From 3d96d35bac4428dacfe8c9c71fe3ae96949d54a6 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Jun 18 2013 12:56:24 +0000 Subject: Merge branch 'f19' of ssh://pkgs.fedoraproject.org/selinux-policy into f19 --- diff --git a/config.tgz b/config.tgz index c4a79da..c230d9f 100644 Binary files a/config.tgz and b/config.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 01faa3e..deb0e92 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -765,7 +765,7 @@ index 66e85ea..d02654d 100644 ## user domains. ##

diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..629fe1b 100644 +index 4705ab6..b7e7ea5 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -6,52 +6,59 @@ @@ -854,7 +854,7 @@ index 4705ab6..629fe1b 100644 ## Allow any files/directories to be exported read/write via NFS. ##

## -@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false) +@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false) ## ##

@@ -880,6 +880,12 @@ index 4705ab6..629fe1b 100644 -gen_tunable(user_tcp_server,false) +gen_tunable(selinuxuser_tcp_server,false) + ++## ++##

++## Allow the mount commands to mount any directory or file. ++##

++##
++gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs index 216b3d1..81bc8c4 100644 --- a/policy/mcs @@ -2367,7 +2373,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..4165b4d 100644 +index d555767..4065a9a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2808,10 +2814,10 @@ index d555767..4165b4d 100644 userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) @@ -2829,17 +2835,21 @@ index d555767..4165b4d 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +593,8 @@ optional_policy(` +@@ -542,7 +593,12 @@ optional_policy(` ') optional_policy(` - nscd_run(useradd_t, useradd_roles) + nscd_domtrans(useradd_t) +# nscd_run(useradd_t, useradd_roles) ++') ++ ++optional_policy(` ++ openshift_manage_lib_dirs(useradd_t) ') optional_policy(` -@@ -550,6 +602,11 @@ optional_policy(` +@@ -550,6 +606,11 @@ optional_policy(` ') optional_policy(` @@ -2851,7 +2861,7 @@ index d555767..4165b4d 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +616,12 @@ optional_policy(` +@@ -559,3 +620,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') 
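Review bot: In the `@@ -542,7 +593,12 @@` hunk of usermanage.te the old `nscd_run(useradd_t, useradd_roles)` call is kept as the commented-out line `# nscd_run(useradd_t, useradd_roles)` next to the new `nscd_domtrans(useradd_t)`. Commented-out rules in policy tend to outlive the reason they were kept, so either drop that line or replace it with a comment that states the decision, e.g. `# useradd only needs the domain transition to nscd; the nscd role is not granted here`. The new `openshift_manage_lib_dirs(useradd_t)` block would likewise benefit from a one-line comment on why useradd needs write access there, since nothing in the hunk explains it.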
@@ -2865,7 +2875,7 @@ index d555767..4165b4d 100644 + stapserver_manage_lib(useradd_t) +') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..dcc6337 100644 +index 1dc7a85..c6f4da0 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -43,18 +43,18 @@ interface(`seunshare_run',` @@ -2894,7 +2904,7 @@ index 1dc7a85..dcc6337 100644 ## ## ## Role allowed access. -@@ -66,15 +66,43 @@ interface(`seunshare_run',` +@@ -66,15 +66,44 @@ interface(`seunshare_run',` ## ## # @@ -2933,6 +2943,7 @@ index 1dc7a85..dcc6337 100644 + ') + + ps_process_pattern($3, $1_seunshare_t) ++ dontaudit $1_seunshare_t $3:file read; + allow $3 $1_seunshare_t:process signal_perms; + allow $3 $1_seunshare_t:fd use; + @@ -5537,7 +5548,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..3035b45 100644 +index b31c054..17e11e0 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
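Review bot: The new `dontaudit $1_seunshare_t $3:file read;` in seunshare.if silences a denial without recording what produces it, which makes the rule hard to revisit when the surrounding policy changes. A short comment above it naming the access being silenced would help, e.g. `# TODO(review): note which read of the caller's files triggers this AVC and why it is not needed`. The hunk context names `seunshare_run`, but the `$1_seunshare_t` pattern suggests the rule sits in a template defined after it; that body starts and ends outside this hunk.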
@@ -5571,15 +5582,25 @@ index b31c054..3035b45 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -118,6 +122,7 @@ +@@ -106,6 +110,7 @@ + /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) + /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) + /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) +@@ -118,6 +123,9 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') ++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +134,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) 
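Review bot: `/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0)` reuses the USB device type for SPI bus nodes, so every domain already granted read/write on usb_device_t silently gains raw SPI access as well. If the reuse is deliberate, a comment above the entry should say so, e.g. `# spidev shares usb_device_t for now; no dedicated SPI type exists`; otherwise a dedicated type would keep the two device classes separable. The `/dev/vchiq` entry mapped to `v4l_device_t` in the next nested hunk raises the same question. The `/dev/vc-mem` entry as `memory_device_t` at `mls_systemhigh` is consistent with the existing `/dev/mem` line shown in this hunk.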
@@ -5594,7 +5615,7 @@ index b31c054..3035b45 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +205,22 @@ ifdef(`distro_debian',` +@@ -198,12 +208,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -5620,7 +5641,7 @@ index b31c054..3035b45 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..e26dfc3 100644 +index 76f285e..7a424f4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6313,18 +6334,105 @@ index 76f285e..e26dfc3 100644 ## ## # -@@ -2975,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2903,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',` + + ######################################## + ## +-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). (Deprecated) + ## + ## + ##

+-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). This interface has + ## been deprecated, dev_rw_mtrr() should be + ## used instead. + ##

+ ##

+ ## The MTRR device ioctls can be used for +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. ++## reading and writing; thus, write access to the ++## device cannot be separated from read access. + ##

+ ##
+ ## +@@ -2925,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',` + ## + ## + # +-interface(`dev_read_mtrr',` ++interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) + ') + + ######################################## + ## +-## Write the memory type range +-## registers (MTRR). (Deprecated) ++## Do not audit attempts to write the memory type ++## range registers (MTRR). + ## +-## +-##

+-## Write the memory type range +-## registers (MTRR). This interface has +-## been deprecated, dev_rw_mtrr() should be +-## used instead. +-##

+-##

+-## The MTRR device ioctls can be used for +-## reading and writing; thus, write access to the +-## device cannot be separated from read access. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_mtrr',` +- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') +- dev_rw_mtrr($1) ++interface(`dev_dontaudit_write_mtrr',` ++ gen_require(` ++ type mtrr_device_t; ++ ') ++ ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write the memory type ++## Do not audit attempts to read the memory type + ## range registers (MTRR). + ## + ## +@@ -2970,13 +3236,13 @@ interface(`dev_write_mtrr',` + ## + ## + # +-interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_dontaudit_read_mtrr',` + gen_require(` type mtrr_device_t; ') - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ++ dontaudit $1 mtrr_device_t:file { open read }; ++ dontaudit $1 mtrr_device_t:chr_file { open read }; ') ######################################## -@@ -3144,6 +3419,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3410,42 @@ interface(`dev_create_null_dev',` ######################################## ## 
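Review bot: `dev_dontaudit_read_mtrr` writes its permission set as the literal `{ open read }` on the file and chr_file classes, while the neighbouring `dev_dontaudit_write_mtrr` in the same hunk uses the `write_file_perms` / `write_chr_file_perms` macros. For consistency, and so the rule also covers the getattr and ioctl that typically accompany a read attempt, use the read macros: `dontaudit $1 mtrr_device_t:file read_file_perms;` and `dontaudit $1 mtrr_device_t:chr_file read_chr_file_perms;`. The rest of the nested hunk only moves the deprecated `dev_write_mtrr` wrapper and needs no change.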
@@ -6367,7 +6475,32 @@ index 76f285e..e26dfc3 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',` +@@ -3163,6 +3465,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` + + ######################################## + ## ++## Read BIOS non-volatile RAM. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_nvram',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, nvram_device_t) ++') ++ ++######################################## ++## + ## Read and write BIOS non-volatile RAM. + ## + ## +@@ -3254,7 +3574,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6394,7 +6527,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3600,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6411,7 +6544,7 @@ index 76f285e..e26dfc3 100644 ') ######################################## -@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4194,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -6420,7 +6553,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4202,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -6485,7 +6618,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',` +@@ -3917,37 +4256,35 @@ interface(`dev_list_sysfs',` ## ## # @@ -6530,7 +6663,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,47 +4292,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -6585,7 +6718,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',` +@@ -4003,20 +4328,18 @@ interface(`dev_read_sysfs',` ## ## # 
@@ -6608,7 +6741,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',` +@@ -4024,21 +4347,210 @@ interface(`dev_rw_sysfs',` ## ## # @@ -6632,106 +6765,69 @@ index 76f285e..e26dfc3 100644 -## -##

-## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is --## used in situations when a cryptographically secure random --## number is not necessarily needed. One example is the Stack --## Smashing Protector (SSP, formerly known as ProPolice) support --## that may be compiled into programs. --##

--##

--## Related interface: --##

--## --##

--## Related tunable: --##

--## --##
- ## - ## --## Domain allowed access. ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`dev_read_urand',` ++## ++## ++# +interface(`dev_dontaudit_write_sysfs_dirs',` - gen_require(` -- type device_t, urandom_device_t; ++ gen_require(` + type sysfs_t; - ') - -- read_chr_files_pattern($1, device_t, urandom_device_t) ++ ') ++ + dontaudit $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Do not audit attempts to read from pseudo --## random devices (e.g., /dev/urandom) ++') ++ ++######################################## ++## +## Read cpu online hardware state information. - ## ++## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
- ## - ## --## Domain to not audit. ++## ++## +## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_read_urand',` ++## ++## ++# +interface(`dev_read_cpu_online',` - gen_require(` -- type urandom_device_t; ++ gen_require(` + type cpu_online_t; - ') - -- dontaudit $1 urandom_device_t:chr_file { getattr read }; ++ ') ++ + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) - ') - - ######################################## - ## --## Write to the pseudo random device (e.g., /dev/urandom). This --## sets the random number generator seed. ++') ++ ++######################################## ++## +## Relabel cpu online hardware state information. - ## - ## - ## -@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',` - ## - ## - # --interface(`dev_write_urand',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_relabel_cpu_online',` - gen_require(` -- type device_t, urandom_device_t; ++ gen_require(` + type cpu_online_t; + type sysfs_t; - ') - -- write_chr_files_pattern($1, device_t, urandom_device_t) ++ ') ++ + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; - ') - ++') + - ######################################## - ## --## Getattr generic the USB devices. ++ ++######################################## ++## +## Read hardware state information. - ## --## ++## +## +##

+## Allow the specified domain to read the contents of @@ -6860,80 +6956,13 @@ index 76f285e..e26dfc3 100644 +## +##

+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is -+## used in situations when a cryptographically secure random -+## number is not necessarily needed. One example is the Stack -+## Smashing Protector (SSP, formerly known as ProPolice) support -+## that may be compiled into programs. -+##

-+##

-+## Related interface: -+##

-+## -+##

-+## Related tunable: -+##

-+## -+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_urand',` -+ gen_require(` -+ type device_t, urandom_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, urandom_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read from pseudo -+## random devices (e.g., /dev/urandom) -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_read_urand',` -+ gen_require(` -+ type urandom_device_t; -+ ') -+ -+ dontaudit $1 urandom_device_t:chr_file { getattr read }; -+') -+ -+######################################## -+## -+## Write to the pseudo random device (e.g., /dev/urandom). This -+## sets the random number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_write_urand',` -+ gen_require(` -+ type device_t, urandom_device_t; -+ ') -+ -+ write_chr_files_pattern($1, device_t, urandom_device_t) -+') -+ -+######################################## -+## + ## generator devices (e.g., /dev/urandom). Typically this is + ## used in situations when a cryptographically secure random + ## number is not necessarily needed. One example is the Stack +@@ -4113,6 +4625,25 @@ interface(`dev_write_urand',` + + ######################################## + ## +## Do not audit attempts to write to pseudo +## random devices (e.g., /dev/urandom) +## @@ -6953,13 +6982,10 @@ index 76f285e..e26dfc3 100644 + +######################################## +## -+## Getattr generic the USB devices. -+## -+## - ## - ## Domain allowed access. - ## -@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',` + ## Getattr generic the USB devices. + ## + ## +@@ -4409,9 +4940,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -6971,7 +6997,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +4950,17 @@ interface(`dev_rw_usbfs',` ## ## # 
@@ -6994,7 +7020,7 @@ index 76f285e..e26dfc3 100644 ## ## ## -@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +4968,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7010,7 +7036,7 @@ index 76f285e..e26dfc3 100644 ') ######################################## -@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5070,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7145,7 +7171,7 @@ index 76f285e..e26dfc3 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5216,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7170,7 +7196,7 @@ index 76f285e..e26dfc3 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5439,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7197,7 +7223,7 @@ index 76f285e..e26dfc3 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5548,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8372,7 +8398,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..5376a48 100644 +index cf04cb5..19c3e01 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) 
@@ -8500,7 +8526,7 @@ index cf04cb5..5376a48 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8521,6 +8547,10 @@ index cf04cb5..5376a48 100644 +') + +optional_policy(` ++ mandb_filetrans_named_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + seutil_filetrans_named_content(unconfined_domain_type) +') + @@ -8590,6 +8620,10 @@ index cf04cb5..5376a48 100644 +') + +optional_policy(` ++ iscsi_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + kerberos_filetrans_named_content(unconfined_domain_type) +') + @@ -8598,6 +8632,10 @@ index cf04cb5..5376a48 100644 +') + +optional_policy(` ++ mplayer_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + modules_filetrans_named_content(unconfined_domain_type) +') + @@ -9020,7 +9058,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..455cc6c 100644 +index 64ff4d7..fe6d89c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
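Review bot: `mplayer_filetrans_home_content(unconfined_domain_type)` is inserted ahead of `modules_filetrans_named_content`, which appears to break the alphabetical order the surrounding optional_policy blocks otherwise follow (kerberos … modules); moving the new block after the modules one keeps the list scannable. The three additions otherwise follow the existing one-call-per-optional_policy shape, so nothing else in the hunk needs to change.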
@@ -10696,17 +10734,51 @@ index 64ff4d7..455cc6c 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',` +@@ -5761,7 +6701,7 @@ interface(`files_relabel_all_lock_dirs',` + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Relabel to and from all lock file types. + ## + ## + ## +@@ -5769,13 +6709,33 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_relabel_all_lock_files',` + gen_require(` ++ attribute lockfile; type var_t, var_lock_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Get the attributes of generic lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ + files_search_locks($1) allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6751,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -10724,7 +10796,7 @@ index 64ff4d7..455cc6c 100644 ') ######################################## -@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6775,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -10735,7 +10807,7 @@ index 64ff4d7..455cc6c 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6817,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') 
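Review bot: The new `files_relabel_all_lock_files` keeps the hand-written pair `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;`, while the same patch replaces exactly that pair with `files_search_locks($1)` in `files_getattr_generic_locks` directly below and in the other lock interfaces further on. Using `files_search_locks($1)` here too keeps the lock interfaces uniform, and the `type var_t, var_lock_t;` require line then appears to become unused and can be dropped. The interface is fully contained in this hunk.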
@@ -10745,7 +10817,7 @@ index 64ff4d7..455cc6c 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6839,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -10755,7 +10827,7 @@ index 64ff4d7..455cc6c 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6876,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -10765,7 +10837,7 @@ index 64ff4d7..455cc6c 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +6915,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -10774,7 +10846,7 @@ index 64ff4d7..455cc6c 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +6914,48 @@ interface(`files_search_pids',` +@@ -5981,10 +6935,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -10823,7 +10895,7 @@ index 64ff4d7..455cc6c 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6999,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -10849,7 +10921,7 @@ index 64ff4d7..455cc6c 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +7011,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7032,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -10858,7 +10930,7 @@ index 64ff4d7..455cc6c 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7051,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') 
@@ -10867,7 +10939,7 @@ index 64ff4d7..455cc6c 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7071,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -10876,7 +10948,7 @@ index 64ff4d7..455cc6c 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7133,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -10884,7 +10956,32 @@ index 64ff4d7..455cc6c 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',` +@@ -6151,6 +7161,24 @@ interface(`files_pid_filetrans_lock_dir',` + + ######################################## + ## ++## rw generic pid files inherited from another process ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Read and write generic process ID files. + ## + ## +@@ -6164,7 +7192,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -10893,7 +10990,7 @@ index 64ff4d7..455cc6c 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7259,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -10956,7 +11053,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7303,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -11006,7 +11103,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7339,18 @@ interface(`files_manage_all_pids',` ## ## # 
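Review bot: The summary of the new `files_rw_inherited_generic_pid_files` reads `rw generic pid files inherited from another process`, which is terser and differently cased than neighbouring summaries such as `Read and write generic process ID files.`; suggest `Read and write generic process ID files inherited from another process.` The body `allow $1 var_run_t:file rw_inherited_file_perms;` is consistent with the other inherited-file interfaces this patch adds later in files.if.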
@@ -11030,7 +11127,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7358,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -11082,7 +11179,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7399,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -11105,7 +11202,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6406,18 +7378,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7417,18 @@ interface(`files_list_spool',` ## ## # @@ -11129,7 +11226,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6425,19 +7436,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -11154,7 +11251,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',` +@@ -6445,45 +7455,312 @@ interface(`files_read_generic_spool',` ## ## # 
@@ -11205,57 +11302,38 @@ index 64ff4d7..455cc6c 100644 - type var_t, var_spool_t; + attribute pidfile; + type var_t, var_run_t; - ') - ++ ') ++ + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process ID directories. - ## - ## - ## -@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) ++ +######################################## +## +## Make the specified type a file 
@@ -11507,89 +11585,13 @@ index 64ff4d7..455cc6c 100644 +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + ') -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ 
# namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') -+ -+######################################## -+## -+## Unconfined access to files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_unconfined',` -+ gen_require(` -+ attribute files_unconfined_type; -+ ') -+ -+ typeattribute $1 files_unconfined_type; -+') + allow $1 var_t:dir search_dir_perms; +@@ -6562,3 +7839,474 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## @@ -11715,15 +11717,10 @@ index 64ff4d7..455cc6c 100644 + gen_require(` + attribute tmpfsfile; + ') - -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) ++ + allow $1 tmpfsfile:file { read write }; +') - -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) ++ +######################################## +## +## Do not audit attempts to read security files @@ -11738,13 +11735,7 @@ index 64ff4d7..455cc6c 100644 + gen_require(` + attribute security_file_type; + ') - -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) ++ + dontaudit $1 security_file_type:file read_file_perms; +') + 
@@ -11766,36 +11757,32 @@ index 64ff4d7..455cc6c 100644 +interface(`files_rw_all_inherited_files',` + gen_require(` + attribute file_type; - ') ++ ') + + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Allow any file point to be the entrypoint of this domain - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_unconfined',` ++# +interface(`files_entrypoint_all_files',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + attribute file_type; - ') ++ ') + allow $1 file_type:file entrypoint; +') - -- typeattribute $1 files_unconfined_type; ++ +######################################## +## +## Do not audit attempts to rw inherited file perms @@ -11990,7 +11977,7 @@ index 64ff4d7..455cc6c 100644 + ') + files_type($1) + typeattribute $1 base_file_type; - ') ++') + +######################################## +## @@ -15117,7 +15104,7 @@ index 522ab32..cb9c3a2 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..409df4f 100644 +index 54f1827..cc2de1a 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -23,12 +23,15 @@ 
@@ -15137,16 +15124,17 @@ index 54f1827..409df4f 100644 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -51,7 +54,7 @@ ifdef(`distro_redhat', ` +@@ -51,7 +54,8 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0) +/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -81,3 +84,6 @@ ifdef(`distro_redhat', ` +@@ -81,3 +85,6 @@ ifdef(`distro_redhat', ` /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) @@ -15703,7 +15691,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 771bce1..55ebf4b 100644 +index 771bce1..5bbf50b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` 
@@ -15715,7 +15703,33 @@ index 771bce1..55ebf4b 100644 # When user logs in from /dev/console, relabel it # to user tty type as well. type_change $1 console_device_t:chr_file $2; -@@ -208,6 +208,27 @@ interface(`term_use_all_terms',` +@@ -133,6 +133,25 @@ interface(`term_user_tty',` + + ######################################## + ## ++## Create the /dev/pts directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_create_pty_dir',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:dir create_dir_perms; ++ dev_filetrans($1, devpts_t, dir, "devpts") ++') ++ ++######################################## ++## + ## Create a pty in the /dev/pts directory. + ## + ## +@@ -208,6 +227,27 @@ interface(`term_use_all_terms',` ######################################## ## @@ -15743,7 +15757,7 @@ index 771bce1..55ebf4b 100644 ## Write to the console. ## ## -@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',` +@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',` ## Domain allowed access. ## ## @@ -15751,7 +15765,7 @@ index 771bce1..55ebf4b 100644 # interface(`term_use_console',` gen_require(` -@@ -299,9 +319,12 @@ interface(`term_use_console',` +@@ -299,9 +338,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; @@ -15765,7 +15779,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',` +@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',` ######################################## ## @@ -15808,7 +15822,7 @@ index 771bce1..55ebf4b 100644 ## Relabel from and to pty filesystem. ## ## -@@ -481,6 +540,24 @@ interface(`term_list_ptys',` +@@ -481,6 +559,24 @@ interface(`term_list_ptys',` ######################################## ## 
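Review bot: In the new `term_create_pty_dir` interface the summary says "Create the /dev/pts directory", but the named transition it installs is `dev_filetrans($1, devpts_t, dir, "devpts")`, which only fires for a directory literally named `devpts` under the device directory, so a caller creating `/dev/pts` would not get the devpts_t label from this rule. One of the two should change; if the mount point under /dev is the intent, `dev_filetrans($1, devpts_t, dir, "pts")` is what matches the summary. The interface is complete within this hunk, so the fix is local to these lines.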
@@ -15833,7 +15847,7 @@ index 771bce1..55ebf4b 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',` +@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',` ######################################## ## @@ -15842,7 +15856,7 @@ index 771bce1..55ebf4b 100644 ## write the generic pty type. This is ## generally only used in the targeted policy. ## -@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',` +@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') @@ -15850,7 +15864,7 @@ index 771bce1..55ebf4b 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',` +@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -15877,7 +15891,7 @@ index 771bce1..55ebf4b 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -15886,7 +15900,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',` +@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',` ') dev_list_all_dev_nodes($1) @@ -15895,7 +15909,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## @@ -15904,7 +15918,7 @@ index 771bce1..55ebf4b 100644 ## ## # -@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') 
@@ -15953,7 +15967,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -15967,7 +15981,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -15980,7 +15994,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -16009,7 +16023,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -16018,7 +16032,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -16027,7 +16041,7 @@ index 771bce1..55ebf4b 100644 ## ## # -@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -16957,10 +16971,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..45f4d0a 100644 +index 88d0028..c461b2b 100644 --- a/policy/modules/roles/sysadm.te 
+++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -17032,6 +17046,7 @@ index 88d0028..45f4d0a 100644 +sysnet_filetrans_named_content(sysadm_t) # Add/remove user home directories ++userdom_manage_user_tmp_chr_files(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +userdom_manage_tmp_role(sysadm_r, sysadm_t) @@ -17051,7 +17066,7 @@ index 88d0028..45f4d0a 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -17066,7 +17081,7 @@ index 88d0028..45f4d0a 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +105,9 @@ optional_policy(` +@@ -71,9 +106,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -17077,7 +17092,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -87,6 +121,7 @@ optional_policy(` +@@ -87,6 +122,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -17085,7 +17100,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -110,11 +145,17 @@ optional_policy(` +@@ -110,11 +146,17 @@ optional_policy(` ') optional_policy(` @@ -17103,7 +17118,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -122,11 +163,19 @@ optional_policy(` +@@ -122,11 +164,19 @@ optional_policy(` ') optional_policy(` @@ -17125,7 +17140,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -140,6 +189,10 @@ optional_policy(` +@@ -140,6 +190,10 @@ optional_policy(` ') optional_policy(` @@ -17136,7 +17151,7 @@ index 88d0028..45f4d0a 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +209,11 @@ optional_policy(` +@@ -156,11 +210,11 @@ optional_policy(` ') optional_policy(` 
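Review bot: In the sysadm.te hunk at `@@ -17032,6 +17046,7 @@`, the added `userdom_manage_user_tmp_chr_files(sysadm_t)` is inserted directly under the `# Add/remove user home directories` comment, so that comment now heads a rule about character-device files in user tmp types instead of the home-directory rules below it. Move the line after `userdom_manage_tmp_role(sysadm_r, sysadm_t)` or give it its own comment, e.g. `# manage chr_file objects under user tmp types`. Since a manage_* interface by the usual refpolicy convention covers create and delete as well as read/write, a one-line rationale for why sysadm_t needs this would help the next reader; the surrounding rules are outside the hunk.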
@@ -17150,7 +17165,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -179,6 +232,13 @@ optional_policy(` +@@ -179,6 +233,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -17164,7 +17179,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -186,15 +246,20 @@ optional_policy(` +@@ -186,15 +247,20 @@ optional_policy(` ') optional_policy(` @@ -17188,7 +17203,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -214,22 +279,20 @@ optional_policy(` +@@ -214,22 +280,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -17217,7 +17232,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -241,14 +304,27 @@ optional_policy(` +@@ -241,14 +305,27 @@ optional_policy(` ') optional_policy(` @@ -17245,7 +17260,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -256,10 +332,20 @@ optional_policy(` +@@ -256,10 +333,20 @@ optional_policy(` ') optional_policy(` @@ -17266,7 +17281,7 @@ index 88d0028..45f4d0a 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +356,36 @@ optional_policy(` +@@ -270,31 +357,36 @@ optional_policy(` ') optional_policy(` @@ -17310,7 +17325,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -319,12 +410,18 @@ optional_policy(` +@@ -319,12 +411,18 @@ optional_policy(` ') optional_policy(` @@ -17330,7 +17345,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -349,7 +446,18 @@ optional_policy(` +@@ -349,7 +447,18 @@ optional_policy(` ') optional_policy(` @@ -17350,7 +17365,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -360,19 +468,15 @@ optional_policy(` +@@ -360,19 +469,15 @@ optional_policy(` ') optional_policy(` 
@@ -17372,7 +17387,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -384,10 +488,6 @@ optional_policy(` +@@ -384,10 +489,6 @@ optional_policy(` ') optional_policy(` @@ -17383,7 +17398,7 @@ index 88d0028..45f4d0a 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +495,9 @@ optional_policy(` +@@ -395,6 +496,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17393,7 +17408,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -402,31 +505,34 @@ optional_policy(` +@@ -402,31 +506,34 @@ optional_policy(` ') optional_policy(` @@ -17434,7 +17449,7 @@ index 88d0028..45f4d0a 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +545,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +546,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17445,7 +17460,7 @@ index 88d0028..45f4d0a 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +565,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +566,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20737,7 +20752,7 @@ index d1f64a0..97140ee 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..f0080ba 100644 +index 6bf0ecc..18223e7 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -21209,7 +21224,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` 
@@ -21225,6 +21240,26 @@ index 6bf0ecc..f0080ba 100644 + +######################################## +## ++## Allow domain to append XDM unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++interface(`xserver_append_xdm_stream_socket',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:unix_stream_socket append; ++') ++ ++######################################## ++## +## Read XDM files in user home directories. +## +## @@ -21283,7 +21318,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -21309,7 +21344,7 @@ index 6bf0ecc..f0080ba 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -21336,7 +21371,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -21364,7 +21399,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -21389,7 +21424,7 @@ index 6bf0ecc..f0080ba 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) 
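Review bot: The new `xserver_append_xdm_stream_socket` interface has a blank line between the closing `#` of its doc header and the `interface(` line, which breaks the refpolicy convention that `#` immediately precedes the interface definition and separates the summary from the interface it documents. Drop the empty `++` line so the block reads `# ` followed by `interface(\`xserver_append_xdm_stream_socket',\``. The summary wording "Allow domain to append XDM unix domain stream socket" would also read better as "Append to the XDM unix domain stream socket."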
@@ -21417,7 +21452,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -21426,7 +21461,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -21472,7 +21507,7 @@ index 6bf0ecc..f0080ba 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') 
@@ -21481,113 +21516,73 @@ index 6bf0ecc..f0080ba 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## -## Do not audit attempts to get the attributes of --## xdm temporary named sockets. +## Create, read, write, and delete xdm temporary dirs. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ++## ++## ++# +interface(`xserver_relabel_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - -- dontaudit $1 xdm_tmp_t:sock_file getattr; -+ allow $1 xdm_tmp_t:dir relabel_dir_perms; - ') - - ######################################## - ## --## Execute the X server in the X server domain. -+## Create, read, write, and delete xdm temporary dirs. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`xserver_domtrans',` -+interface(`xserver_manage_xdm_tmp_dirs',` - gen_require(` -- type xserver_t, xserver_exec_t; -+ type xdm_tmp_t; - ') - -- allow $1 xserver_t:process siginh; -- domtrans_pattern($1, xserver_exec_t, xserver_t) -+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) - ') - - ######################################## - ## --## Signal X servers -+## Do not audit attempts to get the attributes of -+## xdm temporary named sockets. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`xserver_signal',` -+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + gen_require(` + type xdm_tmp_t; + ') + -+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; ++ allow $1 xdm_tmp_t:dir relabel_dir_perms; +') + +######################################## +## -+## Execute the X server in the X server domain. ++## Create, read, write, and delete xdm temporary dirs. 
+## +## +## -+## Domain allowed to transition. ++## Domain allowed access. +## +## +# -+interface(`xserver_domtrans',` ++interface(`xserver_manage_xdm_tmp_dirs',` + gen_require(` -+ type xserver_t, xserver_exec_t; ++ type xdm_tmp_t; + ') + -+ allow $1 xserver_t:process siginh; -+ domtrans_pattern($1, xserver_exec_t, xserver_t) -+ -+ allow xserver_t $1:process getpgid; ++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) +') + +######################################## +## -+## Signal X servers -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_signal',` - gen_require(` - type xserver_t; ++## Do not audit attempts to get the attributes of + ## xdm temporary named sockets. + ## + ## +@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + type xdm_tmp_t; + ') + +- dontaudit $1 xdm_tmp_t:sock_file getattr; ++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; + ') + + ######################################## +@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',` + type xserver_t, xserver_exec_t; ') -@@ -1210,6 +1579,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` + +- allow $1 xserver_t:process siginh; ++ allow $1 xserver_t:process siginh; + domtrans_pattern($1, xserver_exec_t, xserver_t) ++ ++ allow xserver_t $1:process getpgid; + ') + + ######################################## +@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -21613,7 +21608,7 @@ index 6bf0ecc..f0080ba 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1614,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) 
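Review bot: In the `xserver_domtrans` part of this hunk (`@@ -1111,8 +1498,10 @@`), the inner patch now replaces `allow $1 xserver_t:process siginh;` with an identical-looking line, which appears to be a whitespace-only rewrite, alongside the substantive addition `allow xserver_t $1:process getpgid;`. That added rule grants the X server a permission on the calling domain, something the interface summary ("Execute the X server in the X server domain", outside the hunk) does not mention; a comment such as `# reverse rule: the X server may read the caller's process group id` on the new line would document it. Dropping the whitespace-only pair would leave the hunk showing only the semantic change. The interface header and summary are outside this hunk.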
@@ -21640,7 +21635,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -1251,7 +1659,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -21649,7 +21644,7 @@ index 6bf0ecc..f0080ba 100644 ## ## ## -@@ -1261,13 +1669,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -21674,7 +21669,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -1284,10 +1702,604 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -26908,7 +26903,7 @@ index 24e7804..d0780a9 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..969bda2 100644 +index dd3be8d..8cda2bb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27095,7 +27090,7 @@ index dd3be8d..969bda2 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +222,48 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -27119,6 +27114,7 @@ index dd3be8d..969bda2 100644 +allow init_t security_t:security load_policy; -term_use_all_terms(init_t) ++term_create_pty_dir(init_t) +term_use_unallocated_ttys(init_t) +term_use_console(init_t) +term_use_all_inherited_terms(init_t) 
@@ -27147,7 +27143,7 @@ index dd3be8d..969bda2 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +272,178 @@ ifdef(`distro_gentoo',` +@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27175,9 +27171,14 @@ index dd3be8d..969bda2 100644 + +optional_policy(` + gnome_filetrans_home_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) ++ iscsi_read_lib_files(init_t) + ') + + optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) +') @@ -27306,14 +27307,13 @@ index dd3be8d..969bda2 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -27334,7 +27334,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -216,6 +451,27 @@ optional_policy(` +@@ -216,6 +456,27 @@ optional_policy(` ') optional_policy(` @@ -27362,7 +27362,7 @@ index dd3be8d..969bda2 100644 unconfined_domain(init_t) ') -@@ -225,8 +481,9 @@ optional_policy(` +@@ -225,8 +486,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -27374,7 +27374,7 @@ index dd3be8d..969bda2 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +514,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -27391,7 +27391,7 @@ index dd3be8d..969bda2 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +539,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -27434,7 +27434,7 @@ index dd3be8d..969bda2 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +576,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -27446,7 +27446,7 @@ index dd3be8d..969bda2 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +588,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -27457,7 +27457,7 @@ index dd3be8d..969bda2 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +599,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -27467,7 +27467,7 @@ index dd3be8d..969bda2 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +608,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -27475,7 +27475,7 @@ index dd3be8d..969bda2 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -27483,7 +27483,7 @@ index dd3be8d..969bda2 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +623,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -27501,7 +27501,7 @@ index dd3be8d..969bda2 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +641,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -27515,7 +27515,7 @@ index dd3be8d..969bda2 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +656,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -27529,7 +27529,7 @@ index dd3be8d..969bda2 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +669,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -27537,7 +27537,7 @@ index dd3be8d..969bda2 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +681,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -27545,7 +27545,7 @@ index dd3be8d..969bda2 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +700,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -27569,7 +27569,7 @@ index dd3be8d..969bda2 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +733,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -27577,7 +27577,7 @@ index dd3be8d..969bda2 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +767,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -27588,7 +27588,7 @@ index dd3be8d..969bda2 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +791,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +796,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -27597,7 +27597,7 @@ index dd3be8d..969bda2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +806,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +811,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -27605,7 +27605,7 @@ index dd3be8d..969bda2 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +827,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +832,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -27613,7 +27613,7 @@ index dd3be8d..969bda2 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +837,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +842,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -27658,7 +27658,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -558,14 +882,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +887,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -27690,7 +27690,7 @@ index dd3be8d..969bda2 100644 ') ') -@@ -576,6 +917,39 @@ ifdef(`distro_suse',` +@@ -576,6 +922,39 @@ ifdef(`distro_suse',` ') ') @@ -27730,7 +27730,7 @@ index dd3be8d..969bda2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +962,8 @@ optional_policy(` +@@ -588,6 +967,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -27739,7 +27739,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -609,6 +985,7 @@ optional_policy(` +@@ -609,6 +990,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -27747,7 +27747,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -625,6 +1002,17 @@ optional_policy(` +@@ -625,6 +1007,17 @@ optional_policy(` ') optional_policy(` @@ -27765,7 +27765,7 @@ index dd3be8d..969bda2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1029,13 @@ optional_policy(` +@@ -641,9 +1034,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -27779,7 +27779,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -656,15 +1048,11 @@ optional_policy(` +@@ -656,15 +1053,11 @@ optional_policy(` ') optional_policy(` @@ -27797,7 +27797,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -685,6 +1073,15 @@ optional_policy(` +@@ -685,6 +1078,15 @@ optional_policy(` ') optional_policy(` @@ -27813,7 +27813,7 @@ index dd3be8d..969bda2 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1122,7 @@ optional_policy(` +@@ -725,6 +1127,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -27821,7 +27821,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -742,7 +1140,14 @@ optional_policy(` +@@ -742,7 +1145,14 @@ optional_policy(` ') optional_policy(` @@ -27836,7 +27836,7 @@ index dd3be8d..969bda2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1170,10 @@ optional_policy(` +@@ -765,6 +1175,10 @@ optional_policy(` ') optional_policy(` @@ -27847,7 +27847,7 @@ index dd3be8d..969bda2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1183,20 @@ optional_policy(` +@@ -774,10 +1188,20 @@ optional_policy(` ') optional_policy(` @@ -27868,7 +27868,7 @@ index dd3be8d..969bda2 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1205,10 @@ optional_policy(` +@@ -786,6 +1210,10 @@ optional_policy(` ') optional_policy(` @@ -27879,7 +27879,7 @@ index dd3be8d..969bda2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1230,6 @@ optional_policy(` +@@ -807,8 +1235,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -27888,7 +27888,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -817,6 +1238,10 @@ optional_policy(` +@@ -817,6 +1243,10 @@ optional_policy(` ') optional_policy(` 
@@ -27899,7 +27899,7 @@ index dd3be8d..969bda2 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1251,12 @@ optional_policy(` +@@ -826,10 +1256,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -27912,7 +27912,7 @@ index dd3be8d..969bda2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1283,27 @@ optional_policy(` +@@ -856,12 +1288,27 @@ optional_policy(` ') optional_policy(` @@ -27941,7 +27941,7 @@ index dd3be8d..969bda2 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1313,18 @@ optional_policy(` +@@ -871,6 +1318,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -27960,7 +27960,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -886,6 +1340,10 @@ optional_policy(` +@@ -886,6 +1345,10 @@ optional_policy(` ') optional_policy(` @@ -27971,7 +27971,7 @@ index dd3be8d..969bda2 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1354,196 @@ optional_policy(` +@@ -896,3 +1359,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28398,7 +28398,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..b6e9ebc 100644 +index 9e54bf9..468dc31 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -28424,7 +28424,7 @@ index 9e54bf9..b6e9ebc 100644 allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t self:netlink_selinux_socket create_socket_perms; -+allow ipsec_t self:unix_stream_socket create_stream_socket_perms; ++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; @@ -28699,7 +28699,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..022d91d 100644 +index 5dfa44b..2502d06 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -28796,15 +28796,20 @@ index 5dfa44b..022d91d 100644 ') optional_policy(` -@@ -124,6 +129,7 @@ optional_policy(` +@@ -124,6 +129,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) + psad_write_log(iptables_t) ++') ++ ++optional_policy(` ++ quantum_rw_inherited_pipes(iptables_t) ++ quantum_sigchld(iptables_t) ') optional_policy(` -@@ -135,9 +141,9 @@ optional_policy(` +@@ -135,9 +146,9 @@ optional_policy(` ') optional_policy(` @@ -28816,7 +28821,7 @@ index 5dfa44b..022d91d 100644 optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..46439b4 100644 +index 73bb3c0..dc79c6f 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ 
@@ -28978,7 +28983,7 @@ index 73bb3c0..46439b4 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -29013,6 +29018,7 @@ index 73bb3c0..46439b4 100644 -/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) +/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + ++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + @@ -29487,7 +29493,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..e06286c 100644 +index c04ac46..799d194 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) 
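Review bot: The new `/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` entry in the libraries.fc hunk matches only the unversioned file, while every neighbouring textrel entry in the same hunk uses `\.so.*`, so a versioned soname (if one is shipped) would keep the default library label and still be denied execmod. If the versioned form exists, widen the pattern to `/usr/lib/libbcm_host\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`; if only the bare `.so` is installed, a short comment saying so would stop the next reader from "fixing" it. textrel_shlib_t grants text relocations on that object, so the entry should stay as narrow as the real install layout allows.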
@@ -29611,15 +29617,19 @@ index c04ac46..e06286c 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; +kernel_read_crypto_sysctls(sulogin_t) kernel_read_system_state(sulogin_t) ++dev_getattr_all_chr_files(sulogin_t) ++dev_getattr_all_blk_files(sulogin_t) ++ fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t) + fs_rw_tmpfs_chr_files(sulogin_t) + files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -29636,7 +29646,9 @@ index c04ac46..e06286c 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t) + userdom_use_unpriv_users_fds(sulogin_t) + ++userdom_search_admin_dir(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -29663,7 +29675,7 @@ index c04ac46..e06286c 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -31286,7 +31298,7 @@ index fc28bc3..2960ed7 100644 + files_var_filetrans($1, public_content_t, dir, "ftp") +') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index d6293de..3225647 100644 +index d6293de..8f8d80d 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2) 
@@ -31297,6 +31309,19 @@ index d6293de..3225647 100644 attribute cert_type; # +@@ -48,10 +47,10 @@ files_type(man_cache_t) + # Types for public content + # + type public_content_t; #, customizable; +-files_type(public_content_t) ++files_mountpoint(public_content_t) + + type public_content_rw_t; #, customizable; +-files_type(public_content_rw_t) ++files_mountpoint(public_content_rw_t) + + # + # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index 9933677..b155a0d 100644 --- a/policy/modules/system/modutils.fc @@ -31421,7 +31446,7 @@ index 7449974..6375786 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a49e28..3e5393b 100644 +index 7a49e28..1d374a0 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) @@ -31602,7 +31627,7 @@ index 7a49e28..3e5393b 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +202,32 @@ optional_policy(` +@@ -184,28 +202,33 @@ optional_policy(` ') optional_policy(` @@ -31619,6 +31644,7 @@ index 7a49e28..3e5393b 100644 optional_policy(` - hotplug_search_config(insmod_t) ++ firewalld_dontaudit_write_tmp_files(insmod_t) + firewallgui_dontaudit_rw_pipes(insmod_t) ') @@ -31642,7 +31668,7 @@ index 7a49e28..3e5393b 100644 ') optional_policy(` -@@ -225,6 +247,7 @@ optional_policy(` +@@ -225,6 +248,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -31650,7 +31676,7 @@ index 7a49e28..3e5393b 100644 ') optional_policy(` -@@ -233,6 +256,10 @@ optional_policy(` +@@ -233,6 +257,10 @@ optional_policy(` ') optional_policy(` 
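Review bot: Switching `public_content_t` and `public_content_rw_t` from `files_type` to `files_mountpoint` in the miscfiles.te hunk carries no explanation, and it changes which domains may mount on those labels (presumably so exported or shared trees can be mounted straight onto public-content directories — confirm). A why-comment above the two declarations would record the intent, e.g. `# mountpoint: shared trees (NFS/Samba exports) may be mounted directly on public content`. The `#, customizable` trailers on both `type` lines look like leftovers and could become a real comment at the same time.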
@@ -31661,7 +31687,7 @@ index 7a49e28..3e5393b 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -32015,16 +32041,20 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..ca097a7 100644 +index 6a50270..fa545e7 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) - ## Allow the mount command to mount any directory or file. - ##

- ## --gen_tunable(allow_mount_anyfile, false) -+gen_tunable(mount_anyfile, false) +@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) + # Declarations + # +-## +-##

+-## Allow the mount command to mount any directory or file. +-##

+-##
+-gen_tunable(allow_mount_anyfile, false) +- -attribute_role mount_roles; -roleattribute system_r mount_roles; +#attribute_role mount_roles; @@ -32090,13 +32120,13 @@ index 6a50270..ca097a7 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t) +@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir) ++files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount") +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) + @@ -32116,7 +32146,7 @@ index 6a50270..ca097a7 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t) +@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -32167,7 +32197,7 @@ index 6a50270..ca097a7 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +148,39 @@ files_list_mnt(mount_t) +@@ -92,28 +141,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -32213,7 +32243,7 @@ index 6a50270..ca097a7 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -32237,7 +32267,7 @@ index 6a50270..ca097a7 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',` ') ') 
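Review bot: In the `@@ -49,9 +67,24 @@` mount.te hunk the pid transition is now named (`files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")`), but the `files_var_filetrans(mount_t,mount_var_run_t,dir)` and `dev_filetrans(mount_t, mount_var_run_t, dir)` lines directly below it are still unnamed, so every directory mount_t creates directly under /var or /dev is labelled mount_var_run_t. If these exist for one specific directory each (a /var/run compatibility path and a /dev subdirectory, presumably), give them the same name argument, e.g. `files_var_filetrans(mount_t, mount_var_run_t, dir, "<DIR-NAME>")`, or add a comment saying why the broad form is needed. The new lines also drop the space after each comma that the rest of the file uses (`mount_t, mount_var_run_t`).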
@@ -32277,7 +32307,7 @@ index 6a50270..ca097a7 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +252,9 @@ optional_policy(` +@@ -179,6 +245,9 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -32287,7 +32317,7 @@ index 6a50270..ca097a7 100644 ') optional_policy(` -@@ -186,6 +262,36 @@ optional_policy(` +@@ -186,6 +255,40 @@ optional_policy(` ') optional_policy(` @@ -32299,6 +32329,10 @@ index 6a50270..ca097a7 100644 +') + +optional_policy(` ++ fsadm_manage_pid(mount_t) ++') ++ ++optional_policy(` + glusterd_domtrans(mount_t) +') + @@ -32324,7 +32358,7 @@ index 6a50270..ca097a7 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +300,129 @@ optional_policy(` +@@ -194,24 +297,128 @@ optional_policy(` ') optional_policy(` @@ -32393,16 +32427,16 @@ index 6a50270..ca097a7 100644 +optional_policy(` + unconfined_write_keys(mount_t) +') ++ ++optional_policy(` ++ virt_read_blk_images(mount_t) ++') optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) -+ virt_read_blk_images(mount_t) - ') -+ -+optional_policy(` + vmware_exec_host(mount_t) -+') + ') + +###################################### +# @@ -32460,7 +32494,6 @@ index 6a50270..ca097a7 100644 +fs_read_ecryptfs_files(mount_ecryptfs_t) + +auth_use_nsswitch(mount_ecryptfs_t) -+ diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc index b263a8a..9348c8c 100644 --- a/policy/modules/system/netlabel.fc @@ -33122,7 +33155,7 @@ index 3822072..1029e3b 100644 + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..73ef1e8 100644 +index ec01d0b..64db314 100644 --- a/policy/modules/system/selinuxutil.te 
+++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` @@ -33559,11 +33592,11 @@ index ec01d0b..73ef1e8 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) +- +-logging_send_syslog_msg(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) --logging_send_syslog_msg(semanage_t) -- -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -33651,7 +33684,7 @@ index ec01d0b..73ef1e8 100644 ') ######################################## -@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -33733,12 +33766,12 @@ index ec01d0b..73ef1e8 100644 + # pki is leaking + pki_dontaudit_write_log(setfiles_t) +') - --seutil_libselinux_linked(setfiles_t) ++ +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +ifdef(`hide_broken_symptoms',` + + optional_policy(` @@ -33915,6 +33948,9 @@ index ec01d0b..73ef1e8 100644 + +userdom_dontaudit_write_user_home_content_files(policy_manager_domain) +userdom_use_user_ptys(policy_manager_domain) ++ ++files_rw_inherited_generic_pid_files(setfiles_domain) ++files_rw_inherited_generic_pid_files(seutil_semanage_domain) diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc index bea4629..06e2834 100644 --- a/policy/modules/system/setrans.fc @@ -34304,7 +34340,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..fda9b8a 100644 +index b7686d5..9c7aa79 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) 
@@ -34636,7 +34672,7 @@ index b7686d5..fda9b8a 100644 ') optional_policy(` -@@ -339,7 +423,11 @@ optional_policy(` +@@ -339,7 +423,15 @@ optional_policy(` ') optional_policy(` @@ -34645,16 +34681,24 @@ index b7686d5..fda9b8a 100644 +') + +optional_policy(` ++ libs_exec_ldconfig(ifconfig_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(ifconfig_t) ') optional_policy(` -@@ -360,3 +448,9 @@ optional_policy(` +@@ -360,3 +452,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') + +optional_policy(` ++ iptables_domtrans(ifconfig_t) ++') ++ ++optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') @@ -35910,10 +35954,10 @@ index 0000000..2e5b822 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..35c1a7d +index 0000000..87474b2 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,645 @@ +@@ -0,0 +1,647 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -36215,6 +36259,7 @@ index 0000000..35c1a7d +files_getattr_all_sockets(systemd_tmpfiles_t) +files_getattr_all_symlinks(systemd_tmpfiles_t) +files_relabel_all_lock_dirs(systemd_tmpfiles_t) ++files_relabel_all_lock_files(systemd_tmpfiles_t) +files_relabel_all_pid_dirs(systemd_tmpfiles_t) +files_relabel_all_pid_files(systemd_tmpfiles_t) +files_relabel_all_spool_dirs(systemd_tmpfiles_t) @@ -36238,6 +36283,7 @@ index 0000000..35c1a7d + +mls_file_read_all_levels(systemd_tmpfiles_t) +mls_file_write_all_levels(systemd_tmpfiles_t) ++mls_file_upgrade(systemd_tmpfiles_t) + +selinux_get_enforce_mode(systemd_tmpfiles_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f091d89..41328d9 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -518,7 +518,7 @@ index 058d908..702b716 100644 +') + 
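Review bot: `iptables_domtrans(ifconfig_t)` in the `@@ -360,3 +452,13 @@` sysnetwork.te hunk is unconditional, while the same transition for dhcpc_t a few lines below is gated on the `dhcpc_exec_iptables` tunable; the result is that any iptables binary run from ifconfig_t silently becomes iptables_t with full firewall rights. If a particular ifconfig_t caller needs this, name it in a comment, or gate it the same way as dhcpc_t. The added `libs_exec_ldconfig(ifconfig_t)` in the `@@ -339,7 +423,15 @@` hunk is equally unexplained; a one-line comment naming the helper that runs ldconfig would help.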
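Review bot: `mls_file_upgrade(systemd_tmpfiles_t)` in the systemd.te `@@ -36238,6 +36283,7 @@` hunk is an MLS override and deserves a why-comment, since it presumably exempts the domain from the constraint that stops it raising the sensitivity level of files it relabels. Something like `# tmpfiles.d entries may relabel files to a level above the caller's (MLS upgrade)` would record the reason. The accompanying `files_relabel_all_lock_files(systemd_tmpfiles_t)` matches the existing `files_relabel_all_lock_dirs` line and needs nothing.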
diff --git a/abrt.te b/abrt.te -index cc43d25..5e60ff3 100644 +index cc43d25..b4c749b 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -668,8 +668,9 @@ index cc43d25..5e60ff3 100644 # -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; +-dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace }; - dontaudit abrt_t self:capability sys_rawio; ++dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -1097,7 +1098,7 @@ index bd5ec9a..a5ed692 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 313b33f..f9d3343 100644 +index 313b33f..6e0a894 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1136,16 +1137,18 @@ index 313b33f..f9d3343 100644 fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) -@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t) +@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) -miscfiles_read_localization(accountsd_t) +init_dbus_chat(accountsd_t) ++logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -65,9 +72,16 @@ optional_policy(` + +@@ -65,9 +73,16 @@ optional_policy(` ') optional_policy(` @@ -1465,7 +1468,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 4b28ab3..cf64a9a 100644 +index 4b28ab3..6e8746f 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; 
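Review bot: The abrt.te hunk both allows and dontaudits `sys_ptrace` for abrt_t: `+allow abrt_t self:capability { ... sys_nice sys_ptrace };` sits directly above `+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };`. A dontaudit on a permission that is already allowed has no effect today, and if someone later removes sys_ptrace from the allow line the dontaudit will silently hide the denials that would otherwise explain the breakage. Pick one: keep `sys_ptrace` in the allow if abrt genuinely needs it (a comment saying why would help, given what that capability grants), or keep only `dontaudit abrt_t self:capability { sys_rawio sys_ptrace };` if it merely probes.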
@@ -1476,7 +1479,16 @@ index 4b28ab3..cf64a9a 100644 role aide_roles types aide_t; type aide_log_t; -@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file) +@@ -23,7 +24,7 @@ files_type(aide_db_t) + # Local policy + # + +-allow aide_t self:capability { dac_override fowner }; ++allow aide_t self:capability { dac_override fowner ipc_lock }; + + manage_files_pattern(aide_t, aide_db_t, aide_db_t) + +@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) files_read_all_symlinks(aide_t) @@ -1491,6 +1503,10 @@ index 4b28ab3..cf64a9a 100644 -userdom_use_user_terminals(aide_t) +userdom_use_inherited_user_terminals(aide_t) ++ ++optional_policy(` ++ prelink_domtrans(aide_t) ++') optional_policy(` seutil_use_newrole_fds(aide_t) @@ -1883,24 +1899,41 @@ index cda6d20..fbe259e 100644 userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) +diff --git a/amanda.fc b/amanda.fc +index 7f4dfbc..4d750fa 100644 +--- a/amanda.fc ++++ b/amanda.fc +@@ -13,6 +13,8 @@ + /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + ++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0) ++ + /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + diff --git a/amanda.te b/amanda.te -index ed45974..46e2c0d 100644 +index ed45974..95b56a6 100644 --- a/amanda.te 
+++ b/amanda.te -@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles; +@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; roleattribute system_r amanda_recover_roles; type amanda_t; +type amanda_exec_t; type amanda_inetd_exec_t; - inetd_service_domain(amanda_t, amanda_inetd_exec_t) +-inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++init_daemon_domain(amanda_t, amanda_exec_t) ++role system_r types amanda_t; -type amanda_exec_t; -domain_entry_file(amanda_t, amanda_exec_t) ++type amanda_unit_file_t; ++systemd_unit_file(amanda_unit_file_t) type amanda_log_t; logging_log_file(amanda_log_t) -@@ -60,7 +59,7 @@ optional_policy(` +@@ -60,7 +62,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -1909,7 +1942,7 @@ index ed45974..46e2c0d 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) @@ -1917,7 +1950,7 @@ index ed45974..46e2c0d 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) 
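Review bot: `++role system_r types amanda_t;` in the amanda.te `@@ -9,11 +9,13 @@` hunk looks redundant: `init_daemon_domain(amanda_t, amanda_exec_t)` on the line above already associates the domain with system_r in the reference policy's init_domain template (confirm for this tree). If it is redundant, drop it; if this tree's init_daemon_domain does not add the role, a comment saying so would stop it being removed later. Replacing `inetd_service_domain` with `init_daemon_domain` also changes how amanda_t is entered, and the inetd entrypoint is re-added as an optional_policy in a later hunk of this file; a comment near the declaration pointing there would help.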
@@ -1925,7 +1958,15 @@ index ed45974..46e2c0d 100644 corenet_all_recvfrom_netlabel(amanda_t) corenet_tcp_sendrecv_generic_if(amanda_t) corenet_tcp_sendrecv_generic_node(amanda_t) -@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t) + corenet_tcp_sendrecv_all_ports(amanda_t) + corenet_tcp_bind_generic_node(amanda_t) + ++corenet_tcp_bind_amanda_port(amanda_t) ++ + corenet_sendrecv_all_server_packets(amanda_t) + corenet_tcp_bind_all_rpc_ports(amanda_t) + corenet_tcp_bind_generic_port(amanda_t) +@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -1933,7 +1974,7 @@ index ed45974..46e2c0d 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -1949,6 +1990,10 @@ index ed45974..46e2c0d 100644 userdom_search_user_home_content(amanda_recover_t) + +optional_policy(` ++ inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++') ++ ++optional_policy(` + fstools_domtrans(amanda_t) + fstools_signal(amanda_t) +') @@ -2527,10 +2572,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..1a35e88 +index 0000000..36cb011 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,248 @@ +@@ -0,0 +1,252 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2753,6 +2798,10 @@ index 0000000..1a35e88 +') + +optional_policy(` ++ mysql_stream_connect(antivirus_domain) ++') ++ ++optional_policy(` + postfix_read_config(antivirus_domain) + postfix_list_spool(antivirus_domain) +') @@ -4475,10 +4524,10 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') 
diff --git a/apache.te b/apache.te -index 1a82e29..3a12c26 100644 +index 1a82e29..392480e 100644 --- a/apache.te +++ b/apache.te -@@ -1,297 +1,360 @@ +@@ -1,297 +1,367 @@ -policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + @@ -4895,6 +4944,13 @@ index 1a82e29..3a12c26 100644 -## nfs file systems. -##

+##

++## Allow httpd to connect to sasl ++##

++## ++gen_tunable(httpd_use_sasl, false) ++ ++## ++##

+## Allow httpd to access nfs file systems +##

##
@@ -4988,7 +5044,7 @@ index 1a82e29..3a12c26 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5001,7 +5057,7 @@ index 1a82e29..3a12c26 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5023,7 +5079,7 @@ index 1a82e29..3a12c26 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -5043,7 +5099,7 @@ index 1a82e29..3a12c26 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; 
@@ -5094,7 +5150,7 @@ index 1a82e29..3a12c26 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5136,7 +5192,7 @@ index 1a82e29..3a12c26 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5145,7 +5201,7 @@ index 1a82e29..3a12c26 100644 allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -5156,7 +5212,7 @@ index 1a82e29..3a12c26 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
@@ -5232,6 +5288,7 @@ index 1a82e29..3a12c26 100644 +corecmd_exec_shell(httpd_t) + +domain_use_interactive_fds(httpd_t) ++domain_dontaudit_read_all_domains_state(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) @@ -5384,7 +5441,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5444,7 +5501,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5490,18 +5547,18 @@ index 1a82e29..3a12c26 100644 - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') --') -- --optional_policy(` -- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` -- spamassassin_domtrans_client(httpd_t) -- ') +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ') +-optional_policy(` +- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` +- spamassassin_domtrans_client(httpd_t) +- ') +-') +- -tunable_policy(`httpd_graceful_shutdown',` - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) @@ -5529,7 +5586,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
@@ -5557,26 +5614,22 @@ index 1a82e29..3a12c26 100644 - fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_files(httpd_t) - fs_manage_cifs_symlinks(httpd_t) --') -- --tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_t) + userdom_use_inherited_user_terminals(httpd_t) + userdom_use_inherited_user_terminals(httpd_suexec_t) ') --tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_fusefs_dirs(httpd_t) -- fs_manage_fusefs_files(httpd_t) -- fs_read_fusefs_symlinks(httpd_t) +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) -') +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) +-tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_fusefs_dirs(httpd_t) +- fs_manage_fusefs_files(httpd_t) +- fs_read_fusefs_symlinks(httpd_t) -') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) @@ -5585,13 +5638,21 @@ index 1a82e29..3a12c26 100644 + cobbler_search_lib(httpd_t) + ') +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) ++ tunable_policy(`httpd_can_network_connect_cobbler',` ++ corenet_tcp_connect_cobbler_port(httpd_t) ++ ') + ') + -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_nfs_dirs(httpd_t) - fs_manage_nfs_files(httpd_t) - fs_manage_nfs_symlinks(httpd_t) -+ tunable_policy(`httpd_can_network_connect_cobbler',` -+ corenet_tcp_connect_cobbler_port(httpd_t) ++optional_policy(` ++ tunable_policy(`httpd_use_sasl',` ++ sasl_connect(httpd_t) + ') ') @@ -5606,7 +5667,7 @@ index 1a82e29..3a12c26 100644 ') optional_policy(` -@@ -743,14 +849,6 @@ optional_policy(` +@@ -743,14 +863,6 @@ optional_policy(` ccs_read_config(httpd_t) ') 
@@ -5621,7 +5682,7 @@ index 1a82e29..3a12c26 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +863,23 @@ optional_policy(` +@@ -765,6 +877,23 @@ optional_policy(` ') optional_policy(` @@ -5645,7 +5706,7 @@ index 1a82e29..3a12c26 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +896,42 @@ optional_policy(` +@@ -781,34 +910,42 @@ optional_policy(` ') optional_policy(` @@ -5699,7 +5760,7 @@ index 1a82e29..3a12c26 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +939,18 @@ optional_policy(` +@@ -816,8 +953,18 @@ optional_policy(` ') optional_policy(` @@ -5718,7 +5779,7 @@ index 1a82e29..3a12c26 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +959,7 @@ optional_policy(` +@@ -826,6 +973,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5726,7 +5787,7 @@ index 1a82e29..3a12c26 100644 ') optional_policy(` -@@ -836,20 +970,38 @@ optional_policy(` +@@ -836,20 +984,38 @@ optional_policy(` ') optional_policy(` @@ -5771,7 +5832,7 @@ index 1a82e29..3a12c26 100644 ') optional_policy(` -@@ -857,6 +1009,16 @@ optional_policy(` +@@ -857,6 +1023,16 @@ optional_policy(` ') optional_policy(` @@ -5788,7 +5849,7 @@ index 1a82e29..3a12c26 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1027,7 @@ optional_policy(` +@@ -865,11 +1041,16 @@ optional_policy(` ') optional_policy(` @@ -5796,7 +5857,16 @@ index 1a82e29..3a12c26 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,65 +1040,166 @@ optional_policy(` + + optional_policy(` ++ thin_stream_connect(httpd_t) ++') ++ ++optional_policy(` + udev_read_db(httpd_t) + ') + +@@ -877,65 +1058,165 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -5835,7 +5905,6 @@ index 1a82e29..3a12c26 100644 + allow httpd_t self:process setexec; + + files_dontaudit_getattr_all_files(httpd_t) -+ domain_dontaudit_read_all_domains_state(httpd_t) + domain_getpgid_all_domains(httpd_t) +') + @@ -5985,7 +6054,7 @@ index 1a82e29..3a12c26 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1225,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6140,7 +6209,7 @@ index 1a82e29..3a12c26 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1292,104 @@ optional_policy(` +@@ -1077,172 +1309,104 @@ optional_policy(` ') ') @@ -6162,11 +6231,11 @@ index 1a82e29..3a12c26 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -+allow httpd_sys_script_t self:process getsched; - +- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6319,10 +6388,10 @@ index 1a82e29..3a12c26 100644 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; - -kernel_read_kernel_sysctls(httpd_sys_script_t) -- --fs_search_auto_mountpoints(httpd_sys_script_t) +corenet_all_recvfrom_netlabel(httpd_sys_script_t) +-fs_search_auto_mountpoints(httpd_sys_script_t) +- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) 
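Review bot: The hunk at `@@ -5835,7 +5905,6 @@` keeps `allow httpd_t self:process setexec;` and `domain_getpgid_all_domains(httpd_t)` while dropping `domain_dontaudit_read_all_domains_state(httpd_t)`; `setexec` lets the web server choose the security context of its own subsequent execs, which is a wide capability, and the block enclosing these rules opens before this hunk, so it is not visible whether a default-off boolean gates it. Please confirm that it does, and add a why-comment above the allow such as `# setexec: TODO(review) name the feature/tunable that needs httpd to pick its children's context`. Dropping the dontaudit is a welcome tightening, since reads of other domains' process state by httpd are audited again. The later hunks on this line only relocate `allow httpd_sys_script_t self:process getsched;` and `corenet_all_recvfrom_netlabel(httpd_sys_script_t)` without changing them.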
@@ -6376,7 +6445,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1414,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6473,7 +6542,7 @@ index 1a82e29..3a12c26 100644 ######################################## # -@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1489,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6490,7 +6559,7 @@ index 1a82e29..3a12c26 100644 ') ######################################## -@@ -1324,49 +1488,36 @@ optional_policy(` +@@ -1324,49 +1505,36 @@ optional_policy(` # User content local policy # @@ -6554,7 +6623,7 @@ index 1a82e29..3a12c26 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1544,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7504,7 +7573,7 @@ index 089430a..7cd037b 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..512d6b1 100644 +index a579c3b..294b5f4 100644 --- a/automount.te +++ b/automount.te @@ -22,12 +22,16 @@ type automount_tmp_t; @@ -7564,6 +7633,15 @@ index a579c3b..512d6b1 100644 fstools_domtrans(automount_t) ') +@@ -160,3 +165,8 @@ optional_policy(` + optional_policy(` + udev_read_db(automount_t) + ') ++ ++tunable_policy(`mount_anyfile',` ++ files_mounton_non_security(automount_t) ++') ++ diff --git a/avahi.fc b/avahi.fc index e9fe2ca..4c2d076 100644 --- a/avahi.fc @@ -8331,7 +8409,7 @@ index 16ec525..1dd4059 100644 ######################################## diff --git a/blueman.te b/blueman.te -index bc5c984..d8af68f 100644 +index bc5c984..63a4b1d 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) 
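Review bot: The automount hunk at `@@ -7564,6 +7633,15 @@` adds `tunable_policy(`mount_anyfile',` / `files_mounton_non_security(automount_t)` followed by an extra empty line, which leaves a trailing blank line at the end of automount.te if inner line 160 was already the last line. The boolean is named for the mount module, so an administrator who turns on `mount_anyfile` for mount will now also let automount_t mount on any non-security directory or file; a comment above the block, e.g. `# mount_anyfile is shared with the mount module; see its tunable description`, makes that coupling visible to whoever audits booleans later. The apache and blueman hunks on this line change only inner hunk headers and index lines.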
@@ -8353,7 +8431,16 @@ index bc5c984..d8af68f 100644 allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -41,29 +42,40 @@ corecmd_exec_bin(blueman_t) +@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) + manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) + files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) + +-kernel_read_net_sysctls(blueman_t) ++kernel_rw_net_sysctls(blueman_t) + kernel_read_system_state(blueman_t) + kernel_request_load_module(blueman_t) + +@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t) dev_read_rand(blueman_t) dev_read_urand(blueman_t) dev_rw_wireless(blueman_t) @@ -8378,6 +8465,10 @@ index bc5c984..d8af68f 100644 ') optional_policy(` ++ bluetooth_read_config(blueman_t) ++') ++ ++optional_policy(` + dbus_system_domain(blueman_t, blueman_exec_t) +') + @@ -10813,7 +10904,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..6567c77 100644 +index 914ee2d..770ae51 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -10826,7 +10917,7 @@ index 914ee2d..6567c77 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t) +@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t) # Local policy # 
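Review bot: `kernel_rw_net_sysctls(blueman_t)` replaces `kernel_read_net_sysctls(blueman_t)` in the hunk at `@@ -8353,7 +8431,16 @@`, so blueman gains write access to every net sysctl rather than the single one it presumably needs, and the hunk gives no reason. A comment naming the entry being written, e.g. `# TODO(review): state which /proc/sys/net entry blueman writes`, would let a later reviewer judge whether a narrower interface exists. `bluetooth_read_config(blueman_t)` in the following hunk is correctly wrapped in its own `optional_policy`. The chronyd hunks on this line change only an index line and an inner hunk header.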
@@ -10838,13 +10929,12 @@ index 914ee2d..6567c77 100644 +allow chronyd_t self:unix_dgram_socket create_socket_perms; allow chronyd_t self:fifo_file rw_fifo_file_perms; -+ +allow chronyd_t chronyd_keys_t:file append_file_perms; +allow chronyd_t chronyd_keys_t:file setattr_file_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -11361,21 +11451,28 @@ index 29782b8..685edff 100644 ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..8a40857 +index 0000000..cc740da --- /dev/null 
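Review bot: In the hunk at `@@ -10838,13 +10929,12 @@` chronyd_t gains `append_file_perms` and `setattr_file_perms` on `chronyd_keys_t` on top of the existing read permission, i.e. the daemon can now append to and change the attributes of its own authentication key file. That is a meaningful widening for key material, so a comment should say which operation needs it, e.g. `# chronyd_keys_t append/setattr: TODO(review) name the key-generation path that requires it`, and if only one of the two permissions is needed the other should be dropped. The new `allow chronyd_t self:unix_dgram_socket create_socket_perms;` is unremarkable. The cloudform.fc hunk that starts on this line ends on the next.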
+++ b/cloudform.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,29 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + -+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) ++/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) ++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) -+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) ++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) + +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) + ++/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) ++ ++/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) ++ ++/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0) ++/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0) +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) -+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) ++/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) + +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) +/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) @@ -11437,10 +11534,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..def8328 +index 0000000..a56e579 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,296 @@ +policy_module(cloudform, 1.0) +######################################## +# 
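Review bot: In the new cloudform.fc hunk the cloud-init entries are interleaved with the iwhd/mongod ones (`/var/lib/cloud(/.*)?` and `/var/log/cloud-init\.log` sit between the systemd unit entries and `/var/lib/iwhd`, and the two `/usr/lib/systemd/system/cloud-*` lines are split by a blank line), which makes the file harder to scan; grouping the `cloud_*` paths together or sorting by path would match the rest of the file. Only `cloud-init\.log` is labelled under `/var/log`, so any other log cloud-init writes beside it would stay `var_log_t` and be denied to `cloud_init_t`; confirm that single file is the only one it creates or widen the pattern. The cloudform.te hunk that follows changes only the index line and the inner hunk header.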
@@ -11452,6 +11549,19 @@ index 0000000..def8328 +cloudform_domain_template(deltacloudd) +cloudform_domain_template(iwhd) +cloudform_domain_template(mongod) ++cloudform_domain_template(cloud_init) ++ ++type cloud_init_tmp_t; ++files_tmp_file(cloud_init_tmp_t) ++ ++type cloud_init_unit_file_t; ++systemd_unit_file(cloud_init_unit_file_t) ++ ++type cloud_var_lib_t; ++files_type(cloud_var_lib_t) ++ ++type cloud_log_t; ++logging_log_file(cloud_log_t) + +type deltacloudd_log_t; +logging_log_file(deltacloudd_log_t) 
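Review bot: The new types in the hunk at `@@ -11452,6 +11549,19 @@` are named inconsistently: `cloud_init_tmp_t` and `cloud_init_unit_file_t` carry the domain prefix while `cloud_var_lib_t` and `cloud_log_t` do not, even though all four are private to cloud_init_t. Since the types are introduced by this patch, renaming the latter two to `cloud_init_var_lib_t` and `cloud_init_log_t` (with the matching cloudform.fc entries) costs nothing now and avoids a permanent `cloud_*` namespace that any future cloud module would collide with. The hunk is otherwise self-contained.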
@@ -11505,6 +11615,93 @@ index 0000000..def8328 + +miscfiles_read_certs(cloudform_domain) + ++################################# ++# ++# cloud-init local policy ++# ++ ++allow cloud_init_t self:capability { fowner chown fsetid dac_override }; ++ ++allow cloud_init_t self:udp_socket create_socket_perms; ++ ++manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t) ++manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t) ++files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir }) ++ ++manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) ++manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) ++manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) ++ ++manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t) ++logging_log_filetrans(cloud_init_t, cloud_log_t, { file }) ++ ++kernel_read_network_state(cloud_init_t) ++ ++corenet_tcp_connect_http_port(cloud_init_t) ++ ++corecmd_exec_bin(cloud_init_t) ++corecmd_exec_shell(cloud_init_t) ++ ++fs_getattr_all_fs(cloud_init_t) ++ ++storage_raw_read_fixed_disk(cloud_init_t) ++ ++libs_exec_ldconfig(cloud_init_t) ++ ++logging_send_syslog_msg(cloud_init_t) ++ ++miscfiles_read_localization(cloud_init_t) ++ ++selinux_validate_context(cloud_init_t) ++ ++systemd_dbus_chat_hostnamed(cloud_init_t) ++systemd_exec_systemctl(cloud_init_t) ++systemd_start_all_services(cloud_init_t) ++ ++usermanage_domtrans_passwd(cloud_init_t) ++ ++optional_policy(` ++ dbus_system_bus_client(cloud_init_t) ++') ++ ++optional_policy(` ++ dmidecode_domtrans(cloud_init_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(cloud_init_t) ++') ++ ++optional_policy(` ++ hostname_exec(cloud_init_t) ++') ++ ++optional_policy(` ++ mount_domtrans(cloud_init_t) ++') ++ ++optional_policy(` ++ # it check file context and run restorecon ++ seutil_read_file_contexts(cloud_init_t) ++ seutil_domtrans_setfiles(cloud_init_t) ++') ++ ++optional_policy(` ++ ssh_exec_keygen(cloud_init_t) ++ 
ssh_read_user_home_files(cloud_init_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(cloud_init_t) ++ sysnet_read_dhcpc_state(cloud_init_t) ++ sysnet_dns_name_resolve(cloud_init_t) ++') ++ ++optional_policy(` ++ unconfined_domain(cloud_init_t) ++') ++ ++ +######################################## +# +# deltacloudd local policy @@ -11618,6 +11815,7 @@ index 0000000..def8328 + +corenet_tcp_bind_generic_node(mongod_t) +corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_mongod_port(mongod_t) +corenet_tcp_connect_postgresql_port(mongod_t) + +kernel_read_vm_sysctls(mongod_t) @@ -12173,7 +12371,7 @@ index 8e27a37..825f537 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..9d70983 100644 +index 09f18e2..3547d05 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -12236,7 +12434,7 @@ index 09f18e2..9d70983 100644 storage_getattr_fixed_disk_dev(colord_t) storage_getattr_removable_dev(colord_t) -@@ -98,25 +104,28 @@ storage_write_scsi_generic(colord_t) +@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t) auth_use_nsswitch(colord_t) @@ -12258,6 +12456,7 @@ index 09f18e2..9d70983 100644 -') +userdom_rw_user_tmpfs_files(colord_t) +userdom_home_reader(colord_t) ++userdom_list_user_home_content(colord_t) +userdom_read_inherited_user_home_content_files(colord_t) optional_policy(` @@ -12275,7 +12474,7 @@ index 09f18e2..9d70983 100644 ') optional_policy(` -@@ -133,3 +142,16 @@ optional_policy(` +@@ -133,3 +143,16 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) ') @@ -13352,10 +13551,36 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 83d6744..627ab43 100644 +index 83d6744..6afc08d 100644 --- a/couchdb.if 
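Review bot: The `optional_policy(` block containing `unconfined_domain(cloud_init_t)` at the end of the cloud-init local policy (the hunk that starts on the previous line) makes every rule above it in that section redundant whenever the unconfined module is loaded, so cloud_init_t is effectively unconfined while the file reads as if it were tightly enumerated. If the enumerated rules are meant to be the real policy, drop that block or gate it behind a default-off boolean; if unconfined is intended for now, say so in a comment above it, e.g. `# cloud-init runs unconfined until its rule set is verified — TODO(review): remove`. The combination of `storage_raw_read_fixed_disk`, `usermanage_domtrans_passwd`, `systemd_start_all_services` and `corecmd_exec_shell` already gives the domain root-equivalent reach, so this deserves an explicit decision. The comment `# it check file context and run restorecon` should read `# it checks file contexts and runs restorecon`. The mongod and colord hunks on this line add single interface calls and need no comment.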
+++ b/couchdb.if -@@ -10,6 +10,89 @@ +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Allow to read couchdb lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_lib_files',` ++ gen_require(` ++ type couchdb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an couchdb environment. + ## +@@ -10,6 +29,108 @@ ## Domain allowed access. ##
## @@ -13390,6 +13615,25 @@ index 83d6744..627ab43 100644 + +######################################## +## ++## Allow to read couchdb conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_conf_files',` ++ gen_require(` ++ type couchdb_conf_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ++') ++ ++######################################## ++## +## Read couchdb PID files. +## +## @@ -13445,7 +13689,7 @@ index 83d6744..627ab43 100644 ## ## ## Role allowed access. -@@ -19,14 +102,19 @@ +@@ -19,14 +140,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -13466,7 +13710,7 @@ index 83d6744..627ab43 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +134,13 @@ interface(`couchdb_admin',` +@@ -46,4 +172,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -13537,10 +13781,10 @@ index 8a4b596..cbecde8 100644 /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) diff --git a/courier.if b/courier.if -index 10f820f..4040ec2 100644 +index 10f820f..acdb179 100644 --- a/courier.if +++ b/courier.if -@@ -1,41 +1,50 @@ +@@ -1,12 +1,12 @@ -## Courier IMAP and POP3 email servers. +## Courier IMAP and POP3 email servers @@ -13558,19 +13802,16 @@ index 10f820f..4040ec2 100644 ## ## # - template(`courier_domain_template',` -- gen_require(` -- attribute courier_domain; -- ') +@@ -15,7 +15,7 @@ template(`courier_domain_template',` + attribute courier_domain; + ') - ######################################## + ############################## # # Declarations # - -- type courier_$1_t, courier_domain; -+ type courier_$1_t; +@@ -24,18 +24,30 @@ template(`courier_domain_template',` type courier_$1_exec_t; init_daemon_domain(courier_$1_t, courier_$1_exec_t) 
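Review bot: `couchdb_read_conf_files` in the hunk at `@@ -13390,6 +13615,25 @@` calls `files_search_var_lib($1)` before `read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)`, which looks copied from `couchdb_read_lib_files` in the hunk that ends on this line; if `couchdb_conf_t` labels files under /etc, as the `_conf_t` name suggests, the caller needs `files_search_etc($1)` instead, and without it the directory search will be denied before the read is attempted. Please replace the line with `files_search_etc($1)` (or keep both only if configuration also lives under /var/lib). Both new summaries should also follow the file's phrasing, e.g. `Read couchdb configuration files.` rather than `Allow to read couchdb conf files.`. The courier.if hunks on this line are mostly inner header renumbering.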
@@ -13605,7 +13846,7 @@ index 10f820f..4040ec2 100644 ##
## ## -@@ -48,34 +57,32 @@ interface(`courier_domtrans_authdaemon',` +@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',` type courier_authdaemon_t, courier_authdaemon_exec_t; ') @@ -13650,7 +13891,7 @@ index 10f820f..4040ec2 100644 ## ## ## -@@ -88,13 +95,12 @@ interface(`courier_domtrans_pop',` +@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',` type courier_pop_t, courier_pop_exec_t; ') @@ -13665,7 +13906,7 @@ index 10f820f..4040ec2 100644 ## ## ## -@@ -127,7 +133,7 @@ interface(`courier_manage_spool_dirs',` +@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',` type courier_spool_t; ') @@ -13674,7 +13915,7 @@ index 10f820f..4040ec2 100644 manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -136,7 +142,7 @@ interface(`courier_manage_spool_dirs',` +@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',` ## Create, read, write, and delete courier ## spool files. ## @@ -13683,7 +13924,7 @@ index 10f820f..4040ec2 100644 ## ## Domain allowed access. ## -@@ -147,7 +153,7 @@ interface(`courier_manage_spool_files',` +@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',` type courier_spool_t; ') @@ -13692,7 +13933,7 @@ index 10f820f..4040ec2 100644 manage_files_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -166,13 +172,13 @@ interface(`courier_read_spool',` +@@ -166,13 +175,13 @@ interface(`courier_read_spool',` type courier_spool_t; ') @@ -13708,7 +13949,7 @@ index 10f820f..4040ec2 100644 ##
## ## -@@ -185,6 +191,5 @@ interface(`courier_rw_spool_pipes',` +@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',` type courier_spool_t; ') @@ -13716,7 +13957,7 @@ index 10f820f..4040ec2 100644 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/courier.te b/courier.te -index 77bb077..76b93d2 100644 +index 77bb077..1499c3f 100644 --- a/courier.te +++ b/courier.te @@ -18,7 +18,7 @@ type courier_etc_t; @@ -13752,7 +13993,26 @@ index 77bb077..76b93d2 100644 sysnet_read_config(courier_domain) userdom_dontaudit_use_unpriv_user_fds(courier_domain) -@@ -112,7 +107,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) +@@ -77,6 +72,10 @@ optional_policy(` + ') + + optional_policy(` ++ mysql_stream_connect(courier_domain) ++') ++ ++optional_policy(` + udev_read_db(courier_domain) + ') + +@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; + create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + ++manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) + manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) + + allow courier_authdaemon_t courier_tcpd_t:process sigchld; +@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) libs_read_lib_files(courier_authdaemon_t) @@ -13760,7 +14020,7 @@ index 77bb077..76b93d2 100644 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) -@@ -135,7 +129,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; +@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; 
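Review bot: `manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)` in the hunk at `@@ -13752,7 +13993,26 @@` gives the authentication daemon create/write/delete on every file under the courier spool, where previously it only managed socket files there; if authdaemon only needs to create or write a specific file, a narrower pattern (`create_files_pattern` or `rw_files_pattern`) would keep the auth component from being able to alter queued mail. In the same hunk `mysql_stream_connect(courier_domain)` is granted to the whole `courier_domain` attribute, so every courier daemon (pop, tcpd, authdaemon) can reach the MySQL socket; if only the authdaemon's database auth path uses it, scope it to `courier_authdaemon_t` in the authdaemon section instead. A one-line comment on each stating the driving use case would make the widening reviewable later. The remaining hunks on this line change inner hunk headers only.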
@@ -13769,7 +14029,7 @@ index 77bb077..76b93d2 100644 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) -@@ -172,7 +166,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) +@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) dev_read_rand(courier_tcpd_t) dev_read_urand(courier_tcpd_t) @@ -16288,7 +16548,7 @@ index 949011e..afe482b 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..ca832e1 100644 +index 06da9a0..6d69a2f 100644 --- a/cups.if +++ b/cups.if @@ -15,6 +15,11 @@ @@ -16348,7 +16608,13 @@ index 06da9a0..ca832e1 100644 ## All of the rules required to ## administrate an cups environment. ## -@@ -329,13 +360,18 @@ interface(`cups_admin',` +@@ -324,18 +355,23 @@ interface(`cups_stream_connect_ptal',` + interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; +- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; ++ type cupsd_etc_t, cupsd_log_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; @@ -16371,8 +16637,13 @@ index 06da9a0..ca832e1 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -353,8 +389,61 @@ interface(`cups_admin',` +@@ -348,13 +384,63 @@ interface(`cups_admin',` + logging_list_logs($1) + admin_pattern($1, cupsd_log_t) +- files_list_spool($1) +- admin_pattern($1, cupsd_spool_t) +- files_list_tmp($1) admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) - @@ -16436,7 +16707,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..c7268a7 100644 +index 9f34c2e..ab0eee9 100644 --- a/cups.te +++ b/cups.te 
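Review bot: `cups_admin` in the hunks at `@@ -16348,7 +16608,13 @@` and `@@ -16371,8 +16637,13 @@` drops `cupsd_spool_t` from its `gen_require` and removes `files_list_spool($1)` / `admin_pattern($1, cupsd_spool_t)`, so a role granted through this interface can no longer manage the print spool. Nothing in the visible hunks removes the `cupsd_spool_t` type itself; if the type still exists this is a silent loss of admin coverage and the two lines should come back, and if it was removed elsewhere in the patch a comment in the interface or a line in the commit message should say so. The courier.te hunks on this line only change inner hunk headers.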
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16578,7 +16849,7 @@ index 9f34c2e..c7268a7 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -16586,7 +16857,13 @@ index 9f34c2e..c7268a7 100644 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) + files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) ++cups_filetrans_named_content(cupsd_t) + + allow cupsd_t cupsd_exec_t:dir search_dir_perms; + allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; +@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -16614,7 +16891,7 @@ index 9f34c2e..c7268a7 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) 
@@ -16626,7 +16903,7 @@ index 9f34c2e..c7268a7 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -16651,7 +16928,7 @@ index 9f34c2e..c7268a7 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -16659,7 +16936,7 @@ index 9f34c2e..c7268a7 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -16679,7 +16956,7 @@ index 9f34c2e..c7268a7 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -16688,7 +16965,7 @@ index 9f34c2e..c7268a7 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -16714,7 +16991,7 @@ index 9f34c2e..c7268a7 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +309,8 @@ optional_policy(` +@@ -275,6 +310,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) 
@@ -16723,7 +17000,7 @@ index 9f34c2e..c7268a7 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +321,10 @@ optional_policy(` +@@ -285,8 +322,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16734,7 +17011,7 @@ index 9f34c2e..c7268a7 100644 ') ') -@@ -299,8 +337,8 @@ optional_policy(` +@@ -299,8 +338,8 @@ optional_policy(` ') optional_policy(` @@ -16744,7 +17021,7 @@ index 9f34c2e..c7268a7 100644 ') optional_policy(` -@@ -309,7 +347,6 @@ optional_policy(` +@@ -309,7 +348,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -16752,7 +17029,7 @@ index 9f34c2e..c7268a7 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +374,11 @@ optional_policy(` +@@ -337,7 +375,11 @@ optional_policy(` ') optional_policy(` @@ -16765,7 +17042,7 @@ index 9f34c2e..c7268a7 100644 ') ######################################## -@@ -345,12 +386,11 @@ optional_policy(` +@@ -345,12 +387,11 @@ optional_policy(` # Configuration daemon local policy # @@ -16781,7 +17058,7 @@ index 9f34c2e..c7268a7 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16802,7 +17079,7 @@ index 9f34c2e..c7268a7 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) 
@@ -16823,7 +17100,7 @@ index 9f34c2e..c7268a7 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16835,7 +17112,7 @@ index 9f34c2e..c7268a7 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +477,12 @@ optional_policy(` +@@ -452,9 +478,12 @@ optional_policy(` ') optional_policy(` @@ -16849,7 +17126,7 @@ index 9f34c2e..c7268a7 100644 ') optional_policy(` -@@ -490,10 +518,6 @@ optional_policy(` +@@ -490,10 +519,6 @@ optional_policy(` # Lpd local policy # @@ -16860,7 +17137,7 @@ index 9f34c2e..c7268a7 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16893,7 +17170,7 @@ index 9f34c2e..c7268a7 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +561,6 @@ optional_policy(` +@@ -546,7 +562,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16901,7 +17178,7 @@ index 9f34c2e..c7268a7 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) 
@@ -17053,7 +17330,7 @@ index 9f34c2e..c7268a7 100644 ######################################## # -@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -17061,7 +17338,7 @@ index 9f34c2e..c7268a7 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -17075,7 +17352,7 @@ index 9f34c2e..c7268a7 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17084,7 +17361,7 @@ index 9f34c2e..c7268a7 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +653,4 @@ optional_policy(` +@@ -769,3 +654,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -20478,7 +20755,7 @@ index 23ab808..4a801b5 100644 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..b303b37 100644 +index 19aa0b8..531cf03 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -20489,7 +20766,7 @@ index 19aa0b8..b303b37 100644 interface(`dnsmasq_domtrans',` gen_require(` type dnsmasq_exec_t, dnsmasq_t; -@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',` +@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',` domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) ') 
@@ -20511,10 +20788,28 @@ index 19aa0b8..b303b37 100644 + can_exec($1, dnsmasq_exec_t) +') + ++######################################## ++## ++## Allow read/write dnsmasq pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_rw_inherited_pipes',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ######################################## ## ## Execute the dnsmasq init script in -@@ -42,6 +59,29 @@ interface(`dnsmasq_initrc_domtrans',` +@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## @@ -20541,10 +20836,29 @@ index 19aa0b8..b303b37 100644 + +######################################## +## ++## Send sigchld to dnsmasq. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`dnsmasq_sigchld',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:process sigchld; ++') ++ ++######################################## ++## ## Send generic signals to dnsmasq. ## ## -@@ -145,12 +185,12 @@ interface(`dnsmasq_write_config',` +@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',` ## ## # @@ -20558,7 +20872,11 @@ index 19aa0b8..b303b37 100644 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -176,7 +216,7 @@ interface(`dnsmasq_manage_pid_files',` ++ + ######################################## + ## + ## Create, read, write, and delete +@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',` ######################################## ## @@ -20567,7 +20885,7 @@ index 19aa0b8..b303b37 100644 ## ## ## -@@ -184,12 +224,12 @@ interface(`dnsmasq_manage_pid_files',` +@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',` ## ## # 
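Review bot: The new `dnsmasq_sigchld` interface in the hunk at `@@ -20541,10 +20836,29 @@` has a doubled `#` line (`++# ++# ++interface(`dnsmasq_sigchld',``) between its doc comment block and the `interface(` line; every other interface in this file uses a single `#`, so drop one. In the `dnsmasq_rw_inherited_pipes` hunk the summary `Allow read/write dnsmasq pipes` should describe what is actually granted, `Read and write inherited dnsmasq pipes.`, since the rule uses `rw_inherited_fifo_file_perms` rather than full pipe access. The hunk at `@@ -20558,7 +20872,11 @@` adds only a blank line after the delete_files_pattern interface, and the rest of the line renumbers headers.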
@@ -20581,7 +20899,7 @@ index 19aa0b8..b303b37 100644 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -214,37 +254,46 @@ interface(`dnsmasq_create_pid_dirs',` +@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',` ######################################## ## @@ -20593,22 +20911,22 @@ index 19aa0b8..b303b37 100644 ## ## -## Domain allowed access. -+## Domain allowed access. - ## - ## +-## +-## -## -+## - ## +-## -## Directory to transition on. -## -## -## -## -## The object class of the object being created. --## --## ++## Domain allowed access. + ## + ## -## --## ++## + ## -## The name of the object being created. +## The type of the directory for the object to be created. ## @@ -20646,7 +20964,7 @@ index 19aa0b8..b303b37 100644 ') ######################################## -@@ -267,12 +316,17 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; @@ -20666,7 +20984,13 @@ index 19aa0b8..b303b37 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -286,4 +340,8 @@ interface(`dnsmasq_admin',` +@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',` + files_list_var_lib($1) + admin_pattern($1, dnsmasq_lease_t) + +- logging_seearch_logs($1) ++ logging_search_logs($1) + admin_pattern($1, dnsmasq_var_log_t) files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) @@ -20676,7 +21000,7 @@ index 19aa0b8..b303b37 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..869bba7 100644 +index ba14bcf..0a3179c 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) 
@@ -20689,7 +21013,12 @@ index ba14bcf..869bba7 100644 ######################################## # # Local policy -@@ -56,7 +59,9 @@ kernel_read_network_state(dnsmasq_t) +@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) + files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(dnsmasq_t) ++kernel_read_net_sysctls(dnsmasq_t) + kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) kernel_request_load_module(dnsmasq_t) @@ -20700,7 +21029,7 @@ index ba14bcf..869bba7 100644 corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -86,9 +91,9 @@ fs_search_auto_mountpoints(dnsmasq_t) +@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t) auth_use_nsswitch(dnsmasq_t) @@ -20712,7 +21041,7 @@ index ba14bcf..869bba7 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +103,21 @@ optional_policy(` +@@ -98,12 +104,21 @@ optional_policy(` ') optional_policy(` @@ -20735,7 +21064,7 @@ index ba14bcf..869bba7 100644 ') optional_policy(` -@@ -124,6 +138,13 @@ optional_policy(` +@@ -124,6 +139,14 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -20746,6 +21075,7 @@ index ba14bcf..869bba7 100644 + +optional_policy(` + quantum_manage_lib_files(dnsmasq_t) ++ quantum_stream_connect(dnsmasq_t) + quantum_rw_fifo_file(dnsmasq_t) + quantum_sigchld(dnsmasq_t) +') @@ -22681,7 +23011,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..d49f5ad 100644 +index 0872e50..5d49b4f 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) 
@@ -22726,7 +23056,7 @@ index 0872e50..d49f5ad 100644 iptables_domtrans(fail2ban_t) ') -@@ -137,14 +137,10 @@ corecmd_exec_bin(fail2ban_client_t) +@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t) domain_use_interactive_fds(fail2ban_client_t) @@ -22734,6 +23064,8 @@ index 0872e50..d49f5ad 100644 -files_read_usr_files(fail2ban_client_t) files_search_pids(fail2ban_client_t) ++auth_read_passwd(fail2ban_client_t) ++ logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) @@ -28229,17 +28561,18 @@ index 25f09ae..3085534 100644 chronyd_stream_connect(gpsd_t) diff --git a/gssproxy.fc b/gssproxy.fc new file mode 100644 -index 0000000..404ae4f +index 0000000..f4659d1 --- /dev/null +++ b/gssproxy.fc -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + -+/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) ++/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) ++/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 index 0000000..072ddb0 @@ -28451,10 +28784,10 @@ index 0000000..072ddb0 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..6f0253c +index 0000000..80179fe --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,65 @@ +policy_module(gssproxy, 1.0.0) + +######################################## 
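Review bot: The new iscsi.fc entry `/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)` in hunk `@@ -29330,6 +29664,7 @@` labels the administrative client with the daemon's entrypoint type, so any domain that has a transition on `iscsid_exec_t` will run `iscsiadm` inside `iscsid_t` and inherit that domain's full capability set, which this same patch extends with `sys_module` in iscsi.te. If the client only needs to reach the daemon's socket, lock and lib files, a dedicated exec type and domain with the relevant `iscsi_*` interfaces keeps it from carrying daemon privileges. If sharing the domain is deliberate, say so above the entry, e.g. `# iscsiadm intentionally runs in iscsid_t: <reason>`, so the next reviewer does not treat it as a mislabel. Which domains have a domtrans on `iscsid_exec_t` is not visible in this hunk.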
@@ -28491,8 +28824,9 @@ index 0000000..6f0253c + +manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) +manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) -+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file }) ++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file }) + +kernel_rw_rpc_sysctls(gssproxy_t) + @@ -29317,10 +29651,10 @@ index c5a8112..947efe0 100644 userdom_dontaudit_search_user_home_dirs(irqbalance_t) diff --git a/iscsi.fc b/iscsi.fc -index 08b7560..9d1930b 100644 +index 08b7560..417e630 100644 --- a/iscsi.fc +++ b/iscsi.fc -@@ -1,19 +1,17 @@ +@@ -1,19 +1,18 @@ -/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0) - /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -29330,6 +29664,7 @@ index 08b7560..9d1930b 100644 /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) @@ -29344,21 +29679,47 @@ index 08b7560..9d1930b 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..1d27695 100644 +index 1a35420..4b9b978 100644 --- a/iscsi.if 
+++ b/iscsi.if -@@ -88,27 +88,21 @@ interface(`iscsi_read_lib_files',` - ## Domain allowed access. +@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an iscsi environment. ++## Transition to iscsi named content + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. ## ## -## --## ++# ++interface(`iscsi_filetrans_named_content',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") ++') ++ ++ ++######################################## ++## ++## All of the rules required to ++## administrate an iscsi environment. ++## ++## + ## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## ## - # - interface(`iscsi_admin',` +@@ -99,16 +113,15 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -29380,7 +29741,7 @@ index 1a35420..1d27695 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index 57304e4..7edd3d4 100644 +index 57304e4..46e5e3d 100644 --- a/iscsi.te +++ b/iscsi.te @@ -9,8 +9,8 @@ type iscsid_t; 
@@ -29394,11 +29755,13 @@ index 57304e4..7edd3d4 100644 type iscsi_lock_t; files_lock_file(iscsi_lock_t) -@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t) +@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t) + # Local policy # - allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; ++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; @@ -29416,7 +29779,7 @@ index 57304e4..7edd3d4 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,10 +85,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -29432,15 +29795,20 @@ index 57304e4..7edd3d4 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -99,8 +102,6 @@ init_stream_connect_script(iscsid_t) + ++files_read_kernel_modules(iscsid_t) ++ + auth_use_nsswitch(iscsid_t) + + init_stream_connect_script(iscsid_t) logging_send_syslog_msg(iscsid_t) -miscfiles_read_localization(iscsid_t) -- ++modutils_read_module_config(iscsid_t) + optional_policy(` tgtd_manage_semaphores(iscsid_t) - ') diff --git a/isns.te b/isns.te index bc11034..e393434 100644 --- a/isns.te @@ -33085,7 +33453,7 @@ index 19f2b97..fbc0e48 100644 ppp_signal(l2tpd_t) ppp_kill(l2tpd_t) diff --git a/ldap.fc b/ldap.fc -index bc25c95..dcdbe9b 100644 +index bc25c95..6692d91 100644 --- a/ldap.fc +++ b/ldap.fc @@ -1,8 +1,11 @@ 
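Review bot: The rewritten capability line in hunk `@@ -29394,11 +29755,13 @@` adds `sys_module` to `iscsid_t`, which lets the daemon load and unload arbitrary kernel modules itself rather than having the kernel's module loader do it under its own policy. Combined with the `files_read_kernel_modules(iscsid_t)` and `modutils_read_module_config(iscsid_t)` lines added in hunk `@@ -29432,15 +29795,20 @@` (and the new `iscsiadm` label in iscsi.fc), this makes a network-facing daemon a domain that can alter the running kernel. If the denial came from `iscsid` or `iscsiadm` invoking modprobe directly, a transition into the modutils domain (refpolicy provides `modutils_domtrans_insmod`) confines the load to `insmod_t`; if `sys_module` really is required, record the trigger: `# sys_module: iscsid loads <module> directly (see <bug-id>)`.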
@@ -33098,7 +33466,7 @@ index bc25c95..dcdbe9b 100644 -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + -+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) @@ -33116,7 +33484,7 @@ index bc25c95..dcdbe9b 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index ee0c7cc..6ec5f73 100644 +index ee0c7cc..446c507 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -33282,7 +33650,7 @@ index ee0c7cc..6ec5f73 100644 - type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; - type slapd_db_t; + type slapd_initrc_exec_t; -+ type ldap_unit_file_t; ++ type slapd_unit_file_t; ') - allow $1 slapd_t:process { ptrace signal_perms }; @@ -33319,8 +33687,8 @@ index ee0c7cc..6ec5f73 100644 admin_pattern($1, slapd_var_run_t) + + ldap_systemctl($1) -+ admin_pattern($1, ldap_unit_file_t) -+ allow $1 ldap_unit_file_t:service all_service_perms; ++ admin_pattern($1, slapd_unit_file_t) ++ allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te index d7d9b09..562c288 100644 
@@ -34610,6 +34978,24 @@ index b9270f7..15f3748 100644 +optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') +diff --git a/mailman.fc b/mailman.fc +index 7fa381b..bbe6b01 100644 +--- a/mailman.fc ++++ b/mailman.fc +@@ -3,10 +3,12 @@ + + /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) + ++/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) ++/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + /var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) + + /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) diff --git a/mailman.if b/mailman.if index 108c0f1..a248501 100644 --- a/mailman.if @@ -35294,10 +35680,10 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 2de0f64..85c3827 100644 +index 2de0f64..50f34fd 100644 --- a/mandb.fc +++ b/mandb.fc -@@ -1 +1,7 @@ +@@ -1 +1,9 @@ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) @@ -35305,8 +35691,10 @@ index 2de0f64..85c3827 100644 +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) ++ ++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if -index 327f3f7..8d5841f 100644 +index 327f3f7..4f61561 100644 --- a/mandb.if +++ b/mandb.if @@ -1,14 +1,14 @@ 
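Review bot: The two entries added to mailman.fc in hunk `@@ -34610,6 +34978,24 @@`, `/usr/lib/mailman/bin/mailmanctl` and `/usr/lib/mailman/bin/mm-handler.*`, are already matched by the existing `/usr/lib/mailman.*/bin/mailmanctl` and `/usr/lib/mailman.*/bin/mm-handler.*` lines directly below them, since `.*` also matches the empty string; they add no labeling coverage and give two places to keep in sync. Either drop them or, if the intent is to tighten the versioned pattern the way `/var/lib/mailman.*` was tightened to `/var/lib/mailman(/.*)?` in the same hunk, replace the `.*` forms rather than duplicating them.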
@@ -35449,7 +35837,7 @@ index 327f3f7..8d5841f 100644 ') ######################################## -@@ -99,37 +129,63 @@ interface(`mandb_read_cache_content',` +@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',` ## ## # @@ -35462,13 +35850,34 @@ index 327f3f7..8d5841f 100644 + + files_search_var($1) + manage_files_pattern($1, mandb_cache_t, mandb_cache_t) ++') ++ ++######################################## ++## ++## Manage mandb cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mandb_manage_cache_dirs',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ') ######################################## ## -## All of the rules required to -## administrate an mandb environment. -+## Manage mandb cache dirs. ++## Create configuration files in user ++## home directories with a named file ++## type transition. ## ## ## @@ -35477,16 +35886,14 @@ index 327f3f7..8d5841f 100644 ## -## +# -+interface(`mandb_manage_cache_dirs',` ++interface(`mandb_filetrans_named_home_content',` + gen_require(` -+ type mandb_cache_t; ++ type mandb_home_t; + ') + -+ files_search_var($1) -+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ++ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath") +') + -+ +######################################## +## +## All of the rules required to administrate @@ -35525,10 +35932,10 @@ index 327f3f7..8d5841f 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..fd54e2b 100644 +index 5a414e0..7fee444 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,28 +10,45 @@ roleattribute system_r mandb_roles; +@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -35539,6 +35946,9 @@ index 5a414e0..fd54e2b 100644 +type mandb_cache_t; +files_type(mandb_cache_t) + ++type mandb_home_t; ++userdom_user_home_content(mandb_home_t) ++ +type mandb_lock_t; +files_lock_file(mandb_lock_t) + 
@@ -35558,6 +35968,9 @@ index 5a414e0..fd54e2b 100644 +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) +can_exec(mandb_t, mandb_exec_t) + ++userdom_search_user_home_dirs(mandb_t) ++allow mandb_t mandb_home_t:file read_file_perms; ++ +allow mandb_t mandb_lock_t:file manage_file_perms; +files_lock_filetrans(mandb_t, mandb_lock_t, file) + @@ -37069,10 +37482,16 @@ index 7e534cf..3652584 100644 + ') +') diff --git a/mongodb.te b/mongodb.te -index 4de8949..5c237c3 100644 +index 4de8949..d705316 100644 --- a/mongodb.te +++ b/mongodb.te -@@ -54,8 +54,5 @@ corenet_tcp_bind_generic_node(mongod_t) +@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t) + corenet_all_recvfrom_netlabel(mongod_t) + corenet_tcp_sendrecv_generic_if(mongod_t) + corenet_tcp_sendrecv_generic_node(mongod_t) ++corenet_tcp_connect_mongodb_port(mongod_t) + corenet_tcp_bind_generic_node(mongod_t) + dev_read_sysfs(mongod_t) dev_read_urand(mongod_t) @@ -37123,10 +37542,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..d341a52 100644 +index 6ffaba2..bb33a48 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,64 @@ +@@ -1,38 +1,65 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) 
@@ -37158,6 +37577,7 @@ index 6ffaba2..d341a52 100644 +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -37226,7 +37646,7 @@ index 6ffaba2..d341a52 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..879f5db 100644 +index 6194b80..af1201e 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -37865,7 +38285,7 @@ index 6194b80..879f5db 100644 ## ## ## -@@ -530,45 +448,51 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -37931,6 +38351,7 @@ index 6194b80..879f5db 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") @@ -37942,7 +38363,7 @@ index 6194b80..879f5db 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..30005c3 100644 +index 6a306ee..0a31eec 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
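Review bot: The new file-context line `HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)` in hunk `@@ -37158,6 +37577,7 @@` labels a regular file literally named `abc` in every user's home directory as Mozilla content, and hunk `@@ -37931,6 +38351,7 @@` adds the matching `userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")`; neither corresponds to any Mozilla or plugin artifact named elsewhere in this patch and both read as a leftover from a local test. Dropping both lines before this lands avoids shipping a named transition for an arbitrary user filename; if a real file was meant, the entry should carry its actual escaped name in the style of the surrounding `HOME_DIR/\.gnashpluginrc` entry.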
@@ -38008,7 +38429,7 @@ index 6a306ee..30005c3 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -38037,13 +38458,12 @@ index 6a306ee..30005c3 100644 type mozilla_plugin_config_t; type mozilla_plugin_config_exec_t; -userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) --role mozilla_plugin_config_roles types mozilla_plugin_config_t; +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) +role mozilla_roles types mozilla_plugin_config_t; + role mozilla_plugin_config_roles types mozilla_plugin_config_t; type mozilla_tmp_t; - userdom_user_tmp_file(mozilla_tmp_t) -@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -38054,7 +38474,7 @@ index 6a306ee..30005c3 100644 ######################################## # # Local policy -@@ -75,27 +93,30 @@ optional_policy(` +@@ -75,27 +94,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; 
@@ -38098,7 +38518,7 @@ index 6a306ee..30005c3 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -38206,7 +38626,7 @@ index 6a306ee..30005c3 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -38317,7 +38737,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -244,19 +275,12 @@ optional_policy(` +@@ -244,19 +276,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -38339,7 +38759,7 @@ index 6a306ee..30005c3 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +289,32 @@ optional_policy(` +@@ -265,33 +290,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -38387,7 +38807,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -300,221 +323,177 @@ optional_policy(` +@@ -300,221 +324,180 @@ optional_policy(` ######################################## # @@ -38403,6 +38823,7 @@ index 6a306ee..30005c3 100644 + +allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; +allow mozilla_plugin_t self:udp_socket create_socket_perms; allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; 
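Review bot: `allow mozilla_plugin_t self:netlink_socket create_socket_perms;` added in hunk `@@ -38387,7 +38807,7 @@` grants the generic netlink class, which covers every netlink family that has no dedicated SELinux class and is therefore considerably wider than the `netlink_route_socket` rule beside it. A comment naming the family from the audit record that motivated it, e.g. `# netlink_socket: <family> used by <plugin>`, would let a later cleanup narrow the rule if that family gains its own class. The `mozilla_plugin_t` local-policy block this line belongs to continues outside the hunk.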
@@ -38567,6 +38988,7 @@ index 6a306ee..30005c3 100644 -corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) ++corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t) +corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) -dev_read_generic_usb_dev(mozilla_plugin_t) @@ -38592,6 +39014,7 @@ index 6a306ee..30005c3 100644 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) +dev_rwx_zero(mozilla_plugin_t) ++dev_dontaudit_read_mtrr(mozilla_plugin_t) +dev_dontaudit_rw_dri(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) @@ -38705,7 +39128,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -523,36 +502,48 @@ optional_policy(` +@@ -523,36 +506,48 @@ optional_policy(` ') optional_policy(` @@ -38767,7 +39190,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -560,7 +551,7 @@ optional_policy(` +@@ -560,7 +555,7 @@ optional_policy(` ') optional_policy(` @@ -38776,7 +39199,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -568,108 +559,118 @@ optional_policy(` +@@ -568,108 +563,118 @@ optional_policy(` ') optional_policy(` 
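Review bot: The new `corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)` in hunk `@@ -38567,6 +38988,7 @@` lets a browser plugin open a listening socket on the JBoss remote-debug port unconditionally for every user running the plugin, which is a server-side port a plugin should not normally own. If this serves a Java applet debugging session, it belongs behind a tunable or inside an `optional_policy` block with a comment naming the plugin that needs it, e.g. `# <plugin> debugging agent listens on the jboss debug port`; the motivating plugin is not visible here, so the comment text is a placeholder. The `dev_dontaudit_read_mtrr(mozilla_plugin_t)` addition in hunk `@@ -38592,6 +39014,7 @@` is fine as a dontaudit.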
@@ -39089,6 +39512,44 @@ index 7c8afcc..97f2b6f 100644 udev_read_db(mpd_t) ') +diff --git a/mplayer.if b/mplayer.if +index 861d5e9..87fd115 100644 +--- a/mplayer.if ++++ b/mplayer.if +@@ -161,3 +161,33 @@ interface(`mplayer_home_filetrans_mplayer_home',` + + userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) + ') ++ ++######################################## ++## ++## Create specified objects in user home ++## directories with the generic mplayer ++## home type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`mplayer_filetrans_home_content',` ++ gen_require(` ++ type mplayer_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer") ++') diff --git a/mplayer.te b/mplayer.te index 9aca704..f92829c 100644 --- a/mplayer.te @@ -42086,7 +42547,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..dfa6623 100644 +index 9f6179e..2b85b52 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -42244,7 +42705,18 @@ index 9f6179e..dfa6623 100644 ') optional_policy(` -@@ -153,29 +154,22 @@ optional_policy(` +@@ -144,6 +145,10 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_search_lib(mysqld_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(mysqld_t) + ') + +@@ -153,29 +158,22 @@ optional_policy(` ####################################### # @@ -42279,7 +42751,7 @@ index 9f6179e..dfa6623 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) 
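Review bot: The new `mplayer_filetrans_home_content` interface in hunk `@@ -39089,6 +39512,44 @@` documents a second parameter ("Class of the object being created.") and a third ("The name of the object being created."), but its body hardcodes `userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")` and never references `$2` or `$3`, so callers that pass extra arguments have them silently ignored. Either trim the doc comment so it only documents the domain parameter, or honour the parameters with `userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)` — which is exactly what the existing `mplayer_home_filetrans_mplayer_home` directly above already does, in which case the new interface is a duplicate.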
@@ -42295,10 +42767,10 @@ index 9f6179e..dfa6623 100644 -miscfiles_read_localization(mysqld_safe_t) +auth_read_passwd(mysqld_safe_t) ++ ++domain_dontaudit_signull_all_domains(mysqld_safe_t) -userdom_search_user_home_dirs(mysqld_safe_t) -+domain_dontaudit_signull_all_domains(mysqld_safe_t) -+ +mysql_manage_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) @@ -42307,7 +42779,7 @@ index 9f6179e..dfa6623 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +203,7 @@ optional_policy(` +@@ -205,7 +207,7 @@ optional_policy(` ######################################## # @@ -42316,7 +42788,7 @@ index 9f6179e..dfa6623 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -42334,7 +42806,7 @@ index 9f6179e..dfa6623 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -42365,9 +42837,9 @@ index 9f6179e..dfa6623 100644 -files_read_usr_files(mysqlmanagerd_t) -files_search_pids(mysqlmanagerd_t) -files_search_var_lib(mysqlmanagerd_t) - +- -miscfiles_read_localization(mysqlmanagerd_t) - +- -userdom_search_user_home_dirs(mysqlmanagerd_t) +userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/mythtv.fc b/mythtv.fc 
@@ -43390,10 +43862,10 @@ index 56c0fbd..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index a1fb3c3..8fe1d63 100644 +index a1fb3c3..82f8ae6 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,43 +1,43 @@ +@@ -1,43 +1,44 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -43458,6 +43930,7 @@ index a1fb3c3..8fe1d63 100644 +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if @@ -44857,12 +45330,31 @@ index 0000000..02dc6dc +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..7d11148 +index 0000000..cf8f660 --- /dev/null +++ b/nova.if -@@ -0,0 +1,36 @@ +@@ -0,0 +1,55 @@ +## openstack-nova + ++###################################### ++## ++## Manage nova lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nova_manage_lib_files',` ++ gen_require(` ++ type nova_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t) ++') ++ +####################################### +## +## Creates types and rules for a basic @@ -48815,10 +49307,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) 
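Review bot: The new networkmanager.fc entry `/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)` in hunk `@@ -43458,6 +43930,7 @@` leaves the dot before `conf` unescaped, unlike `nm-dns-dnsmasq\.conf` in the same file and unlike the `gssproxy\.pid` fix this commit makes in gssproxy.fc; as a regex it matches any single character in that position. Use `/var/run/nm-xl2tpd\.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)` so the pattern matches only the intended names.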
diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..6c841fa +index 0000000..bddd4b3 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,676 @@ +@@ -0,0 +1,677 @@ + +## policy for openshift + @@ -49307,6 +49799,7 @@ index 0000000..6c841fa + domain_user_exemption_target($1_app_t) + domain_obj_id_change_exemption($1_app_t) + domain_dyntrans_type($1_app_t) ++ auth_use_nsswitch($1_app_t) + + kernel_read_system_state($1_app_t) + @@ -49497,10 +49990,10 @@ index 0000000..6c841fa +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..461f551 +index 0000000..877c71a --- /dev/null +++ b/openshift.te -@@ -0,0 +1,541 @@ +@@ -0,0 +1,546 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -49594,6 +50087,7 @@ index 0000000..461f551 +# +# openshift initrc local policy +# ++ +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + @@ -49623,6 +50117,9 @@ index 0000000..461f551 +dontaudit openshift_domain openshift_initrc_t:process signull; +dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write }; + ++init_domtrans_script(openshift_initrc_t) ++init_initrc_domain(openshift_initrc_t) ++ +####################################################### +# +# Policy for all openshift domains @@ -49966,6 +50463,7 @@ index 0000000..461f551 + +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; +manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t) ++allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms; + +######################################## +# @@ -51119,7 +51617,7 @@ index bf59ef7..c050b37 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') diff --git a/passenger.te b/passenger.te -index 4e114ff..c016f25 100644 +index 4e114ff..6691677 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ 
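Review bot: `allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;` in hunk `@@ -49966,6 +50463,7 @@` gives a domain whose name says "read" write access to inherited descriptors of every file carrying the `openshift_file_type` attribute, and the `manage_files_pattern` line directly above already makes that domain a full writer of `openshift_var_lib_t`. If only one descriptor type is handed to it by the caller, naming that specific type instead of the whole attribute keeps the read-only intent of the name honest; otherwise the domain and its doc comment should be renamed to say that it writes. Which types carry `openshift_file_type` is declared outside this hunk.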
@@ -51138,7 +51636,7 @@ index 4e114ff..c016f25 100644 type passenger_var_lib_t; files_type(passenger_var_lib_t) -@@ -22,22 +25,23 @@ files_pid_file(passenger_var_run_t) +@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t) ######################################## # @@ -51147,9 +51645,11 @@ index 4e114ff..c016f25 100644 # allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; - allow passenger_t self:process { setpgid setsched sigkill signal }; +-allow passenger_t self:process { setpgid setsched sigkill signal }; ++allow passenger_t self:process { setpgid setsched sigkill signal signull }; allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { accept connectto listen }; ++allow passenger_t self:tcp_socket listen; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +can_exec(passenger_t, passenger_exec_t) @@ -51168,7 +51668,7 @@ index 4e114ff..c016f25 100644 manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -@@ -45,19 +49,19 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,19 +50,20 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) 
@@ -51190,29 +51690,29 @@ index 4e114ff..c016f25 100644 -corenet_sendrecv_http_client_packets(passenger_t) corenet_tcp_connect_http_port(passenger_t) -corenet_tcp_sendrecv_http_port(passenger_t) ++corenet_tcp_connect_postgresql_port(passenger_t) corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -66,14 +70,11 @@ dev_read_urand(passenger_t) +@@ -66,8 +72,6 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) -files_read_etc_files(passenger_t) - +- auth_use_nsswitch(passenger_t) logging_send_syslog_msg(passenger_t) - --miscfiles_read_localization(passenger_t) -- - userdom_dontaudit_use_user_terminals(passenger_t) - - optional_policy(` -@@ -90,14 +91,16 @@ optional_policy(` +@@ -90,14 +94,21 @@ optional_policy(` ') optional_policy(` - puppet_manage_lib_files(passenger_t) ++ mysql_stream_connect(passenger_t) ++ mysql_list_db(passenger_t) ++') ++ ++optional_policy(` + puppet_domtrans_master(passenger_t) + puppet_manage_lib(passenger_t) puppet_read_config(passenger_t) @@ -55950,7 +56450,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..aa3e5f0 100644 +index 191a66f..93a04c2 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -56779,7 +57279,8 @@ index 191a66f..aa3e5f0 100644 -allow postfix_virtual_t self:process setrlimit; +allow postfix_virtual_t self:process { setsched setrlimit }; - allow postfix_virtual_t postfix_spool_t:file rw_file_perms; +-allow postfix_virtual_t postfix_spool_t:file rw_file_perms; ++manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t) +# connect to master process stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) @@ -62860,10 +63361,10 @@ index 70ab68b..e97da31 100644 /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) 
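Review bot: Replacing `allow postfix_virtual_t postfix_spool_t:file rw_file_perms;` with `manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)` widens the virtual delivery agent from read/write to create, unlink, rename and setattr on spool files, and nothing in the hunk records why the narrower rule was insufficient. A one-line comment above the new line naming the denied operation (a constructed example: `# virtual(8) creates and removes spool files during delivery`) would let the next reader judge the widening. The enclosing postfix_virtual_t block continues outside this hunk.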
diff --git a/quantum.if b/quantum.if -index afc0068..b25d41e 100644 +index afc0068..5fb7731 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,252 @@ +@@ -2,41 +2,292 @@ ######################################## ## @@ -62888,7 +63389,25 @@ index afc0068..b25d41e 100644 + +######################################## +## -+## Read quantum's log files. ++## Allow read/write quantum pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`quantum_rw_inherited_pipes',` ++ gen_require(` ++ type quantum_t; ++ ') ++ ++ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send sigchld to quantum. ## ## ## @@ -62896,8 +63415,28 @@ index afc0068..b25d41e 100644 ## ## -## -+## +# ++# ++interface(`quantum_sigchld',` ++ gen_require(` ++ type quantum_t; ++ ') ++ ++ allow $1 quantum_t:process sigchld; ++') ++ ++######################################## ++## ++## Read quantum's log files. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## + ## + # +interface(`quantum_read_log',` + gen_require(` + type quantum_log_t; @@ -62912,8 +63451,7 @@ index afc0068..b25d41e 100644 +## Append to quantum log files. +## +## - ## --## Role allowed access. ++## +## Domain allowed access. +## +## @@ -63042,9 +63580,10 @@ index afc0068..b25d41e 100644 + allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; +') + -+######################################## ++##################################### +## -+## Allow domain to send sigchld to quantum process. ++## Connect to quantum over a unix domain ++## stream socket. +## +## +## 
@@ -63052,13 +63591,15 @@ index afc0068..b25d41e 100644 +## +## +# -+interface(`quantum_sigchld',` ++interface(`quantum_stream_connect',` + gen_require(` -+ type quantum_t; ++ type quantum_var_lib_t; + ') + -+ allow $1 quantum_t:process sigchld; ++ files_search_pids($1) ++ stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t ) +') ++ +######################################## +## +## Execute quantum server in the quantum domain. @@ -63092,10 +63633,9 @@ index afc0068..b25d41e 100644 +## +## +## Domain allowed access. - ## - ## --## - # ++## ++## ++# interface(`quantum_admin',` gen_require(` - type quantum_t, quantum_initrc_exec_t, quantum_log_t; @@ -63605,7 +64145,7 @@ index c5ad6de..c67dbef 100644 /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..a68f9f1 100644 +index 3698b51..42caa6c 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t) @@ -63617,7 +64157,7 @@ index 3698b51..a68f9f1 100644 corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) corenet_all_recvfrom_netlabel(rabbitmq_beam_t) corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -@@ -68,11 +70,13 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +70,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -63629,12 +64169,20 @@ index 3698b51..a68f9f1 100644 +auth_read_passwd(rabbitmq_beam_t) -miscfiles_read_localization(rabbitmq_beam_t) ++fs_getattr_xattr_fs(rabbitmq_beam_t) ++ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) sysnet_dns_name_resolve(rabbitmq_beam_t) -@@ -81,7 +85,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t) ++optional_policy(` ++ couchdb_read_conf_files(rabbitmq_beam_t) ++ couchdb_read_lib_files(rabbitmq_beam_t) ++') ++ + ######################################## + # # Epmd local policy # 
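Review bot: The new `quantum_stream_connect` interface passes `quantum_t` to `stream_connect_pattern` but its `gen_require` declares only `quantum_var_lib_t`; every type an interface references should be required, so the block should read `type quantum_t, quantum_var_lib_t;` as the `thin_stream_connect` interface added elsewhere in this patch does. The search permission also looks mismatched: `files_search_pids($1)` covers /var/run, while the socket type is `quantum_var_lib_t`; if the socket lives under /var/lib the caller needs `files_search_var_lib($1)` instead, and if it really lives under /var/run a var_run type would be the right target. The stray space in `quantum_t )` should go too.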
@@ -63642,7 +64190,7 @@ index 3698b51..a68f9f1 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +102,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +109,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -63998,7 +64546,7 @@ index 951db7f..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..259b790 100644 +index 2c1730b..e67ea1b 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; @@ -64044,10 +64592,11 @@ index 2c1730b..259b790 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -51,17 +59,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t) +@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) dev_read_realtime_clock(mdadm_t) dev_read_raw_memory(mdadm_t) ++dev_read_nvram(mdadm_t) +dev_read_generic_files(mdadm_t) +domain_read_all_domains_state(mdadm_t) @@ -64066,7 +64615,7 @@ index 2c1730b..259b790 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -68915,7 +69464,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..ede6c81 100644 +index e5212e6..74f3e1b 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ 
@@ -69104,24 +69653,24 @@ index e5212e6..ede6c81 100644 optional_policy(` - nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) -+') -+ -+optional_policy(` -+ quota_manage_db(rpcd_t) ') optional_policy(` - quota_manage_db_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) ++ quota_manage_db(rpcd_t) ') optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -+ quota_read_db(rpcd_t) ++ nis_read_ypserv_config(rpcd_t) ') optional_policy(` - unconfined_signal(rpcd_t) ++ quota_read_db(rpcd_t) ++') ++ ++optional_policy(` + rhcs_manage_cluster_tmp_files(rpcd_t) ') @@ -69253,13 +69802,17 @@ index e5212e6..ede6c81 100644 ') optional_policy(` -@@ -306,8 +270,7 @@ optional_policy(` +@@ -306,8 +270,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) - kerberos_manage_host_rcache(gssd_t) - kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") ++') ++ ++optional_policy(` ++ gssproxy_stream_connect(gssd_t) ') optional_policy(` @@ -70120,7 +70673,7 @@ index 0628d50..84f2fd7 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..f79d5f4 100644 +index 5cbe81c..ff2b58e 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -70376,7 +70929,7 @@ index 5cbe81c..f79d5f4 100644 ') ######################################## -@@ -239,19 +252,20 @@ optional_policy(` +@@ -239,18 +252,20 @@ optional_policy(` # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; 
@@ -70394,13 +70947,13 @@ index 5cbe81c..f79d5f4 100644 allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; - --allow rpm_script_t rpm_t:netlink_route_socket { read write }; - +-allow rpm_script_t rpm_t:netlink_route_socket { read write }; ++allow rpm_script_t self:netlink_audit_socket create_socket_perms; + allow rpm_script_t rpm_tmp_t:file read_file_perms; - allow rpm_script_t rpm_script_tmp_t:dir mounton; -@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -70411,7 +70964,7 @@ index 5cbe81c..f79d5f4 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -70461,7 +71014,7 @@ index 5cbe81c..f79d5f4 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -70519,7 +71072,7 @@ index 5cbe81c..f79d5f4 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,40 +378,54 @@ ifdef(`distro_redhat',` +@@ -363,40 +379,54 @@ ifdef(`distro_redhat',` ') ') 
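Review bot: `allow rpm_script_t self:netlink_audit_socket create_socket_perms;` grants socket creation only; if the intent is to let scriptlets (or the account-management tools they call) emit audit records, refpolicy's `logging_send_audit_msgs(rpm_script_t)` is the conventional interface, since it also carries the `nlmsg_relay` permission and the `audit_write` capability that sending needs. If only creation is required, a comment naming the scriptlet that triggers it would save the next reader the same question. The rpm_script_t block starts outside this hunk.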
@@ -70584,7 +71137,7 @@ index 5cbe81c..f79d5f4 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -409,6 +438,6 @@ optional_policy(` +@@ -409,6 +439,6 @@ optional_policy(` ') optional_policy(` @@ -73712,10 +74265,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..1b21b7b +index 0000000..5da5bff --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,391 @@ +@@ -0,0 +1,392 @@ + +## policy for sandboxX + @@ -73754,6 +74307,7 @@ index 0000000..1b21b7b + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; ++ dontaudit sandbox_xserver_t $1:file read; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file { read write }; @@ -78136,7 +78690,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..24fe118 100644 +index 81864ce..4b6b771 100644 --- a/snmp.te +++ b/snmp.te @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) @@ -78206,11 +78760,15 @@ index 81864ce..24fe118 100644 seutil_dontaudit_search_config(snmpd_t) -@@ -131,7 +133,7 @@ optional_policy(` +@@ -131,7 +133,11 @@ optional_policy(` ') optional_policy(` - corosync_stream_connect(snmpd_t) ++ fstools_domtrans(snmpd_t) ++') ++ ++optional_policy(` + rhcs_stream_connect_cluster(snmpd_t) ') 
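Review bot: `fstools_domtrans(snmpd_t)` lets a network-facing daemon transition into the fstools domain, which refpolicy normally grants broad access to disks and device nodes, and the hunk gives no hint which tool snmpd needs to run. A short comment above the new `optional_policy` block naming the command or the denial it resolves would document the reason, and if it serves an optional monitoring feature a `tunable_policy` guard would keep the default footprint smaller. The surrounding snmpd_t rules start outside this hunk.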
@@ -83030,6 +83588,18 @@ index 38389e6..4847b43 100644 +/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) +diff --git a/tgtd.if b/tgtd.if +index 5406b6e..dc5b46e 100644 +--- a/tgtd.if ++++ b/tgtd.if +@@ -97,6 +97,6 @@ interface(`tgtd_admin',` + files_search_tmp($1) + admin_pattern($1, tgtd_tmp_t) + +- files_search_tmpfs($1) ++ fs_search_tmpfs($1) + admin_pattern($1, tgtd_tmpfs_t) + ') diff --git a/tgtd.te b/tgtd.te index c93c973..08aef1e 100644 --- a/tgtd.te @@ -83088,10 +83658,10 @@ index 0000000..7f4bce8 +/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) diff --git a/thin.if b/thin.if new file mode 100644 -index 0000000..d000122 +index 0000000..b9f811d --- /dev/null +++ b/thin.if -@@ -0,0 +1,44 @@ +@@ -0,0 +1,66 @@ +## thin policy + +####################################### @@ -83136,12 +83706,34 @@ index 0000000..d000122 + + can_exec($1, thin_exec_t) +') ++ ++##################################### ++## ++## Connect to thin over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`thin_stream_connect',` ++ gen_require(` ++ type thin_t, thin_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t) ++') ++ ++ diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..555b49e +index 0000000..dda7934 --- /dev/null +++ b/thin.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,113 @@ +policy_module(thin, 1.0) + +######################################## @@ -83205,6 +83797,10 @@ index 0000000..555b49e +kernel_read_kernel_sysctls(thin_domain) + +optional_policy(` ++ apache_read_sys_content(thin_domain) ++') ++ ++optional_policy(` + sysnet_read_config(thin_domain) +') + 
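Review bot: The new `thin_stream_connect` interface is followed by two empty lines at the end of thin.if, and its banner `#####################################` appears shorter than the `########################################` separators used by the other interfaces in the file. Trimming the trailing blank lines and matching the banner width keeps the file consistent with the rest of the module; the same short banner is used by the new `quantum_stream_connect` interface in quantum.if.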
@@ -83224,6 +83820,7 @@ index 0000000..555b49e +logging_log_filetrans(thin_t, thin_log_t, { file dir }) + +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) +files_pid_filetrans(thin_t, thin_var_run_t, { file }) + +corenet_tcp_bind_ntop_port(thin_t) @@ -84452,7 +85049,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..8beef17 100644 +index 7116181..971952e 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -84470,7 +85067,7 @@ index 7116181..8beef17 100644 # -allow tuned_t self:capability { sys_admin sys_nice }; -+allow tuned_t self:capability { sys_admin sys_nice sys_rawio }; ++allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; +allow tuned_t self:process { setsched signal }; @@ -85989,7 +86586,7 @@ index 31c752e..ef52235 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 77be35a..4abe2aa 100644 +index 77be35a..0e9a7d1 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) 
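Review bot: `manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)` is added, but the `files_pid_filetrans(thin_t, thin_var_run_t, { file })` on the next line still transitions only plain files, so a socket thin creates directly under /var/run would receive the generic pid type rather than `thin_var_run_t`, and the `thin_stream_connect` interface added in thin.if would not match it. If the socket is created at the top level of /var/run, widen the transition to `files_pid_filetrans(thin_t, thin_var_run_t, { file sock_file })`; if it is created inside a directory already labelled `thin_var_run_t`, a comment saying so would explain why no transition is needed. The thin_t block continues outside this hunk.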
@@ -86000,21 +86597,27 @@ index 77be35a..4abe2aa 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t) +@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) + setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) + logging_log_filetrans(vdagent_t, vdagent_log_t, file) + ++kernel_request_load_module(vdagent_t) ++ + dev_rw_input_dev(vdagent_t) dev_read_sysfs(vdagent_t) dev_dontaudit_write_mtrr(vdagent_t) -files_read_etc_files(vdagent_t) - +- init_read_state(vdagent_t) -logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) ++ ++term_use_virtio_console(vdagent_t) -miscfiles_read_localization(vdagent_t) -+term_use_virtio_console(vdagent_t) -+ +logging_send_syslog_msg(vdagent_t) userdom_read_all_users_state(vdagent_t) @@ -87873,7 +88476,7 @@ index 9dec06c..7877729 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..a8390d3 100644 +index 1f22fba..253d98d 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -88079,7 +88682,7 @@ index 1f22fba..a8390d3 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +165,130 @@ type virt_qmf_exec_t; +@@ -155,290 +165,134 @@ type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) type virt_bridgehelper_t; 
@@ -88264,60 +88867,78 @@ index 1f22fba..a8390d3 100644 - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -- ++type virtd_lxc_t; ++type virtd_lxc_exec_t; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -- ++type virt_lxc_var_run_t; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') -- ++# virt lxc container files ++type svirt_lxc_file_t; ++files_mountpoint(svirt_lxc_file_t) + -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -- ++######################################## ++# ++# svirt local policy ++# + -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -optional_policy(` - dbus_read_lib_files(virt_domain) -') -- ++corenet_udp_sendrecv_generic_if(svirt_t) ++corenet_udp_sendrecv_generic_node(svirt_t) ++corenet_udp_sendrecv_all_ports(svirt_t) ++corenet_udp_bind_generic_node(svirt_t) ++corenet_udp_bind_all_ports(svirt_t) ++corenet_tcp_bind_all_ports(svirt_t) ++corenet_tcp_connect_all_ports(svirt_t) + -optional_policy(` - nscd_use(virt_domain) -') -+type virtd_lxc_t; -+type virtd_lxc_exec_t; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) ++miscfiles_read_generic_certs(svirt_t) --optional_policy(` + optional_policy(` - samba_domtrans_smbd(virt_domain) --') -+type virt_lxc_var_run_t; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; ++ nscd_dontaudit_write_sock_file(svirt_t) + ') 
--optional_policy(` + optional_policy(` - xen_rw_image_files(virt_domain) --') -+# virt lxc container files -+type svirt_lxc_file_t; -+files_mountpoint(svirt_lxc_file_t) ++ sssd_dontaudit_stream_connect(svirt_t) + ') - ######################################## +-######################################## ++####################################### # - # svirt local policy +-# svirt local policy ++# svirt_prot_exec local policy # -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) @@ -88334,13 +88955,11 @@ index 1f22fba..a8390d3 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - - corenet_udp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) - corenet_udp_bind_generic_node(svirt_t) +- +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) - -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) 
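Review bot: The section header introduced here reads `# svirt_prot_exec local policy`, but the rules placed under it in the following hunk are all for `svirt_tcg_t` (`allow svirt_tcg_t self:process { execmem execstack };` and its corenet rules), so the comment names a domain that does not appear in the file as shown. Rename it to `# svirt_tcg local policy`, or, if svirt_prot_exec is an older name for the same domain, say so in the comment. The new banner also looks one character shorter than the other `########################################` separators in virt.te.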
@@ -88354,26 +88973,13 @@ index 1f22fba..a8390d3 100644 -corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) - corenet_udp_bind_all_ports(svirt_t) - corenet_tcp_bind_all_ports(svirt_t) -- --corenet_sendrecv_all_client_packets(svirt_t) - corenet_tcp_connect_all_ports(svirt_t) - -+miscfiles_read_generic_certs(svirt_t) -+ -+optional_policy(` -+ nscd_use(svirt_t) -+') -+ -+####################################### -+# -+# svirt_prot_exec local policy -+# -+ +-corenet_udp_bind_all_ports(svirt_t) +-corenet_tcp_bind_all_ports(svirt_t) +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; -+ + +-corenet_sendrecv_all_client_packets(svirt_t) +-corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) @@ -88381,7 +88987,7 @@ index 1f22fba..a8390d3 100644 +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) -+ + ######################################## # # virtd local policy @@ -88447,7 +89053,7 @@ index 1f22fba..a8390d3 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +298,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +302,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -88493,28 +89099,28 @@ index 1f22fba..a8390d3 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +332,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +336,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +344,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +348,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -88522,7 +89128,7 @@ index 1f22fba..a8390d3 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +356,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -88550,7 +89156,7 @@ index 1f22fba..a8390d3 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +376,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -88579,7 +89185,7 @@ index 1f22fba..a8390d3 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +423,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -88599,7 +89205,7 @@ index 1f22fba..a8390d3 100644 selinux_validate_context(virtd_t) -@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +445,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -88634,7 +89240,7 @@ index 1f22fba..a8390d3 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +471,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -88643,7 +89249,7 @@ index 1f22fba..a8390d3 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +492,321 @@ optional_policy(` +@@ -658,95 +496,321 @@ optional_policy(` ') optional_policy(` 
@@ -89013,7 +89619,7 @@ index 1f22fba..a8390d3 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +822,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -89043,7 +89649,7 @@ index 1f22fba..a8390d3 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +841,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -89070,7 +89676,7 @@ index 1f22fba..a8390d3 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +861,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -89102,7 +89708,7 @@ index 1f22fba..a8390d3 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +890,20 @@ optional_policy(` +@@ -847,14 +894,20 @@ optional_policy(` ') optional_policy(` @@ -89124,7 +89730,7 @@ index 1f22fba..a8390d3 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +928,44 @@ optional_policy(` +@@ -879,34 +932,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -89178,7 +89784,7 @@ index 1f22fba..a8390d3 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +979,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -89196,7 +89802,7 @@ index 1f22fba..a8390d3 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1001,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -89207,7 +89813,7 @@ index 1f22fba..a8390d3 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1010,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -89215,7 +89821,7 @@ index 1f22fba..a8390d3 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1022,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -89234,7 +89840,7 @@ index 1f22fba..a8390d3 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1036,36 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) 
@@ -89279,7 +89885,7 @@ index 1f22fba..a8390d3 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1073,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -89306,7 +89912,7 @@ index 1f22fba..a8390d3 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1091,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -89325,7 +89931,7 @@ index 1f22fba..a8390d3 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1110,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
@@ -89352,7 +89958,7 @@ index 1f22fba..a8390d3 100644
 auth_dontaudit_read_login_records(svirt_lxc_domain)
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1135,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
 libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -89491,7 +90097,7 @@ index 1f22fba..a8390d3 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1233,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@@ -89506,7 +90112,7 @@ index 1f22fba..a8390d3 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1183,9 +1247,8 @@ optional_policy(`
+@@ -1183,9 +1251,8 @@ optional_policy(`
 ########################################
 #
@@ -89517,7 +90123,7 @@ index 1f22fba..a8390d3 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1265,114 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -90490,18 +91096,21 @@ index fd2b6cc..4b83bb0 100644
 ########################################
 diff --git a/wine.te b/wine.te
-index b51923c..bdbac3a 100644
+index b51923c..2641d0b 100644
 --- a/wine.te
+++ b/wine.te
-@@ -39,6 +39,7 @@ allow wine_t self:fifo_file manage_fifo_file_perms;
+@@ -38,7 +38,10 @@ allow wine_t self:fifo_file manage_fifo_file_perms;
+ can_exec(wine_t, wine_exec_t)
++manage_files_pattern(wine_t, wine_home_t, wine_home_t)
++manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
 userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
 +userdom_tmpfs_filetrans(wine_t, file)
 manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-@@ -48,7 +49,7 @@ domain_mmap_low(wine_t)
+@@ -48,7 +51,7 @@ domain_mmap_low(wine_t)
 files_execmod_all_files(wine_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f2e847d..31de190 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 48%{?dist}
+Release: 53%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,89 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Tue Jun 18 2013 Miroslav Grepl 3.12.1-53
+- Make vdagent able to request loading kernel module
+- Add support for cloud-init make it as unconfined domain
+- Allow snmpd to run smartctl in fsadm_t domain
+- remove duplicate openshift_search_lib() interface
+- Allow mysqld to search openshift lib files
+- Allow openshift cgroup to interact with passedin file descriptors
+- Allow colord to list directories inthe users homedir
+- aide executes prelink to check files
+- Make sure cupsd_t creates content in /etc/cups with the correct label
+- Lest dontaudit apache read all domains, so passenger will not cause this avc
+- Allow gssd to connect to gssproxy
+- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
+- Allow systemd-tmpfiles to relabel also lock files
+- Allow useradd to add homdir in /var/lib/openshift
+- Allow setfiles and semanage to write output to /run/files
+
+* Fri Jun 14 2013 Miroslav Grepl 3.12.1-52
+- Add labeling for /dev/tgt
+- Dontaudit leak fd from firewalld for modprobe
+- Allow runuser running as rpm_script_t to create netlink_audit socket
+- Allow mdadm to read BIOS non-volatile RAM
+
+* Thu Jun 13 2013 Miroslav Grepl 3.12.1-51
+- accountservice watches when accounts come and go in wtmp
+- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket
+- Add httpd_use_sasl boolean
+- Allow net_admin for tuned_t
+- iscsid needs sys_module to auto-load kernel modules
+- Allow blueman to read bluetooth conf
+- Add nova_manage_lib_files() interface
+- Fix mplayer_filetrans_home_content()
+- Add mplayer_filetrans_home_content()
+- mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t
+- Revert "Allow thumb_t to append inherited xdm stream socket"
+- Add iscsi_filetrans_named_content() interface
+- Allow to create .mplayer with the correct labeling for unconfined
+- Allow iscsiadmin to create lock file with the correct labeling
+
+* Tue Jun 11 2013 Miroslav Grepl 3.12.1-50
+- Allow wine to manage wine home content
+- Make amanda working with socket actiovation
+- Add labeling for /usr/sbin/iscsiadm
+- Add support for /var/run/gssproxy.sock
+- dnsmasq_t needs to read sysctl_net_t
+
+* Fri Jun 7 2013 Miroslav Grepl 3.12.1-49
+- Fix courier_domain_template() interface
+- Allow blueman to write ip_forward
+- Allow mongodb to connect to mongodb port
+- Allow mongodb to connect to mongodb port
+- Allow java to bind jobss_debug port
+- Fixes for *_admin interfaces
+- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality
+- Need to assign attribute for courier_domain to all courier_domains
+- Fail2ban reads /etc/passwd
+- postfix_virtual will create new files in postfix_spool_t
+- abrt triggers sys_ptrace by running pidof
+- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it
+- Add passenger fixes needed by foreman
+- Remove dup interfaces
+- Add additional interfaces for quantum
+- Add new interfaces for dnsmasq
+- Allow passenger to read localization and send signull to itself
+- Allow dnsmasq to stream connect to quantum
+- Add quantum_stream_connect()
+- Make sure that mcollective starts the service with the correct labeling
+- Add labels for ~/.manpath
+- Dontaudit attempts by svirt_t to getpw* calls
+- sandbox domains are trying to look at parent process data
+- Allow courior auth to create its pid file in /var/spool/courier subdir
+- Add fixes for beam to have it working with couchdb
+- Add labeling for /run/nm-xl2tpd.con
+- Allow apache to stream connect to thin
+- Add systemd support for amand
+- Make public types usable for fs mount points
+- Call correct mandb interface in domain.te
+- Allow iptables to r/w quantum inherited pipes and send sigchld
+- Allow ifconfig domtrans to iptables and execute ldconfig
+- Add labels for ~/.manpath
+- Allow systemd to read iscsi lib files
+- seunshare is trying to look at parent process data
+
 * Mon Jun 3 2013 Miroslav Grepl 3.12.1-48
 - Fix openshift_search_lib
 - Add support for abrt-uefioops-oops
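Review bot: The two rules added under the rewritten inner hunk header `+@@ -38,7 +38,10 @@` grant wine_t manage access on wine_home_t for files and directories only; if Wine creates symlinks under ~/.wine (its dosdevices drive mappings are typically symlinks), lnk_file operations will still be denied, so consider pairing them with `manage_lnk_files_pattern(wine_t, wine_home_t, wine_home_t)` once the AVCs confirm it. The new lines also list files before dirs, the reverse of the convention used a few lines later for wine_tmp_t, and they sit between `can_exec` and the home-dir filetrans instead of next to the other `manage_*_pattern` rules; grouping the home-content grants together makes the scope of what wine_t may write in the home directory easier to audit. Since this is a patch to a patch, the surrounding wine.te context outside the inner hunk is not visible here.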