ++dev_write_watchdog(sbd_t) ++ ++domain_read_all_domains_state(sbd_t) ++ ++files_read_etc_files(sbd_t) ++ ++miscfiles_read_localization(sbd_t) ++ ++optional_policy(` ++ rhcs_rw_cluster_tmpfs(sbd_t) ++ rhcs_stream_connect_cluster(sbd_t) ++ ++') diff --git a/sblim.fc b/sblim.fc index 68a550d..e976fc6 100644 --- a/sblim.fc @@ -101065,7 +101351,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df..7e55b50 100644 +index 1af72df..ffccc41 100644 --- a/snort.te +++ b/snort.te @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) @@ -101102,7 +101388,7 @@ index 1af72df..7e55b50 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t) +@@ -86,18 +86,19 @@ dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t) @@ -101114,6 +101400,8 @@ index 1af72df..7e55b50 100644 +auth_read_passwd(snort_t) + ++auth_use_nsswitch(snort_t) ++ init_read_utmp(snort_t) logging_send_syslog_msg(snort_t) @@ -102989,10 +103277,10 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..0630506 100644 +index 0a8b0f7..03fb6b1 100644 --- a/squid.fc +++ b/squid.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,28 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0) 
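Review bot: The `sbd_systemctl` interface in sbd.if is summarised as "Execute sbd server in the sbd domain." but its body calls `systemd_exec_systemctl($1)` and grants `manage_service_perms` on sbd_unit_file_t, i.e. it lets the caller start and stop the service without ever entering sbd_t; the summary appears copied from `sbd_domtrans`. Suggest `## Execute systemctl in the caller domain to manage the sbd service.` In sbd.te, `dev_write_watchdog(sbd_t)` and `domain_read_all_domains_state(sbd_t)` are the two rules with real blast radius (writing the watchdog device, reading every domain's process state) and carry no comment; a line such as `# sbd feeds the hardware watchdog for self-fencing` above the first would tell the next reader why the access exists, assuming that is the reason. The blank line before `')` in the closing optional_policy block and the missing blank line between `sbd_exec` and the following header are minor style nits in the same hunk.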
@@ -103002,6 +103290,8 @@ index 0a8b0f7..0630506 100644 +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) ++/usr/libexec/squid/cache_swap\.sh -- gen_context(system_u:object_r:squid_exec_t,s0) ++ +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) + +/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) @@ -103942,10 +104232,10 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..a696686 100644 +index 2d8db1f..c420309 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t) +@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) @@ -103973,8 +104263,11 @@ index 2d8db1f..a696686 100644 +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) ++list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) -@@ -51,9 +59,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) +@@ -51,9 +60,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) @@ -103985,7 +104278,7 @@ index 2d8db1f..a696686 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +68,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +69,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) 
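Review bot: `++/usr/libexec/squid/cache_swap\.sh -- gen_context(system_u:object_r:squid_exec_t,s0)` makes a shell script an entrypoint of squid_t, so whatever is allowed to domtrans on squid_exec_t now reaches squid_t through /bin/sh rather than the squid binary; squid_t therefore needs shell execution permission (corecmd_exec_shell or equivalent) for the interpreter, which should be confirmed since squid.te is outside this hunk. If, as the name suggests, the script only prepares cache directories before the daemon starts, a comment next to the entry, e.g. `# cache setup helper run under the daemon's domain`, would explain why a script carries the daemon's exec type.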
@@ -104007,7 +104300,7 @@ index 2d8db1f..a696686 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +85,35 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +86,35 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -104047,7 +104340,7 @@ index 2d8db1f..a696686 100644 init_read_utmp(sssd_t) -@@ -112,18 +121,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +122,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -112738,7 +113031,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..5b78d90 100644 +index f03dcf5..06e97a2 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -113750,7 +114043,7 @@ index f03dcf5..5b78d90 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,327 @@ optional_policy(` +@@ -746,44 +707,332 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -113895,7 +114188,7 @@ index f03dcf5..5b78d90 100644 +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - ++ +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -113921,6 +114214,7 @@ index f03dcf5..5b78d90 100644 +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) ++dev_rw_infiniband_dev(virt_domain) + +domain_use_interactive_fds(virt_domain) + @@ -113963,6 +114257,10 @@ index f03dcf5..5b78d90 100644 +') + +optional_policy(` ++ nscd_dontaudit_read_pid(virt_domain) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + @@ -113975,7 +114273,7 @@ index f03dcf5..5b78d90 100644 + sssd_dontaudit_read_lib(virt_domain) + sssd_dontaudit_read_public_files(virt_domain) +') -+ + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) 
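Review bot: `++dev_rw_infiniband_dev(virt_domain)` in the virt.te hunk attaches the access to the virt_domain attribute, so every guest process gets read/write on the InfiniBand device nodes unconditionally, whereas optional device and filesystem access for guests elsewhere in this file is gated by a boolean (the `virt_use_nfs` tunable is visible in the following hunks). Unless most guests are expected to use these devices, wrapping the call in a tunable_policy block with its own gen_tunable declaration (a constructed name like `virt_use_infiniband` following the existing virt_use_* pattern) keeps the default reach of a guest escape unchanged and lets operators opt in per host. The `nscd_dontaudit_read_pid(virt_domain)` addition in the next hunk on this line raises nothing.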
@@ -114100,7 +114398,7 @@ index f03dcf5..5b78d90 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1038,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1043,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -114127,7 +114425,7 @@ index f03dcf5..5b78d90 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1058,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1063,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -114144,10 +114442,10 @@ index f03dcf5..5b78d90 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -114161,7 +114459,7 @@ index f03dcf5..5b78d90 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1095,20 @@ optional_policy(` +@@ -856,14 +1100,20 @@ optional_policy(` ') optional_policy(` @@ -114183,7 +114481,7 @@ index f03dcf5..5b78d90 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1133,66 @@ optional_policy(` +@@ -888,49 +1138,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -114268,7 +114566,7 @@ index f03dcf5..5b78d90 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1204,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1209,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -114288,7 +114586,7 @@ index f03dcf5..5b78d90 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1225,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1230,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -114312,7 +114610,7 @@ index f03dcf5..5b78d90 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1255,354 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -114341,7 +114639,8 @@ index f03dcf5..5b78d90 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -114349,8 +114648,7 @@ index f03dcf5..5b78d90 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -114565,9 +114863,11 @@ index f03dcf5..5b78d90 100644 - udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + gear_read_pid_files(svirt_sandbox_domain) +') + @@ -114605,11 +114905,9 @@ index f03dcf5..5b78d90 100644 + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + docker_read_share_files(svirt_sandbox_domain) + docker_exec_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) 
@@ -114752,11 +115050,11 @@ index f03dcf5..5b78d90 100644 +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) -+ -+term_use_generic_ptys(svirt_qemu_net_t) -+term_use_ptmx(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++term_use_generic_ptys(svirt_qemu_net_t) ++term_use_ptmx(svirt_qemu_net_t) ++ +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) @@ -114808,7 +115106,7 @@ index f03dcf5..5b78d90 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1615,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -114823,7 +115121,7 @@ index f03dcf5..5b78d90 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1628,7 @@ optional_policy(` +@@ -1192,7 +1633,7 @@ optional_policy(` ######################################## # @@ -114832,7 +115130,7 @@ index f03dcf5..5b78d90 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1642,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -115246,10 +115544,10 @@ index 0000000..afd0c97 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..1928ad9 +index 0000000..f98f288 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,100 @@ +policy_module(vmtools, 1.0.0) + +######################################## 
@@ -115325,6 +115623,10 @@ index 0000000..1928ad9 +') + +optional_policy(` ++ rpm_transition_script(vmtools_t,system_r) ++') ++ ++optional_policy(` + unconfined_domain(vmtools_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 7f21cb5..a373621 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191%{?dist}.3 +Release: 191%{?dist}.4 License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
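Review bot: `++rpm_transition_script(vmtools_t,system_r)` lets the guest agent run rpm scriptlets in rpm_script_t, which in this policy is typically a very broad domain, so vmtools_t gains a path to execute package scripts with those privileges; the `unconfined_domain(vmtools_t)` optional block directly below means the practical effect depends on whether the unconfined module is loaded, which is exactly why the use case should be written down. A comment above the call naming what vmtools installs or runs through rpm would do (the changelog only restates the rule). The rest of this file writes a space after the comma, so `rpm_transition_script(vmtools_t, system_r)` matches the local style.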
@@ -645,6 +645,44 @@ exit 0 %endif %changelog +* Mon Jul 11 2016 Lukas Vrabec 3.13.1-191.4 +- Allow lttng tools to block suspending +- Allow creation of vpnaas in openstack +- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100) +- Allow opensm daemon to rw infiniband_mgmt_device_t +- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 +- Fix typo in brltty policy +- Add new SELinux module sbd +- Allow pcp dmcache metrics collection +- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t +- Allow openvpn to create sock files labeled as openvpn_var_run_t +- Allow hypervkvp daemon to getattr on all filesystem types. +- Allow firewalld to create net_conf_t files +- Allow mock to use lvm +- Allow mirromanager creating log files in /tmp +- Allow vmtools_t to transition to rpm_script domain +- Allow nsd daemon to manage nsd_conf_t dirs and files +- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t +- Allow sssd read also sssd_conf_t dirs +- Allow krb5kdc_t to communicate with sssd +- Allow prosody to bind on prosody ports +- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678 +- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637 +- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726 +- Add label for brltty log file Resolves: rhbz#1328818 +- Allow snort_t to communicate with sssd Resolves: rhbz#1284908 +- Add interface lttng_sessiond_tmpfs_t() +- Add new policy for systemd-modules-load +- Allow udev to manage systemd-hwdb files +- Add interface systemd_hwdb_manage_config() +- Fix paths to infiniband devices. This allows use more then two infiniband interfaces. 
+- Make label for new infiniband_mgmt deivices +- corecmd: Remove fcontext for /etc/sysconfig/libvirtd +- iptables: add fcontext for nftables +- Add interface lvm_getattr_exec_files() +- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl +- Add prosody ports Resolves: rhbz#1304664 + * Tue Jun 28 2016 Lukas Vrabec 3.13.1-191.3 - Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. - Allow glusterd daemon to get systemd status