From 3ef5b994f3f8b3e898f5765599cc46522318085d Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Jan 27 2014 18:28:09 +0000 Subject: - Allow gdm to create /var/gdm with correct labeling - Allow domains to append rkhunter lib files. #1057982 - Allow systemd_tmpfiles_t net_admin to communicate with journald - Add interface to getattr on an isid_type for any type of file - Update libs_filetrans_named_content() to have support for /usr/lib/debug directory - Allow initrc_t domtrans to authconfig if unconfined is enabled - Allow docker and mount on devpts chr_file - Allow docker to transition to unconfined_t if boolean set - init calling needs to be optional in domain.te - Allow unconfined domain types to handle transient unit files - Fix labeling for vfio devices - Allow net_admin capability and send system log msgs - Allow lldpad to send dgram to NM - Add networkmanager_dgram_send() - rkhunter_var_lib_t is correct type - Back port pcp policy from rawhide - Allow openlmi-storage to read removable devices - Allow system cron jobs to manage rkhunter lib files - Add rkhunter_manage_lib_files() - Fix ftpd_use_fusefs boolean to also allow managing symlinks - Allow smbcontrol block_suspend cap2 - Allow slpd to read network and system state info - Allow NM domtrans to iscsid_t if iscsiadm is executed - Allow slapd to send a signal to itself - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package - Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container - Allow postfix and cyrus-imapd to work out of box - Allow fcoemon to talk with unpriv user domain using unix_stream_socket - Dontaudit domains that are calling into journald to net_admin - Add rules to allow vmtools to do what it does - snapperd is D-Bus service - Allow OpenLMI PowerManagement to call 'systemctl --force reboot' - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default - Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications - Allow docker to use the network and build images - Allow docker to read selinux files for labeling, and mount on devpts chr_file - Allow domains that transition to svirt_sandbox to send it signals --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index cb0663f..69cca27 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -6004,7 +6004,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..53df7ae 100644 +index b31c054..5d200ef 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6052,7 +6052,7 @@ index b31c054..53df7ae 100644 ') +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/vfio/(vfio)?[0-9]+ -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) 
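Review bot: The new pattern `/dev/vfio/(vfio)?[0-9]+` no longer matches the bare node `/dev/vfio/vfio` that the removed entry labeled, because `[0-9]+` requires at least one trailing digit; that node would then presumably pick up whatever the generic /dev fallback entry assigns rather than vfio_device_t. If the intent is to cover both the digit-less node and the numbered per-group nodes, a single pattern admitting both, `/dev/vfio/(vfio|[0-9]+) -c gen_context(system_u:object_r:vfio_device_t,s0)`, or keeping the original line next to a `/dev/vfio/[0-9]+` entry, would do it. Worth confirming with `matchpathcon /dev/vfio/vfio` once the policy is built.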
@@ -8888,7 +8888,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..61b53bc 100644 +index cf04cb5..c58f23f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -9006,7 +9006,7 @@ index cf04cb5..61b53bc 100644 ') ######################################## -@@ -147,12 +207,21 @@ optional_policy(` +@@ -147,12 +207,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -9017,9 +9017,6 @@ index cf04cb5..61b53bc 100644 +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + -+# Allow manage transient unit files -+allow unconfined_domain_type self:service manage_service_perms; -+ # Act upon any other process. -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; @@ -9029,7 +9026,7 @@ index cf04cb5..61b53bc 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +235,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +232,322 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -9080,6 +9077,14 @@ index cf04cb5..61b53bc 100644 + init_filetrans_named_content(named_filetrans_domain) +') + ++# Allow manage transient unit files ++optional_policy(` ++ init_start_transient_unit(unconfined_domain_type) ++ init_stop_transient_unit(unconfined_domain_type) ++ init_status_transient_unit(unconfined_domain_type) ++ init_reload_transient_unit(unconfined_domain_type) ++') ++ +optional_policy(` + auth_filetrans_named_content(named_filetrans_domain) + auth_filetrans_admin_home_content(named_filetrans_domain) @@ -9130,6 +9135,10 @@ index cf04cb5..61b53bc 100644 +') + +optional_policy(` ++ docker_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + dnsmasq_filetrans_named_content(named_filetrans_domain) +') + @@ -9591,7 +9600,7 @@ index c2c6e05..2282452 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..f0233d1 100644 +index 64ff4d7..49a7b11 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10727,7 +10736,33 @@ index 64ff4d7..f0233d1 100644 ######################################## ## -@@ -3455,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3246,6 +3875,25 @@ interface(`files_mounton_isid_type_dirs',` + + ######################################## + ## ++## Mount a filesystem on a new chr_file ++## that has not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_isid_type_chr_file',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:chr_file mounton; ++') ++ ++######################################## ++## + ## Read files on new filesystems + ## that have not yet been labeled. + ## +@@ -3455,6 +4103,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## 
@@ -10753,7 +10788,7 @@ index 64ff4d7..f0233d1 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4444,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4463,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10797,7 +10832,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -4199,6 +4865,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4884,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -10970,7 +11005,7 @@ index 64ff4d7..f0233d1 100644 ######################################## ## ## Allow the specified type to associate -@@ -4221,6 +5053,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +5072,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -10997,7 +11032,7 @@ index 64ff4d7..f0233d1 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -11036,7 +11071,7 @@ index 64ff4d7..f0233d1 100644 ## ## # -@@ -4271,6 +5143,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +5162,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -11044,7 +11079,7 @@ index 64ff4d7..f0233d1 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +5180,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5199,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -11052,7 +11087,7 @@ index 64ff4d7..f0233d1 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +5190,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5209,7 @@ interface(`files_list_tmp',` ## ## ## @@ -11061,7 +11096,7 @@ index 64ff4d7..f0233d1 100644 ## ## # -@@ -4328,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') 
@@ -11087,7 +11122,7 @@ index 64ff4d7..f0233d1 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -11095,10 +11130,11 @@ index 64ff4d7..f0233d1 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,7 +5297,33 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. +## +## @@ -11125,14 +11161,14 @@ index 64ff4d7..f0233d1 100644 + +######################################## +## - ## Manage temporary files and directories in /tmp. ++## Manage temporary files and directories in /tmp. ## ## -@@ -4438,7 +5358,43 @@ interface(`files_rw_generic_tmp_sockets',` + ## +@@ -4438,6 +5377,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. +## +## @@ -11169,11 +11205,10 @@ index 64ff4d7..f0233d1 100644 + +######################################## +## -+## Set the attributes of all tmp directories. + ## Set the attributes of all tmp directories. ## ## - ## -@@ -4456,6 +5412,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4456,6 +5431,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -11234,7 +11269,7 @@ index 64ff4d7..f0233d1 100644 ## List all tmp directories. ## ## -@@ -4501,7 +5511,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4501,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -11243,7 +11278,7 @@ index 64ff4d7..f0233d1 100644 ## ## # -@@ -4561,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## 
@@ -11252,7 +11287,7 @@ index 64ff4d7..f0233d1 100644 ## ## # -@@ -4593,6 +5603,44 @@ interface(`files_read_all_tmp_files',` +@@ -4593,6 +5622,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11297,7 +11332,7 @@ index 64ff4d7..f0233d1 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4646,6 +5694,16 @@ interface(`files_purge_tmp',` +@@ -4646,6 +5713,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11314,7 +11349,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -5223,6 +6281,24 @@ interface(`files_list_var',` +@@ -5223,6 +6300,24 @@ interface(`files_list_var',` ######################################## ## @@ -11339,7 +11374,7 @@ index 64ff4d7..f0233d1 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5507,6 +6583,23 @@ interface(`files_rw_var_lib_dirs',` +@@ -5507,6 +6602,23 @@ interface(`files_rw_var_lib_dirs',` rw_dirs_pattern($1, var_lib_t, var_lib_t) ') @@ -11363,7 +11398,7 @@ index 64ff4d7..f0233d1 100644 ######################################## ## ## Create objects in the /var/lib directory -@@ -5578,6 +6671,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6690,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11389,7 +11424,7 @@ index 64ff4d7..f0233d1 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6735,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6754,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -11398,7 +11433,7 @@ index 64ff4d7..f0233d1 100644 ## ## ## -@@ -5631,12 +6743,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6762,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11414,7 +11449,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -5654,6 +6767,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6786,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11422,7 +11457,7 @@ index 64ff4d7..f0233d1 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6794,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6813,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11450,7 +11485,7 @@ index 64ff4d7..f0233d1 100644 ## ## ## -@@ -5688,13 +6821,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6840,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11467,7 +11502,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -5713,7 +6845,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6864,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11476,7 +11511,7 @@ index 64ff4d7..f0233d1 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6878,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6897,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11484,7 +11519,7 @@ index 64ff4d7..f0233d1 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5761,7 +6892,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +6911,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11493,7 +11528,7 @@ index 64ff4d7..f0233d1 100644 ## ## ## -@@ -5769,13 +6900,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +6919,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -11528,7 +11563,7 @@ index 64ff4d7..f0233d1 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6942,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6961,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11546,7 +11581,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -5816,9 +6966,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6985,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11557,7 +11592,7 @@ index 64ff4d7..f0233d1 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +7008,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +7027,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11567,7 +11602,7 @@ index 64ff4d7..f0233d1 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +7030,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +7049,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11577,7 +11612,7 @@ index 64ff4d7..f0233d1 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +7067,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +7086,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11587,7 +11622,7 @@ index 64ff4d7..f0233d1 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +7106,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +7125,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11596,7 +11631,7 @@ index 64ff4d7..f0233d1 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +7126,48 @@ interface(`files_search_pids',` +@@ -5981,10 +7145,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11645,51 +11680,77 @@ index 64ff4d7..f0233d1 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +7190,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,27 +7209,27 @@ interface(`files_dontaudit_search_pids',` ######################################## ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_list_pids',` +interface(`files_dontaudit_search_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6021,7 +7223,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) +- list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; ') -@@ -6040,7 +7242,7 @@ interface(`files_read_generic_pids',` + ######################################## + ## +-## Read generic process ID files. ++## List the contents of the runtime process ++## ID directories (/var/run). + ## + ## + ## +@@ -6035,12 +7237,31 @@ interface(`files_list_pids',` + ## + ## + # +-interface(`files_read_generic_pids',` ++interface(`files_list_pids',` + gen_require(` type var_t, var_run_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7262,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7281,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11698,7 +11759,7 @@ index 64ff4d7..f0233d1 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7324,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7343,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11706,37 +11767,11 @@ index 64ff4d7..f0233d1 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6151,7 +7352,7 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7371,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## --## Read and write generic process ID files. +## rw generic pid files inherited from another process - ## - ## - ## -@@ -6159,20 +7360,38 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` -+interface(`files_rw_inherited_generic_pid_files',` - gen_require(` -- type var_t, var_run_t; -+ type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) -+ allow $1 var_run_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. -+## Read and write generic process ID files. +## +## +## 
@@ -11744,24 +11779,29 @@ index 64ff4d7..f0233d1 100644 +## +## +# -+interface(`files_rw_generic_pids',` ++interface(`files_rw_inherited_generic_pid_files',` + gen_require(` -+ type var_t, var_run_t; ++ type var_run_t; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ rw_files_pattern($1, var_run_t, var_run_t) ++ allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to get the attributes of -+## daemon runtime data files. + ## Read and write generic process ID files. ## ## - ## -@@ -6231,6 +7450,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6164,7 +7402,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6231,6 +7469,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11878,7 +11918,7 @@ index 64ff4d7..f0233d1 100644 ## Read all process ID files. ## ## -@@ -6243,12 +7572,86 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6243,12 +7591,86 @@ interface(`files_dontaudit_ioctl_all_pids',` interface(`files_read_all_pids',` gen_require(` attribute pidfile; @@ -11967,7 +12007,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -6268,8 +7671,8 @@ interface(`files_delete_all_pids',` +@@ -6268,8 +7690,8 @@ interface(`files_delete_all_pids',` type var_t, var_run_t; ') @@ -11977,7 +12017,7 @@ index 64ff4d7..f0233d1 100644 allow $1 var_run_t:dir rmdir; allow $1 var_run_t:lnk_file delete_lnk_file_perms; delete_files_pattern($1, pidfile, pidfile) -@@ -6293,36 +7696,80 @@ interface(`files_delete_all_pid_dirs',` +@@ -6293,36 +7715,80 @@ interface(`files_delete_all_pid_dirs',` type var_t, var_run_t; ') 
@@ -12069,7 +12109,7 @@ index 64ff4d7..f0233d1 100644 ## ## ## -@@ -6330,12 +7777,33 @@ interface(`files_manage_all_pids',` +@@ -6330,12 +7796,33 @@ interface(`files_manage_all_pids',` ## ## # @@ -12106,7 +12146,7 @@ index 64ff4d7..f0233d1 100644 ') ######################################## -@@ -6562,3 +8030,514 @@ interface(`files_unconfined',` +@@ -6562,3 +8049,514 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -18416,11 +18456,11 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..cf6582f +index 0000000..b1163a6 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,613 @@ -+## Unconfiend user role +@@ -0,0 +1,637 @@ ++## Unconfined user role + +######################################## +## @@ -19033,6 +19073,30 @@ index 0000000..cf6582f + allow $1 self:tun_socket relabelto; +') + ++######################################## ++## ++## Allow domain to transition to unconfined_t user ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_transition',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ domtrans_pattern($1,$2,unconfined_t) ++ allow unconfined_t $2:file entrypoint; ++ allow $1 unconfined_t:process signal_perms; ++') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 index 0000000..539c163 @@ -28344,7 +28408,7 @@ index 24e7804..45d0b37 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..3f4f878 100644 +index dd3be8d..fb85065 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
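Review bot: In the new `unconfined_transition` interface the second parameter is documented as `Domain allowed access.`, a copy of the first, while the code uses `$2` as the entry-point file type in `domtrans_pattern($1,$2,unconfined_t)` and `allow unconfined_t $2:file entrypoint;`; its summary should read `Type of the program to be used as an entry point to this domain.` Because the interface gives the calling domain an unconditional path into unconfined_t, the header summary should also state that callers are expected to wrap it in a tunable, as the commit message's "if boolean set" implies for docker. If the `domtrans_pattern` in use already grants `$3 $2:file entrypoint`, as refpolicy's does, the explicit entrypoint line is redundant — confirm against the project's pattern definitions before dropping it. The call spacing `domtrans_pattern($1,$2,unconfined_t)` also differs from the `pattern($1, x, $2, ...)` style the other pattern calls in this patch use.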
@@ -28869,7 +28933,7 @@ index dd3be8d..3f4f878 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +585,37 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28890,6 +28954,7 @@ index dd3be8d..3f4f878 100644 +files_exec_etc_files(initrc_t) +files_manage_etc_symlinks(initrc_t) +files_manage_system_conf_files(initrc_t) ++files_filetrans_named_content(initrc_t) + +fs_manage_tmpfs_dirs(initrc_t) +fs_manage_tmpfs_symlinks(initrc_t) @@ -28912,7 +28977,7 @@ index dd3be8d..3f4f878 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +623,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28924,7 +28989,7 @@ index dd3be8d..3f4f878 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +634,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +635,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28935,7 +29000,7 @@ index dd3be8d..3f4f878 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +645,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +646,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -28945,7 +29010,7 @@ index dd3be8d..3f4f878 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +654,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +655,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28953,7 +29018,7 @@ index dd3be8d..3f4f878 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +662,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28961,7 +29026,7 @@ index dd3be8d..3f4f878 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +669,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +670,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28979,7 +29044,7 @@ index dd3be8d..3f4f878 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +687,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +688,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28993,7 +29058,7 @@ index dd3be8d..3f4f878 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +702,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +703,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -29007,7 +29072,7 @@ index dd3be8d..3f4f878 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +715,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +716,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29015,7 +29080,7 @@ index dd3be8d..3f4f878 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +727,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +728,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29023,7 +29088,7 @@ index dd3be8d..3f4f878 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +746,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +747,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29047,7 +29112,7 @@ index dd3be8d..3f4f878 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +779,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +780,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29055,7 +29120,7 @@ index dd3be8d..3f4f878 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +813,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +814,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -29066,7 +29131,7 @@ index dd3be8d..3f4f878 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +837,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +838,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -29075,7 +29140,7 @@ index dd3be8d..3f4f878 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +852,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +853,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29083,7 +29148,7 @@ index dd3be8d..3f4f878 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +873,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +874,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29091,7 +29156,7 @@ index dd3be8d..3f4f878 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +883,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +884,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29136,7 +29201,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -558,14 +928,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +929,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29168,7 +29233,7 @@ index dd3be8d..3f4f878 100644 ') ') -@@ -576,6 +963,39 @@ ifdef(`distro_suse',` +@@ -576,6 +964,39 @@ ifdef(`distro_suse',` ') ') @@ -29208,7 +29273,7 @@ index dd3be8d..3f4f878 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1008,8 @@ optional_policy(` +@@ -588,6 +1009,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29217,7 +29282,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -609,6 +1031,7 @@ optional_policy(` +@@ -609,6 +1032,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29225,7 +29290,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -625,6 +1048,17 @@ optional_policy(` +@@ -625,6 +1049,17 @@ optional_policy(` ') optional_policy(` 
@@ -29243,7 +29308,7 @@ index dd3be8d..3f4f878 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1075,13 @@ optional_policy(` +@@ -641,9 +1076,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29257,7 +29322,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -656,15 +1094,11 @@ optional_policy(` +@@ -656,15 +1095,11 @@ optional_policy(` ') optional_policy(` @@ -29275,7 +29340,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -685,6 +1119,15 @@ optional_policy(` +@@ -685,6 +1120,15 @@ optional_policy(` ') optional_policy(` @@ -29291,7 +29356,7 @@ index dd3be8d..3f4f878 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1168,7 @@ optional_policy(` +@@ -725,6 +1169,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29299,7 +29364,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -742,7 +1186,13 @@ optional_policy(` +@@ -742,7 +1187,13 @@ optional_policy(` ') optional_policy(` @@ -29314,7 +29379,7 @@ index dd3be8d..3f4f878 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1215,10 @@ optional_policy(` +@@ -765,6 +1216,10 @@ optional_policy(` ') optional_policy(` @@ -29325,7 +29390,7 @@ index dd3be8d..3f4f878 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1228,20 @@ optional_policy(` +@@ -774,10 +1229,20 @@ optional_policy(` ') optional_policy(` @@ -29346,7 +29411,7 @@ index dd3be8d..3f4f878 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1250,10 @@ optional_policy(` +@@ -786,6 +1251,10 @@ optional_policy(` ') optional_policy(` @@ -29357,7 +29422,7 @@ index dd3be8d..3f4f878 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1275,6 @@ optional_policy(` +@@ -807,8 +1276,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -29366,7 +29431,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -817,6 +1283,10 @@ optional_policy(` +@@ -817,6 +1284,10 @@ optional_policy(` ') optional_policy(` @@ -29377,7 +29442,7 @@ index dd3be8d..3f4f878 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1296,12 @@ optional_policy(` +@@ -826,10 +1297,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29390,7 +29455,7 @@ index dd3be8d..3f4f878 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1328,35 @@ optional_policy(` +@@ -856,12 +1329,35 @@ optional_policy(` ') optional_policy(` @@ -29427,7 +29492,7 @@ index dd3be8d..3f4f878 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1366,18 @@ optional_policy(` +@@ -871,6 +1367,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29446,7 +29511,7 @@ index dd3be8d..3f4f878 100644 ') optional_policy(` -@@ -886,6 +1393,10 @@ optional_policy(` +@@ -886,6 +1394,10 @@ optional_policy(` ') optional_policy(` @@ -29457,7 +29522,7 @@ index dd3be8d..3f4f878 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1407,218 @@ optional_policy(` +@@ -896,3 +1408,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index fe214bb..28e925b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -560,7 +560,7 @@ index 058d908..10edac5 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..b06463f 100644 +index cc43d25..4c4830b 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ 
@@ -726,7 +726,7 @@ index cc43d25..b06463f 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; -+dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; ++dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -16308,7 +16308,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..0cf34ad 100644 +index 28e1b86..3fcc236 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -16996,7 +16996,7 @@ index 28e1b86..0cf34ad 100644 ') optional_policy(` -@@ -588,15 +582,19 @@ optional_policy(` +@@ -588,15 +582,23 @@ optional_policy(` ') optional_policy(` @@ -17015,10 +17015,14 @@ index 28e1b86..0cf34ad 100644 prelink_read_cache(system_cronjob_t) - prelink_relabelfrom_lib(system_cronjob_t) + prelink_relabel_lib(system_cronjob_t) ++') ++ ++optional_policy(` ++ rkhunter_manage_lib_files(system_cronjob_t) ') optional_policy(` -@@ -606,6 +604,7 @@ optional_policy(` +@@ -606,6 +608,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -17026,7 +17030,7 @@ index 28e1b86..0cf34ad 100644 ') optional_policy(` -@@ -613,12 +612,24 @@ optional_policy(` +@@ -613,12 +616,24 @@ optional_policy(` ') optional_policy(` @@ -17053,7 +17057,7 @@ index 28e1b86..0cf34ad 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +637,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
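Review bot: In the new `dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };` the `sys_ptrace` entry is dead, because the `allow abrt_t self:capability { ... sys_nice sys_ptrace };` on the preceding line already grants it and an allowed permission is never audited. Since the line is being rewritten anyway, trim it to `dontaudit abrt_t self:capability { net_admin sys_rawio };`. A short comment such as `# net_admin: abrt calls into journald, see commit` would also record why the new net_admin dontaudit is there, as the justification currently lives only in the commit message.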
@@ -17087,7 +17091,7 @@ index 28e1b86..0cf34ad 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +670,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -22671,10 +22675,10 @@ index ef36d73..fddd51f 100644 sysnet_etc_filetrans_config(dnssec_triggerd_t) diff --git a/docker.fc b/docker.fc new file mode 100644 -index 0000000..b24266e +index 0000000..1c4ac02 --- /dev/null +++ b/docker.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,17 @@ +/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) + +/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) @@ -22688,13 +22692,16 @@ index 0000000..b24266e + +/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) + -+ ++/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..c77a25f +index 0000000..3061ae5 --- /dev/null +++ b/docker.if -@@ -0,0 +1,257 @@ +@@ -0,0 +1,323 @@ + +## The open-source application container engine. + 
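Review bot: The four new docker_share_t entries in docker.fc carry no object-class field, while `/usr/bin/docker -- gen_context(...)` at the top of the same file restricts its match to regular files; for fixed names like hosts, hostname and config.env the tighter form `/var/lib/docker/containers/.*/hosts -- gen_context(system_u:object_r:docker_share_t,s0)` avoids relabeling a directory or symlink that happens to have that name. `/var/lib/docker/.*/config\.env` matches across any number of path components under /var/lib/docker, unlike the two containers/ entries above it; if that breadth is intended, a one-line comment saying so would help, otherwise anchor it to the same containers tree. The file also ends with the `++` blank line left from the previous version, so there are now two blank lines before the new block.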
@@ -22776,6 +22783,25 @@ index 0000000..c77a25f + +######################################## +## ++## Read docker share files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_share_files',` ++ gen_require(` ++ type docker_share_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, docker_share_t, docker_share_t) ++') ++ ++######################################## ++## +## Manage docker lib files. +## +## @@ -22908,6 +22934,53 @@ index 0000000..c77a25f + allow $1 docker_t:sem rw_sem_perms; +') + ++####################################### ++## ++## Read and write the docker pty type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_use_ptys',` ++ gen_require(` ++ type docker_devpts_t; ++ ') ++ ++ allow $1 docker_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++####################################### ++## ++## Allow domain to create docker content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_filetrans_named_content',` ++ ++ gen_require(` ++ type docker_var_lib_t; ++ type docker_share_t; ++ type docker_log_t; ++ type docker_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") ++ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") ++ logging_log_filetrans($1, docker_log_t, dir, "lxc") ++ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") ++') ++ +######################################## +## +## All of the rules required to administrate @@ -22954,20 +23027,28 @@ index 0000000..c77a25f +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..4bfbc19 +index 0000000..99211cd --- /dev/null 
+++ b/docker.te -@@ -0,0 +1,176 @@ +@@ -0,0 +1,223 @@ +policy_module(docker, 1.0.0) + +######################################## +# +# Declarations +# ++## ++##

++## Allow docker to transition to unconfined conateiners ++##

++##
++gen_tunable(docker_transition_unconfined, false) + +type docker_t; +type docker_exec_t; +init_daemon_domain(docker_t, docker_exec_t) ++domain_subj_id_change_exemption(docker_t) ++domain_role_change_exemption(docker_t) + +type docker_var_lib_t; +files_type(docker_var_lib_t) @@ -22987,14 +23068,22 @@ index 0000000..4bfbc19 +type docker_unit_file_t; +systemd_unit_file(docker_unit_file_t) + ++type docker_devpts_t; ++term_pty(docker_devpts_t) ++ ++type docker_share_t; ++files_type(docker_share_t) ++ +######################################## +# +# docker local policy +# -+allow docker_t self:capability { chown fowner fsetid mknod net_admin }; ++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service }; +allow docker_t self:process { getattr signal_perms }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; ++allow docker_t self:tcp_socket create_stream_socket_perms; ++allow docker_t self:udp_socket create_socket_perms; +allow docker_t self:capability2 block_suspend; + +manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) @@ -23011,6 +23100,12 @@ index 0000000..4bfbc19 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) + ++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) ++manage_files_pattern(docker_t, docker_share_t, docker_share_t) ++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) ++can_exec(docker_t, docker_share_t) ++docker_filetrans_named_content(docker_t) ++ +manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) 
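Review bot: The description of the new tunable, `Allow docker to transition to unconfined conateiners`, has a typo ("conateiners") that is shown verbatim by `semanage boolean -l`; use `Allow docker to transition to unconfined containers`. The added `domain_subj_id_change_exemption(docker_t)` and `domain_role_change_exemption(docker_t)` calls exempt docker_t from the user- and role-change constraints but come with no explanation; presumably they support the unconfined transition introduced later in this file, in which case a comment like `# exemptions needed for the docker_transition_unconfined transition` should sit above them so the next reader does not have to guess. The docker.te declaration block continues in the following hunks.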
@@ -23024,6 +23119,9 @@ index 0000000..4bfbc19 +manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) +files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) + ++allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++term_create_pty(docker_t, docker_devpts_t) ++ +kernel_read_system_state(docker_t) +kernel_read_network_state(docker_t) +kernel_read_all_sysctls(docker_t) @@ -23034,7 +23132,16 @@ index 0000000..4bfbc19 +corecmd_exec_shell(docker_t) + +corenet_tcp_bind_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_if(docker_t) ++corenet_tcp_sendrecv_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_port(docker_t) ++corenet_tcp_bind_all_ports(docker_t) +corenet_tcp_connect_http_port(docker_t) ++corenet_udp_sendrecv_generic_if(docker_t) ++corenet_udp_sendrecv_generic_node(docker_t) ++corenet_udp_sendrecv_all_ports(docker_t) ++corenet_udp_bind_generic_node(docker_t) ++corenet_udp_bind_all_ports(docker_t) + +files_read_etc_files(docker_t) + @@ -23053,6 +23160,8 @@ index 0000000..4bfbc19 + +mount_domtrans(docker_t) + ++seutil_read_default_contexts(docker_t) ++ +sysnet_dns_name_resolve(docker_t) +sysnet_exec_ifconfig(docker_t) + @@ -23092,17 +23201,21 @@ index 0000000..4bfbc19 +dev_rw_loop_control(docker_t) +dev_rw_lvm_control(docker_t) + ++files_getattr_isid_type_dirs(docker_t) +files_manage_isid_type_dirs(docker_t) +files_manage_isid_type_files(docker_t) +files_manage_isid_type_symlinks(docker_t) +files_manage_isid_type_chr_files(docker_t) ++files_manage_isid_type_blk_files(docker_t) +files_exec_isid_files(docker_t) +files_mounton_isid(docker_t) +files_mounton_non_security(docker_t) ++files_mounton_isid_type_chr_file(docker_t) + +fs_mount_all_fs(docker_t) +fs_unmount_all_fs(docker_t) +fs_remount_all_fs(docker_t) ++files_mounton_isid(docker_t) +fs_manage_cgroup_dirs(docker_t) +fs_manage_cgroup_files(docker_t) +fs_relabelfrom_xattr_fs(docker_t) 
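Review bot: `files_mounton_isid(docker_t)` is added a second time after `fs_remount_all_fs(docker_t)`, although the identical call already appears as a context line three rules earlier, right after `files_exec_isid_files(docker_t)`; the duplicate is harmless to the compiled policy but should be dropped. The new `files_getattr_isid_type_dirs(docker_t)` and `files_mounton_isid_type_chr_file(docker_t)` depend on interfaces this same commit introduces in the base patch, so the contrib module only builds against a base that carries that change — worth a note in the commit or a comment beside the calls.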
@@ -23124,6 +23237,7 @@ index 0000000..4bfbc19 + virt_exec(docker_t) + virt_stream_connect(docker_t) + virt_stream_connect_sandbox(docker_t) ++ virt_exec_sandbox_files(docker_t) + virt_manage_sandbox_files(docker_t) + virt_relabel_sandbox_filesystem(docker_t) + # for lxc @@ -23131,9 +23245,15 @@ index 0000000..4bfbc19 + virt_mounton_sandbox_file(docker_t) +') + ++tunable_policy(`docker_transition_unconfined',` ++ unconfined_transition(docker_t, docker_share_t) ++ unconfined_transition(docker_t, docker_var_lib_t) ++') ++ +optional_policy(` + unconfined_domain(docker_t) +') ++ diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -25075,10 +25195,10 @@ index 0872e50..95bb886 100644 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) diff --git a/fcoe.te b/fcoe.te -index 79b9273..76b7ed5 100644 +index 79b9273..6bf3534 100644 --- a/fcoe.te +++ b/fcoe.te -@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t) +@@ -20,25 +20,27 @@ files_pid_file(fcoemon_var_run_t) # Local policy # @@ -25103,6 +25223,13 @@ index 79b9273..76b7ed5 100644 logging_send_syslog_msg(fcoemon_t) + miscfiles_read_localization(fcoemon_t) + ++userdom_dgram_send(fcoemon_t) ++ + optional_policy(` + lldpad_dgram_send(fcoemon_t) + ') diff --git a/fetchmail.fc b/fetchmail.fc index 2486e2a..fef9bff 100644 --- a/fetchmail.fc @@ -26273,7 +26400,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..6edd471 100644 +index e50f33c..bbdaf90 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -26377,7 +26504,7 @@ index e50f33c..6edd471 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) +@@ -254,32 +268,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
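Review bot: With `docker_transition_unconfined` on, `unconfined_transition(docker_t, docker_share_t)` and `unconfined_transition(docker_t, docker_var_lib_t)` make every executable of those two types an entrypoint to unconfined_t for docker_t, and docker_t has manage rights on both types plus `can_exec(docker_t, docker_share_t)` earlier in this file, so enabling the boolean removes docker_t's confinement in practice. That is evidently the purpose of the boolean, but it should be stated where a reader will see it: a comment above the block such as `# Default off. When enabled, executables docker writes to docker_var_lib_t/docker_share_t run as unconfined_t` and a matching sentence in the tunable description. The block also calls `unconfined_transition` without an `optional_policy` wrapper while the adjacent `unconfined_domain(docker_t)` is wrapped; confirm the unconfined module is always present at build time, or wrap the `tunable_policy` in `optional_policy(` as well.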
@@ -26403,6 +26530,7 @@ index e50f33c..6edd471 100644 +tunable_policy(`ftpd_use_fusefs',` + fs_manage_fusefs_dirs(ftpd_t) + fs_manage_fusefs_files(ftpd_t) ++ fs_manage_fusefs_symlinks(ftpd_t) +',` + fs_search_fusefs(ftpd_t) +') @@ -26434,7 +26562,7 @@ index e50f33c..6edd471 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,22 +331,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -26462,7 +26590,7 @@ index e50f33c..6edd471 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -360,7 +388,7 @@ optional_policy(` +@@ -360,7 +389,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -26471,7 +26599,7 @@ index e50f33c..6edd471 100644 ') optional_policy(` -@@ -410,21 +438,20 @@ optional_policy(` +@@ -410,21 +439,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -26495,7 +26623,7 @@ index e50f33c..6edd471 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,23 +465,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -26536,7 +26664,7 @@ index e50f33c..6edd471 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +514,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -37150,7 +37278,7 @@ index ee0c7cc..4ac8f2d 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index d7d9b09..562c288 100644 +index d7d9b09..523cf1b 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) 
@@ -37163,6 +37291,15 @@ index d7d9b09..562c288 100644 type slapd_lock_t; files_lock_file(slapd_lock_t) +@@ -46,7 +49,7 @@ files_pid_file(slapd_var_run_t) + + allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; + dontaudit slapd_t self:capability sys_tty_config; +-allow slapd_t self:process setsched; ++allow slapd_t self:process { setsched signal } ; + allow slapd_t self:fifo_file rw_fifo_file_perms; + allow slapd_t self:tcp_socket { accept listen }; + @@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -37592,7 +37729,7 @@ index d18c960..fb5b674 100644 domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -index 648def0..b17392a 100644 +index 648def0..07f58a5 100644 --- a/lldpad.te +++ b/lldpad.te @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) @@ -37604,7 +37741,7 @@ index 648def0..b17392a 100644 allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) +@@ -51,12 +51,14 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) @@ -37617,6 +37754,11 @@ index 648def0..b17392a 100644 optional_policy(` fcoe_dgram_send_fcoemon(lldpad_t) + ') ++ ++optional_policy(` ++ networkmanager_dgram_send(lldpad_t) ++') diff --git a/loadkeys.te b/loadkeys.te index 6cbb977..bd5406a 100644 --- a/loadkeys.te @@ -42172,10 +42314,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..cb1e8b0 100644 +index 6ffaba2..0804d06 100644 --- a/mozilla.fc 
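Review bot: `allow slapd_t self:process { setsched signal } ;` has a stray space before the semicolon; the neighbouring rules put `;` directly after the permission set, so write `allow slapd_t self:process { setsched signal };`. The slapd local-policy block continues outside the hunk.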
+++ b/mozilla.fc -@@ -1,38 +1,67 @@ +@@ -1,38 +1,69 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -42233,7 +42375,7 @@ index 6ffaba2..cb1e8b0 100644 -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) - +- -/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -42244,6 +42386,7 @@ index 6ffaba2..cb1e8b0 100644 -/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) -/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ +ifdef(`distro_redhat',` +/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) @@ -42271,6 +42414,8 @@ index 6ffaba2..cb1e8b0 100644 + +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + ++/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) + +ifdef(`distro_redhat',` 
@@ -48937,7 +49082,7 @@ index a1fb3c3..dfb99d2 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..ee2e3de 100644 +index 0e8508c..647712a 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -49214,7 +49359,7 @@ index 0e8508c..ee2e3de 100644 ##
## ## -@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +310,152 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -49279,9 +49424,7 @@ index 0e8508c..ee2e3de 100644 + gen_require(` + type NetworkManager_var_lib_t; + ') - -- files_search_pids($1) -- admin_pattern($1, NetworkManager_var_run_t) ++ + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + @@ -49325,6 +49468,26 @@ index 0e8508c..ee2e3de 100644 + allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; +') + ++####################################### ++## ++## Send to NetworkManager with a unix dgram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_dgram_send',` ++ gen_require(` ++ type NetworkManager_t, NetworkManager_var_run_t; ++ ') + + files_search_pids($1) +- admin_pattern($1, NetworkManager_var_run_t) ++ dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ++') ++ +######################################## +## +## Transition to networkmanager named content @@ -49369,7 +49532,7 @@ index 0e8508c..ee2e3de 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..5863fc0 100644 +index 0b48a30..a732e30 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ 
@@ -49626,34 +49789,38 @@ index 0b48a30..5863fc0 100644 ') ') -@@ -231,18 +257,23 @@ optional_policy(` +@@ -231,18 +257,27 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) + dnsmasq_systemctl(NetworkManager_t) -+') -+ -+optional_policy(` -+ hal_write_log(NetworkManager_t) ') optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) -+ howl_signal(NetworkManager_t) ++ hal_write_log(NetworkManager_t) ') optional_policy(` - hal_write_log(NetworkManager_t) -+ gnome_dontaudit_search_config(NetworkManager_t) ++ howl_signal(NetworkManager_t) ') optional_policy(` - howl_signal(NetworkManager_t) ++ gnome_dontaudit_search_config(NetworkManager_t) ++') ++ ++optional_policy(` ++ iscsid_domtrans(NetworkManager_t) ++') ++ ++optional_policy(` + iodined_domtrans(NetworkManager_t) ') optional_policy(` -@@ -250,6 +281,10 @@ optional_policy(` +@@ -250,6 +285,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49664,7 +49831,7 @@ index 0b48a30..5863fc0 100644 ') optional_policy(` -@@ -257,11 +292,14 @@ optional_policy(` +@@ -257,11 +296,14 @@ optional_policy(` ') optional_policy(` @@ -49681,7 +49848,7 @@ index 0b48a30..5863fc0 100644 ') optional_policy(` -@@ -274,10 +312,17 @@ optional_policy(` +@@ -274,10 +316,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -49699,7 +49866,7 @@ index 0b48a30..5863fc0 100644 ') optional_policy(` -@@ -289,6 +334,7 @@ optional_policy(` +@@ -289,6 +338,7 @@ optional_policy(` ') optional_policy(` @@ -49707,7 +49874,7 @@ index 0b48a30..5863fc0 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +342,7 @@ optional_policy(` +@@ -296,7 +346,7 @@ optional_policy(` ') optional_policy(` 
@@ -49716,7 +49883,7 @@ index 0b48a30..5863fc0 100644 ') optional_policy(` -@@ -307,6 +353,7 @@ optional_policy(` +@@ -307,6 +357,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -49724,7 +49891,7 @@ index 0b48a30..5863fc0 100644 ') optional_policy(` -@@ -320,13 +367,19 @@ optional_policy(` +@@ -320,13 +371,19 @@ optional_policy(` ') optional_policy(` @@ -49734,21 +49901,21 @@ index 0b48a30..5863fc0 100644 + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) + systemd_hostnamed_read_config(NetworkManager_t) ++') ++ ++optional_policy(` ++ ssh_exec(NetworkManager_t) ') optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) -+ ssh_exec(NetworkManager_t) -+') -+ -+optional_policy(` + udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) ') optional_policy(` -@@ -356,6 +409,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -57757,6 +57924,259 @@ index 3ad10b5..49baca5 100644 seutil_sigchld_newrole(cardmgr_t) ') +diff --git a/pcp.fc b/pcp.fc +new file mode 100644 +index 0000000..59d23a4 +--- /dev/null ++++ b/pcp.fc +@@ -0,0 +1,20 @@ ++/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0) ++ ++/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) ++/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) ++/usr/libexec/pcp/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0) ++/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) ++ ++/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0) ++ ++/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) ++ ++/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0) ++ +diff --git a/pcp.if b/pcp.if +new file mode 100644 +index 0000000..9ca6d26 +--- /dev/null ++++ b/pcp.if +@@ -0,0 +1,80 @@ ++## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation ++ ++###################################### ++## ++## Creates types and rules for a basic ++## pcp daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`pcp_domain_template',` ++ gen_require(` ++ attribute pcp_domain; ++ ') ++ ++ type pcp_$1_t, pcp_domain; ++ type pcp_$1_exec_t; ++ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t) ++ ++ type pcp_$1_initrc_exec_t; ++ init_script_file(pcp_$1_initrc_exec_t) ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pcp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`pcp_admin',` ++ gen_require(` ++ type pcp_pmcd_t; ++ type pcp_pmlogger_t; ++ type pcp_pmproxy_t; ++ type pcp_pmwebd_t; ++ type pcp_pmie_t; ++ type pcp_pmmgr_t; ++ type pcp_var_run_t; ++ ') ++ ++ allow $1 pcp_pmcd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmcd_t) ++ ++ allow $1 pcp_pmlogger_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmlogger_t) ++ ++ allow $1 pcp_pmproxy_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmproxy_t) ++ ++ allow $1 pcp_pmwebd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmwebd_t) ++ ++ allow $1 pcp_pmie_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmie_t) ++ ++ allow $1 pcp_pmmgr_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmmgr_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pcp_pmcd_t:process ptrace; ++ allow $1 pcp_pmlogger_t:process ptrace; ++ allow $1 pcp_pmproxy_t:process ptrace; ++ allow $1 pcp_pmwebd_t:process ptrace; ++ allow $1 pcp_pmie_t:process ptrace; ++ allow $1 pcp_pmmgr_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, pcp_var_run_t) ++') +diff --git a/pcp.te b/pcp.te +new file mode 100644 +index 0000000..51d765d +--- /dev/null ++++ b/pcp.te +@@ -0,0 +1,135 @@ ++policy_module(pcp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute pcp_domain; ++ ++pcp_domain_template(pmcd) ++pcp_domain_template(pmlogger) ++pcp_domain_template(pmproxy) ++pcp_domain_template(pmwebd) ++pcp_domain_template(pmie) ++pcp_domain_template(pmmgr) ++ 
++type pcp_log_t; ++logging_log_file(pcp_log_t) ++ ++type pcp_var_lib_t; ++files_type(pcp_var_lib_t) ++ ++type pcp_var_run_t; ++files_pid_file(pcp_var_run_t) ++ ++type pcp_tmp_t; ++files_tmp_file(pcp_tmp_t) ++ ++type pcp_tmpfs_t; ++files_tmpfs_file(pcp_tmpfs_t) ++ ++######################################## ++# ++# pcp domain local policy ++# ++ ++allow pcp_domain self:capability { setuid setgid dac_override }; ++ ++manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t) ++manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t) ++logging_log_filetrans(pcp_domain, pcp_log_t, { dir }) ++ ++manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir}) ++ ++manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++files_pid_filetrans(pcp_domain, pcp_var_run_t, { file }) ++ ++manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file }) ++ ++manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) ++manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) ++fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file }) ++ ++dev_read_urand(pcp_domain) ++ ++auth_read_passwd(pcp_domain) ++ ++miscfiles_read_generic_certs(pcp_domain) ++ ++sysnet_read_config(pcp_domain) ++ ++######################################## ++# ++# pcp_pmcd local policy ++# ++ ++allow pcp_pmcd_t self:process { setsched signal }; ++allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmcd_t self:tcp_socket create_socket_perms; ++allow pcp_pmcd_t self:tcp_socket listen; ++allow pcp_pmcd_t self:udp_socket create_socket_perms; ++allow pcp_pmcd_t 
self:unix_dgram_socket create_socket_perms;; ++ ++kernel_read_system_state(pcp_pmcd_t) ++kernel_read_network_state(pcp_pmcd_t) ++kernel_read_state(pcp_pmcd_t) ++ ++corecmd_exec_bin(pcp_pmcd_t) ++ ++dev_read_sysfs(pcp_pmcd_t) ++ ++domain_read_all_domains_state(pcp_pmcd_t) ++ ++auth_use_nsswitch(pcp_pmcd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(pcp_pmcd_t) ++ ++ optional_policy(` ++ avahi_dbus_chat(pcp_pmcd_t) ++ ') ++') ++ ++######################################## ++# ++# pcp_pmproxy local policy ++# ++ ++allow pcp_pmproxy_t self:process setsched; ++allow pcp_pmproxy_t self:tcp_socket listen; ++allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmproxy_t self:tcp_socket create_socket_perms; ++allow pcp_pmproxy_t self:udp_socket create_socket_perms; ++ ++auth_use_nsswitch(pcp_pmproxy_t) ++ ++######################################## ++# ++# pcp_pmwebd local policy ++# ++ ++allow pcp_pmwebd_t self:tcp_socket listen; ++allow pcp_pmwebd_t self:tcp_socket create_socket_perms; ++ ++corenet_tcp_bind_generic_node(pcp_pmwebd_t) ++ ++######################################## ++# ++# pcp_pmmgr local policy ++# ++ ++allow pcp_pmmgr_t self:process { setpgid signal signull }; ++ ++kernel_read_system_state(pcp_pmmgr_t) ++ ++corecmd_exec_bin(pcp_pmmgr_t) ++ ++auth_use_nsswitch(pcp_pmmgr_t) diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -57966,7 +58386,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..e4f2a0a 100644 +index 7bcf327..fb427b9 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -57990,7 +58410,7 @@ index 7bcf327..e4f2a0a 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,293 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,297 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
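Review bot: The pcp.fc init-script entry `/etc/rc\.d/init\.d/pmwie -- ... pcp_pmie_initrc_exec_t` misspells the script name — the matching binary entry is `/usr/libexec/pcp/bin/pmie` — so `/etc/rc.d/init.d/pmie` would never receive its initrc label; it should read `/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)`. In pcp.te, `allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;` has a doubled semicolon, which the policy compiler is likely to reject; verify by building the module. `pcp_admin` only covers `admin_pattern($1, pcp_var_run_t)` although pcp.te declares pcp_log_t, pcp_var_lib_t and pcp_tmp_t as well, so an admin role cannot manage the logs or archives — either extend the interface or document the omission. `files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})` also has uneven brace spacing compared with the `{ dir file }` forms around it.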
@@ -58137,7 +58557,8 @@ index 7bcf327..e4f2a0a 100644 +# pegasus openlmi system (networking) local policy +# + -+allow pegasus_openlmi_system_t self:capability { net_admin }; ++allow pegasus_openlmi_system_t self:capability { net_admin sys_boot }; ++allow pegasus_openlmi_system_t self:process signal_perms; + +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms; + @@ -58146,6 +58567,8 @@ index 7bcf327..e4f2a0a 100644 +dev_rw_sysfs(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t) + ++init_read_utmp(pegasus_openlmi_system_t) ++ +systemd_config_power_services(pegasus_openlmi_system_t) +systemd_dbus_chat_logind(pegasus_openlmi_system_t) + @@ -58217,6 +58640,7 @@ index 7bcf327..e4f2a0a 100644 + +seutil_read_file_contexts(pegasus_openlmi_storage_t) + ++storage_raw_read_removable_device(pegasus_openlmi_storage_t) +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + @@ -58289,7 +58713,7 @@ index 7bcf327..e4f2a0a 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +330,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -58320,7 +58744,7 @@ index 7bcf327..e4f2a0a 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +356,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) 
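Review bot: `sys_boot` is added to `allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };` with no comment, yet it lets this CIM provider reboot the host; the commit message attributes it to OpenLMI PowerManagement running `systemctl --force reboot`, and that justification belongs in the policy itself, e.g. `# sys_boot: OpenLMI PowerManagement runs 'systemctl --force reboot'` above the rule. The new `allow pegasus_openlmi_system_t self:process signal_perms;` is part of the same feature and can share that comment.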
@@ -58353,7 +58777,7 @@ index 7bcf327..e4f2a0a 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +384,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -58365,7 +58789,7 @@ index 7bcf327..e4f2a0a 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +400,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58401,7 +58825,7 @@ index 7bcf327..e4f2a0a 100644 ') optional_policy(` -@@ -151,16 +430,24 @@ optional_policy(` +@@ -151,16 +434,24 @@ optional_policy(` ') optional_policy(` @@ -58430,7 +58854,7 @@ index 7bcf327..e4f2a0a 100644 ') optional_policy(` -@@ -168,7 +455,7 @@ optional_policy(` +@@ -168,7 +459,7 @@ optional_policy(` ') optional_policy(` @@ -59914,10 +60338,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..17f5d18 +index 0000000..b9d62b2 --- /dev/null +++ b/pki.te -@@ -0,0 +1,284 @@ +@@ -0,0 +1,285 @@ +policy_module(pki,10.0.11) + +######################################## @@ -60100,6 +60524,7 @@ index 0000000..17f5d18 + +corenet_tcp_bind_pki_ra_port(pki_ra_t) +# talk to other subsystems ++corenet_tcp_connect_http_port(pki_ra_t) +corenet_tcp_connect_pki_ca_port(pki_ra_t) +corenet_tcp_connect_smtp_port(pki_ra_t) + @@ -60231,7 +60656,7 @@ index 735500f..2ba6832 100644 -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 30e751f..78fb7c6 100644 +index 30e751f..61feb3a 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ 
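Review bot: The added `corenet_tcp_connect_http_port(pki_ra_t)` in the pki.te hunk (`@@ -60100,6 +60524,7 @@`) is wider than the commit message describes: the message names only the CA secure port 8443, but `http_port_t` is the shared web port type, so this also permits the RA to connect to the ordinary HTTP/HTTPS ports. That may be acceptable, but the existing `# talk to other subsystems` comment does not say why a generic web-port type is used next to the dedicated `corenet_tcp_connect_pki_ca_port` call. I would make the intent explicit with `# CA secure port (8443) is labeled http_port_t, not pki_ca_port_t` so a later reviewer does not tighten it by mistake. The pki_ra_t block continues outside the hunk.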
@@ -60419,7 +60844,7 @@ index 30e751f..78fb7c6 100644 gen_require(` type plymouthd_var_run_t; ') -@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',` +@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',` ######################################## ## @@ -60427,12 +60852,13 @@ index 30e751f..78fb7c6 100644 -## administrate an plymouthd environment. +## Allow the specified domain to read +## to plymouthd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`plymouthd_read_log',` + gen_require(` @@ -60455,26 +60881,27 @@ index 30e751f..78fb7c6 100644 +# +interface(`plymouthd_create_log',` + gen_require(` -+ type plymouthd_log_t; ++ type plymouthd_var_log_t; + ') + + logging_search_logs($1) -+ create_files_pattern($1, plymouthd_log_t, plymouthd_log_t) ++ create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) +') + -+ +######################################## +## +## Allow the specified domain to manage +## to plymouthd log files. - ## - ## ++##
++## ## - ## Domain allowed access. +-## Role allowed access. ++## Domain allowed access. ## ## --## -+# +-## + # +-interface(`plymouthd_admin',` +interface(`plymouthd_manage_log',` + gen_require(` + type plymouthd_var_log_t; @@ -60511,14 +60938,11 @@ index 30e751f..78fb7c6 100644 +## an plymouthd environment +##
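Review bot: The fixed `plymouthd_create_log` interface now requires `plymouthd_var_log_t` and grants `create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)`, but it only allows creating files inside a directory already labeled `plymouthd_var_log_t`; if the daemon writes its log straight into /var/log, the new file inherits the directory label and this interface alone will not label it correctly. Whether a `logging_log_filetrans($1, plymouthd_var_log_t, file)` is needed depends on where plymouthd.fc places the log, which is not visible here, so please check that before relying on the interface from callers. Separately, the new summary text `## Allow the specified domain to read to plymouthd log files.` reads awkwardly; `## Allow the specified domain to read plymouthd log files.` is what was meant.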
+## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## --## - # --interface(`plymouthd_admin',` ++## ++## ++# +interface(`plymouthd_admin', ` gen_require(` type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; @@ -62968,7 +63392,7 @@ index 2e23946..d8a163f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..f19bca4 100644 +index 191a66f..9e7ec0a 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -63070,8 +63494,9 @@ index 191a66f..f19bca4 100644 ######################################## # -# Common postfix domain local policy --# -- ++# Postfix master process local policy + # + -allow postfix_domain self:capability { sys_nice sys_chroot }; -dontaudit postfix_domain self:capability sys_tty_config; -allow postfix_domain self:process { signal_perms setpgid setsched }; @@ -63150,9 +63575,8 @@ index 191a66f..f19bca4 100644 -######################################## -# -# Common postfix user domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -63187,10 +63611,10 @@ index 191a66f..f19bca4 100644 +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; + +allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; ++ ++allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; -+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; -+ +manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) 
@@ -63229,24 +63653,24 @@ index 191a66f..f19bca4 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") -+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -+kernel_read_all_sysctls(postfix_master_t) ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -can_exec(postfix_master_t, postfix_exec_t) - -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -- ++kernel_read_all_sysctls(postfix_master_t) + -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) 
@@ -63555,7 +63979,7 @@ index 191a66f..f19bca4 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,21 +433,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -63575,7 +63999,24 @@ index 191a66f..f19bca4 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +484,26 @@ optional_policy(` + + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) ++write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + + write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + +@@ -549,6 +458,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + corecmd_exec_bin(postfix_pipe_t) + + optional_policy(` ++ cyrus_stream_connect(postfix_pipe_t) ++') ++ ++optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) + ') + +@@ -576,19 +489,26 @@ optional_policy(` ######################################## # @@ -63607,7 +64048,7 @@ index 191a66f..f19bca4 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +518,7 @@ optional_policy(` +@@ -603,10 +523,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -63619,7 +64060,7 @@ index 191a66f..f19bca4 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +533,24 @@ optional_policy(` +@@ -621,17 +538,24 @@ optional_policy(` ####################################### # 
@@ -63647,7 +64088,7 @@ index 191a66f..f19bca4 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +566,77 @@ optional_policy(` +@@ -647,67 +571,77 @@ optional_policy(` ######################################## # @@ -63743,7 +64184,7 @@ index 191a66f..f19bca4 100644 ') optional_policy(` -@@ -720,29 +649,30 @@ optional_policy(` +@@ -720,29 +654,30 @@ optional_policy(` ######################################## # @@ -63782,7 +64223,7 @@ index 191a66f..f19bca4 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +684,7 @@ optional_policy(` +@@ -754,6 +689,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -63790,7 +64231,7 @@ index 191a66f..f19bca4 100644 ') optional_policy(` -@@ -764,31 +695,99 @@ optional_policy(` +@@ -764,31 +700,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -75129,10 +75570,10 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..8ea949c 100644 +index 2c2de9a..dc590fc 100644 --- a/rhcs.te +++ b/rhcs.te -@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) +@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) ## gen_tunable(fenced_can_ssh, false) @@ -75157,10 +75598,18 @@ index 2c2de9a..8ea949c 100644 +## +gen_tunable(cluster_use_execmem, false) + ++## ++##

++## Determine whether haproxy can ++## connect to all TCP ports. ++##

++##
++gen_tunable(haproxy_connect_any, false) ++ attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -75448,7 +75897,7 @@ index 2c2de9a..8ea949c 100644 ') ##################################### -@@ -79,9 +349,11 @@ optional_policy(` +@@ -79,9 +357,11 @@ optional_policy(` # dlm_controld local policy # @@ -75461,7 +75910,7 @@ index 2c2de9a..8ea949c 100644 stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -75494,7 +75943,7 @@ index 2c2de9a..8ea949c 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -75505,7 +75954,7 @@ index 2c2de9a..8ea949c 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) @@ -75514,7 +75963,7 @@ index 2c2de9a..8ea949c 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) 
@@ -75525,7 +75974,7 @@ index 2c2de9a..8ea949c 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -75534,7 +75983,7 @@ index 2c2de9a..8ea949c 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +467,8 @@ optional_policy(` +@@ -182,7 +475,8 @@ optional_policy(` ') optional_policy(` @@ -75544,7 +75993,7 @@ index 2c2de9a..8ea949c 100644 ') optional_policy(` -@@ -190,12 +476,12 @@ optional_policy(` +@@ -190,12 +484,12 @@ optional_policy(` ') optional_policy(` @@ -75560,7 +76009,7 @@ index 2c2de9a..8ea949c 100644 ') optional_policy(` -@@ -203,6 +489,13 @@ optional_policy(` +@@ -203,6 +497,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -75574,7 +76023,7 @@ index 2c2de9a..8ea949c 100644 ####################################### # # foghorn local policy -@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -75595,7 +76044,7 @@ index 2c2de9a..8ea949c 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -75604,7 +76053,7 @@ index 2c2de9a..8ea949c 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) 
@@ -75637,16 +76086,27 @@ index 2c2de9a..8ea949c 100644 +corenet_tcp_connect_commplex_link_port(haproxy_t) +corenet_tcp_connect_commplex_main_port(haproxy_t) +corenet_tcp_bind_commplex_main_port(haproxy_t) ++corenet_tcp_bind_http_port(haproxy_t) ++corenet_tcp_bind_http_cache_port(haproxy_t) + +corenet_tcp_connect_fmpro_internal_port(haproxy_t) ++corenet_tcp_connect_http_port(haproxy_t) ++corenet_tcp_connect_http_cache_port(haproxy_t) +corenet_tcp_connect_rtp_media_port(haproxy_t) + +sysnet_dns_name_resolve(haproxy_t) + ++tunable_policy(`haproxy_connect_any',` ++ corenet_tcp_connect_all_ports(haproxy_t) ++ corenet_tcp_bind_all_ports(haproxy_t) ++ corenet_sendrecv_all_packets(haproxy_t) ++ corenet_tcp_sendrecv_all_ports(haproxy_t) ++') ++ ###################################### # # qdiskd local policy -@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) 
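Review bot: The new `tunable_policy(`haproxy_connect_any',` block grants `corenet_tcp_bind_all_ports(haproxy_t)` and `corenet_sendrecv_all_packets(haproxy_t)` in addition to `corenet_tcp_connect_all_ports(haproxy_t)`, but the tunable's description added earlier in this diff (`@@ -75157,10 +75598,18 @@`) only says "Determine whether haproxy can connect to all TCP ports". An administrator reading `semanage boolean -l` will not realise that enabling it also lets the proxy listen on any port. Either drop the bind rule if it is not required, or make the description match, e.g. `## Determine whether haproxy can connect to` / `## and bind all TCP ports.`. The unconditional `corenet_tcp_bind_http_port`/`corenet_tcp_bind_http_cache_port` additions are fine for the stated default HTTP-proxy use.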
@@ -76865,6 +77325,68 @@ index 9702ed2..a265af9 100644 optional_policy(` ccs_stream_connect(ricci_modstorage_t) +diff --git a/rkhunter.fc b/rkhunter.fc +new file mode 100644 +index 0000000..645a9cc +--- /dev/null ++++ b/rkhunter.fc +@@ -0,0 +1 @@ ++/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0) +diff --git a/rkhunter.if b/rkhunter.if +new file mode 100644 +index 0000000..0be4cee +--- /dev/null ++++ b/rkhunter.if +@@ -0,0 +1,39 @@ ++## policy for rkhunter ++ ++######################################## ++## ++## Append rkhunter lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkhunter_append_lib_files',` ++ gen_require(` ++ type rkhunter_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rkhunter lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkhunter_manage_lib_files',` ++ gen_require(` ++ type rkhunter_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t) ++') +diff --git a/rkhunter.te b/rkhunter.te +new file mode 100644 +index 0000000..aa2d09e +--- /dev/null ++++ b/rkhunter.te +@@ -0,0 +1,4 @@ ++policy_module(rhhunter, 1.0) ++ ++type rkhunter_var_lib_t; ++files_type(rkhunter_var_lib_t) diff --git a/rlogin.fc b/rlogin.fc index f111877..e361ee9 100644 --- a/rlogin.fc @@ -81381,7 +81903,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..e4ae518 100644 +index 57c034b..5410377 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ 
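Review bot: The new rkhunter.te declares `policy_module(rhhunter, 1.0)` while the file, the .fc/.if files and every interface are named `rkhunter`, so the installed module will be registered under the misspelled name and a later corrected module would load alongside it rather than replace it. The line should read `policy_module(rkhunter, 1.0)`. Since the commit message describes this module as a stop-gap until the rkhunter package ships its own types, a one-line comment such as `# temporary: /var/lib/rkhunter labeling until the rkhunter package provides it` above the type declaration would help whoever removes it later. The rkhunter.if interfaces look consistent with the type they require.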
@@ -82023,7 +82545,7 @@ index 57c034b..e4ae518 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +560,41 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +560,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -82086,10 +82608,11 @@ index 57c034b..e4ae518 100644 +optional_policy(` + ctdbd_stream_connect(nmbd_t) + ctdbd_manage_var_files(nmbd_t) ++ ctdbd_manage_lib_files(nmbd_t) ') optional_policy(` -@@ -600,19 +607,26 @@ optional_policy(` +@@ -600,19 +608,26 @@ optional_policy(` ######################################## # @@ -82097,7 +82620,7 @@ index 57c034b..e4ae518 100644 +# smbcontrol local policy # -+ ++allow smbcontrol_t self:capability2 block_suspend; allow smbcontrol_t self:process signal; -allow smbcontrol_t self:fifo_file rw_fifo_file_perms; +# internal communication is often done using fifo and unix sockets. @@ -82109,11 +82632,11 @@ index 57c034b..e4ae518 100644 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) - ++ +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; -+ + +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) -samba_rw_var_files(smbcontrol_t) @@ -82121,7 +82644,7 @@ index 57c034b..e4ae518 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +634,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +635,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) 
@@ -82139,7 +82662,7 @@ index 57c034b..e4ae518 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +647,23 @@ optional_policy(` +@@ -637,22 +648,23 @@ optional_policy(` ######################################## # @@ -82171,7 +82694,7 @@ index 57c034b..e4ae518 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +673,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -82207,7 +82730,7 @@ index 57c034b..e4ae518 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +699,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +700,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -82299,7 +82822,7 @@ index 57c034b..e4ae518 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +779,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -82323,7 +82846,7 @@ index 57c034b..e4ae518 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +792,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +793,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -82366,7 +82889,7 @@ index 57c034b..e4ae518 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +822,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +823,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -82380,7 +82903,7 @@ index 57c034b..e4ae518 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +846,19 @@ optional_policy(` +@@ -834,16 +847,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; @@ -82404,7 +82927,7 @@ index 57c034b..e4ae518 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +869,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -82415,7 +82938,7 @@ index 57c034b..e4ae518 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +880,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -82445,7 +82968,7 @@ index 57c034b..e4ae518 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +902,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +903,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -82466,7 +82989,7 @@ index 57c034b..e4ae518 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +921,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) 
@@ -82477,7 +83000,7 @@ index 57c034b..e4ae518 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +929,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -82519,7 +83042,7 @@ index 57c034b..e4ae518 100644 ') optional_policy(` -@@ -952,31 +976,29 @@ optional_policy(` +@@ -952,31 +977,29 @@ optional_policy(` # Winbind helper local policy # @@ -82557,7 +83080,7 @@ index 57c034b..e4ae518 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1012,38 @@ optional_policy(` +@@ -990,25 +1013,38 @@ optional_policy(` ######################################## # @@ -85715,7 +86238,7 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..d686e4a 100644 +index 49b12ae..b8b6cf4 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -85724,7 +86247,7 @@ index 49b12ae..d686e4a 100644 ######################################## # -@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2) +@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.11.2) type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; @@ -85756,6 +86279,8 @@ index 49b12ae..d686e4a 100644 allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; ++dontaudit setroubleshootd_t self:capability net_admin; ++ +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t self:process { execmem execstack }; 
@@ -85786,7 +86311,7 @@ index 49b12ae..d686e4a 100644 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t) +@@ -61,14 +70,13 @@ corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) @@ -85804,7 +86329,7 @@ index 49b12ae..d686e4a 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +84,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) @@ -85816,7 +86341,7 @@ index 49b12ae..d686e4a 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t) +@@ -101,33 +108,32 @@ selinux_read_policy(setroubleshootd_t) term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) @@ -85857,7 +86382,7 @@ index 49b12ae..d686e4a 100644 ') optional_policy(` -@@ -135,10 +139,18 @@ optional_policy(` +@@ -135,10 +141,18 @@ optional_policy(` ') optional_policy(` @@ -85876,7 +86401,7 @@ index 49b12ae..d686e4a 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,26 +160,36 @@ optional_policy(` +@@ -148,26 +162,36 @@ optional_policy(` ######################################## # 
@@ -85915,7 +86440,7 @@ index 49b12ae..d686e4a 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +199,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -86718,10 +87243,29 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 66ac42a..1a4c952 100644 +index 66ac42a..5efa3fd 100644 --- a/slpd.te +++ b/slpd.te -@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) +@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t) + # Local policy + # + +-allow slpd_t self:capability { kill setgid setuid }; ++allow slpd_t self:capability { kill net_admin setgid setuid }; + allow slpd_t self:process signal; + allow slpd_t self:fifo_file rw_fifo_file_perms; + allow slpd_t self:tcp_socket { accept listen }; +@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file) + manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) + files_pid_filetrans(slpd_t, slpd_var_run_t, file) + ++kernel_read_system_state(slpd_t) ++kernel_read_network_state(slpd_t) ++ + corenet_all_recvfrom_unlabeled(slpd_t) + corenet_all_recvfrom_netlabel(slpd_t) + corenet_tcp_sendrecv_generic_if(slpd_t) +@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) corenet_tcp_bind_svrloc_port(slpd_t) corenet_udp_bind_svrloc_port(slpd_t) @@ -86732,6 +87276,8 @@ index 66ac42a..1a4c952 100644 auth_use_nsswitch(slpd_t) -miscfiles_read_localization(slpd_t) ++logging_send_syslog_msg(slpd_t) ++ +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te index 5437237..3dfc982 100644 @@ -87433,10 +87979,10 @@ index 0000000..94105ee +') diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..ad232be +index 0000000..9530409 --- /dev/null 
+++ b/snapper.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,34 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -87463,6 +88009,7 @@ index 0000000..ad232be +miscfiles_read_localization(snapperd_t) + +optional_policy(` ++ dbus_system_domain(snapperd_t, snapperd_exec_t) + dbus_system_bus_client(snapperd_t) + dbus_connect_system_bus(snapperd_t) +') @@ -96292,7 +96839,7 @@ index c30da4c..6351bcb 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..09db35b 100644 +index 9dec06c..15562ad 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -97307,7 +97854,7 @@ index 9dec06c..09db35b 100644 ##
## ## -@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,263 @@ interface(`virt_read_lib_files',` ## ## # @@ -97370,12 +97917,10 @@ index 9dec06c..09db35b 100644 + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. ++') ++ ++######################################## ++## +## Execute virt server in the virt domain. +## +## @@ -97395,10 +97940,12 @@ index 9dec06c..09db35b 100644 + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Ptrace the svirt domain +## +## @@ -97417,6 +97964,24 @@ index 9dec06c..09db35b 100644 + +####################################### +## ++## Execute Sandbox Files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_exec_sandbox_files',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ can_exec($1, svirt_sandbox_file_t) ++') ++ ++####################################### ++## +## Manage Sandbox Files ## ## @@ -97575,7 +98140,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -935,19 +904,17 @@ interface(`virt_read_log',` +@@ -935,19 +922,17 @@ interface(`virt_read_log',` ## ## # @@ -97599,7 +98164,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -955,20 +922,17 @@ interface(`virt_append_log',` +@@ -955,20 +940,17 @@ interface(`virt_append_log',` ## ## # @@ -97624,7 +98189,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -976,18 +940,17 @@ interface(`virt_manage_log',` +@@ -976,18 +958,17 @@ interface(`virt_manage_log',` ## ## # 
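Review bot: The new `virt_exec_sandbox_files` interface (hunk `@@ -97417,6 +97964,24 @@`) grants `can_exec($1, svirt_sandbox_file_t)`, which lets the calling domain execute content of the type that sandboxed domains manage through the sibling "Manage Sandbox Files" interface; callers therefore run code a container can have written. That is the intent for docker image builds per the commit message, but the `<summary>` only says "Execute Sandbox Files" and does not warn about it. I would extend the summary to something like "Execute sandbox (container) files; the caller executes content that sandboxed domains may modify" so that it is not reused by domains with higher privilege without consideration. The interface itself is complete with its gen_require.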
@@ -97647,7 +98212,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -995,36 +958,57 @@ interface(`virt_search_images',` +@@ -995,36 +976,57 @@ interface(`virt_search_images',` ## ## # @@ -97724,7 +98289,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -1032,20 +1016,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1034,28 @@ interface(`virt_read_images',` ## ## # @@ -97760,7 +98325,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1063,131 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -97784,7 +98349,7 @@ index 9dec06c..09db35b 100644 ## -## +## -+## + ## +## Prefix for the domain. +## +## @@ -97809,7 +98374,7 @@ index 9dec06c..09db35b 100644 +## Make the specified type usable as a lxc domain +## +## - ## ++## +## Type to be used as a lxc domain +## +## @@ -97891,7 +98456,7 @@ index 9dec06c..09db35b 100644 + attribute svirt_sandbox_domain; + ') + -+ allow $1 svirt_sandbox_domain:process transition; ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + @@ -97906,7 +98471,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1195,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -97980,7 +98545,7 @@ index 9dec06c..09db35b 100644 ## ## ## -@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1258,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -98053,7 +98618,7 @@ index 9dec06c..09db35b 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..af9d192 100644 +index 1f22fba..82a523e 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,194 @@ @@ -98068,7 +98633,7 @@ index 1f22fba..af9d192 100644 +gen_require(` + class passwd rootok; + class passwd passwd; -+ ') ++') + +attribute virsh_transition_domain; +attribute virt_ptynode; 
@@ -98237,10 +98802,10 @@ index 1f22fba..af9d192 100644 + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; ++ ++type qemu_exec_t, virt_file_type; -type virt_cache_t alias svirt_cache_t; -+type qemu_exec_t, virt_file_type; -+ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -98581,11 +99146,11 @@ index 1f22fba..af9d192 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) @@ -98750,14 +99315,14 @@ index 1f22fba..af9d192 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -99006,24 +99571,22 @@ index 1f22fba..af9d192 100644 -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -- ++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) ++read_files_pattern(virt_domain, virt_content_t, virt_content_t) ++dontaudit virt_domain virt_content_t:file write_file_perms; ++dontaudit virt_domain virt_content_t:dir write; + -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) -+read_files_pattern(virt_domain, virt_content_t, virt_content_t) -+dontaudit virt_domain virt_content_t:file write_file_perms; -+dontaudit virt_domain virt_content_t:dir write; ++kernel_read_net_sysctls(virt_domain) -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -+kernel_read_net_sysctls(virt_domain) - --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -99034,12 +99597,12 @@ index 1f22fba..af9d192 100644 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) --allow virsh_t svirt_lxc_domain:process transition; +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --can_exec(virsh_t, virsh_exec_t) +-allow virsh_t svirt_lxc_domain:process transition; +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -99070,7 +99633,8 @@ index 1f22fba..af9d192 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -+ + +-can_exec(virsh_t, virsh_exec_t) +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) @@ -99156,7 +99720,7 @@ index 1f22fba..af9d192 100644 + sssd_dontaudit_read_lib(virt_domain) + sssd_dontaudit_read_public_files(virt_domain) +') - ++ +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) @@ -99221,7 +99785,7 @@ index 1f22fba..af9d192 100644 + xserver_stream_connect(virt_domain) + ') +') -+ + +######################################## +# +# xm local policy @@ -99486,7 +100050,7 @@ index 1f22fba..af9d192 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1110,271 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1110,272 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -99624,8 +100188,9 @@ index 1f22fba..af9d192 100644 +') + +optional_policy(` -+ docker_read_lib_files(svirt_sandbox_domain) ++ docker_read_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ docker_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` @@ -99896,7 +100461,7 @@ index 1f22fba..af9d192 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1387,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1388,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -99911,7 +100476,7 @@ index 1f22fba..af9d192 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1405,8 @@ optional_policy(` +@@ -1183,9 +1406,8 @@ optional_policy(` ######################################## # @@ -99922,7 +100487,7 @@ index 1f22fba..af9d192 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1419,198 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1420,198 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -100232,10 +100797,10 @@ index 0000000..044be2f +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..7918651 +index 0000000..b4d2dac --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,27 @@ +@@ -0,0 +1,42 @@ +policy_module(vmtools, 1.0.0) + +######################################## 
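Review bot: `docker_use_ptys(svirt_sandbox_domain)` is granted to the whole svirt_sandbox_domain attribute, so every container process may use any terminal carrying docker's pty type, not only the pty attached to its own container; that is presumably unavoidable for terminal-attached runs but deserves a comment so it is not later mistaken for an over-grant. A line such as `# containers started with a terminal get their stdio on docker's pty type` above the optional_policy block would do. The swap of `docker_read_lib_files` for `docker_read_share_files` changes which docker type sandboxes may read; worth confirming the changelog entry covers that change as well.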
@@ -100250,17 +100815,32 @@ index 0000000..7918651
 +type vmtools_unit_file_t;
 +systemd_unit_file(vmtools_unit_file_t)
 +
++type vmtools_tmp_t;
++files_tmp_file(vmtools_tmp_t)
++
 +########################################
 +#
 +# vmtools local policy
 +#
++allow vmtools_t self:capability { sys_time sys_rawio };
 +allow vmtools_t self:fifo_file rw_fifo_file_perms;
 +allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
 +allow vmtools_t self:unix_dgram_socket create_socket_perms;
 +
-+auth_use_nsswitch(vmtools_t)
++manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir })
++
++kernel_read_system_state(vmtools_t)
++kernel_read_network_state(vmtools_t)
++
++corecmd_exec_shell(vmtools_t)
 +
 +dev_read_urand(vmtools_t)
++dev_getattr_all_blk_files(vmtools_t)
++
++auth_use_nsswitch(vmtools_t)
 +
 +logging_send_syslog_msg(vmtools_t)
 diff --git a/vmware.if b/vmware.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cd8b928..2a7e95f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 120%{?dist}
+Release: 121%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
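Review bot: `allow vmtools_t self:capability { sys_time sys_rawio };` hands the new vmtools domain sys_rawio, one of the broadest capabilities (raw block-device and port I/O), next to `dev_getattr_all_blk_files(vmtools_t)` and `corecmd_exec_shell(vmtools_t)`, and nothing in the hunk records which vmtoolsd operation needs each grant. A why-comment per rule makes a later audit possible, e.g. `# sys_rawio: required by <operation that triggered the denial — TODO confirm>`. If sys_rawio was added in response to a denial while stat-ing block devices, the getattr interface alone may satisfy it and the capability could be dropped after a check in permissive mode. The module's declarations (`policy_module`, `vmtools_t` itself) are in the preceding hunk, outside this one.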
@@ -579,6 +579,48 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Mon Jan 27 2014 Miroslav Grepl 3.12.1-121
+- Allow gdm to create /var/gdm with correct labeling
+- Allow domains to append rkhunterl lib files. #1057982
+- Allow systemd_tmpfiles_t net_admin to communicate with journald
+- Add interface to getattr on an isid_type for any type of file
+- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory
+- Allow initrc_t domtrans to authconfig if unconfined is enabled
+- Allow docker and mount on devpts chr_file
+- Allow docker to transition to unconfined_t if boolean set
+- init calling needs to be optional in domain.te
+- Allow uncofined domain types to handle transient unit files
+- Fix labeling for vfio devices
+- Allow net_admin capability and send system log msgs
+- Allow lldpad send dgram to NM
+- Add networkmanager_dgram_send()
+- rkhunter_var_lib_t is correct type
+- Back port pcp policy from rawhide
+- Allow openlmi-storage to read removable devices
+- Allow system cron jobs to manage rkhunter lib files
+- Add rkhunter_manage_lib_files()
+- Fix ftpd_use_fusefs boolean to allow manage also symlinks
+- Allow smbcontrob block_suspend cap2
+- Allow slpd to read network and system state info
+- Allow NM domtrans to iscsid_t if iscsiadm is executed
+- Allow slapd to send a signal itself
+- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
+- Fix plymouthd_create_log() interface
+- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
+- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container
+- Allow postfix and cyrus-imapd to work out of box
+- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
+- Dontaudit domains that are calling into journald to net_admin
+- Add rules to allow vmtools to do what it does
+- snapperd is D-Bus service
+- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
+- Add haproxy_connect_any boolean
+- Allow haproxy also to use http cache port by default
+- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
+- Allow docker to use the network and build images
+- Allow docker to read selinux files for labeling, and mount on devpts chr_file
+- Allow domains that transition to svirt_sandbox to send it signals
+
 * Tue Jan 21 2014 Miroslav Grepl 3.12.1-120
 - Allow apache to write to the owncloud data directory in /var/www/html...
 - Allow consolekit to create log dir