From 4a142bb80ca390bf35b74b41f9809587650fd97f Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 03 2011 19:59:03 +0000 Subject: - Make a lot of modules independent - Update to make new seunshare/sandbox work - allow virt_domains to use inherited noxattrs file systems - Dont allow svirt_t to send kill signals - Cleanup policy to allow less modules in base - Cleanup to allow minimal files in base policy --- diff --git a/policy-F15.patch b/policy-F15.patch index e59db95..b77ec54 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -338,19 +338,56 @@ index a7c7971..d073f49 100644 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) files_search_var_lib(alsa_t) +diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te +index 46d467c..d841424 100644 +--- a/policy/modules/admin/amanda.te ++++ b/policy/modules/admin/amanda.te +@@ -200,12 +200,14 @@ files_search_pids(amanda_recover_t) + + auth_use_nsswitch(amanda_recover_t) + +-fstools_domtrans(amanda_t) +-fstools_signal(amanda_t) +- + logging_search_logs(amanda_recover_t) + + miscfiles_read_localization(amanda_recover_t) + + userdom_use_user_terminals(amanda_recover_t) + userdom_search_user_home_content(amanda_recover_t) ++ ++optional_policy(` ++ fstools_domtrans(amanda_t) ++ fstools_signal(amanda_t) ++') diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te -index e81bdbd..63ab279 100644 +index e81bdbd..dd1522d 100644 --- a/policy/modules/admin/anaconda.te 
+++ b/policy/modules/admin/anaconda.te -@@ -30,6 +30,7 @@ modutils_domtrans_insmod(anaconda_t) - modutils_domtrans_depmod(anaconda_t) +@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t) + + logging_send_syslog_msg(anaconda_t) +-modutils_domtrans_insmod(anaconda_t) +-modutils_domtrans_depmod(anaconda_t) +- seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -@@ -51,7 +52,7 @@ optional_policy(` +@@ -38,6 +36,10 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_insmod(anaconda_t) ++ modutils_domtrans_depmod(anaconda_t) ++') ++optional_policy(` + rpm_domtrans(anaconda_t) + rpm_domtrans_script(anaconda_t) + ') +@@ -51,7 +53,7 @@ optional_policy(` ') optional_policy(` @@ -389,7 +426,7 @@ index 63eb96b..17a9f6d 100644 ## ## Execute bootloader interactively and do diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..9799904 100644 +index d3da8f2..a9c9ff2 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; @@ -401,6 +438,28 @@ index d3da8f2..9799904 100644 # # The temp file is used for initrd creation; +@@ -121,8 +121,6 @@ logging_rw_generic_logs(bootloader_t) + + miscfiles_read_localization(bootloader_t) + +-modutils_domtrans_insmod_uncond(bootloader_t) +- + seutil_read_bin_policy(bootloader_t) + seutil_read_loadpolicy(bootloader_t) + seutil_dontaudit_search_config(bootloader_t) +@@ -162,8 +160,10 @@ ifdef(`distro_redhat',` + files_manage_isid_type_blk_files(bootloader_t) + files_manage_isid_type_chr_files(bootloader_t) + +- # for mke2fs +- mount_domtrans(bootloader_t) ++ optional_policy(` ++ # for mke2fs ++ mount_domtrans(bootloader_t) ++ ') + + optional_policy(` + unconfined_domain(bootloader_t) @@ -171,6 +171,10 @@ ifdef(`distro_redhat',` ') 
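Review bot: In the anaconda.te part of this hunk the two new optional_policy blocks are written back to back — the `+')` closing the modutils block is immediately followed by the opener of the rpm block — while every other block in the file is separated by a blank line; adding the blank line keeps the layout consistent. The firstboot.te hunk further down has the same adjacency after `nis_use_ypbind(firstboot_t)`. In the amanda.te part, the re-added `fstools_domtrans(amanda_t)`/`fstools_signal(amanda_t)` block sits among the `amanda_recover_t` rules (as the removed lines did); moving it up next to the other amanda_t rules would restore the per-domain grouping the file otherwise follows.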
@@ -412,6 +471,14 @@ index d3da8f2..9799904 100644 fstools_exec(bootloader_t) ') +@@ -197,6 +201,7 @@ optional_policy(` + modutils_exec_insmod(bootloader_t) + modutils_exec_depmod(bootloader_t) + modutils_exec_update_mods(bootloader_t) ++ modutils_domtrans_insmod_uncond(bootloader_t) + ') + + optional_policy(` diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if index 2c2cdb6..73b3814 100644 --- a/policy/modules/admin/brctl.if @@ -506,6 +573,29 @@ index cd5e005..24f73ca 100644 ') optional_policy(` +diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te +index 5e062bc..8854858 100644 +--- a/policy/modules/admin/ddcprobe.te ++++ b/policy/modules/admin/ddcprobe.te +@@ -42,10 +42,14 @@ libs_read_lib_files(ddcprobe_t) + + miscfiles_read_localization(ddcprobe_t) + +-modutils_read_module_deps(ddcprobe_t) +- + userdom_use_user_terminals(ddcprobe_t) + userdom_use_all_users_fds(ddcprobe_t) + +-#reh why? this does not seem even necessary to function properly +-kudzu_getattr_exec_files(ddcprobe_t) ++optional_policy(` ++ #reh why? this does not seem even necessary to function properly ++ kudzu_getattr_exec_files(ddcprobe_t) ++') ++ ++optional_policy(` ++ modutils_read_module_deps(ddcprobe_t) ++') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 72bc6d8..ed02103 100644 --- a/policy/modules/admin/dmesg.te @@ -532,7 +622,7 @@ index 72bc6d8..ed02103 100644 ') diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te -index 6776b69..86cff15 100644 +index 6776b69..a1482b0 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -18,7 +18,7 @@ role system_r types dpkg_t; 
@@ -544,6 +634,50 @@ index 6776b69..86cff15 100644 type dpkg_tmp_t; files_tmp_file(dpkg_tmp_t) +@@ -193,14 +193,19 @@ domain_signull_all_domains(dpkg_t) + files_read_etc_runtime_files(dpkg_t) + files_exec_usr_files(dpkg_t) + miscfiles_read_localization(dpkg_t) +-modutils_domtrans_depmod(dpkg_t) +-modutils_domtrans_insmod(dpkg_t) + seutil_domtrans_loadpolicy(dpkg_t) + seutil_domtrans_setfiles(dpkg_t) + userdom_use_all_users_fds(dpkg_t) ++ + optional_policy(` + mta_send_mail(dpkg_t) + ') ++ ++optional_policy(` ++ modutils_domtrans_depmod(dpkg_t) ++ modutils_domtrans_insmod(dpkg_t) ++') ++ + optional_policy(` + usermanage_domtrans_groupadd(dpkg_t) + usermanage_domtrans_useradd(dpkg_t) +@@ -299,9 +304,6 @@ logging_send_syslog_msg(dpkg_script_t) + + miscfiles_read_localization(dpkg_script_t) + +-modutils_domtrans_depmod(dpkg_script_t) +-modutils_domtrans_insmod(dpkg_script_t) +- + seutil_domtrans_loadpolicy(dpkg_script_t) + seutil_domtrans_setfiles(dpkg_script_t) + +@@ -321,6 +323,11 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_depmod(dpkg_script_t) ++ modutils_domtrans_insmod(dpkg_script_t) ++') ++ ++optional_policy(` + mta_send_mail(dpkg_script_t) + ') + diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if index 8fa451c..bc5bfc4 100644 --- a/policy/modules/admin/firstboot.if @@ -575,10 +709,22 @@ index 8fa451c..bc5bfc4 100644 ## ## diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te -index c4d8998..6f193f8 100644 +index c4d8998..dbdc14c 100644 --- a/policy/modules/admin/firstboot.te 
+++ b/policy/modules/admin/firstboot.te -@@ -103,6 +103,10 @@ optional_policy(` +@@ -75,11 +75,6 @@ logging_send_syslog_msg(firstboot_t) + + miscfiles_read_localization(firstboot_t) + +-modutils_domtrans_insmod(firstboot_t) +-modutils_domtrans_depmod(firstboot_t) +-modutils_read_module_config(firstboot_t) +-modutils_read_module_deps(firstboot_t) +- + userdom_use_user_terminals(firstboot_t) + # Add/remove user home directories + userdom_manage_user_home_content_dirs(firstboot_t) +@@ -103,8 +98,18 @@ optional_policy(` ') optional_policy(` @@ -588,8 +734,16 @@ index c4d8998..6f193f8 100644 +optional_policy(` nis_use_ypbind(firstboot_t) ') ++optional_policy(` ++ modutils_domtrans_insmod(firstboot_t) ++ modutils_domtrans_depmod(firstboot_t) ++ modutils_read_module_config(firstboot_t) ++ modutils_read_module_deps(firstboot_t) ++') -@@ -125,6 +129,7 @@ optional_policy(` + optional_policy(` + samba_rw_config(firstboot_t) +@@ -125,6 +130,7 @@ optional_policy(` ') optional_policy(` @@ -626,26 +780,51 @@ index 4198ff5..df3f4d6 100644 #################################### ## ## Manage kdump configuration file. +diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te +index 4f7bd3c..3405a10 100644 +--- a/policy/modules/admin/kudzu.te ++++ b/policy/modules/admin/kudzu.te +@@ -111,11 +111,6 @@ logging_send_syslog_msg(kudzu_t) + miscfiles_read_hwdata(kudzu_t) + miscfiles_read_localization(kudzu_t) + +-modutils_read_module_config(kudzu_t) +-modutils_read_module_deps(kudzu_t) +-modutils_rename_module_config(kudzu_t) +-modutils_delete_module_config(kudzu_t) +-modutils_domtrans_insmod(kudzu_t) + + sysnet_read_config(kudzu_t) + +@@ -128,6 +123,14 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_read_module_config(kudzu_t) ++ modutils_read_module_deps(kudzu_t) ++ modutils_rename_module_config(kudzu_t) ++ modutils_delete_module_config(kudzu_t) ++ modutils_domtrans_insmod(kudzu_t) ++') ++ ++optional_policy(` + nscd_socket_use(kudzu_t) + ') + 
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..a874b65 100644 +index 7090dae..ce5af6e 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t) +@@ -119,14 +119,10 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) -+userdom_dontaudit_list_admin_dir(logrotate_t) - - cron_system_entry(logrotate_t, logrotate_exec_t) - cron_search_spool(logrotate_t) - +- +-cron_system_entry(logrotate_t, logrotate_exec_t) +-cron_search_spool(logrotate_t) +- -mta_send_mail(logrotate_t) -+#mta_send_mail(logrotate_t) -+mta_base_mail_template(logrotate) -+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -+role system_r types logrotate_mail_t; -+logging_read_all_logs(logrotate_mail_t) -+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) ++userdom_dontaudit_list_admin_dir(logrotate_t) ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; 
@@ -653,6 +832,41 @@ index 7090dae..a874b65 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) +@@ -166,6 +162,11 @@ optional_policy(` + ') + + optional_policy(` ++ cron_system_entry(logrotate_t, logrotate_exec_t) ++ cron_search_spool(logrotate_t) ++') ++ ++optional_policy(` + cups_domtrans(logrotate_t) + ') + +@@ -203,7 +204,6 @@ optional_policy(` + psad_domtrans(logrotate_t) + ') + +- + optional_policy(` + samba_exec_log(logrotate_t) + ') +@@ -228,3 +228,14 @@ optional_policy(` + optional_policy(` + varnishd_manage_log(logrotate_t) + ') ++ ++####################################### ++# ++# logrotate_mail local policy ++# ++ ++mta_base_mail_template(logrotate) ++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) ++role system_r types logrotate_mail_t; ++logging_read_all_logs(logrotate_mail_t) ++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc index 3c7b1e8..1e155f5 100644 --- a/policy/modules/admin/logwatch.fc @@ -736,24 +950,23 @@ index 56c43c0..de535e4 100644 +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) + diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..8498ed1 100644 +index 5671977..24a6ad6 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te -@@ -7,9 +7,13 @@ policy_module(mcelog, 1.1.0) +@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0) type mcelog_t; type mcelog_exec_t; +init_system_domain(mcelog_t, mcelog_exec_t) application_domain(mcelog_t, mcelog_exec_t) - cron_system_entry(mcelog_t, mcelog_exec_t) - +-cron_system_entry(mcelog_t, mcelog_exec_t) ++ +type mcelog_var_run_t; +files_pid_file(mcelog_var_run_t) -+ + ######################################## # - # mcelog local policy -@@ -17,10 +21,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t) +@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t) allow mcelog_t self:capability sys_admin; 
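Review bot: The new "logrotate_mail local policy" section appended to logrotate.te calls `mta_base_mail_template(logrotate)` and `mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)` unconditionally, while the rest of this commit moves cross-module calls into optional_policy blocks; unless mta is known to be in the base policy, this block should be wrapped the same way so logrotate still links without mta. `logging_read_all_logs(logrotate_mail_t)` gives the mail helper read access to every log type, which is broad; a one-line comment stating what it is for (presumably mailing rotated log content) would let the next reader judge whether that breadth is required.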
@@ -772,6 +985,14 @@ index 5671977..8498ed1 100644 files_read_etc_files(mcelog_t) +@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t) + logging_send_syslog_msg(mcelog_t) + + miscfiles_read_localization(mcelog_t) ++ ++optional_policy(` ++ cron_system_entry(mcelog_t, mcelog_exec_t) ++') diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 0e19d80..9d58abe 100644 --- a/policy/modules/admin/mrtg.te @@ -878,10 +1099,10 @@ index 0000000..8c2e044 + diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te new file mode 100644 -index 0000000..67296b9 +index 0000000..104253d --- /dev/null +++ b/policy/modules/admin/ncftool.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,87 @@ +policy_module(ncftool, 1.0.0) + +######################################## @@ -935,10 +1156,6 @@ index 0000000..67296b9 + +miscfiles_read_localization(ncftool_t) + -+modutils_list_module_config(ncftool_t) -+modutils_read_module_config(ncftool_t) -+modutils_domtrans_insmod(ncftool_t) -+ +sysnet_delete_dhcpc_pid(ncftool_t) +sysnet_domtrans_dhcpc(ncftool_t) +sysnet_domtrans_ifconfig(ncftool_t) @@ -957,7 +1174,7 @@ index 0000000..67296b9 +') + +optional_policy(` -+ dbus_system_bus_client(ncftool_t) ++ dbus_system_bus_client(ncftool_t) +') + +optional_policy(` @@ -965,11 +1182,13 @@ index 0000000..67296b9 +') + +optional_policy(` -+ iptables_initrc_domtrans(ncftool_t) ++ netutils_domtrans(ncftool_t) +') + +optional_policy(` -+ netutils_domtrans(ncftool_t) ++ modutils_list_module_config(ncftool_t) ++ modutils_read_module_config(ncftool_t) ++ modutils_domtrans_insmod(ncftool_t) +') diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if index c6ca761..46e0767 100644 @@ -1111,7 +1330,7 @@ index e0791b9..c083ea8 100644 + term_dontaudit_use_all_ptys(traceroute_t) +') diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te -index c633aea..b773bc3 100644 +index c633aea..c489eec 100644 --- a/policy/modules/admin/portage.te 
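Review bot: This hunk drops `iptables_initrc_domtrans(ncftool_t)` from the new ncftool.te without re-adding it anywhere, whereas the commit message only describes moving rules into optional_policy blocks. If the removal is deliberate it deserves a mention in the message; if not, it should go into an optional_policy block like the modutils calls that this hunk adds.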
+++ b/policy/modules/admin/portage.te @@ -43,7 +43,7 @@ type portage_db_t; @@ -1123,6 +1342,17 @@ index c633aea..b773bc3 100644 type portage_cache_t; files_type(portage_cache_t) +@@ -107,7 +107,9 @@ miscfiles_read_localization(gcc_config_t) + + userdom_use_user_terminals(gcc_config_t) + +-consoletype_exec(gcc_config_t) ++optional_policy(` ++ consoletype_exec(gcc_config_t) ++') + + optional_policy(` + seutil_use_newrole_fds(gcc_config_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index af55369..f77e897 100644 --- a/policy/modules/admin/prelink.te @@ -1526,7 +1756,7 @@ index d33daa8..c76708e 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..31f474e 100644 +index 47a8f7d..f5a60bd 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -1620,7 +1850,13 @@ index 47a8f7d..31f474e 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -338,12 +351,15 @@ modutils_domtrans_insmod(rpm_script_t) +@@ -332,18 +345,18 @@ logging_send_syslog_msg(rpm_script_t) + + miscfiles_read_localization(rpm_script_t) + +-modutils_domtrans_depmod(rpm_script_t) +-modutils_domtrans_insmod(rpm_script_t) +- seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1636,7 +1872,19 @@ index 47a8f7d..31f474e 100644 ') ') -@@ -377,8 +393,9 @@ optional_policy(` +@@ -368,6 +381,11 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_depmod(rpm_script_t) ++ modutils_domtrans_insmod(rpm_script_t) ++') ++ ++optional_policy(` + tzdata_domtrans(rpm_t) + tzdata_domtrans(rpm_script_t) + ') +@@ -377,8 +395,9 @@ optional_policy(` ') optional_policy(` @@ -1648,14 +1896,37 @@ index 47a8f7d..31f474e 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) 
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te -index c8ef84b..e241334 100644 +index c8ef84b..40ceffb 100644 --- a/policy/modules/admin/sectoolm.te +++ b/policy/modules/admin/sectoolm.te -@@ -84,6 +84,7 @@ logging_send_syslog_msg(sectoolm_t) +@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t) + + auth_use_nsswitch(sectoolm_t) + +-# tests related to network +-hostname_exec(sectoolm_t) +- +-# tests related to network +-iptables_domtrans(sectoolm_t) +- + libs_exec_ld_so(sectoolm_t) + + logging_send_syslog_msg(sectoolm_t) +@@ -84,6 +78,17 @@ logging_send_syslog_msg(sectoolm_t) sysnet_domtrans_ifconfig(sectoolm_t) userdom_manage_user_tmp_sockets(sectoolm_t) +userdom_dgram_send(sectoolm_t) ++ ++optional_policy(` ++ # tests related to network ++ hostname_exec(sectoolm_t) ++') ++ ++optional_policy(` ++ # tests related to network ++ iptables_domtrans(sectoolm_t) ++') optional_policy(` mount_exec(sectoolm_t) @@ -1943,10 +2214,18 @@ index 8966ec9..a54882c 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te -index bc00875..3c1b37b 100644 +index bc00875..b47c0f4 100644 --- a/policy/modules/admin/smoltclient.te +++ b/policy/modules/admin/smoltclient.te -@@ -46,6 +46,7 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0) + type smoltclient_t; + type smoltclient_exec_t; + application_domain(smoltclient_t, smoltclient_exec_t) +-cron_system_entry(smoltclient_t, smoltclient_exec_t) + + type smoltclient_tmp_t; + files_tmp_file(smoltclient_tmp_t) +@@ -46,6 +45,7 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_files(smoltclient_t) 
@@ -1954,6 +2233,43 @@ index bc00875..3c1b37b 100644 files_read_usr_files(smoltclient_t) auth_use_nsswitch(smoltclient_t) +@@ -55,6 +55,10 @@ logging_send_syslog_msg(smoltclient_t) + miscfiles_read_localization(smoltclient_t) + + optional_policy(` ++ cron_system_entry(smoltclient_t, smoltclient_exec_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(smoltclient_t) + ') + +diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te +index fe1c377..7660180 100644 +--- a/policy/modules/admin/sosreport.te ++++ b/policy/modules/admin/sosreport.te +@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t) + + miscfiles_read_localization(sosreport_t) + +-# needed by modinfo +-modutils_read_module_deps(sosreport_t) +- + sysnet_read_config(sosreport_t) + + optional_policy(` +@@ -110,6 +107,11 @@ optional_policy(` + ') + + optional_policy(` ++ # needed by modinfo ++ modutils_read_module_deps(sosreport_t) ++') ++ ++optional_policy(` + fstools_domtrans(sosreport_t) + ') + diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 8c5fa3c..1a46f56 100644 --- a/policy/modules/admin/su.if @@ -2063,8 +2379,33 @@ index 2731fa1..3443ba2 100644 +type sudo_db_t; +files_type(sudo_db_t) + +diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te +index d5aaf0e..689b2fd 100644 +--- a/policy/modules/admin/sxid.te ++++ b/policy/modules/admin/sxid.te +@@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t) + + miscfiles_read_localization(sxid_t) + +-mount_exec(sxid_t) +- + sysnet_read_config(sxid_t) + + userdom_dontaudit_use_unpriv_user_fds(sxid_t) + +-cron_system_entry(sxid_t, sxid_exec_t) ++optional_policy(` ++ cron_system_entry(sxid_t, sxid_exec_t) ++') ++ ++optional_policy(` ++ mount_exec(sxid_t) ++') + + optional_policy(` + mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..c59c3cd 100644 +index 6a5004b..9b0f49e 100644 --- a/policy/modules/admin/tmpreaper.te 
+++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -2087,7 +2428,18 @@ index 6a5004b..c59c3cd 100644 files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) -@@ -52,7 +56,9 @@ optional_policy(` +@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t) + miscfiles_read_localization(tmpreaper_t) + miscfiles_delete_man_pages(tmpreaper_t) + +-cron_system_entry(tmpreaper_t, tmpreaper_exec_t) ++optional_policy(` ++ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) ++') + + ifdef(`distro_redhat',` + userdom_list_user_home_content(tmpreaper_t) +@@ -52,7 +58,9 @@ optional_policy(` ') optional_policy(` @@ -2097,7 +2449,7 @@ index 6a5004b..c59c3cd 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,6 +72,14 @@ optional_policy(` +@@ -66,6 +74,14 @@ optional_policy(` ') optional_policy(` @@ -2125,6 +2477,27 @@ index d0f2a64..7df0825 100644 files_search_spool(tzdata_t) fs_getattr_xattr_fs(tzdata_t) +diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te +index 74354da..0852738 100644 +--- a/policy/modules/admin/usbmodules.te ++++ b/policy/modules/admin/usbmodules.te +@@ -34,8 +34,6 @@ init_use_fds(usbmodules_t) + + miscfiles_read_hwdata(usbmodules_t) + +-modutils_read_module_deps(usbmodules_t) +- + userdom_use_user_terminals(usbmodules_t) + + optional_policy(` +@@ -45,3 +43,7 @@ optional_policy(` + optional_policy(` + logging_send_syslog_msg(usbmodules_t) + ') ++ ++optional_policy(` ++ modutils_read_module_deps(usbmodules_t) ++') diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 81fb26f..cd18ca8 100644 --- a/policy/modules/admin/usermanage.if 
@@ -2287,6 +2660,27 @@ index 1f42250..3d36ae2 100644 ######################################## # # awstats cgi script policy +diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te +index 47d81d1..046a9de 100644 +--- a/policy/modules/apps/calamaris.te ++++ b/policy/modules/apps/calamaris.te +@@ -66,8 +66,6 @@ miscfiles_read_localization(calamaris_t) + + userdom_dontaudit_list_user_home_dirs(calamaris_t) + +-squid_read_log(calamaris_t) +- + optional_policy(` + apache_search_sys_content(calamaris_t) + ') +@@ -79,3 +77,7 @@ optional_policy(` + optional_policy(` + mta_send_mail(calamaris_t) + ') ++ ++optional_policy(` ++ squid_read_log(calamaris_t) ++') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 1403835..2e9a72c 100644 --- a/policy/modules/apps/cdrecord.te @@ -2862,10 +3256,10 @@ index 0000000..7fe26f3 +') diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te new file mode 100644 -index 0000000..0bbd523 +index 0000000..f4c2d3f --- /dev/null +++ b/policy/modules/apps/firewallgui.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,74 @@ +policy_module(firewallgui,1.0.0) + +######################################## @@ -2900,7 +3294,6 @@ index 0000000..0bbd523 + +corecmd_exec_shell(firewallgui_t) +corecmd_exec_bin(firewallgui_t) -+consoletype_exec(firewallgui_t) + +dev_read_urand(firewallgui_t) +dev_read_sysfs(firewallgui_t) 
@@ -2912,26 +3305,35 @@ index 0000000..0bbd523 +files_search_kernel_modules(firewallgui_t) +files_list_kernel_modules(firewallgui_t) + -+iptables_domtrans(firewallgui_t) -+iptables_initrc_domtrans(firewallgui_t) -+ -+modutils_getattr_module_deps(firewallgui_t) -+ +miscfiles_read_localization(firewallgui_t) + +userdom_dontaudit_search_user_home_dirs(firewallgui_t) + -+nscd_dontaudit_search_pid(firewallgui_t) -+nscd_socket_use(firewallgui_t) ++optional_policy(` ++ consoletype_exec(firewallgui_t) ++') + +optional_policy(` + gnome_read_gconf_home_files(firewallgui_t) +') + +optional_policy(` -+ policykit_dbus_chat(firewallgui_t) ++ iptables_domtrans(firewallgui_t) ++ iptables_initrc_domtrans(firewallgui_t) ++') ++ ++optional_policy(` ++ modutils_getattr_module_deps(firewallgui_t) ++') ++ ++optional_policy(` ++ nscd_dontaudit_search_pid(firewallgui_t) ++ nscd_socket_use(firewallgui_t) +') + ++optional_policy(` ++ policykit_dbus_chat(firewallgui_t) ++') diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc index 00a19e3..1354800 100644 --- a/policy/modules/apps/gnome.fc @@ -3890,7 +4292,7 @@ index f5afe78..c9d74ee 100644 userdom_search_user_home_dirs($1) ') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..fd62ccc 100644 +index 2505654..2417992 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) @@ -3961,7 +4363,7 @@ index 2505654..fd62ccc 100644 ############################## # # Local Policy -@@ -75,3 +106,149 @@ optional_policy(` +@@ -75,3 +106,151 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') 
@@ -4096,9 +4498,11 @@ index 2505654..fd62ccc 100644 + +miscfiles_read_localization(gkeyringd_domain) + -+xserver_append_xdm_home_files(gkeyringd_domain) -+xserver_read_xdm_home_files(gkeyringd_domain) -+xserver_use_xdm_fds(gkeyringd_domain) ++optional_policy(` ++ xserver_append_xdm_home_files(gkeyringd_domain) ++ xserver_read_xdm_home_files(gkeyringd_domain) ++ xserver_use_xdm_fds(gkeyringd_domain) ++') + +optional_policy(` + gnome_read_home_config(gkeyringd_domain) @@ -4621,7 +5025,7 @@ index 167950d..ef63b20 100644 + ') ') diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te -index f63c4c2..3812a46 100644 +index f63c4c2..bf59895 100644 --- a/policy/modules/apps/kdumpgui.te +++ b/policy/modules/apps/kdumpgui.te @@ -14,6 +14,7 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) @@ -4632,7 +5036,7 @@ index f63c4c2..3812a46 100644 allow kdumpgui_t self:fifo_file rw_fifo_file_perms; allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -33,6 +34,7 @@ files_manage_etc_symlinks(kdumpgui_t) +@@ -33,27 +34,38 @@ files_manage_etc_symlinks(kdumpgui_t) # for blkid.tab files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) @@ -4640,12 +5044,26 @@ index f63c4c2..3812a46 100644 storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) -@@ -50,10 +52,16 @@ miscfiles_read_localization(kdumpgui_t) + + auth_use_nsswitch(kdumpgui_t) + +-consoletype_exec(kdumpgui_t) +- +-kdump_manage_config(kdumpgui_t) +-kdump_initrc_domtrans(kdumpgui_t) +- + logging_send_syslog_msg(kdumpgui_t) + + miscfiles_read_localization(kdumpgui_t) init_dontaudit_read_all_script_files(kdumpgui_t) +userdom_dontaudit_search_admin_dir(kdumpgui_t) + ++optional_policy(` ++ consoletype_exec(kdumpgui_t) ++') ++ optional_policy(` dev_rw_lvm_control(kdumpgui_t) ') 
@@ -4655,6 +5073,11 @@ index f63c4c2..3812a46 100644 +') + +optional_policy(` ++ kdump_manage_config(kdumpgui_t) ++ kdump_initrc_domtrans(kdumpgui_t) ++') ++ ++optional_policy(` policykit_dbus_chat(kdumpgui_t) ') diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if @@ -6920,7 +7343,7 @@ index c605046..97b3df2 100644 +miscfiles_read_localization(rssh_chroot_helper_t) + diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te -index 9ec1478..ceec04a 100644 +index 9ec1478..e3734df 100644 --- a/policy/modules/apps/sambagui.te +++ b/policy/modules/apps/sambagui.te @@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t) 
@@ -6935,25 +7358,48 @@ index 9ec1478..ceec04a 100644 auth_use_nsswitch(sambagui_t) -@@ -39,6 +40,8 @@ miscfiles_read_localization(sambagui_t) +@@ -37,21 +38,32 @@ logging_send_syslog_msg(sambagui_t) + + miscfiles_read_localization(sambagui_t) - nscd_dontaudit_search_pid(sambagui_t) +-nscd_dontaudit_search_pid(sambagui_t) +-# handling with samba conf files +-samba_append_log(sambagui_t) +-samba_manage_config(sambagui_t) +-samba_manage_var_files(sambagui_t) +-samba_read_secrets(sambagui_t) +-samba_initrc_domtrans(sambagui_t) +-samba_domtrans_smbd(sambagui_t) +-samba_domtrans_nmbd(sambagui_t) +userdom_dontaudit_search_admin_dir(sambagui_t) -+ - # handling with samba conf files - samba_append_log(sambagui_t) - samba_manage_config(sambagui_t) -@@ -53,5 +56,9 @@ optional_policy(` + + optional_policy(` + consoletype_exec(sambagui_t) ') optional_policy(` ++ nscd_dontaudit_search_pid(sambagui_t) ++') ++ ++optional_policy(` + gnome_dontaudit_search_config(sambagui_t) +') + +optional_policy(` policykit_dbus_chat(sambagui_t) ') ++ ++optional_policy(` ++ # handling with samba conf files ++ samba_append_log(sambagui_t) ++ samba_manage_config(sambagui_t) ++ samba_manage_var_files(sambagui_t) ++ samba_read_secrets(sambagui_t) ++ samba_initrc_domtrans(sambagui_t) ++ samba_domtrans_smbd(sambagui_t) ++ samba_domtrans_nmbd(sambagui_t) ++') diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc new file mode 100644 index 0000000..6caef63 @@ -7275,10 +7721,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..e6e9f42 +index 0000000..f114a5d --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,465 @@ +@@ -0,0 +1,473 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
@@ -7465,6 +7911,14 @@ index 0000000..e6e9f42 +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; +term_create_pty(sandbox_x_domain,sandbox_devpts_t) + ++can_exec(sandbox_x_domain, sandbox_file_t) ++allow sandbox_x_domain sandbox_file_t:filesystem getattr; ++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++ +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + +files_search_home(sandbox_x_domain) @@ -7799,7 +8253,7 @@ index 320df26..0e4ead0 100644 files_search_tmp($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..7455c19 100644 +index 1dc7a85..787df80 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -53,8 +53,14 @@ interface(`seunshare_run',` @@ -7818,7 +8272,7 @@ index 1dc7a85..7455c19 100644 ## ## ## Role allowed access. -@@ -66,15 +72,28 @@ interface(`seunshare_run',` +@@ -66,15 +72,31 @@ interface(`seunshare_run',` ## ## # @@ -7849,15 +8303,18 @@ index 1dc7a85..7455c19 100644 + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + ++ corecmd_bin_domtrans($1_seunshare_t, $1_t) ++ corecmd_shell_domtrans($1_seunshare_t, $1_t) ++ + ifdef(`hide_broken_symptoms', ` + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..63db4fd 100644 +index 7590165..44aa6d1 100644 --- a/policy/modules/apps/seunshare.te 
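Review bot: The new `can_exec(sandbox_x_domain, sandbox_file_t)` together with `manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)` lets a sandboxed X process write a file into its sandbox area and then execute it, so the write-xor-execute separation for that type is gone; if executable content in the sandbox area is a requirement, a comment saying so would make clear this is intended and that confinement then rests on the remaining sandbox_x_domain rules. Separately, the five new pattern calls end in `;` while `term_create_pty(sandbox_x_domain,sandbox_devpts_t)` just above and the other macro calls in this hunk do not; dropping the trailing semicolons keeps the style consistent.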
+++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,48 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -7871,7 +8328,7 @@ index 7590165..63db4fd 100644 # # seunshare local policy # -+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice }; ++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; @@ -7894,6 +8351,7 @@ index 7590165..63db4fd 100644 +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) +files_manage_generic_tmp_dirs(seunshare_domain) ++files_relabelfrom_tmp_dirs(seunshare_domain) -auth_use_nsswitch(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) @@ -7907,9 +8365,9 @@ index 7590165..63db4fd 100644 -userdom_use_user_terminals(seunshare_t) +miscfiles_read_localization(seunshare_domain) -+ -+userdom_use_user_terminals(seunshare_domain) ++userdom_use_user_terminals(seunshare_domain) ++userdom_list_user_home_content(seunshare_domain) ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) @@ -9881,7 +10339,7 @@ index aad8c52..6ac24b0 100644 + dontaudit $1 domain:socket_class_set { read write }; +') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index bc534c1..2a6b5e1 100644 +index bc534c1..b70ea07 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0) 
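Review bot: The added `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` make `$1_seunshare_t` transition back to the caller's full domain `$1_t` whenever it executes a bin_t or shell binary, so only executables that transition to `$3` end up confined; a comment explaining when seunshare runs a command in the caller's own domain (presumably the case where no sandbox type is requested) would document that this is intended rather than a way around the sandbox. The enclosing interface starts outside this hunk, so I cannot confirm what `$3` is bound to.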
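Review bot: `setgid` is added to the `seunshare_domain` capability set in this hunk but neither the commit message nor a comment says why seunshare now needs to change group IDs; a short comment on the allow line, e.g. `# setgid: needed to switch to the caller's groups before exec — confirm`, would preserve the reasoning. The hunk also adds `files_relabelfrom_tmp_dirs(seunshare_domain)` and `userdom_list_user_home_content(seunshare_domain)` without explanation, so the same comment could cover all three.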
@@ -9974,7 +10432,7 @@ index bc534c1..2a6b5e1 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,85 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -9983,10 +10441,14 @@ index bc534c1..2a6b5e1 100644 +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) + -+seutil_dontaudit_read_config(domain) ++optional_policy(` ++ seutil_dontaudit_read_config(domain) ++') + -+init_sigchld(domain) -+init_signull(domain) ++optional_policy(` ++ init_sigchld(domain) ++ init_signull(domain) ++') + +ifdef(`distro_redhat',` + files_search_mnt(domain) @@ -11415,7 +11877,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..c19e896 100644 +index dfe361a..fbbd1ce 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -11531,10 +11993,28 @@ index dfe361a..c19e896 100644 ## Create, read, write, and delete all noxattrfs directories. ## ## -@@ -1088,6 +1133,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## ++## Read/Write all inherited noxattrfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_noxattr_fs_files',` ++ gen_require(` ++ attribute noxattrfs; ++ ') ++ ++ allow $1 noxattrfs:file rw_inherited_file_perms; ++') ++ ++######################################## ++## +## Do not audit read all noxattrfs files. +## +## 
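Review bot: The new `fs_rw_inherited_noxattr_fs_files` interface grants `rw_inherited_file_perms`, which unlike `rw_file_perms` does not include `open`, so a caller can only use descriptors handed to it and cannot reach new files on a noxattr filesystem; that restriction is the whole point of the interface, but the summary `## Read/Write all inherited noxattrfs files.` does not say so. Suggest `## Read and write noxattrfs files already opened by another domain and inherited as file descriptors; no open permission is granted.` as the summary. The same wording gap applies to `fs_rw_inherited_cifs_files` and `fs_rw_inherited_nfs_files` added further down in this file.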
@@ -11556,7 +12036,7 @@ index dfe361a..c19e896 100644 ## Dont audit attempts to write to noxattrfs files. ## ## -@@ -1227,6 +1290,24 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -11564,7 +12044,7 @@ index dfe361a..c19e896 100644 +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# @@ -11578,10 +12058,28 @@ index dfe361a..c19e896 100644 + +######################################## +## ++## Read/Write inherited files on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1322,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -11590,7 +12088,7 @@ index dfe361a..c19e896 100644 ') ######################################## -@@ -1504,6 +1585,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -11616,7 +12114,7 @@ index dfe361a..c19e896 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1659,6 +1759,25 @@ interface(`fs_search_dos',` +@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',` ######################################## ## @@ -11642,7 +12140,7 @@ index dfe361a..c19e896 100644 ## Create, read, write, and delete dirs ## on a DOS filesystem. ## -@@ -1892,6 +2011,26 @@ interface(`fs_manage_fusefs_files',` +@@ -1892,6 +2047,26 @@ interface(`fs_manage_fusefs_files',` ######################################## ## 
@@ -11669,7 +12167,7 @@ index dfe361a..c19e896 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. -@@ -1931,7 +2070,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +2106,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -11697,7 +12195,7 @@ index dfe361a..c19e896 100644 ## ## ## -@@ -1946,6 +2104,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2140,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -11739,7 +12237,7 @@ index dfe361a..c19e896 100644 ######################################## ## -@@ -1999,6 +2192,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2228,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -11747,7 +12245,7 @@ index dfe361a..c19e896 100644 ') ######################################## -@@ -2331,6 +2525,7 @@ interface(`fs_read_nfs_files',` +@@ -2331,6 +2561,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -11755,7 +12253,7 @@ index dfe361a..c19e896 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2564,7 @@ interface(`fs_write_nfs_files',` +@@ -2369,6 +2600,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -11763,7 +12261,7 @@ index dfe361a..c19e896 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2591,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2627,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -11789,7 +12287,7 @@ index dfe361a..c19e896 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2650,24 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2686,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -11797,7 +12295,7 @@ index dfe361a..c19e896 100644 +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# 
@@ -11811,10 +12309,28 @@ index dfe361a..c19e896 100644 + +######################################## +## ++## Read/write inherited files on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2682,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2736,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -11823,7 +12339,7 @@ index dfe361a..c19e896 100644 ') ######################################## -@@ -2637,6 +2870,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2924,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -11848,7 +12364,7 @@ index dfe361a..c19e896 100644 ## Read removable storage symbolic links. ## ## -@@ -2653,6 +2904,25 @@ interface(`fs_read_removable_symlinks',` +@@ -2653,6 +2958,25 @@ interface(`fs_read_removable_symlinks',` read_lnk_files_pattern($1, removable_t, removable_t) ') @@ -11874,7 +12390,7 @@ index dfe361a..c19e896 100644 ######################################## ## ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3049,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2779,6 +3103,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -11882,7 +12398,7 @@ index dfe361a..c19e896 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3090,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3144,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') 
@@ -11890,7 +12406,7 @@ index dfe361a..c19e896 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3117,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3171,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -11899,7 +12415,7 @@ index dfe361a..c19e896 100644 ## ## ## -@@ -2859,6 +3131,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3185,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -11907,7 +12423,7 @@ index dfe361a..c19e896 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3989,6 +4262,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4316,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -11950,7 +12466,7 @@ index dfe361a..c19e896 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4580,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4634,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -11959,7 +12475,7 @@ index dfe361a..c19e896 100644 ') ######################################## -@@ -4681,3 +4992,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5046,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -12228,7 +12744,7 @@ index 069d36c..adaabf4 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5001b89..d513268 100644 +index 5001b89..160976e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -12258,7 +12774,7 @@ index 5001b89..d513268 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +272,31 @@ files_list_root(kernel_t) +@@ -268,19 +272,28 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
@@ -12277,20 +12793,29 @@ index 5001b89..d513268 100644 mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) -+ -+logging_manage_generic_logs(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 fs_rw_tmpfs_chr_files(kernel_t) ') -+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + optional_policy(` hotplug_search_config(kernel_t) ') -@@ -357,6 +373,10 @@ optional_policy(` +@@ -296,6 +309,11 @@ optional_policy(` + + optional_policy(` + logging_send_syslog_msg(kernel_t) ++ logging_manage_generic_logs(kernel_t) ++') ++ ++optional_policy(` ++ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + ') + + optional_policy(` +@@ -357,6 +375,10 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -12794,10 +13319,10 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..62c9b17 100644 +index 2be17d2..e4d46e9 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,56 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) @@ -12835,14 +13360,6 @@ index 2be17d2..62c9b17 100644 + +miscfiles_read_hwdata(staff_usertype) + -+modutils_read_module_config(staff_usertype) -+modutils_read_module_deps(staff_usertype) -+ -+netutils_run_ping(staff_t, staff_r) -+netutils_run_traceroute(staff_t, staff_r) -+netutils_signal_ping(staff_t) -+netutils_kill_ping(staff_t) -+ +ifndef(`enable_mls',` + selinux_read_policy(staff_t) +') @@ -12854,7 +13371,7 @@ index 2be17d2..62c9b17 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +71,118 @@ optional_policy(` +@@ -27,25 +63,130 @@ optional_policy(` ') optional_policy(` 
@@ -12897,6 +13414,18 @@ index 2be17d2..62c9b17 100644 +') + +optional_policy(` ++ modutils_read_module_config(staff_usertype) ++ modutils_read_module_deps(staff_usertype) ++') ++ ++optional_policy(` ++ netutils_run_ping(staff_t, staff_r) ++ netutils_run_traceroute(staff_t, staff_r) ++ netutils_signal_ping(staff_t) ++ netutils_kill_ping(staff_t) ++') ++ ++optional_policy(` + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) +') @@ -12975,7 +13504,7 @@ index 2be17d2..62c9b17 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +226,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +230,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -12986,7 +13515,7 @@ index 2be17d2..62c9b17 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +270,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +274,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -12997,7 +13526,7 @@ index 2be17d2..62c9b17 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +301,8 @@ ifndef(`distro_redhat',` +@@ -172,3 +305,8 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -13007,10 +13536,10 @@ index 2be17d2..62c9b17 100644 +') + diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..8839731 100644 +index 4a8d146..d721e34 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -24,20 +24,41 @@ ifndef(`enable_mls',` +@@ -24,20 +24,40 @@ ifndef(`enable_mls',` # # Local policy # @@ -13037,7 +13566,6 @@ index 4a8d146..8839731 100644 +init_dbus_chat(sysadm_t) +init_script_role_transition(sysadm_r) + -+modutils_read_module_deps(sysadm_t) + +miscfiles_read_hwdata(sysadm_t) @@ -13052,7 +13580,7 @@ index 4a8d146..8839731 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +76,7 @@ ifndef(`enable_mls',` +@@ -55,6 +75,7 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) 
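Review bot: Removing `modutils_read_module_deps(sysadm_t)` in the sysadm.te hunk leaves two consecutive blank lines between `init_script_role_transition(sysadm_r)` and `miscfiles_read_hwdata(sysadm_t)` on the new side, because both `+` blank lines around the removed call survive. One of the two blank lines should be dropped along with the call so the file keeps its single-blank-line spacing.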
@@ -13060,7 +13588,7 @@ index 4a8d146..8839731 100644 ') tunable_policy(`allow_ptrace',` -@@ -69,7 +91,6 @@ optional_policy(` +@@ -69,7 +90,6 @@ optional_policy(` apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -13068,7 +13596,7 @@ index 4a8d146..8839731 100644 ') optional_policy(` -@@ -98,6 +119,10 @@ optional_policy(` +@@ -98,6 +118,10 @@ optional_policy(` ') optional_policy(` @@ -13079,7 +13607,7 @@ index 4a8d146..8839731 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -114,7 +139,7 @@ optional_policy(` +@@ -114,7 +138,7 @@ optional_policy(` ') optional_policy(` @@ -13088,7 +13616,7 @@ index 4a8d146..8839731 100644 ') optional_policy(` -@@ -124,6 +149,10 @@ optional_policy(` +@@ -124,6 +148,10 @@ optional_policy(` ') optional_policy(` @@ -13099,7 +13627,7 @@ index 4a8d146..8839731 100644 ddcprobe_run(sysadm_t, sysadm_r) ') -@@ -163,6 +192,13 @@ optional_policy(` +@@ -163,6 +191,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -13113,7 +13641,7 @@ index 4a8d146..8839731 100644 ') optional_policy(` -@@ -170,15 +206,15 @@ optional_policy(` +@@ -170,15 +205,15 @@ optional_policy(` ') optional_policy(` @@ -13132,7 +13660,12 @@ index 4a8d146..8839731 100644 ') optional_policy(` -@@ -202,14 +238,7 @@ optional_policy(` +@@ -198,18 +233,12 @@ optional_policy(` + modutils_run_depmod(sysadm_t, sysadm_r) + modutils_run_insmod(sysadm_t, sysadm_r) + modutils_run_update_mods(sysadm_t, sysadm_r) ++ modutils_read_module_deps(sysadm_t) + ') optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -14048,10 +14581,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..daf56b2 +index 0000000..77c513d --- /dev/null 
+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,497 @@ +@@ -0,0 +1,499 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -14153,9 +14686,11 @@ index 0000000..daf56b2 +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + -+mount_run_unconfined(unconfined_t, unconfined_r) -+# Unconfined running as system_r -+mount_domtrans_unconfined(unconfined_t) ++optional_policy(` ++ mount_run_unconfined(unconfined_t, unconfined_r) ++ # Unconfined running as system_r ++ mount_domtrans_unconfined(unconfined_t) ++') + +seutil_run_setsebool(unconfined_t, unconfined_r) +seutil_run_setfiles(unconfined_t, unconfined_r) @@ -14655,7 +15190,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..06b0e48 100644 +index e88b95f..9d37855 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -14689,12 +15224,14 @@ index e88b95f..06b0e48 100644 ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) -@@ -48,12 +48,21 @@ ifndef(`enable_mls',` - storage_raw_read_removable_device(xguest_t) +@@ -49,11 +49,23 @@ ifndef(`enable_mls',` ') ') -+# Dontaudit fusermount -+mount_dontaudit_exec_fusermount(xguest_t) + ++optional_policy(` ++ # Dontaudit fusermount ++ mount_dontaudit_exec_fusermount(xguest_t) ++') + +allow xguest_t self:process execmem; +kernel_dontaudit_request_load_module(xguest_t) @@ -14702,7 +15239,7 @@ index e88b95f..06b0e48 100644 +tunable_policy(`allow_execstack',` + allow xguest_t self:process execstack; +') - ++ # Allow mounting of file systems optional_policy(` tunable_policy(`xguest_mount_media',` 
@@ -14712,7 +15249,7 @@ index e88b95f..06b0e48 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -62,10 +71,9 @@ optional_policy(` +@@ -62,10 +74,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -14724,14 +15261,13 @@ index e88b95f..06b0e48 100644 ') ') -@@ -76,23 +84,99 @@ optional_policy(` +@@ -76,23 +87,98 @@ optional_policy(` ') optional_policy(` + chrome_role(xguest_r, xguest_usertype) +') + -+ +optional_policy(` hal_dbus_chat(xguest_t) ') @@ -14755,18 +15291,18 @@ index e88b95f..06b0e48 100644 + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) ++ mozilla_run_plugin(xguest_t, xguest_r) +') + +optional_policy(` -+ mozilla_run_plugin(xguest_t, xguest_r) ++ nsplugin_role(xguest_r, xguest_t) +') + +optional_policy(` -+ nsplugin_role(xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) + pcscd_read_pub_files(xguest_usertype) + pcscd_stream_connect(xguest_usertype) ') @@ -15364,10 +15900,10 @@ index 0000000..6bf0ad6 +') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te new file mode 100644 -index 0000000..4b9dc88 +index 0000000..dda9c93 --- /dev/null +++ b/policy/modules/services/aiccu.te -@@ -0,0 +1,71 @@ +@@ -0,0 +1,75 @@ +policy_module(aiccu, 1.0.0) + +######################################## @@ -15435,10 +15971,14 @@ index 0000000..4b9dc88 + +miscfiles_read_localization(aiccu_t) + -+modutils_domtrans_insmod(aiccu_t) ++optional_policy(` ++ modutils_domtrans_insmod(aiccu_t) ++') + -+sysnet_domtrans_ifconfig(aiccu_t) -+sysnet_dns_name_resolve(aiccu_t) ++optional_policy(` ++ sysnet_domtrans_ifconfig(aiccu_t) ++ sysnet_dns_name_resolve(aiccu_t) ++') diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if index 838d25b..0b0db39 100644 --- a/policy/modules/services/aide.if 
@@ -15678,7 +16218,7 @@ index ceb2142..e31d92a 100644 ') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index c3a1903..0140399 100644 +index c3a1903..19fb14a 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -47,7 +47,7 @@ files_type(amavis_spool_t) @@ -15716,10 +16256,39 @@ index c3a1903..0140399 100644 corenet_all_recvfrom_unlabeled(amavis_t) corenet_all_recvfrom_netlabel(amavis_t) -@@ -170,6 +171,10 @@ optional_policy(` +@@ -152,24 +153,32 @@ sysnet_use_ldap(amavis_t) + + userdom_dontaudit_search_user_home_dirs(amavis_t) + +-# Cron handling +-cron_use_fds(amavis_t) +-cron_use_system_job_fds(amavis_t) +-cron_rw_pipes(amavis_t) +- +-mta_read_config(amavis_t) +- + optional_policy(` + clamav_stream_connect(amavis_t) + clamav_domtrans_clamscan(amavis_t) ') optional_policy(` ++ #Cron handling ++ cron_use_fds(amavis_t) ++ cron_use_system_job_fds(amavis_t) ++ cron_rw_pipes(amavis_t) ++') ++ ++optional_policy(` + dcc_domtrans_client(amavis_t) + dcc_stream_connect_dccifd(amavis_t) + ') + + optional_policy(` ++ mta_read_config(amavis_t) ++') ++ ++optional_policy(` + nslcd_stream_connect(amavis_t) +') + @@ -17320,7 +17889,7 @@ index 1ea99b2..49e6c74 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..5fbd9b3 100644 +index 1c8c27e..ca71f13 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) 
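Review bot: The relocated comment in the amavis.te hunk is written `#Cron handling` while the line it replaces read `# Cron handling`; the space after `#` should be restored to match the rest of the file. The moved cron, mta and nslcd blocks otherwise keep the alphabetical `optional_policy` ordering (clamav, cron, dcc, mta, nslcd), so only the comment needs touching.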
@@ -17348,7 +17917,17 @@ index 1c8c27e..5fbd9b3 100644 dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -142,9 +146,8 @@ ifdef(`distro_redhat',` +@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t) + miscfiles_read_localization(apmd_t) + miscfiles_read_hwdata(apmd_t) + +-modutils_domtrans_insmod(apmd_t) +-modutils_read_module_config(apmd_t) +- + seutil_dontaudit_read_config(apmd_t) + + userdom_dontaudit_use_unpriv_user_fds(apmd_t) +@@ -142,9 +143,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) @@ -17359,7 +17938,7 @@ index 1c8c27e..5fbd9b3 100644 ') optional_policy(` -@@ -155,6 +158,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +155,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') @@ -17375,6 +17954,18 @@ index 1c8c27e..5fbd9b3 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) +@@ -205,6 +214,11 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_insmod(apmd_t) ++ modutils_read_module_config(apmd_t) ++') ++ ++optional_policy(` + pcmcia_domtrans_cardmgr(apmd_t) + pcmcia_domtrans_cardctl(apmd_t) + ') diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if index c804110..bdefbe1 100644 --- a/policy/modules/services/arpwatch.if @@ -17482,17 +18073,33 @@ index d80a16b..a43e006 100644 init_labeled_script_domtrans($1, automount_initrc_exec_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te -index 39799db..6189565 100644 +index 39799db..d174b05 100644 --- a/policy/modules/services/automount.te 
+++ b/policy/modules/services/automount.te -@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t) +@@ -143,9 +143,6 @@ logging_search_logs(automount_t) + miscfiles_read_localization(automount_t) + miscfiles_read_generic_certs(automount_t) - # Run mount in the mount_t domain. - mount_domtrans(automount_t) -+mount_domtrans_showmount(automount_t) - mount_signal(automount_t) +-# Run mount in the mount_t domain. +-mount_domtrans(automount_t) +-mount_signal(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) + userdom_dontaudit_search_user_home_dirs(automount_t) +@@ -155,6 +152,13 @@ optional_policy(` + ') + + optional_policy(` ++ # Run mount in the mount_t domain. ++ mount_domtrans(automount_t) ++ mount_domtrans_showmount(automount_t) ++ mount_signal(automount_t) ++') ++ ++optional_policy(` + fstools_domtrans(automount_t) + ') + diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index 61c74bc..c6b0498 100644 --- a/policy/modules/services/avahi.if @@ -18329,10 +18936,10 @@ index 0000000..3964548 +') diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te new file mode 100644 -index 0000000..c63c8fa +index 0000000..b73c9f2 --- /dev/null +++ b/policy/modules/services/bugzilla.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ +policy_module(bugzilla, 1.0) + +######################################## @@ -18375,12 +18982,14 @@ index 0000000..c63c8fa + +files_search_var_lib(httpd_bugzilla_script_t) + -+mta_send_mail(httpd_bugzilla_script_t) -+ +sysnet_read_config(httpd_bugzilla_script_t) +sysnet_use_ldap(httpd_bugzilla_script_t) + +optional_policy(` ++ mta_send_mail(httpd_bugzilla_script_t) ++') ++ ++optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) +') @@ -18466,10 +19075,10 @@ index 0000000..3b41945 +') 
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te new file mode 100644 -index 0000000..575c16e +index 0000000..e7d2a5b --- /dev/null +++ b/policy/modules/services/cachefilesd.te -@@ -0,0 +1,143 @@ +@@ -0,0 +1,145 @@ +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. @@ -18535,7 +19144,9 @@ index 0000000..575c16e +# +# Permit RPM to deal with files in the cache +# -+rpm_use_script_fds(cachefilesd_t) ++optional_policy(` ++ rpm_use_script_fds(cachefilesd_t) ++') + +############################################################################### +# @@ -19231,7 +19842,7 @@ index 1f11572..7f6a7ab 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..f1571f1 100644 +index f758323..f2f0739 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ @@ -19276,7 +19887,29 @@ index f758323..f1571f1 100644 kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) -@@ -147,8 +151,10 @@ optional_policy(` +@@ -127,12 +131,16 @@ logging_send_syslog_msg(clamd_t) + + miscfiles_read_localization(clamd_t) + +-cron_use_fds(clamd_t) +-cron_use_system_job_fds(clamd_t) +-cron_rw_pipes(clamd_t) ++optional_policy(` ++ cron_use_fds(clamd_t) ++ cron_use_system_job_fds(clamd_t) ++ cron_rw_pipes(clamd_t) ++') + +-mta_read_config(clamd_t) +-mta_send_mail(clamd_t) ++optional_policy(` ++ mta_read_config(clamd_t) ++ mta_send_mail(clamd_t) ++') + + optional_policy(` + amavis_read_lib_files(clamd_t) +@@ -147,8 +155,10 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; 
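Review bot: In the clamav.te hunk the new `optional_policy` blocks wrapping the cron calls and `mta_read_config(clamd_t)`/`mta_send_mail(clamd_t)` are placed before the existing block holding `amavis_read_lib_files(clamd_t)`, which presumably breaks the alphabetical ordering of optional blocks that the amavis.te and apm.te hunks in this same patch follow; moving both new blocks below the amavis block would match. The same placement recurs in the later clamscan_t hunk, where the mta block lands ahead of `amavis_read_spool_files(clamscan_t)`.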
@@ -19288,7 +19921,7 @@ index f758323..f1571f1 100644 ') ######################################## -@@ -178,10 +184,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +188,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -19307,7 +19940,7 @@ index f758323..f1571f1 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +201,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +205,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -19315,7 +19948,7 @@ index f758323..f1571f1 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +220,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +224,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -19338,7 +19971,7 @@ index f758323..f1571f1 100644 ######################################## # # clamscam local policy -@@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) +@@ -248,9 +267,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) corenet_tcp_sendrecv_generic_node(clamscan_t) corenet_tcp_sendrecv_all_ports(clamscan_t) corenet_tcp_sendrecv_clamd_port(clamscan_t) 
@@ -19350,13 +19983,17 @@ index f758323..f1571f1 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,7 +285,12 @@ miscfiles_read_public_files(clamscan_t) + clamav_stream_connect(clamscan_t) - mta_send_mail(clamscan_t) -+mta_read_queue(clamscan_t) -+ +-mta_send_mail(clamscan_t) +sysnet_read_config(clamscan_t) ++ ++optional_policy(` ++ mta_send_mail(clamscan_t) ++ mta_read_queue(clamscan_t) ++') optional_policy(` amavis_read_spool_files(clamscan_t) @@ -20139,7 +20776,7 @@ index 42c6bd7..8f23087 100644 + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te -index daf151d..16c0746 100644 +index daf151d..070e4cc 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t) @@ -20152,7 +20789,7 @@ index daf151d..16c0746 100644 ######################################## # # consolekit local policy -@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t) +@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) @@ -20162,8 +20799,12 @@ index daf151d..16c0746 100644 +userdom_dontaudit_getattr_admin_home_files(consolekit_t) userdom_read_user_tmp_files(consolekit_t) - hal_ptrace(consolekit_t) -@@ -83,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',` +-hal_ptrace(consolekit_t) +- + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(consolekit_t) + ') +@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -20171,10 +20812,14 @@ index daf151d..16c0746 100644 +') + +optional_policy(` ++ hal_ptrace(consolekit_t) ++') ++ ++optional_policy(` dbus_system_domain(consolekit_t, consolekit_exec_t) optional_policy(` -@@ -99,6 +109,10 @@ optional_policy(` +@@ -99,6 +111,10 @@ optional_policy(` ') optional_policy(` 
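Review bot: `hal_ptrace(consolekit_t)` is moved into its own `optional_policy` block unchanged and still without a comment, although the interface presumably grants `process:ptrace` over the hal daemon, which lets consolekit inspect another system service; now that the line is being touched, a why-comment such as `# ptrace on hal: TODO record which ConsoleKit code path needs this` would give a later reader something to retire the rule against. The new block is also inserted ahead of the `dbus_system_domain(consolekit_t, consolekit_exec_t)` block, which presumably puts it out of the alphabetical order used for optional blocks elsewhere in this patch.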
@@ -20185,7 +20830,7 @@ index daf151d..16c0746 100644 policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) -@@ -106,9 +120,10 @@ optional_policy(` +@@ -106,9 +122,10 @@ optional_policy(` ') optional_policy(` @@ -20198,7 +20843,7 @@ index daf151d..16c0746 100644 xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -125,5 +140,6 @@ optional_policy(` +@@ -125,5 +142,6 @@ optional_policy(` optional_policy(` #reading .Xauthity @@ -21230,7 +21875,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..cf33683 100644 +index 0f28095..1c96265 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -21281,7 +21926,20 @@ index 0f28095..cf33683 100644 kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) -@@ -297,8 +301,10 @@ optional_policy(` +@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t) + userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + +-# Write to /var/spool/cups. +-lpd_manage_spool(cupsd_t) +-lpd_read_config(cupsd_t) +-lpd_exec_lpr(cupsd_t) +-lpd_relabel_spool(cupsd_t) +- + optional_policy(` + apm_domtrans_client(cupsd_t) + ') +@@ -297,8 +295,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') 
@@ -21292,7 +21950,22 @@ index 0f28095..cf33683 100644 ') ') -@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -315,6 +315,14 @@ optional_policy(` + ') + + optional_policy(` ++ # Write to /var/spool/cups. ++ lpd_manage_spool(cupsd_t) ++ lpd_read_config(cupsd_t) ++ lpd_exec_lpr(cupsd_t) ++ lpd_relabel_spool(cupsd_t) ++') ++ ++optional_policy(` + mta_send_mail(cupsd_t) + ') + +@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -21303,7 +21976,7 @@ index 0f28095..cf33683 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -21311,6 +21984,11 @@ index 0f28095..cf33683 100644 cups_stream_connect(cupsd_config_t) +-lpd_read_config(cupsd_config_t) +- + ifdef(`distro_redhat',` + optional_policy(` + rpm_read_db(cupsd_config_t) @@ -453,6 +461,10 @@ optional_policy(` ') @@ -21322,7 +22000,18 @@ index 0f28095..cf33683 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -587,14 +599,16 @@ auth_use_nsswitch(cups_pdf_t) +@@ -467,6 +479,10 @@ optional_policy(` + ') + + optional_policy(` ++ lpd_read_config(cupsd_config_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(cupsd_config_t) + userdom_read_all_users_state(cupsd_config_t) + ') +@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) 
@@ -21334,13 +22023,15 @@ index 0f28095..cf33683 100644 userdom_manage_user_home_content_files(cups_pdf_t) +userdom_dontaudit_search_admin_dir(cups_pdf_t) - lpd_manage_spool(cups_pdf_t) - +-lpd_manage_spool(cups_pdf_t) - ++optional_policy(` ++ lpd_manage_spool(cups_pdf_t) ++') + tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) - fs_manage_nfs_dirs(cups_pdf_t) -@@ -606,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -21351,7 +22042,7 @@ index 0f28095..cf33683 100644 ######################################## # # HPLIP local policy -@@ -639,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -21360,7 +22051,7 @@ index 0f28095..cf33683 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -21368,6 +22059,19 @@ index 0f28095..cf33683 100644 logging_send_syslog_msg(hplip_t) +@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) + userdom_dontaudit_search_user_home_dirs(hplip_t) + userdom_dontaudit_search_user_home_content(hplip_t) + +-lpd_read_config(hplip_t) +-lpd_manage_spool(hplip_t) ++optional_policy(` ++ lpd_read_config(hplip_t) ++ lpd_manage_spool(hplip_t) ++') + + optional_policy(` + dbus_system_bus_client(hplip_t) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if index c43ff4c..a9783e3 100644 --- a/policy/modules/services/cvs.if 
@@ -22145,7 +22849,7 @@ index f706b99..22b862e 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..10c33ed 100644 +index f231f17..0d11034 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -22190,7 +22894,7 @@ index f231f17..10c33ed 100644 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) -@@ -178,25 +186,47 @@ optional_policy(` +@@ -178,33 +186,53 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -22239,7 +22943,15 @@ index f231f17..10c33ed 100644 kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) -@@ -212,12 +242,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) + corecmd_exec_bin(devicekit_power_t) + corecmd_exec_shell(devicekit_power_t) + +-consoletype_exec(devicekit_power_t) +- + domain_read_all_domains_state(devicekit_power_t) + + dev_read_input(devicekit_power_t) +@@ -212,12 +240,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -22256,18 +22968,25 @@ index f231f17..10c33ed 100644 term_use_all_terms(devicekit_power_t) -@@ -225,8 +259,11 @@ auth_use_nsswitch(devicekit_power_t) +@@ -227,6 +259,7 @@ miscfiles_read_localization(devicekit_power_t) - miscfiles_read_localization(devicekit_power_t) - -+modutils_domtrans_insmod(devicekit_power_t) -+ sysnet_read_config(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) +sysnet_domtrans_dhcpc(devicekit_power_t) userdom_read_all_users_state(devicekit_power_t) +@@ -235,6 +268,10 @@ optional_policy(` + ') + + optional_policy(` ++ consoletype_exec(devicekit_power_t) ++') ++ ++optional_policy(` + cron_initrc_domtrans(devicekit_power_t) + ') + @@ -261,14 +298,21 @@ optional_policy(` ') 
@@ -22291,10 +23010,14 @@ index f231f17..10c33ed 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +320,21 @@ optional_policy(` +@@ -276,9 +320,25 @@ optional_policy(` ') optional_policy(` ++ modutils_domtrans_insmod(devicekit_power_t) ++') ++ ++optional_policy(` + mount_domtrans(devicekit_power_t) +') + @@ -22494,10 +23217,10 @@ index 0000000..60c81d6 +') diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te new file mode 100644 -index 0000000..b4d0dd0 +index 0000000..b7fc006 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.te -@@ -0,0 +1,95 @@ +@@ -0,0 +1,100 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## @@ -22545,8 +23268,10 @@ index 0000000..b4d0dd0 +# Needed for stop and restart scripts +dirsrv_read_var_run(dirsrvadmin_t) + -+apache_domtrans(dirsrvadmin_t) -+apache_signal(dirsrvadmin_t) ++optional_policy(` ++ apache_domtrans(dirsrvadmin_t) ++ apache_signal(dirsrvadmin_t) ++') + +######################################## +# 
@@ -22555,44 +23280,47 @@ index 0000000..b4d0dd0 +# +# +# Create a domain for the CGI scripts -+apache_content_template(dirsrvadmin) -+ -+allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; -+allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; -+allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; -+allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; -+allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; -+allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; -+allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; -+ -+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) -+ -+corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t) -+corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) -+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) -+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) -+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) -+ -+files_search_var_lib(httpd_dirsrvadmin_script_t) -+ -+sysnet_read_config(httpd_dirsrvadmin_script_t) -+ -+manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) -+ -+# The CGI scripts must be able to manage dirsrv-admin -+dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) -+dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) -+dirsrv_domtrans(httpd_dirsrvadmin_script_t) -+dirsrv_signal(httpd_dirsrvadmin_script_t) -+dirsrv_signull(httpd_dirsrvadmin_script_t) -+dirsrv_manage_log(httpd_dirsrvadmin_script_t) -+dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) -+dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) -+dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) 
-+dirsrv_manage_config(httpd_dirsrvadmin_script_t) -+dirsrv_read_share(httpd_dirsrvadmin_script_t) ++ ++optional_policy(` ++ apache_content_template(dirsrvadmin) ++ ++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; ++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; ++ ++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) ++ ++ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t) ++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) ++ ++ files_search_var_lib(httpd_dirsrvadmin_script_t) ++ ++ sysnet_read_config(httpd_dirsrvadmin_script_t) ++ ++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) ++ ++ # The CGI scripts must be able to manage dirsrv-admin ++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) ++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) ++ dirsrv_domtrans(httpd_dirsrvadmin_script_t) ++ dirsrv_signal(httpd_dirsrvadmin_script_t) ++ dirsrv_signull(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_log(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) ++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) ++ 
dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_config(httpd_dirsrvadmin_script_t) ++ dirsrv_read_share(httpd_dirsrvadmin_script_t) ++') diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc new file mode 100644 index 0000000..3aae725 @@ -24182,7 +24910,7 @@ index 69dcd2a..a9a9116 100644 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..eca06f7 100644 +index 8a74a83..826e699 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -24284,7 +25012,7 @@ index 8a74a83..eca06f7 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -316,6 +338,23 @@ optional_policy(` +@@ -316,6 +338,25 @@ optional_policy(` ') optional_policy(` @@ -24299,16 +25027,18 @@ index 8a74a83..eca06f7 100644 + ') +') + -+tunable_policy(`ftpd_connect_db',` -+ mysql_tcp_connect(ftpd_t) -+ postgresql_tcp_connect(ftpd_t) ++optional_policy(` ++ tunable_policy(`ftpd_connect_db',` ++ mysql_tcp_connect(ftpd_t) ++ postgresql_tcp_connect(ftpd_t) ++ ') +') + +optional_policy(` inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -347,10 +386,11 @@ optional_policy(` +@@ -347,10 +388,11 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -24321,7 +25051,7 @@ index 8a74a83..eca06f7 100644 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) # Allow ftpdctl to read config files -@@ -368,15 +408,28 @@ files_read_etc_files(sftpd_t) +@@ -368,15 +410,28 @@ files_read_etc_files(sftpd_t) # allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) 
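Review bot: The capability rule moved into the new optional_policy block, `allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };`, carries no comment explaining why a web-reachable CGI script domain needs dac_override and dac_read_search, which let it bypass DAC file permissions entirely. Each of those, and kill, deserves a one-line why-comment naming the operation that requires it, of the form `# dac_override, dac_read_search: required by <CGI operation - to be named>`, since dac_override in particular is often a symptom of a file ownership mismatch that the package could fix instead. Wrapping the whole CGI block in optional_policy is right, because `apache_content_template(dirsrvadmin)` is what declares httpd_dirsrvadmin_script_t; the declaration of dirsrvadmin_tmp_t used inside the block is outside the hunk.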
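Review bot: In the new `ftpd_connect_db` block, `mysql_tcp_connect(ftpd_t)` and `postgresql_tcp_connect(ftpd_t)` share a single optional_policy, so if either the mysql or the postgresql module is absent the whole block fails to link and the boolean silently stops working for the database module that is present. Split it into two optional_policy blocks, each wrapping its own `tunable_policy(`ftpd_connect_db',` call `')`, in the same way the following `inetd` block isolates a single module. The failure mode is fail-closed (AVC denials rather than extra access), but it is the kind of silent breakage that only shows up as unexplained denials on a deployed host.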
@@ -25169,10 +25899,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..74db53c 100644 +index 4fde46b..f757926 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,11 +15,14 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,19 +15,20 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -25188,7 +25918,23 @@ index 4fde46b..74db53c 100644 files_read_etc_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) -@@ -39,6 +42,15 @@ optional_policy(` + + auth_use_nsswitch(gnomeclock_t) + +-clock_domtrans(gnomeclock_t) +- + miscfiles_read_localization(gnomeclock_t) + miscfiles_manage_localization(gnomeclock_t) + miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +36,23 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) + userdom_read_all_users_state(gnomeclock_t) + + optional_policy(` ++ clock_domtrans(gnomeclock_t) ++') ++ ++optional_policy(` + consolekit_dbus_chat(gnomeclock_t) ') optional_policy(` 
@@ -25289,6 +26035,30 @@ index 03742d8..2a87d1e 100644 dbus_system_bus_client(gpsd_t) ') +diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if +index 2d0b4e1..804d347 100644 +--- a/policy/modules/services/hadoop.if ++++ b/policy/modules/services/hadoop.if +@@ -175,8 +175,6 @@ template(`hadoop_domain_template',` + files_read_etc_files(hadoop_$1_initrc_t) + files_read_usr_files(hadoop_$1_initrc_t) + +- consoletype_exec(hadoop_$1_initrc_t) +- + fs_getattr_xattr_fs(hadoop_$1_initrc_t) + fs_search_cgroup_dirs(hadoop_$1_initrc_t) + +@@ -196,6 +194,10 @@ template(`hadoop_domain_template',` + userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t) + + optional_policy(` ++ consoletype_exec(hadoop_$1_initrc_t) ++ ') ++ ++ optional_policy(` + nscd_socket_use(hadoop_$1_initrc_t) + ') + ') diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index c98b0df..3b1a051 100644 --- a/policy/modules/services/hal.fc @@ -25408,7 +26178,7 @@ index 7cf6763..ce32fe5 100644 + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te -index 24c6253..f11fa08 100644 +index 24c6253..9376ea0 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) 
@@ -25438,7 +26208,23 @@ index 24c6253..f11fa08 100644 dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) dev_setattr_usbfs_files(hald_t) -@@ -211,13 +215,19 @@ seutil_read_config(hald_t) +@@ -186,8 +190,6 @@ term_use_unallocated_ttys(hald_t) + + auth_use_nsswitch(hald_t) + +-fstools_getattr_swap_files(hald_t) +- + init_domtrans_script(hald_t) + init_read_utmp(hald_t) + #hal runs shutdown, probably need a shutdown domain +@@ -204,20 +206,25 @@ logging_search_logs(hald_t) + miscfiles_read_localization(hald_t) + miscfiles_read_hwdata(hald_t) + +-modutils_domtrans_insmod(hald_t) +-modutils_read_module_deps(hald_t) +- + seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) seutil_read_file_contexts(hald_t) @@ -25455,11 +26241,13 @@ index 24c6253..f11fa08 100644 userdom_dontaudit_search_user_home_dirs(hald_t) +userdom_stream_connect(hald_t) + -+netutils_domtrans(hald_t) ++optional_policy(` ++ netutils_domtrans(hald_t) ++') optional_policy(` alsa_domtrans(hald_t) -@@ -252,8 +262,7 @@ optional_policy(` +@@ -252,8 +259,7 @@ optional_policy(` ') optional_policy(` @@ -25469,7 +26257,7 @@ index 24c6253..f11fa08 100644 init_dbus_chat_script(hald_t) -@@ -263,11 +272,20 @@ optional_policy(` +@@ -263,15 +269,28 @@ optional_policy(` ') optional_policy(` @@ -25490,7 +26278,27 @@ index 24c6253..f11fa08 100644 gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -302,7 +320,7 @@ optional_policy(` + optional_policy(` ++ fstools_getattr_swap_files(hald_t) ++') ++ ++optional_policy(` + hotplug_read_config(hald_t) + ') + +@@ -280,6 +299,11 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_insmod(hald_t) ++ modutils_read_module_deps(hald_t) ++') ++ ++optional_policy(` + mount_domtrans(hald_t) + ') + +@@ -302,7 +326,7 @@ optional_policy(` ') optional_policy(` 
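Review bot: The new `optional_policy(` netutils_domtrans(hald_t) `)` block is inserted among the unconditional `userdom_*` rules and ahead of the existing `alsa_domtrans(hald_t)` block, while the rest of hal.te keeps its optional_policy blocks grouped after the unconditional rules, roughly in module-name order (fstools, hotplug, modutils, mount in the later hunks of this file). Move it into that group, between the mount and policykit blocks, so a reader auditing which external domains hald_t may transition into finds every grant in one place. netutils_domtrans is a domain transition, not a file-access rule, so it also reads oddly next to the userdom lines.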
@@ -25499,7 +26307,7 @@ index 24c6253..f11fa08 100644 policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -318,6 +336,10 @@ optional_policy(` +@@ -318,6 +342,10 @@ optional_policy(` ') optional_policy(` @@ -25510,7 +26318,7 @@ index 24c6253..f11fa08 100644 udev_domtrans(hald_t) udev_read_db(hald_t) ') -@@ -338,6 +360,10 @@ optional_policy(` +@@ -338,6 +366,10 @@ optional_policy(` virt_manage_images(hald_t) ') @@ -25521,7 +26329,7 @@ index 24c6253..f11fa08 100644 ######################################## # # Hal acl local policy -@@ -358,6 +384,7 @@ files_search_var_lib(hald_acl_t) +@@ -358,6 +390,7 @@ files_search_var_lib(hald_acl_t) manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -25529,7 +26337,7 @@ index 24c6253..f11fa08 100644 corecmd_exec_bin(hald_acl_t) -@@ -388,7 +415,7 @@ logging_send_syslog_msg(hald_acl_t) +@@ -388,7 +421,7 @@ logging_send_syslog_msg(hald_acl_t) miscfiles_read_localization(hald_acl_t) optional_policy(` 
@@ -25538,17 +26346,30 @@ index 24c6253..f11fa08 100644 policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -470,6 +497,10 @@ files_read_usr_files(hald_keymap_t) +@@ -470,6 +503,12 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) -+# This is caused by a bug in hald and PolicyKit. -+# Should be removed when this is fixed -+cron_read_system_job_lib_files(hald_t) ++optional_policy(` ++ # This is caused by a bug in hald and PolicyKit. ++ # Should be removed when this is fixed ++ cron_read_system_job_lib_files(hald_t) ++') + ######################################## # # Local hald dccm policy +@@ -524,7 +563,9 @@ files_read_usr_files(hald_dccm_t) + + miscfiles_read_localization(hald_dccm_t) + +-hal_dontaudit_rw_dgram_sockets(hald_dccm_t) ++optional_policy(` ++ hal_dontaudit_rw_dgram_sockets(hald_dccm_t) ++') + + optional_policy(` + dbus_system_bus_client(hald_dccm_t) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if index 87b4531..db2d189 100644 --- a/policy/modules/services/hddtemp.if @@ -27563,10 +28384,10 @@ index 0000000..f60483e +') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 -index 0000000..b7d8f2f +index 0000000..fa43044 --- /dev/null +++ b/policy/modules/services/mock.te -@@ -0,0 +1,123 @@ +@@ -0,0 +1,125 @@ +policy_module(mock,1.0.0) + +## @@ -27673,8 +28494,6 @@ index 0000000..b7d8f2f + +miscfiles_read_localization(mock_t) + -+mount_domtrans(mock_t) -+ +userdom_use_user_ptys(mock_t) + +tunable_policy(`mock_enable_homedirs',` @@ -27682,6 +28501,10 @@ index 0000000..b7d8f2f +') + +optional_policy(` ++ mount_domtrans(mock_t) ++') ++ ++optional_policy(` + rpm_exec(mock_t) + rpm_manage_db(mock_t) + rpm_entry_type(mock_t) @@ -27707,7 +28530,7 @@ index 3368699..7a7fc02 100644 # interface(`modemmanager_domtrans',` 
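Review bot: The new optional_policy block granting `cron_read_system_job_lib_files(hald_t)` sits in the hald_keymap local policy section (between `miscfiles_read_localization(hald_keymap_t)` and the "Local hald dccm policy" header) although it targets hald_t; move it into the hald_t section beside the other hald_t optional_policy blocks, where the `@@ -280,6 +299,11 @@` hunk of this file adds the modutils block. The comment `# This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed` should cite the tracker entry so the rule can actually be retired, e.g. `# Workaround for <bug tracker id> (hald/PolicyKit); remove once fixed`. In the same hunk, `hal_dontaudit_rw_dgram_sockets(hald_dccm_t)` is, if its prefix is accurate, an interface of this same module, so the optional_policy wrapper around it is unnecessary; the ricci.te hunk wrapping `ricci_stream_connect_modclusterd(ricci_modcluster_t)` has the same pattern.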
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te -index b3ace16..7f18c33 100644 +index b3ace16..812a9ff 100644 --- a/policy/modules/services/modemmanager.te +++ b/policy/modules/services/modemmanager.te @@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; @@ -27720,7 +28543,7 @@ index b3ace16..7f18c33 100644 allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,6 +29,7 @@ dev_rw_modem(modemmanager_t) +@@ -28,13 +29,24 @@ dev_rw_modem(modemmanager_t) files_read_etc_files(modemmanager_t) @@ -27728,20 +28551,24 @@ index b3ace16..7f18c33 100644 term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -@@ -37,5 +39,13 @@ logging_send_syslog_msg(modemmanager_t) - networkmanager_dbus_chat(modemmanager_t) - optional_policy(` -+ devicekit_dbus_chat_power(modemmanager_t) + logging_send_syslog_msg(modemmanager_t) + +-networkmanager_dbus_chat(modemmanager_t) ++optional_policy(` ++ networkmanager_dbus_chat(modemmanager_t) +') + +optional_policy(` -+ policykit_dbus_chat(modemmanager_t) ++ devicekit_dbus_chat_power(modemmanager_t) +') + +optional_policy(` ++ policykit_dbus_chat(modemmanager_t) ++') + + optional_policy(` udev_read_db(modemmanager_t) - ') diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if index 657a9fc..88e7330 100644 --- a/policy/modules/services/mojomojo.if @@ -29161,7 +29988,7 @@ index e9c0982..f11e4f2 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..579f237 100644 +index 0a0d63c..91de41a 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) 
@@ -29228,7 +30055,7 @@ index 0a0d63c..579f237 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,6 +180,7 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -29236,12 +30063,12 @@ index 0a0d63c..579f237 100644 files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) -@@ -183,11 +189,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - hostname_exec(mysqld_safe_t) + logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) +-hostname_exec(mysqld_safe_t) +logging_send_syslog_msg(mysqld_safe_t) -+ + miscfiles_read_localization(mysqld_safe_t) mysql_manage_db_files(mysqld_safe_t) @@ -29250,7 +30077,13 @@ index 0a0d63c..579f237 100644 +mysql_signull(mysqld_safe_t) mysql_write_log(mysqld_safe_t) ++optional_policy(` ++ hostname_exec(mysqld_safe_t) ++') ++ ######################################## + # + # MySQL Manager Policy diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index 8581040..2367841 100644 --- a/policy/modules/services/nagios.if @@ -29598,7 +30431,7 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..cd5c974 100644 +index 0619395..3a396a1 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) 
@@ -29652,9 +30485,18 @@ index 0619395..cd5c974 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -141,22 +157,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t) +@@ -133,30 +149,37 @@ logging_send_syslog_msg(NetworkManager_t) + miscfiles_read_localization(NetworkManager_t) + miscfiles_read_generic_certs(NetworkManager_t) + +-modutils_domtrans_insmod(NetworkManager_t) +- + seutil_read_config(NetworkManager_t) + + sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) ++sysnet_signull_dhcpc(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) sysnet_delete_dhcpc_pid(NetworkManager_t) @@ -29673,8 +30515,6 @@ index 0619395..cd5c974 100644 +userdom_read_home_certs(NetworkManager_t) userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) -+ -+cron_read_system_job_lib_files(NetworkManager_t) optional_policy(` avahi_domtrans(NetworkManager_t) @@ -29685,12 +30525,16 @@ index 0619395..cd5c974 100644 ') optional_policy(` -@@ -172,14 +198,17 @@ optional_policy(` +@@ -172,14 +195,21 @@ optional_policy(` ') optional_policy(` - consoletype_exec(NetworkManager_t) + consoletype_domtrans(NetworkManager_t) ++') ++ ++optional_policy(` ++ cron_read_system_job_lib_files(NetworkManager_t) ') optional_policy(` @@ -29704,7 +30548,7 @@ index 0619395..cd5c974 100644 ') ') -@@ -202,6 +231,17 @@ optional_policy(` +@@ -202,6 +232,17 @@ optional_policy(` ') optional_policy(` 
@@ -29722,15 +30566,19 @@ index 0619395..cd5c974 100644 iptables_domtrans(NetworkManager_t) ') -@@ -219,6 +259,7 @@ optional_policy(` +@@ -219,6 +260,11 @@ optional_policy(` ') optional_policy(` ++ modutils_domtrans_insmod(NetworkManager_t) ++') ++ ++optional_policy(` + openvpn_read_config(NetworkManager_t) openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -263,6 +304,7 @@ optional_policy(` +@@ -263,6 +309,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -30839,7 +31687,7 @@ index ceafba6..eca6852 100644 # pid files diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te -index 3185114..790742c 100644 +index 3185114..514e127 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -16,7 +16,7 @@ type pegasus_tmp_t; @@ -30890,7 +31738,7 @@ index 3185114..790742c 100644 corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) -@@ -95,13 +98,12 @@ files_getattr_all_dirs(pegasus_t) +@@ -95,17 +98,14 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -30905,8 +31753,12 @@ index 3185114..790742c 100644 +files_read_all_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) - hostname_exec(pegasus_t) -@@ -114,7 +116,6 @@ logging_send_syslog_msg(pegasus_t) +-hostname_exec(pegasus_t) +- + init_rw_utmp(pegasus_t) + init_stream_connect_script(pegasus_t) + +@@ -114,17 +114,28 @@ logging_send_syslog_msg(pegasus_t) miscfiles_read_localization(pegasus_t) @@ -30914,7 +31766,14 @@ index 3185114..790742c 100644 sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -@@ -125,6 +126,14 @@ optional_policy(` + userdom_dontaudit_search_user_home_dirs(pegasus_t) + + optional_policy(` ++ hostname_exec(pegasus_t) ++') ++ ++optional_policy(` + rpm_exec(pegasus_t) ') optional_policy(` 
@@ -30929,7 +31788,7 @@ index 3185114..790742c 100644 seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -@@ -136,3 +145,13 @@ optional_policy(` +@@ -136,3 +147,13 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -31213,10 +32072,10 @@ index 0000000..6403c17 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..5793840 +index 0000000..d8f53f3 --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,219 @@ +@@ -0,0 +1,223 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -31271,7 +32130,9 @@ index 0000000..5793840 + +domain_read_all_domains_state(piranha_fos_t) + -+consoletype_exec(piranha_fos_t) ++optional_policy(` ++ consoletype_exec(piranha_fos_t) ++') + +# start and stop services +init_domtrans_script(piranha_fos_t) @@ -31324,7 +32185,9 @@ index 0000000..5793840 + +files_read_usr_files(piranha_web_t) + -+consoletype_exec(piranha_web_t) ++optional_policy(` ++ consoletype_exec(piranha_web_t) ++') + +optional_policy(` + apache_read_config(piranha_web_t) @@ -31744,7 +32607,7 @@ index 27c739c..c65d18f 100644 /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if -index 48ff1e8..13cdc77 100644 +index 48ff1e8..be00a65 100644 --- a/policy/modules/services/policykit.if +++ b/policy/modules/services/policykit.if @@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',` 
@@ -31835,13 +32698,15 @@ index 48ff1e8..13cdc77 100644 ## # interface(`policykit_domtrans_resolve',` -@@ -206,4 +235,48 @@ interface(`policykit_read_lib',` +@@ -206,4 +235,50 @@ interface(`policykit_read_lib',` files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) + -+ # Broken placement -+ cron_read_system_job_lib_files($1) ++ optional_policy(` ++ # Broken placement ++ cron_read_system_job_lib_files($1) ++ ') +') + +####################################### @@ -33573,7 +34438,7 @@ index bc329d1..0589f97 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te -index d4000e0..93cbfa2 100644 +index d4000e0..312e537 100644 --- a/policy/modules/services/psad.te +++ b/policy/modules/services/psad.te @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) @@ -33597,7 +34462,7 @@ index d4000e0..93cbfa2 100644 # tmp files manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -@@ -85,6 +86,7 @@ corenet_sendrecv_whois_client_packets(psad_t) +@@ -85,13 +86,12 @@ corenet_sendrecv_whois_client_packets(psad_t) dev_read_urand(psad_t) files_read_etc_runtime_files(psad_t) @@ -33605,6 +34470,24 @@ index d4000e0..93cbfa2 100644 fs_getattr_all_fs(psad_t) + auth_use_nsswitch(psad_t) + +-iptables_domtrans(psad_t) +- + logging_read_generic_logs(psad_t) + logging_read_syslog_config(psad_t) + logging_send_syslog_msg(psad_t) +@@ -101,6 +101,10 @@ miscfiles_read_localization(psad_t) + sysnet_exec_ifconfig(psad_t) + + optional_policy(` ++ iptables_domtrans(psad_t) ++') ++ ++optional_policy(` + mta_send_mail(psad_t) + mta_read_queue(psad_t) + ') diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if index 2855a44..0456b11 100644 --- a/policy/modules/services/puppet.if @@ -34832,7 +35715,7 @@ index 852840b..1244ab2 100644 + ') ') 
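Review bot: The new optional_policy in `policykit_read_lib` makes every caller of the interface also receive `cron_read_system_job_lib_files($1)`, an access unrelated to PolicyKit's own lib files, and the comment `# Broken placement` records that the author already knows it does not belong here. An interface is the contract that callers across the policy rely on, so an unrelated grant widens the read surface of each caller silently; prefer adding the cron call in the specific callers that need it. If it must stay, replace the comment with one naming the cause, e.g. `# Needed because <path - to be confirmed> is labeled as cron system job lib content`. The interface definition starts outside the hunk.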
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te -index 0a76027..88ac667 100644 +index 0a76027..364903e 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t) @@ -34852,27 +35735,32 @@ index 0a76027..88ac667 100644 miscfiles_read_localization(remote_login_t) -@@ -87,6 +88,7 @@ userdom_search_user_home_content(remote_login_t) +@@ -87,9 +88,7 @@ userdom_search_user_home_content(remote_login_t) # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) +- +-# Search for mail spool file. +-mta_getattr_spool(remote_login_t) +userdom_use_user_ptys(remote_login_t) - # Search for mail spool file. - mta_getattr_spool(remote_login_t) -@@ -106,15 +108,10 @@ optional_policy(` + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(remote_login_t) +@@ -106,15 +105,15 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(remote_login_t) -+ telnet_use_ptys(remote_login_t) ++ # Search for mail spool file. ++ mta_getattr_spool(remote_login_t) ') optional_policy(` - nscd_socket_use(remote_login_t) --') -- --optional_policy(` ++ telnet_use_ptys(remote_login_t) + ') + + optional_policy(` - unconfined_domain(remote_login_t) unconfined_shell_domtrans(remote_login_t) ') @@ -34982,7 +35870,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..f107bbb 100644 +index 00fa514..1ef4cc6 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) 
@@ -35034,7 +35922,15 @@ index 00fa514..f107bbb 100644 kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -78,14 +83,19 @@ domain_read_all_domains_state(rgmanager_t) +@@ -67,7 +72,6 @@ kernel_search_network_state(rgmanager_t) + + corecmd_exec_bin(rgmanager_t) + corecmd_exec_shell(rgmanager_t) +-consoletype_exec(rgmanager_t) + + # need to write to /dev/misc/dlm-control + dev_rw_dlm_control(rgmanager_t) +@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) @@ -35055,10 +35951,27 @@ index 00fa514..f107bbb 100644 storage_getattr_fixed_disk_dev(rgmanager_t) term_getattr_pty_fs(rgmanager_t) -@@ -118,6 +128,10 @@ optional_policy(` +-#term_use_ptmx(rgmanager_t) + + # needed by resources scripts + auth_read_all_files_except_shadow(rgmanager_t) +@@ -100,8 +108,6 @@ logging_send_syslog_msg(rgmanager_t) + + miscfiles_read_localization(rgmanager_t) + +-mount_domtrans(rgmanager_t) +- + tunable_policy(`rgmanager_can_network_connect',` + corenet_tcp_connect_all_ports(rgmanager_t) + ') +@@ -118,6 +124,14 @@ optional_policy(` ') optional_policy(` ++ consoletype_exec(rgmanager_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(rgmanager_t) +') + @@ -35066,7 +35979,7 @@ index 00fa514..f107bbb 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +154,11 @@ optional_policy(` +@@ -140,6 +154,15 @@ optional_policy(` ') optional_policy(` @@ -35075,6 +35988,10 @@ index 00fa514..f107bbb 100644 +') + +optional_policy(` ++ mount_domtrans(rgmanager_t) ++') ++ ++optional_policy(` mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') @@ -35684,7 +36601,7 @@ index f7826f9..3128dd8 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..052a1ff 100644 +index 33e72e8..b71d193 100644 --- a/policy/modules/services/ricci.te 
+++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -35750,7 +36667,43 @@ index 33e72e8..052a1ff 100644 domain_read_all_domains_state(ricci_modcluster_t) -@@ -241,8 +250,7 @@ optional_policy(` +@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t) + + miscfiles_read_localization(ricci_modcluster_t) + +-modutils_domtrans_insmod(ricci_modcluster_t) +- +-mount_domtrans(ricci_modcluster_t) +- +-consoletype_exec(ricci_modcluster_t) +- +-ricci_stream_connect_modclusterd(ricci_modcluster_t) ++optional_policy(` ++ ricci_stream_connect_modclusterd(ricci_modcluster_t) ++') + + optional_policy(` + aisexec_stream_connect(ricci_modcluster_t) +@@ -233,6 +238,18 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_insmod(ricci_modcluster_t) ++') ++ ++optional_policy(` ++ mount_domtrans(ricci_modcluster_t) ++') ++ ++optional_policy(` ++ consoletype_exec(ricci_modcluster_t) ++') ++ ++optional_policy(` + nscd_socket_use(ricci_modcluster_t) + ') + +@@ -241,8 +258,7 @@ optional_policy(` ') optional_policy(` @@ -35760,7 +36713,7 @@ index 33e72e8..052a1ff 100644 ') ######################################## -@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; +@@ -261,6 +277,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; 
@@ -35771,7 +36724,7 @@ index 33e72e8..052a1ff 100644 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock +@@ -272,6 +292,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -35779,7 +36732,27 @@ index 33e72e8..052a1ff 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -444,6 +457,12 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t) + # Needed for running chkconfig + files_manage_etc_symlinks(ricci_modservice_t) + +-consoletype_exec(ricci_modservice_t) +- + init_domtrans_script(ricci_modservice_t) + + miscfiles_read_localization(ricci_modservice_t) +@@ -405,6 +424,10 @@ optional_policy(` + ') + + optional_policy(` ++ consoletype_exec(ricci_modservice_t) ++') ++ ++optional_policy(` + nscd_dontaudit_search_pid(ricci_modservice_t) + ') + +@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) 
@@ -35792,6 +36765,50 @@ index 33e72e8..052a1ff 100644 storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) + +-fstools_domtrans(ricci_modstorage_t) +- + logging_send_syslog_msg(ricci_modstorage_t) + + miscfiles_read_localization(ricci_modstorage_t) + +-modutils_read_module_deps(ricci_modstorage_t) +- +-consoletype_exec(ricci_modstorage_t) +- +-mount_domtrans(ricci_modstorage_t) +- + optional_policy(` + aisexec_stream_connect(ricci_modstorage_t) + corosync_stream_connect(ricci_modstorage_t) +@@ -471,11 +492,27 @@ optional_policy(` + ') + + optional_policy(` ++ consoletype_exec(ricci_modstorage_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(ricci_modstorage_t) ++') ++ ++optional_policy(` + lvm_domtrans(ricci_modstorage_t) + lvm_manage_config(ricci_modstorage_t) + ') + + optional_policy(` ++ modutils_read_module_deps(ricci_modstorage_t) ++') ++ ++optional_policy(` ++ mount_domtrans(ricci_modstorage_t) ++') ++ ++optional_policy(` + nscd_socket_use(ricci_modstorage_t) + ') + diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc index 2785337..c3c2775 100644 --- a/policy/modules/services/rlogin.fc @@ -35805,7 +36822,7 @@ index 2785337..c3c2775 100644 /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te -index 779fa44..0155ca7 100644 +index 779fa44..cdfebe3 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) 
@@ -35842,16 +36859,30 @@ index 779fa44..0155ca7 100644 files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t) +@@ -88,9 +87,9 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) +- +-remotelogin_domtrans(rlogind_t) +-remotelogin_signal(rlogind_t) +userdom_search_admin_dir(rlogind_t) +userdom_manage_user_tmp_files(rlogind_t) +userdom_tmp_filetrans_user_tmp(rlogind_t, file) - remotelogin_domtrans(rlogind_t) - remotelogin_signal(rlogind_t) + rlogin_read_home_content(rlogind_t) + +@@ -112,5 +111,10 @@ optional_policy(` + ') + + optional_policy(` ++ remotelogin_domtrans(rlogind_t) ++ remotelogin_signal(rlogind_t) ++') ++ ++optional_policy(` + tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) + ') diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc index 5c70c0c..6842295 100644 --- a/policy/modules/services/rpc.fc @@ -35955,7 +36986,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 8e1ab72..e6821be 100644 +index 8e1ab72..eaa8036 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -36061,7 +37092,15 @@ index 8e1ab72..e6821be 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -218,6 +236,8 @@ tunable_policy(`allow_gssd_read_tmp',` +@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t) + + miscfiles_read_generic_certs(gssd_t) + +-mount_signal(gssd_t) +- + userdom_signal_all_users(gssd_t) + + tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) 
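Review bot: `userdom_manage_user_tmp_files(rlogind_t)` and `userdom_tmp_filetrans_user_tmp(rlogind_t, file)` remain unconditional in the new side, giving a network-facing daemon create/write/unlink over every user's tmp files; these lines are carried over from the previous revision rather than introduced here, but the hunk rearranges exactly this stretch and leaves them without any justification, unlike the `# cjp: this is egregious` note on the home-content read just above. A comment stating which file rlogind writes there would let a later maintainer replace the grant with a dedicated `rlogind_tmp_t` type; for now `# rlogind creates a per-session file in user tmp — TODO narrow to a private tmp type` records the debt. Moving `remotelogin_domtrans(rlogind_t)` into `optional_policy` also means that without the remotelogin module rlogind has no transition for the login program; presumably the module is always built on this distro, but that assumption is worth a line in the comment too.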
@@ -36070,6 +37109,17 @@ index 8e1ab72..e6821be 100644 ') optional_policy(` +@@ -229,6 +247,10 @@ optional_policy(` + ') + + optional_policy(` ++ mount_signal(gssd_t) ++') ++ ++optional_policy(` + pcscd_read_pub_files(gssd_t) + ') + diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc index f5c47d6..5a965e9 100644 --- a/policy/modules/services/rpcbind.fc @@ -36676,7 +37726,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..00a9125 100644 +index e30bb63..ef1edc6 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -36813,7 +37863,27 @@ index e30bb63..00a9125 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -677,7 +675,7 @@ samba_domtrans_nmbd(swat_t) +@@ -644,8 +642,6 @@ auth_use_nsswitch(smbmount_t) + + miscfiles_read_localization(smbmount_t) + +-mount_use_fds(smbmount_t) +- + locallogin_use_fds(smbmount_t) + + logging_search_logs(smbmount_t) +@@ -657,6 +653,10 @@ optional_policy(` + cups_read_rw_config(smbmount_t) + ') + ++optional_policy(` ++ mount_use_fds(smbmount_t) ++') ++ + ######################################## + # + # SWAT Local policy +@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -36822,7 +37892,7 @@ index e30bb63..00a9125 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +690,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) 
@@ -36837,7 +37907,7 @@ index e30bb63..00a9125 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +710,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -36845,7 +37915,7 @@ index e30bb63..00a9125 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +755,8 @@ logging_search_logs(swat_t) +@@ -754,6 +757,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -36854,7 +37924,7 @@ index e30bb63..00a9125 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +809,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -36876,7 +37946,7 @@ index e30bb63..00a9125 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +837,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -36884,7 +37954,7 @@ index e30bb63..00a9125 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +927,18 @@ optional_policy(` +@@ -922,6 +929,18 @@ optional_policy(` # optional_policy(` 
@@ -36903,7 +37973,7 @@ index e30bb63..00a9125 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +949,12 @@ optional_policy(` +@@ -932,9 +951,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -37219,7 +38289,7 @@ index 22dfeb4..d9f5dbc 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..b0ee422 100644 +index 086cd5f..43350e6 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -37250,7 +38320,16 @@ index 086cd5f..b0ee422 100644 corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -121,6 +126,14 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -112,8 +117,6 @@ logging_send_audit_msgs(setroubleshootd_t) + logging_send_syslog_msg(setroubleshootd_t) + logging_stream_connect_dispatcher(setroubleshootd_t) + +-modutils_read_module_config(setroubleshootd_t) +- + seutil_read_config(setroubleshootd_t) + seutil_read_file_contexts(setroubleshootd_t) + seutil_read_bin_policy(setroubleshootd_t) +@@ -121,6 +124,18 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -37262,10 +38341,14 @@ index 086cd5f..b0ee422 100644 +') + +optional_policy(` ++ modutils_read_module_config(setroubleshootd_t) ++') ++ ++optional_policy(` dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +165,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -152,6 +167,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) 
@@ -37273,7 +38356,7 @@ index 086cd5f..b0ee422 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +178,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +180,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -39279,7 +40362,7 @@ index 58e7ec0..cf4cc85 100644 + allow $1 telnetd_devpts_t:chr_file rw_term_perms; +') diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te -index f40e67b..34c4c57 100644 +index f40e67b..8d1e658 100644 --- a/policy/modules/services/telnet.te +++ b/policy/modules/services/telnet.te @@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0) @@ -39323,8 +40406,12 @@ index f40e67b..34c4c57 100644 init_rw_utmp(telnetd_t) -@@ -85,11 +80,8 @@ remotelogin_domtrans(telnetd_t) +@@ -81,15 +76,10 @@ miscfiles_read_localization(telnetd_t) + + seutil_read_config(telnetd_t) +-remotelogin_domtrans(telnetd_t) +- userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) - @@ -39337,7 +40424,7 @@ index f40e67b..34c4c57 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -98,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -98,3 +88,12 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') @@ -39347,6 +40434,9 @@ index f40e67b..34c4c57 100644 + kerberos_manage_host_rcache(telnetd_t) +') + ++optional_policy(` ++ remotelogin_domtrans(telnetd_t) ++') diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index 38bb312..414e03f 100644 --- a/policy/modules/services/tftp.if @@ -40404,7 +41494,7 @@ index 7c5d8d8..5e2f264 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..3e3dc01 100644 +index 3eca020..a541a0a 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te 
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) @@ -40715,7 +41805,7 @@ index 3eca020..3e3dc01 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +356,31 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -40743,11 +41833,21 @@ index 3eca020..3e3dc01 100644 +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) + -+consoletype_exec(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -329,6 +415,10 @@ optional_policy(` +@@ -313,6 +398,10 @@ optional_policy(` + ') + + optional_policy(` ++ consoletype_exec(virtd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` +@@ -329,6 +418,10 @@ optional_policy(` ') optional_policy(` @@ -40758,7 +41858,7 @@ index 3eca020..3e3dc01 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +455,8 @@ optional_policy(` +@@ -365,6 +458,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -40767,9 +41867,11 @@ index 3eca020..3e3dc01 100644 ') optional_policy(` -@@ -396,12 +488,25 @@ optional_policy(` +@@ -394,14 +489,26 @@ optional_policy(` + # virtual domains common policy + # - allow virt_domain self:capability { dac_read_search dac_override kill }; +-allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_file_perms; +allow virt_domain self:fifo_file rw_fifo_file_perms; 
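Review bot: The rewritten hunk now removes the whole line `allow virt_domain self:capability { dac_read_search dac_override kill };` (the inner-hunk counts change from 12/25 to 14/26, consistent with the context lines being added and this allow being dropped), while the commit message only says svirt should lose kill. Unless `dac_read_search` and `dac_override` are re-granted elsewhere outside this hunk, every virt_domain guest also loses DAC bypass, which is a larger behavioural change than described and should either be intentional and noted, or trimmed to `allow virt_domain self:capability { dac_read_search dac_override };`. A one-line comment above the process rule, `# no kill capability: guests must not signal arbitrary processes`, would document the narrower intent.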
@@ -40794,7 +41896,7 @@ index 3eca020..3e3dc01 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +527,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +529,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -40802,7 +41904,7 @@ index 3eca020..3e3dc01 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +535,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +537,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -40815,11 +41917,14 @@ index 3eca020..3e3dc01 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +548,11 @@ files_search_all(virt_domain) +@@ -440,6 +550,14 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) ++fs_rw_inherited_nfs_files(virt_domain) ++fs_rw_inherited_cifs_files(virt_domain) ++fs_rw_inherited_noxattr_fs_files(virt_domain) + +# I think we need these for now. +miscfiles_read_public_files(virt_domain) @@ -40827,7 +41932,7 @@ index 3eca020..3e3dc01 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +570,117 @@ optional_policy(` +@@ -457,8 +575,117 @@ optional_policy(` ') optional_policy(` @@ -41111,10 +42216,10 @@ index 0000000..b9104b7 +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 -index 0000000..ff32e95 +index 0000000..a7de540 --- /dev/null +++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,73 @@ +policy_module(vnstatd, 1.0.0) + +######################################## 
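Review bot: The new `fs_rw_inherited_nfs_files(virt_domain)`, `fs_rw_inherited_cifs_files(virt_domain)` and `fs_rw_inherited_noxattr_fs_files(virt_domain)` are unconditional, whereas the same filesystems are gated for virtd_t by `tunable_policy(`virt_use_nfs',` (visible earlier in this file section), so an administrator who leaves those booleans off would likely still see guests writing inherited NFS/CIFS descriptors. Inherited-only access is much narrower than open, but the asymmetry should be deliberate: either wrap the nfs and cifs lines in the existing `virt_use_nfs` / `virt_use_samba` tunables, or add a comment next to them such as `# inherited fds only (presumably images opened by virtd and handed to the guest); not gated by virt_use_nfs/virt_use_samba on purpose` so the choice is visible. The `# I think we need these for now.` note that follows reads as a placeholder and would be better replaced by the concrete reason.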
@@ -41135,7 +42240,6 @@ index 0000000..ff32e95 +type vnstat_t; +type vnstat_exec_t; +application_domain(vnstat_t, vnstat_exec_t) -+cron_system_entry(vnstat_t, vnstat_exec_t) + +######################################## +# @@ -41161,6 +42265,10 @@ index 0000000..ff32e95 + +miscfiles_read_localization(vnstatd_t) + ++optional_policy(` ++ cron_system_entry(vnstat_t, vnstat_exec_t) ++') ++ +######################################## +# +# vnstat local policy @@ -41351,7 +42459,7 @@ index 6f1e3c7..ecfe665 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..88c2626 100644 +index da2601a..572b693 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -41989,7 +43097,7 @@ index da2601a..88c2626 100644 ') ######################################## -@@ -1243,10 +1453,393 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1453,392 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -42014,11 +43122,10 @@ index da2601a..88c2626 100644 +# +interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` -+ type xdm_home_t, xserver_tmp_t; ++ type xdm_home_t; + ') + + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; -+ dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files($1) @@ -42386,7 +43493,7 @@ index da2601a..88c2626 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index edc58df..f71b9e8 100644 +index edc58df..256a19a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ 
@@ -43000,20 +44107,22 @@ index edc58df..f71b9e8 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -491,6 +697,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -491,6 +697,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') -+tunable_policy(`xdm_exec_bootloader',` -+ bootloader_exec(xdm_t) -+ files_read_boot_files(xdm_t) -+ files_read_boot_symlinks(xdm_t) ++optional_policy(` ++ tunable_policy(`xdm_exec_bootloader',` ++ bootloader_exec(xdm_t) ++ files_read_boot_files(xdm_t) ++ files_read_boot_symlinks(xdm_t) ++ ') +') + tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -504,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +718,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -43035,7 +44144,7 @@ index edc58df..f71b9e8 100644 ') optional_policy(` -@@ -516,12 +738,54 @@ optional_policy(` +@@ -516,12 +740,54 @@ optional_policy(` ') optional_policy(` @@ -43090,7 +44199,7 @@ index edc58df..f71b9e8 100644 hostname_exec(xdm_t) ') -@@ -539,28 +803,64 @@ optional_policy(` +@@ -539,28 +805,65 @@ optional_policy(` ') optional_policy(` @@ -43127,6 +44236,7 @@ index edc58df..f71b9e8 100644 + rpm_exec(xdm_t) + rpm_read_db(xdm_t) + rpm_dontaudit_manage_db(xdm_t) ++ rpm_dontaudit_dbus_chat(xdm_t) +') + +optional_policy(` @@ -43164,7 +44274,7 @@ index edc58df..f71b9e8 100644 ') optional_policy(` -@@ -572,6 +872,10 @@ optional_policy(` +@@ -572,6 +875,10 @@ optional_policy(` ') optional_policy(` @@ -43175,7 +44285,7 @@ index edc58df..f71b9e8 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +900,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +903,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -43184,7 +44294,7 @@ index edc58df..f71b9e8 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -43200,7 +44310,7 @@ index edc58df..f71b9e8 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -630,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -630,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -43222,7 +44332,7 @@ index edc58df..f71b9e8 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -643,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -643,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -43230,7 +44340,7 @@ index edc58df..f71b9e8 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -669,7 +988,6 @@ dev_rw_apm_bios(xserver_t) +@@ -669,7 +991,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -43238,7 +44348,7 @@ index edc58df..f71b9e8 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -679,11 +997,17 @@ dev_wx_raw_memory(xserver_t) +@@ -679,11 +1000,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -43256,7 +44366,7 @@ index edc58df..f71b9e8 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1021,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -43270,14 +44380,23 @@ index edc58df..f71b9e8 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -717,15 +1046,19 @@ logging_send_audit_msgs(xserver_t) +@@ -708,8 +1040,6 @@ init_getpgid(xserver_t) + term_setattr_unallocated_ttys(xserver_t) + term_use_unallocated_ttys(xserver_t) + +-getty_use_fds(xserver_t) +- + locallogin_use_fds(xserver_t) + + logging_send_syslog_msg(xserver_t) +@@ -717,15 +1047,17 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) +- +-modutils_domtrans_insmod(xserver_t) +miscfiles_read_hwdata(xserver_t) - modutils_domtrans_insmod(xserver_t) - # read x_contexts seutil_read_default_contexts(xserver_t) +seutil_read_config(xserver_t) @@ -43290,7 +44409,7 @@ index edc58df..f71b9e8 100644 userdom_rw_user_tmpfs_files(xserver_t) xserver_use_user_fonts(xserver_t) -@@ -774,16 +1107,28 @@ optional_policy(` +@@ -774,16 +1106,36 @@ optional_policy(` ') optional_policy(` @@ -43298,6 +44417,14 @@ index edc58df..f71b9e8 100644 +') + +optional_policy(` ++ getty_use_fds(xserver_t) ++') ++ ++optional_policy(` ++ modutils_domtrans_insmod(xserver_t) ++') ++ ++optional_policy(` rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') 
@@ -43320,7 +44447,7 @@ index edc58df..f71b9e8 100644 unconfined_domtrans(xserver_t) ') -@@ -792,6 +1137,10 @@ optional_policy(` +@@ -792,6 +1144,10 @@ optional_policy(` ') optional_policy(` @@ -43331,7 +44458,7 @@ index edc58df..f71b9e8 100644 xfs_stream_connect(xserver_t) ') -@@ -807,10 +1156,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -807,10 +1163,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -43345,7 +44472,7 @@ index edc58df..f71b9e8 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -818,7 +1167,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -818,7 +1174,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -43354,7 +44481,7 @@ index edc58df..f71b9e8 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -831,6 +1180,9 @@ init_use_fds(xserver_t) +@@ -831,6 +1187,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -43364,7 +44491,7 @@ index edc58df..f71b9e8 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -838,6 +1190,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -838,6 +1197,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -43376,7 +44503,7 @@ index edc58df..f71b9e8 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -846,11 +1203,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -846,11 +1210,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -43393,7 +44520,7 @@ index edc58df..f71b9e8 100644 ') optional_policy(` -@@ -858,6 +1218,10 @@ optional_policy(` +@@ -858,6 +1225,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -43404,7 +44531,7 @@ index edc58df..f71b9e8 100644 ######################################## # # Rules common to all X window domains -@@ -901,7 +1265,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -901,7 +1272,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -43413,7 +44540,7 @@ index edc58df..f71b9e8 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -955,11 +1319,31 @@ allow x_domain self:x_resource { read write }; +@@ -955,11 +1326,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -43445,7 +44572,7 @@ index edc58df..f71b9e8 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -981,18 +1365,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -981,18 +1372,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -44738,7 +45865,7 @@ index a97a096..ab1e16a 100644 /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index a442acc..133f7f8 100644 +index a442acc..9f99f16 100644 
--- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -44758,7 +45885,11 @@ index a442acc..133f7f8 100644 # Access to /initrd devices dev_getattr_usbfs_dirs(fsadm_t) # Access to /dev/mapper/control -@@ -117,6 +118,9 @@ fs_remount_xattr_fs(fsadm_t) +@@ -114,9 +115,13 @@ fs_rw_tmpfs_files(fsadm_t) + # remount file system to apply changes + fs_remount_xattr_fs(fsadm_t) + # for /dev/shm ++fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -44768,7 +45899,7 @@ index a442acc..133f7f8 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -130,6 +134,7 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -130,6 +135,7 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -44776,8 +45907,13 @@ index a442acc..133f7f8 100644 storage_swapon_fixed_disk(fsadm_t) term_use_console(fsadm_t) -@@ -147,7 +152,7 @@ modutils_read_module_deps(fsadm_t) +@@ -142,12 +148,9 @@ logging_send_syslog_msg(fsadm_t) + + miscfiles_read_localization(fsadm_t) +-modutils_read_module_config(fsadm_t) +-modutils_read_module_deps(fsadm_t) +- seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) @@ -44785,7 +45921,7 @@ index a442acc..133f7f8 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +171,19 @@ optional_policy(` +@@ -166,6 +169,24 @@ optional_policy(` ') optional_policy(` @@ -44802,10 +45938,15 @@ index a442acc..133f7f8 100644 +') + +optional_policy(` ++ modutils_read_module_config(fsadm_t) ++ modutils_read_module_deps(fsadm_t) ++') ++ ++optional_policy(` nis_use_ypbind(fsadm_t) ') -@@ -175,6 +193,14 @@ optional_policy(` +@@ -175,6 +196,14 @@ optional_policy(` ') optional_policy(` 
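Review bot: The added `fs_list_auto_mountpoints(fsadm_t)` is inserted directly under the `# for /dev/shm` comment, so that comment now reads as describing the autofs listing instead of the `fs_search_tmpfs(fsadm_t)` line it was written for. Move the new call above the comment (after `fs_remount_xattr_fs(fsadm_t)`) and give it its own reason, for example `# list autofs mount points when enumerating filesystems` followed by `fs_list_auto_mountpoints(fsadm_t)`, leaving `# for /dev/shm` attached to the tmpfs rules. The surrounding fsadm_t rules continue outside this hunk.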
@@ -44855,6 +45996,32 @@ index c310775..d5fc685 100644 fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) +diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te +index 882c6a2..d0ff4ec 100644 +--- a/policy/modules/system/hotplug.te ++++ b/policy/modules/system/hotplug.te +@@ -105,9 +105,6 @@ libs_read_lib_files(hotplug_t) + miscfiles_read_hwdata(hotplug_t) + miscfiles_read_localization(hotplug_t) + +-modutils_domtrans_insmod(hotplug_t) +-modutils_read_module_deps(hotplug_t) +- + seutil_dontaudit_search_config(hotplug_t) + + sysnet_read_config(hotplug_t) +@@ -154,6 +151,11 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_insmod(hotplug_t) ++ modutils_read_module_deps(hotplug_t) ++') ++ ++optional_policy(` + mount_domtrans(hotplug_t) + ') + diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 6fed22c..06e5395 100644 --- a/policy/modules/system/init.fc @@ -45430,7 +46597,7 @@ index cc83689..2657c0b 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 77e8ca8..2abb81b 100644 +index 77e8ca8..5740175 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -45575,12 +46742,15 @@ index 77e8ca8..2abb81b 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +229,100 @@ tunable_policy(`init_upstart',` +@@ -186,12 +229,103 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') +storage_raw_rw_fixed_disk(init_t) -+modutils_domtrans_insmod(init_t) ++ ++optional_policy(` ++ modutils_domtrans_insmod(init_t) ++') + +tunable_policy(`init_systemd',` + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; 
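Review bot: `storage_raw_rw_fixed_disk(init_t)` remains unconditional on the new side while the adjacent `modutils_domtrans_insmod(init_t)` is now wrapped in `optional_policy`, yet raw block-device read/write for init_t bypasses all file labeling and carries no comment saying which init needs it. If it is only systemd that needs it, it belongs inside the `tunable_policy(init_systemd)` block that begins immediately below; at minimum add `# TODO confirm: which init/boot path needs raw fixed-disk access`. Also be aware that with modutils optional, a policy built without that module presumably leaves module loading from init_t with no transition at all instead of failing the build, which is the intended trade-off here but changes what a module-load denial looks like.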
@@ -45676,7 +46846,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -199,10 +330,25 @@ optional_policy(` +@@ -199,10 +333,25 @@ optional_policy(` ') optional_policy(` @@ -45702,7 +46872,7 @@ index 77e8ca8..2abb81b 100644 unconfined_domain(init_t) ') -@@ -212,7 +358,7 @@ optional_policy(` +@@ -212,7 +361,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -45711,7 +46881,7 @@ index 77e8ca8..2abb81b 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +387,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +390,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -45726,7 +46896,7 @@ index 77e8ca8..2abb81b 100644 init_write_initctl(initrc_t) -@@ -258,11 +406,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +409,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -45750,7 +46920,7 @@ index 77e8ca8..2abb81b 100644 corecmd_exec_all_executables(initrc_t) -@@ -279,6 +439,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +442,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -45758,7 +46928,7 @@ index 77e8ca8..2abb81b 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +452,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +455,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) 
@@ -45766,7 +46936,7 @@ index 77e8ca8..2abb81b 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +460,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +463,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -45782,7 +46952,7 @@ index 77e8ca8..2abb81b 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +485,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +488,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -45794,7 +46964,7 @@ index 77e8ca8..2abb81b 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +504,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +507,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -45808,7 +46978,7 @@ index 77e8ca8..2abb81b 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +519,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +522,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -45817,7 +46987,7 @@ index 77e8ca8..2abb81b 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +533,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +536,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -45825,7 +46995,7 @@ index 77e8ca8..2abb81b 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +545,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +548,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -45833,15 +47003,15 @@ index 77e8ca8..2abb81b 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +566,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +569,12 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript -miscfiles_read_generic_certs(initrc_t) +miscfiles_manage_generic_cert_files(initrc_t) - modutils_read_module_config(initrc_t) - modutils_domtrans_insmod(initrc_t) +-modutils_read_module_config(initrc_t) +-modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) @@ -45849,7 +47019,7 @@ index 77e8ca8..2abb81b 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -478,7 +651,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +652,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -45858,7 +47028,7 @@ index 77e8ca8..2abb81b 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -524,6 +697,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +698,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -45882,7 +47052,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -531,10 +721,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +722,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -45900,7 +47070,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -549,6 +746,39 @@ ifdef(`distro_suse',` +@@ -549,6 +747,39 @@ ifdef(`distro_suse',` ') ') 
@@ -45940,7 +47110,7 @@ index 77e8ca8..2abb81b 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +791,8 @@ optional_policy(` +@@ -561,6 +792,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -45949,7 +47119,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -577,6 +809,7 @@ optional_policy(` +@@ -577,6 +810,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -45957,7 +47127,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -589,6 +822,11 @@ optional_policy(` +@@ -589,6 +823,11 @@ optional_policy(` ') optional_policy(` @@ -45969,7 +47139,7 @@ index 77e8ca8..2abb81b 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +843,13 @@ optional_policy(` +@@ -605,9 +844,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -45983,7 +47153,19 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -706,7 +948,13 @@ optional_policy(` +@@ -649,6 +892,11 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_read_module_config(initrc_t) ++ modutils_domtrans_insmod(initrc_t) ++') ++ ++optional_policy(` + inn_exec_config(initrc_t) + ') + +@@ -706,7 +954,13 @@ optional_policy(` ') optional_policy(` @@ -45997,7 +47179,7 @@ index 77e8ca8..2abb81b 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +977,10 @@ optional_policy(` +@@ -729,6 +983,10 @@ optional_policy(` ') optional_policy(` @@ -46008,7 +47190,7 @@ index 77e8ca8..2abb81b 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +990,20 @@ optional_policy(` +@@ -738,10 +996,20 @@ optional_policy(` ') optional_policy(` @@ -46029,7 +47211,7 @@ index 77e8ca8..2abb81b 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1012,10 @@ optional_policy(` +@@ -750,6 +1018,10 @@ optional_policy(` ') optional_policy(` 
@@ -46040,7 +47222,7 @@ index 77e8ca8..2abb81b 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1037,6 @@ optional_policy(` +@@ -771,8 +1043,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -46049,7 +47231,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -781,14 +1045,21 @@ optional_policy(` +@@ -781,14 +1051,21 @@ optional_policy(` ') optional_policy(` @@ -46071,7 +47253,7 @@ index 77e8ca8..2abb81b 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -810,11 +1081,19 @@ optional_policy(` +@@ -810,11 +1087,19 @@ optional_policy(` ') optional_policy(` @@ -46092,7 +47274,7 @@ index 77e8ca8..2abb81b 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1103,25 @@ optional_policy(` +@@ -824,6 +1109,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -46118,7 +47300,7 @@ index 77e8ca8..2abb81b 100644 ') optional_policy(` -@@ -849,3 +1147,59 @@ optional_policy(` +@@ -849,3 +1153,37 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -46156,28 +47338,6 @@ index 77e8ca8..2abb81b 100644 +') + +init_rw_stream_sockets(daemon) -+ -+ifdef(`hide_broken_symptoms',` -+optional_policy(` -+gen_require(` -+ type system_dbusd_var_run_t; -+ type fsadm_t; -+ type avahi_var_run_t; -+') -+ -+fs_list_auto_mountpoints(fsadm_t) -+ -+fs_list_auto_mountpoints(lvm_t) -+fs_list_hugetlbfs(lvm_t) -+ -+allow init_t avahi_var_run_t:dir { write add_name }; -+allow init_t avahi_var_run_t:sock_file create; -+ -+allow init_t system_dbusd_var_run_t:dir { write add_name }; -+allow init_t system_dbusd_var_run_t:sock_file create; -+ -+') -+') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 07eba2b..942bea1 100644 --- a/policy/modules/system/ipsec.fc @@ -46319,7 +47479,7 @@ index 8232f91..8897e32 100644 + allow ipsec_mgmt_t $1:dbus send_msg; +') 
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 98d6081..fbc8601 100644 +index 98d6081..ba4b965 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -73,7 +73,7 @@ role system_r types setkey_t; @@ -46421,15 +47581,19 @@ index 98d6081..fbc8601 100644 term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_terms(ipsec_mgmt_t) -+ -+auth_dontaudit_read_login_records(ipsec_mgmt_t) ++auth_dontaudit_read_login_records(ipsec_mgmt_t) ++ +init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) -@@ -291,7 +308,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t) +@@ -287,11 +304,11 @@ logging_send_syslog_msg(ipsec_mgmt_t) + + miscfiles_read_localization(ipsec_mgmt_t) +-modutils_domtrans_insmod(ipsec_mgmt_t) +- seutil_dontaudit_search_config(ipsec_mgmt_t) +sysnet_manage_config(ipsec_mgmt_t) @@ -46438,7 +47602,7 @@ index 98d6081..fbc8601 100644 userdom_use_user_terminals(ipsec_mgmt_t) -@@ -300,6 +319,23 @@ optional_policy(` +@@ -300,6 +317,27 @@ optional_policy(` ') optional_policy(` @@ -46455,14 +47619,18 @@ index 98d6081..fbc8601 100644 +') + +optional_policy(` -+ iptables_domtrans(ipsec_mgmt_t) ++ iptables_domtrans(ipsec_mgmt_t) ++') ++ ++optional_policy(` ++ modutils_domtrans_insmod(ipsec_mgmt_t) +') + +optional_policy(` nscd_socket_use(ipsec_mgmt_t) ') -@@ -386,6 +422,8 @@ miscfiles_read_localization(racoon_t) +@@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -46471,7 +47639,7 @@ index 98d6081..fbc8601 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -412,6 +450,7 @@ domain_ipsec_setcontext_all_domains(setkey_t) +@@ -412,6 +452,7 @@ domain_ipsec_setcontext_all_domains(setkey_t) files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) 
@@ -46479,7 +47647,7 @@ index 98d6081..fbc8601 100644 # allow setkey to set the context for ipsec SAs and policy. corenet_setcontext_all_spds(setkey_t) -@@ -423,4 +462,5 @@ miscfiles_read_localization(setkey_t) +@@ -423,4 +464,5 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) @@ -47604,7 +48772,7 @@ index 58bc27f..b95f0c0 100644 + allow $1 clvmd_tmpfs_t:file unlink; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..1440818 100644 +index a0a0ebf..f596c62 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -47703,7 +48871,7 @@ index a0a0ebf..1440818 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,8 +270,9 @@ files_read_etc_files(lvm_t) +@@ -253,17 +270,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -47714,7 +48882,11 @@ index a0a0ebf..1440818 100644 fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -264,6 +282,7 @@ fs_rw_anon_inodefs_files(lvm_t) + fs_dontaudit_read_removable_files(lvm_t) + fs_dontaudit_getattr_tmpfs_files(lvm_t) + fs_rw_anon_inodefs_files(lvm_t) ++fs_list_auto_mountpoints(lvm_t) ++fs_list_hugetlbfs(lvm_t) mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) @@ -47722,7 +48894,7 @@ index a0a0ebf..1440818 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -311,6 +330,11 @@ ifdef(`distro_redhat',` +@@ -311,6 +332,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -47734,7 +48906,7 @@ index a0a0ebf..1440818 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,6 +355,10 @@ optional_policy(` +@@ -331,6 +357,10 @@ optional_policy(` ') optional_policy(` 
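Review bot: The two rules added here, `fs_list_auto_mountpoints(lvm_t)` and `fs_list_hugetlbfs(lvm_t)`, are the lvm_t rules the removed `hide_broken_symptoms` block in init.te used to carry (and `fs_list_auto_mountpoints(fsadm_t)` likewise moves to fstools.te), but that same removed block also granted init_t `write add_name` on `avahi_var_run_t` and `system_dbusd_var_run_t` directories plus `sock_file create`, and no replacement for those is visible anywhere in this diff. If socket activation under `init_systemd` still needs to create those sockets, the grants should come back through the avahi and dbus modules' own interfaces inside `optional_policy` rather than a raw `gen_require` in init.te; if they were dropped deliberately, a sentence in the commit message would save the next reader the search. The relocated lvm_t rules are now unconditional rather than gated on `hide_broken_symptoms`, which is consistent with them being real needs rather than workarounds, so the old gating comment should not be carried over.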
@@ -47745,7 +48917,7 @@ index a0a0ebf..1440818 100644 modutils_domtrans_insmod(lvm_t) ') -@@ -339,6 +367,10 @@ optional_policy(` +@@ -339,6 +369,10 @@ optional_policy(` ') optional_policy(` @@ -48240,7 +49412,7 @@ index 8b5c196..83107f9 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..b842390 100644 +index 15832c7..e7aff81 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -48430,16 +49602,12 @@ index 15832c7..b842390 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,10 +212,17 @@ ifdef(`distro_ubuntu',` +@@ -141,10 +212,13 @@ ifdef(`distro_ubuntu',` ') ') +corecmd_exec_shell(mount_t) + -+modutils_domtrans_insmod(mount_t) -+ -+fstools_domtrans(mount_t) -+ tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) @@ -48448,7 +49616,7 @@ index 15832c7..b842390 100644 ') optional_policy(` -@@ -174,6 +252,8 @@ optional_policy(` +@@ -174,6 +248,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -48457,7 +49625,7 @@ index 15832c7..b842390 100644 ') optional_policy(` -@@ -181,6 +261,28 @@ optional_policy(` +@@ -181,6 +257,28 @@ optional_policy(` ') optional_policy(` @@ -48486,7 +49654,7 @@ index 15832c7..b842390 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +290,44 @@ optional_policy(` +@@ -188,13 +286,52 @@ optional_policy(` ') ') @@ -48500,6 +49668,14 @@ index 15832c7..b842390 100644 +') + +optional_policy(` ++ modutils_domtrans_insmod(mount_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(mount_t) ++') ++ ++optional_policy(` + rhcs_stream_connect_gfs_controld(mount_t) +') + 
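Review bot: The new `optional_policy` blocks for `modutils_domtrans_insmod(mount_t)` and `fstools_domtrans(mount_t)` give mount_t transitions into the insmod and fsadm domains without a comment naming which mount path needs them, whereas the bootloader hunk documents its equivalent transition with `# for mke2fs`. A one-line reason on each, such as `# mount helpers observed calling modprobe/fsck -- TODO confirm`, keeps these from being carried forward blindly. `corecmd_exec_shell(mount_t)` earlier in the same file is likewise uncommented and still unconditional; if it exists for a shell-script `mount.*` helper, say so there too.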
@@ -48531,7 +49707,7 @@ index 15832c7..b842390 100644 ') ######################################## -@@ -203,6 +336,43 @@ optional_policy(` +@@ -203,6 +340,43 @@ optional_policy(` # optional_policy(` @@ -48576,6 +49752,30 @@ index 15832c7..b842390 100644 +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) +diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te +index 4d06ae3..a9918e0 100644 +--- a/policy/modules/system/pcmcia.te ++++ b/policy/modules/system/pcmcia.te +@@ -98,8 +98,6 @@ logging_send_syslog_msg(cardmgr_t) + + miscfiles_read_localization(cardmgr_t) + +-modutils_domtrans_insmod(cardmgr_t) +- + sysnet_domtrans_ifconfig(cardmgr_t) + # for /etc/resolv.conf + sysnet_etc_filetrans_config(cardmgr_t) +@@ -110,6 +108,10 @@ userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) + userdom_dontaudit_search_user_home_dirs(cardmgr_t) + + optional_policy(` ++ modutils_domtrans_insmod(cardmgr_t) ++') ++ ++optional_policy(` + seutil_dontaudit_read_config(cardmgr_t) + seutil_sigchld_newrole(cardmgr_t) + ') diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc index ed9c70d..b961d53 100644 --- a/policy/modules/system/raid.fc @@ -49107,7 +50307,7 @@ index 170e2c7..540a936 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..d6a6763 100644 +index 7ed9819..c3dc5ba 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -49120,7 +50320,7 @@ index 7ed9819..d6a6763 100644 type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -57,8 +60,9 @@ domain_interactive_fd(newrole_t) +@@ -57,8 +60,13 @@ domain_interactive_fd(newrole_t) # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # 
@@ -49128,11 +50328,15 @@ index 7ed9819..d6a6763 100644 -files_type(policy_config_t) +#type policy_config_t; +#files_type(policy_config_t) ++gen_require(` ++ type semanage_store_t; ++') ++ +typealias semanage_store_t alias policy_config_t; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -74,7 +78,6 @@ type restorecond_t; +@@ -74,7 +82,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -49140,7 +50344,7 @@ index 7ed9819..d6a6763 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -88,26 +91,36 @@ role system_r types run_init_t; +@@ -88,26 +95,36 @@ role system_r types run_init_t; type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) @@ -49179,7 +50383,7 @@ index 7ed9819..d6a6763 100644 ######################################## # # Checkpolicy local policy -@@ -176,6 +189,7 @@ term_list_ptys(load_policy_t) +@@ -176,6 +193,7 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -49187,7 +50391,7 @@ index 7ed9819..d6a6763 100644 miscfiles_read_localization(load_policy_t) -@@ -204,7 +218,7 @@ ifdef(`hide_broken_symptoms',` +@@ -204,7 +222,7 @@ ifdef(`hide_broken_symptoms',` # Newrole local policy # @@ -49196,7 +50400,7 @@ index 7ed9819..d6a6763 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -216,7 +234,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
@@ -49205,7 +50409,7 @@ index 7ed9819..d6a6763 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -233,6 +247,7 @@ domain_use_interactive_fds(newrole_t) +@@ -233,6 +251,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -49213,7 +50417,7 @@ index 7ed9819..d6a6763 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -260,25 +275,30 @@ term_relabel_all_ptys(newrole_t) +@@ -260,25 +279,30 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -49250,7 +50454,7 @@ index 7ed9819..d6a6763 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -312,6 +332,8 @@ kernel_use_fds(restorecond_t) +@@ -312,6 +336,8 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -49259,7 +50463,7 @@ index 7ed9819..d6a6763 100644 fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -335,6 +357,8 @@ miscfiles_read_localization(restorecond_t) +@@ -335,6 +361,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -49268,7 +50472,7 @@ index 7ed9819..d6a6763 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,7 +377,7 @@ optional_policy(` +@@ -353,7 +381,7 @@ optional_policy(` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; 
@@ -49277,7 +50481,7 @@ index 7ed9819..d6a6763 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -380,6 +404,8 @@ selinux_compute_create_context(run_init_t) +@@ -380,6 +408,8 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -49286,7 +50490,7 @@ index 7ed9819..d6a6763 100644 auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) -@@ -405,6 +431,15 @@ ifndef(`direct_sysadm_daemon',` +@@ -405,6 +435,15 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -49302,7 +50506,7 @@ index 7ed9819..d6a6763 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +455,22 @@ optional_policy(` +@@ -420,61 +459,22 @@ optional_policy(` # semodule local policy # @@ -49319,17 +50523,17 @@ index 7ed9819..d6a6763 100644 - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) -- --dev_read_urand(semanage_t) +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --domain_use_interactive_fds(semanage_t) +-corecmd_exec_bin(semanage_t) +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +-dev_read_urand(semanage_t) +- +-domain_use_interactive_fds(semanage_t) +- -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) 
@@ -49351,13 +50555,13 @@ index 7ed9819..d6a6763 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) -- ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) @@ -49372,13 +50576,13 @@ index 7ed9819..d6a6763 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +483,64 @@ ifdef(`distro_debian',` +@@ -487,118 +487,64 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') +optional_policy(` + setrans_initrc_domtrans(semanage_t) -+ domain_system_change_exemption(semanage_t) ++ domain_system_change_exemption(semanage_t) + consoletype_exec(semanage_t) +') + @@ -49455,17 +50659,17 @@ index 7ed9819..d6a6763 100644 -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) -- --logging_send_syslog_msg(setfiles_t) +init_dontaudit_use_fds(setsebool_t) --miscfiles_read_localization(setfiles_t) +-logging_send_syslog_msg(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) +-miscfiles_read_localization(setfiles_t) +- -seutil_libselinux_linked(setfiles_t) +######################################## +# @@ -49803,7 +51007,7 @@ index 8e71fb7..065b98e 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index dfbe736..b8e873f 100644 +index dfbe736..8b2297c 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0) 
@@ -49875,7 +51079,7 @@ index dfbe736..b8e873f 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,9 +148,11 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) +@@ -130,13 +148,13 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) init_rw_utmp(dhcpc_t) @@ -49886,8 +51090,12 @@ index dfbe736..b8e873f 100644 +miscfiles_read_generic_certs(dhcpc_t) miscfiles_read_localization(dhcpc_t) - modutils_domtrans_insmod(dhcpc_t) -@@ -155,6 +175,14 @@ optional_policy(` +-modutils_domtrans_insmod(dhcpc_t) +- + userdom_use_user_terminals(dhcpc_t) + userdom_dontaudit_search_user_home_dirs(dhcpc_t) + +@@ -155,6 +173,14 @@ optional_policy(` ') optional_policy(` @@ -49902,7 +51110,7 @@ index dfbe736..b8e873f 100644 init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +199,8 @@ optional_policy(` +@@ -171,6 +197,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -49911,10 +51119,14 @@ index dfbe736..b8e873f 100644 ') optional_policy(` -@@ -192,6 +222,13 @@ optional_policy(` +@@ -192,6 +220,17 @@ optional_policy(` ') optional_policy(` ++ modutils_domtrans_insmod(dhcpc_t) ++') ++ ++optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) + networkmanager_read_lib_files(dhcpc_t) @@ -49925,7 +51137,7 @@ index dfbe736..b8e873f 100644 nis_read_ypbind_pid(dhcpc_t) ') -@@ -213,6 +250,10 @@ optional_policy(` +@@ -213,6 +252,10 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -49936,7 +51148,7 @@ index dfbe736..b8e873f 100644 ') optional_policy(` -@@ -276,8 +317,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +319,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) 
@@ -49948,7 +51160,11 @@ index dfbe736..b8e873f 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -305,6 +349,8 @@ modutils_domtrans_insmod(ifconfig_t) +@@ -301,10 +347,11 @@ logging_send_syslog_msg(ifconfig_t) + + miscfiles_read_localization(ifconfig_t) + +-modutils_domtrans_insmod(ifconfig_t) seutil_use_runinit_fds(ifconfig_t) @@ -49957,7 +51173,7 @@ index dfbe736..b8e873f 100644 userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -314,6 +360,10 @@ ifdef(`distro_ubuntu',` +@@ -314,6 +361,10 @@ ifdef(`distro_ubuntu',` ') ') @@ -49968,7 +51184,7 @@ index dfbe736..b8e873f 100644 ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -325,12 +375,27 @@ ifdef(`hide_broken_symptoms',` +@@ -325,12 +376,31 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -49992,11 +51208,15 @@ index dfbe736..b8e873f 100644 +') + +optional_policy(` ++ modutils_domtrans_insmod(ifconfig_t) ++') ++ ++optional_policy(` + netutils_domtrans(dhcpc_t) ') optional_policy(` -@@ -355,3 +420,9 @@ optional_policy(` +@@ -355,3 +425,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -51310,7 +52530,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..296513f 100644 +index 28b88de..e4b6f01 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -52526,15 +53746,19 @@ index 28b88de..296513f 100644 term_use_all_terms($1_t) -@@ -1142,6 +1384,7 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1383,10 @@ template(`userdom_admin_user_template',` + logging_send_syslog_msg($1_t) - modutils_domtrans_insmod($1_t) -+ modutils_domtrans_depmod($1_t) +- modutils_domtrans_insmod($1_t) ++ optional_policy(` ++ modutils_domtrans_insmod($1_t) ++ modutils_domtrans_depmod($1_t) ++ ') # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1453,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1455,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52543,7 +53767,7 @@ index 28b88de..296513f 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1467,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1469,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -52551,7 +53775,7 @@ index 28b88de..296513f 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1483,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1485,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -52559,7 +53783,7 @@ index 28b88de..296513f 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1526,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1528,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -52597,7 +53821,7 @@ index 28b88de..296513f 100644 ubac_constrained($1) ') -@@ -1395,6 +1668,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1670,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -52605,7 +53829,7 @@ index 28b88de..296513f 100644 files_search_home($1) ') -@@ -1441,6 +1715,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1717,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -52620,7 +53844,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -1456,9 +1738,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1740,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -52632,7 +53856,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -1515,10 +1799,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1801,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -52645,7 +53869,7 @@ index 28b88de..296513f 100644 ## ## ## -@@ -1526,35 +1810,71 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,33 +1812,69 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -52681,8 +53905,7 @@ index 28b88de..296513f 100644 -## -## +## - ## --## Domain allowed to transition. ++## +## Domain allowed access. +## +## @@ -52733,12 +53956,10 @@ index 28b88de..296513f 100644 +##

+## +## -+## -+## Domain allowed to transition. + ## + ## Domain allowed to transition. ## - ## - ## -@@ -1589,6 +1909,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1911,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -52747,7 +53968,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -1603,10 +1925,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1927,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -52762,7 +53983,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -1649,6 +1973,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1975,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -52788,7 +54009,7 @@ index 28b88de..296513f 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2043,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2045,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -52821,7 +54042,7 @@ index 28b88de..296513f 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2079,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2081,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -52839,7 +54060,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -1810,8 +2176,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2178,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') 
@@ -52849,7 +54070,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -1827,21 +2192,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2194,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -52875,7 +54096,7 @@ index 28b88de..296513f 100644 ######################################## ## ## Do not audit attempts to execute user home files. -@@ -2182,7 +2541,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2543,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -52884,7 +54105,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -2435,13 +2794,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2796,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -52900,7 +54121,7 @@ index 28b88de..296513f 100644 ## ## ## -@@ -2462,26 +2822,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2824,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -52927,7 +54148,7 @@ index 28b88de..296513f 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3155,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3157,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -52936,7 +54157,7 @@ index 28b88de..296513f 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3171,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3173,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -52952,7 +54173,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -2917,7 +3259,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3261,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -52961,7 +54182,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -2972,7 +3314,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3316,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -53008,7 +54229,7 @@ index 28b88de..296513f 100644 ') ######################################## -@@ -3009,6 +3389,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3391,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -53016,7 +54237,7 @@ index 28b88de..296513f 100644 kernel_search_proc($1) ') -@@ -3139,3 +3520,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3522,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -54243,7 +55464,7 @@ index 77d41b6..4aa96c6 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..630c03d 100644 +index 4350ba0..c8b1d3b 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) 
@@ -54274,16 +55495,52 @@ index 4350ba0..630c03d 100644 ######################################## # # blktap local policy -@@ -341,6 +338,8 @@ xen_stream_connect_xenstore(xend_t) +@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t) - netutils_domtrans(xend_t) + logging_send_syslog_msg(xend_t) -+virt_read_config(xend_t) -+ +-lvm_domtrans(xend_t) +- + miscfiles_read_localization(xend_t) + miscfiles_read_hwdata(xend_t) + +-mount_domtrans(xend_t) + + sysnet_domtrans_dhcpc(xend_t) + sysnet_signal_dhcpc(xend_t) +@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) + + xen_stream_connect_xenstore(xend_t) + +-netutils_domtrans(xend_t) +- optional_policy(` brctl_domtrans(xend_t) ') -@@ -413,9 +412,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -349,6 +341,22 @@ optional_policy(` + consoletype_exec(xend_t) + ') + ++optional_policy(` ++ lvm_domtrans(xend_t) ++') ++ ++optional_policy(` ++ mount_domtrans(xend_t) ++') ++ ++optional_policy(` ++ netutils_domtrans(xend_t) ++') ++ ++optional_policy(` ++ virt_read_config(xend_t) ++') ++ + ######################################## + # + # Xen console local policy +@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -54295,7 +55552,7 @@ index 4350ba0..630c03d 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -54307,7 +55564,7 @@ index 4350ba0..630c03d 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +459,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +468,9 @@ xen_append_log(xenstored_t) ######################################## # 
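Review bot: Removing `mount_domtrans(xend_t)` in outer hunk `@@ -54274,16 +55495,52 @@` (xen.te) leaves two consecutive blank lines between `miscfiles_read_hwdata(xend_t)` and `sysnet_domtrans_dhcpc(xend_t)`, because the deleted line had blank context on both sides; drop one so the block keeps the single-blank-line spacing used everywhere else in the hunk. The four new single-rule blocks (lvm, mount, netutils, virt) are correctly alphabetized after the existing brctl/consoletype blocks. Note for the record that wrapping `lvm_domtrans`/`mount_domtrans` in `optional_policy` only affects whether the rule is linked when those modules are absent, not xend_t's reach into lvm_t/mount_t when they are present, so a short why-comment such as `# lvm/mount: guest disk image handling (TODO: confirm)` would help future reviewers decide whether these transitions should be boolean-gated.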
@@ -54404,7 +55661,7 @@ index 4350ba0..630c03d 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +474,4 @@ optional_policy(` +@@ -559,8 +483,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index c725318..32d2dc5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.15 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,14 @@ exit 0 %endif %changelog +* Thu Mar 3 2011 Miroslav Grepl 3.9.15-6 +- Make a lot of modules independent +- Update to make new seunshare/sandbox work +- allow virt_domains to use inherited noxattrs file systems +- Dont allow svirt_t to send kill signals +- Cleanup policy to allow less modules in base +- Cleanup to allow minimal files in base policy + * Tue Mar 1 2011 Miroslav Grepl 3.9.15-5 - gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd