From 4e5d63b465da35e7b4b7771d871b76592afed52c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 05 2014 17:15:58 +0000 Subject: - Fix labeling for /root/\.yubico - userdom_search_admin_dir() calling needs to be optional in kernel.te - Dontaudit leaked xserver_misc_device_t into plugins - Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy - Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains - Bootloader wants to look at init state - Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm - init reads kdbump etc files - Add support for tcp/9697 - Fix labeling for /var/run/user//gvfs - Add support for us_cli ports - fix sysnet_use_ldap - Allow mysql to execute ifconfig if Red Hat OpenStack - ALlow stap-server to get attr on all fs - Fix mail_pool_t to mail_spool_t - Dontaudit leaked xserver_misc_device_t into plugins - Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains - Add new labeling for /var/spool/smtpd - Allow httpd_t to kill passenger - Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets - Allow nova-scheduler to read passwd/utmp files - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - ALlow motion to use tcp/8082 port --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 1d74ecc..f7786c2 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1022,7 +1022,7 @@ index 4705ab6..b7e7ea5 100644 +## +gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs -index 216b3d1..275d3d9 100644 +index 216b3d1..064ec83 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ 
@@ -1032,7 +1032,7 @@ index 216b3d1..275d3d9 100644 # # Define sensitivities # -@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats) +@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } @@ -1069,6 +1069,12 @@ index 216b3d1..275d3d9 100644 - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ++ ++mlsconstrain key { create link read search setattr view write } ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ++ ++mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. @@ -1103,7 +1109,7 @@ index 216b3d1..275d3d9 100644 mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d +@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); @@ -1113,7 +1119,7 @@ index 216b3d1..275d3d9 100644 # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); -@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -1138,10 +1144,20 @@ index 216b3d1..275d3d9 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index f11e5e2..656f7a7 100644 +index f11e5e2..9e0c245 100644 
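Review bot: In the `@@ -1069,6 +1069,12 @@` hunk the new MCS rule for `{ ipc sem msgq shm }` constrains only the write-side permissions (`create destroy setattr write unix_write`), so an `mcs_constrained_type` domain whose categories do not dominate a segment's can still `read`/`unix_read` it, while the `file` rule earlier in this file and the new `key` rule added in the same hunk both gate `read` as well — the two new rules are inconsistent with each other. If category isolation for SysV IPC is meant to match files and keys, add the read side too, e.g. `mlsconstrain { ipc sem msgq shm } { getattr read unix_read } (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));`. If leaving reads unconstrained is deliberate (MCS only preventing writes across categories for IPC), a one-line comment above the rule stating that would keep the next reader from "fixing" it.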
--- a/policy/mls +++ b/policy/mls -@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s +@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } + # these access vectors have no MLS restrictions + # filesystem { transition associate } + +- +- +- + # + # MLS policy for the socket classes + # +@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or @@ -1151,7 +1167,19 @@ index f11e5e2..656f7a7 100644 # used by netlabel to restrict normal domains to same level connections mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom -@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv } +@@ -252,6 +250,11 @@ mlsconstrain msg receive + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + ++mlsconstrain key { create link read search setattr view write } ++ (( l1 eq l2 ) or ++ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ ( t1 == mlsprocwrite )); ++ + # the ipc "write" ops (implicit single level) + mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( l1 eq l2 ) or +@@ -361,9 +364,6 @@ mlsconstrain { peer packet } { recv } (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -1334,7 +1362,7 @@ index cc8df9d..90467f3 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 0fd5c5f..32514ee 100644 +index 0fd5c5f..643341a 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -20,13 +20,20 @@ type bootloader_t; 
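Review bot: In the `@@ -252,6 +250,11 @@` hunk the new `key` constraint applies the single-level rule plus the process write overrides (`mlsprocwritetoclr`, `mlsprocwrite`) to the read-side permissions `read search view` as well, whereas every other process/IPC class in this file keeps read ops (low-level dominance with the read overrides, as in the `msg receive` rule shown in context) separate from write ops (`l1 eq l2` with write overrides). As written, a higher-level domain cannot `search` or `view` a lower-level key without a write override, and any domain holding `mlsprocwrite` gains read access to keys at every level. If read-down on keyrings is intended and this policy defines the usual process read overrides, split the rule: `mlsconstrain key { read search view } (( l1 dom l2 ) or (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsprocread ));` and keep the present rule for `{ create link setattr write }` only. If keys are meant to be strictly single-level for reads too, a comment above the rule in the style of `# the ipc "write" ops (implicit single level)` should say so.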
@@ -1419,15 +1447,16 @@ index 0fd5c5f..32514ee 100644 # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab -@@ -111,6 +134,7 @@ files_manage_etc_runtime_files(bootloader_t) +@@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) + ++init_read_state(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t) +@@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) @@ -1453,7 +1482,7 @@ index 0fd5c5f..32514ee 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -174,6 +199,10 @@ ifdef(`distro_redhat',` +@@ -174,6 +200,10 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -1464,7 +1493,7 @@ index 0fd5c5f..32514ee 100644 fstools_exec(bootloader_t) ') -@@ -183,6 +212,14 @@ optional_policy(` +@@ -183,6 +213,14 @@ optional_policy(` ') optional_policy(` @@ -1479,7 +1508,7 @@ index 0fd5c5f..32514ee 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,17 +232,18 @@ optional_policy(` +@@ -195,17 +233,18 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) @@ -5418,7 +5447,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..dd4a176 100644 +index b191055..1463ef3 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -5677,7 +5706,7 @@ index b191055..dd4a176 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,52 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -215,66 +268,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5686,7 +5715,7 @@ index b191055..dd4a176 100644 network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -+network_port(neutron, tcp,9696,s0) ++network_port(neutron, tcp,9696,s0, tcp,9697,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) @@ -5746,7 +5775,11 @@ index b191055..dd4a176 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) -@@ -271,10 +331,10 @@ network_port(varnishd, tcp,6081-6082,s0) + network_port(ups, tcp,3493,s0) + network_port(utcpserver) # no defined portcon + network_port(uucpd, tcp,540,s0) ++network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0) + network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5759,7 +5792,7 @@ index b191055..dd4a176 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +348,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +349,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) 
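Review bot: In the `@@ -5746,7 +5775,11 @@` hunk, `network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)` labels both protocols on 8082 and 8083 as the `us_cli` port type, yet the commit message says tcp/8082 is being added so that motion can use it; nothing in the hunk records that second consumer. Giving a service-specific port a generic label means every domain already granted the `us_cli` port interfaces silently gains motion's port, and anyone later auditing `us_cli` bindings will not know why motion shows up on it. A comment on the line, `# tcp/8082 is also used by motion`, or a dedicated label for motion, would keep the port-to-service mapping auditable.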
@@ -5786,7 +5819,7 @@ index b191055..dd4a176 100644 ######################################## # -@@ -333,6 +397,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +398,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5795,7 +5828,7 @@ index b191055..dd4a176 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +411,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +412,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5960,7 +5993,7 @@ index b31c054..5e37a40 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..fb27ae5 100644 +index 76f285e..d86836b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7022,7 +7055,15 @@ index 76f285e..fb27ae5 100644 ## -## Read hardware state information. +## Do not audit attempts to search sysfs. -+## + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+## +## +## Domain to not audit. @@ -7120,15 +7161,7 @@ index 76f285e..fb27ae5 100644 +######################################## +## +## Relabel cpu online hardware state information. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
++##
+## +## +## Domain allowed access. @@ -7461,10 +7494,28 @@ index 76f285e..fb27ae5 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5532,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## ++## Dontaudit attempts to Read and write X server miscellaneous devices. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_leaked_xserver_misc',` ++ gen_require(` ++ type xserver_misc_device_t; ++ ') ++ ++ dontaudit $1 xserver_misc_device_t:chr_file { read write }; ++') ++ ++######################################## ++## +## Read and write X server miscellaneous devices. +## +## @@ -7488,7 +7539,7 @@ index 76f285e..fb27ae5 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',` +@@ -4851,3 +5659,946 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8744,7 +8795,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..e0615d1 100644 +index cf04cb5..71f4c33 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8785,7 +8836,7 @@ index cf04cb5..e0615d1 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,51 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; 
@@ -8816,9 +8867,10 @@ index cf04cb5..e0615d1 100644 # list the root directory files_list_root(domain) -+# allow all domains to search through default_t directory, since users sometimes -+# place labels within these directories. (samba_share_t) for example. -+files_search_default(domain) ++# allow all domains to search through base_file_type directory, since users ++# sometimes place labels within these directories. (samba_share_t) for example. ++files_search_base_file_types(domain) ++ +files_read_inherited_tmp_files(domain) +files_append_inherited_tmp_files(domain) +files_read_all_base_ro_files(domain) @@ -8827,6 +8879,9 @@ index cf04cb5..e0615d1 100644 +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + ++optional_policy(` ++ userdom_search_admin_dir(domain) ++') + +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) @@ -8834,7 +8889,7 @@ index cf04cb5..e0615d1 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +173,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -8853,7 +8908,7 @@ index cf04cb5..e0615d1 100644 ') optional_policy(` -@@ -133,6 +191,9 @@ optional_policy(` +@@ -133,6 +195,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -8863,7 +8918,7 @@ index cf04cb5..e0615d1 100644 ') ######################################## -@@ -147,12 +208,18 @@ optional_policy(` +@@ -147,12 +212,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; 
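Review bot: Replacing `files_search_default(domain)` with `files_search_base_file_types(domain)` extends directory `search` for every domain from `default_t` to every type carrying the `base_file_type` attribute, but the comment kept above it still gives only the narrow default_t rationale, so the breadth of the grant is not visible at the point of use. Since `search_dir_perms` carries no `read` permission, the widening lets confined domains traverse such directories without enumerating them, which is the property worth recording: `# search (not list) on every base_file_type dir: confined domains must traverse paths whose parents carry a base type (e.g. samba_share_t placed under default_t)`. The `optional_policy(\`userdom_search_admin_dir(domain)')` block in the following hunk (`@@ -8827,6 +8879,9 @@`) depends on that interface existing in userdomain.if, which is outside this view.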
@@ -8883,7 +8938,7 @@ index cf04cb5..e0615d1 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +233,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +237,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9479,7 +9534,7 @@ index b876c48..bbd0e79 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..337a00e 100644 +index f962f76..ec9e64a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -9799,7 +9854,7 @@ index f962f76..337a00e 100644 ## Read all files. ## ## -@@ -683,12 +906,107 @@ interface(`files_read_non_security_files',` +@@ -683,12 +906,125 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -9879,6 +9934,24 @@ index f962f76..337a00e 100644 + +######################################## +## ++## Search all base file dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_base_file_types',` ++ gen_require(` ++ attribute base_file_type; ++ ') ++ ++ allow $1 base_file_type:dir search_dir_perms; ++') ++ ++######################################## ++## +## Relabel all base file types. +## +## @@ -9907,7 +9980,7 @@ index f962f76..337a00e 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1271,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1289,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## 
@@ -9933,7 +10006,7 @@ index f962f76..337a00e 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,8 +1328,8 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,8 +1346,8 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -9944,7 +10017,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -1000,43 +1337,81 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -1000,12 +1355,50 @@ interface(`files_dontaudit_getattr_all_sockets',` ## ## # 
@@ -9957,87 +10030,48 @@ index f962f76..337a00e 100644 - dontaudit $1 non_security_file_type:sock_file getattr; + dontaudit $1 file_type:sock_file read; - ') - - ######################################## - ## --## Read all block nodes with file types. -+## Do not audit attempts to read -+## of all security file types. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_all_blk_files',` -+interface(`files_dontaudit_read_all_non_security_files',` - gen_require(` -- attribute file_type; -+ attribute non_security_file_type; - ') - -- read_blk_files_pattern($1, file_type, file_type) -+ dontaudit $1 non_security_file_type:file read_file_perms; - ') - - ######################################## - ## --## Read all character nodes with file types. -+## Do not audit attempts to get the attributes -+## of non security named sockets. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_all_chr_files',` -+interface(`files_dontaudit_getattr_non_security_sockets',` -+ gen_require(` -+ attribute non_security_file_type; -+ ') -+ -+ dontaudit $1 non_security_file_type:sock_file getattr; +') + +######################################## +## -+## Read all block nodes with file types. ++## Do not audit attempts to read ++## of all security file types. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_read_all_blk_files',` ++interface(`files_dontaudit_read_all_non_security_files',` + gen_require(` -+ attribute file_type; ++ attribute non_security_file_type; + ') + -+ read_blk_files_pattern($1, file_type, file_type) ++ dontaudit $1 non_security_file_type:file read_file_perms; +') + +######################################## +## -+## Read all character nodes with file types. ++## Do not audit attempts to get the attributes ++## of non security named sockets. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`files_read_all_chr_files',` - gen_require(` - attribute file_type; - ') -@@ -1073,10 +1448,8 @@ interface(`files_relabel_all_files',` ++interface(`files_dontaudit_getattr_non_security_sockets',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:sock_file getattr; + ') + + ######################################## +@@ -1073,10 +1466,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -10050,7 +10084,7 @@ index f962f76..337a00e 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1555,6 @@ interface(`files_list_all',` +@@ -1182,24 +1573,6 @@ interface(`files_list_all',` ######################################## ## @@ -10075,7 +10109,7 @@ index f962f76..337a00e 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1798,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1816,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -10085,7 +10119,7 @@ index f962f76..337a00e 100644 ') ############################################# -@@ -1601,6 +1953,24 @@ interface(`files_setattr_all_mountpoints',` +@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## @@ -10110,7 +10144,7 @@ index f962f76..337a00e 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1691,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## 
@@ -10135,7 +10169,7 @@ index f962f76..337a00e 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1709,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1709,6 +2115,42 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -10178,7 +10212,7 @@ index f962f76..337a00e 100644 ## List the contents of the root directory. ## ## -@@ -1725,6 +2149,23 @@ interface(`files_list_root',` +@@ -1725,6 +2167,23 @@ interface(`files_list_root',` allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') @@ -10202,7 +10236,7 @@ index f962f76..337a00e 100644 ######################################## ## -@@ -1765,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',` +@@ -1765,6 +2224,26 @@ interface(`files_dontaudit_rw_root_dir',` ######################################## ## @@ -10229,7 +10263,7 @@ index f962f76..337a00e 100644 ## Create an object in the root directory, with a private ## type using a type transition. ## -@@ -1892,25 +2353,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1892,25 +2371,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10261,7 +10295,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -1923,7 +2384,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2402,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -10270,7 +10304,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -1946,6 +2407,24 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2425,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10295,7 +10329,7 @@ index f962f76..337a00e 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') 
@@ -10320,7 +10354,7 @@ index f962f76..337a00e 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3142,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3160,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10345,7 +10379,7 @@ index f962f76..337a00e 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3231,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3249,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10353,7 +10387,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -2724,7 +3240,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3258,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10362,7 +10396,7 @@ index f962f76..337a00e 100644 ## ## # -@@ -2780,6 +3296,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3314,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10388,7 +10422,7 @@ index f962f76..337a00e 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3333,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3351,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10413,7 +10447,7 @@ index f962f76..337a00e 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3516,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3534,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10438,7 +10472,7 @@ index f962f76..337a00e 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3556,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3574,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## 
@@ -10449,7 +10483,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -3031,18 +3564,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3582,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10471,7 +10505,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -3060,12 +3592,32 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,23 +3610,44 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10484,9 +10518,11 @@ index f962f76..337a00e 100644 ## -## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## +-## + # +-interface(`files_rw_etc_runtime_files',` +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; @@ -10503,10 +10539,14 @@ index f962f76..337a00e 100644 +## +## +## Domain allowed access. - ## - ## - ## -@@ -3077,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',` ++## ++## ++## ++# ++interface(`files_rw_etc_runtime_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10514,7 +10554,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3098,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10522,7 +10562,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3142,10 +3696,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3714,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` 
@@ -10573,7 +10613,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3161,10 +3753,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3771,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -10586,7 +10626,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3180,10 +3772,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3790,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -10599,7 +10639,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3199,10 +3791,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3809,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -10612,7 +10652,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3218,10 +3810,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3828,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -10655,9 +10695,8 @@ index f962f76..337a00e 100644 +interface(`files_mounton_isid',` + gen_require(` + type unlabeled_t; - ') - -- delete_dirs_pattern($1, file_t, file_t) ++ ') ++ + allow $1 unlabeled_t:dir mounton; +') + @@ -10675,13 +10714,14 @@ index f962f76..337a00e 100644 +interface(`files_relabelfrom_isid_type',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- delete_dirs_pattern($1, file_t, file_t) + dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') ######################################## -@@ -3237,10 +3885,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3903,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` 
@@ -10694,7 +10734,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3256,10 +3904,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +3922,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -10726,7 +10766,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3275,10 +3942,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +3960,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -10739,7 +10779,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3294,10 +3961,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +3979,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -10752,7 +10792,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3313,10 +3980,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +3998,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -10765,7 +10805,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3332,10 +3999,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4017,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -10778,7 +10818,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3351,10 +4018,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4036,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` 
@@ -10791,7 +10831,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3370,10 +4037,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4055,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -10804,7 +10844,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3389,10 +4056,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4074,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -10817,7 +10857,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3408,10 +4075,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4093,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -10830,7 +10870,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3427,10 +4094,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4112,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -10843,7 +10883,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3446,10 +4113,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4131,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -10856,14 +10896,15 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3465,10 +4132,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4150,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` - type file_t; + type unlabeled_t; -+ ') -+ + ') + +- allow $1 file_t:blk_file rw_blk_file_perms; + allow $1 unlabeled_t:blk_file rw_blk_file_perms; +') + 
@@ -10881,14 +10922,13 @@ index f962f76..337a00e 100644 +interface(`files_rw_inherited_isid_type_files',` + gen_require(` + type unlabeled_t; - ') - -- allow $1 file_t:blk_file rw_blk_file_perms; ++ ') ++ + allow $1 unlabeled_t:file rw_inherited_file_perms; ') ######################################## -@@ -3484,10 +4170,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4188,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -10901,7 +10941,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3503,10 +4189,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4207,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -10914,7 +10954,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -3814,20 +4500,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4518,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10958,7 +10998,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -4217,6 +4921,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +4939,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11131,7 +11171,7 @@ index f962f76..337a00e 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5109,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5127,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -11158,7 +11198,7 @@ index f962f76..337a00e 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5142,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5160,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') 
@@ -11197,7 +11237,7 @@ index f962f76..337a00e 100644 ## ## # -@@ -4289,6 +5199,7 @@ interface(`files_search_tmp',` +@@ -4289,6 +5217,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -11205,7 +11245,7 @@ index f962f76..337a00e 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5236,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5254,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -11213,7 +11253,7 @@ index f962f76..337a00e 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5246,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5264,7 @@ interface(`files_list_tmp',` ## ## ## @@ -11222,7 +11262,7 @@ index f962f76..337a00e 100644 ## ## # -@@ -4346,21 +5258,41 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,13 +5276,32 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -11235,13 +11275,11 @@ index f962f76..337a00e 100644 ## -## -## Domain allowed access. --## +## +## Domain not to audit. +## - ## - # --interface(`files_delete_tmp_dir_entry',` ++## ++# +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; @@ -11258,11 +11296,10 @@ index f962f76..337a00e 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`files_delete_tmp_dir_entry',` - gen_require(` + ## + ## + # +@@ -4361,6 +5310,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -11270,7 +11307,7 @@ index f962f76..337a00e 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5334,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5352,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -11303,7 +11340,7 @@ index f962f76..337a00e 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5414,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5432,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## 
@@ -11346,7 +11383,7 @@ index f962f76..337a00e 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5468,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5486,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -11407,7 +11444,7 @@ index f962f76..337a00e 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5567,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5585,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -11416,7 +11453,7 @@ index f962f76..337a00e 100644 ## ## # -@@ -4579,7 +5627,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5645,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -11425,7 +11462,7 @@ index f962f76..337a00e 100644 ## ## # -@@ -4611,6 +5659,44 @@ interface(`files_read_all_tmp_files',` +@@ -4611,6 +5677,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11470,7 +11507,7 @@ index f962f76..337a00e 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5750,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5768,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11487,7 +11524,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -5112,6 +6208,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6226,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -11512,7 +11549,7 @@ index f962f76..337a00e 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6355,24 @@ interface(`files_list_var',` +@@ -5241,6 +6373,24 @@ interface(`files_list_var',` ######################################## ## 
@@ -11537,7 +11574,7 @@ index f962f76..337a00e 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6460,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6478,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -11546,7 +11583,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -5527,6 +6659,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6677,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -11572,7 +11609,7 @@ index f962f76..337a00e 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6747,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6765,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11598,7 +11635,7 @@ index f962f76..337a00e 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6811,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6829,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11607,7 +11644,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -5649,12 +6819,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6837,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11623,7 +11660,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -5672,6 +6843,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6861,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11631,7 +11668,7 @@ index f962f76..337a00e 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6870,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6888,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## 
@@ -11659,7 +11696,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -5706,13 +6897,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +6915,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11676,7 +11713,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -5731,7 +6921,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +6939,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11685,7 +11722,7 @@ index f962f76..337a00e 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +6954,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +6972,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11693,7 +11730,7 @@ index f962f76..337a00e 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +6968,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +6986,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11702,7 +11739,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -5787,13 +6976,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +6994,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11737,7 +11774,7 @@ index f962f76..337a00e 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7018,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7036,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11755,7 +11792,7 @@ index f962f76..337a00e 100644 ') ######################################## -@@ -5834,9 +7042,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7060,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
@@ -11766,7 +11803,7 @@ index f962f76..337a00e 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7084,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7102,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11776,7 +11813,7 @@ index f962f76..337a00e 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7106,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7124,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11786,7 +11823,7 @@ index f962f76..337a00e 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7143,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7161,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11796,7 +11833,7 @@ index f962f76..337a00e 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7182,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7200,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11805,7 +11842,7 @@ index f962f76..337a00e 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7202,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7220,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -11854,7 +11891,7 @@ index f962f76..337a00e 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7266,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7284,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11880,7 +11917,7 @@ index f962f76..337a00e 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7299,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7317,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') 
@@ -11889,7 +11926,7 @@ index f962f76..337a00e 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7318,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7336,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11898,7 +11935,7 @@ index f962f76..337a00e 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7338,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7356,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11907,7 +11944,7 @@ index f962f76..337a00e 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7400,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7418,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11915,7 +11952,7 @@ index f962f76..337a00e 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7428,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7446,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11940,7 +11977,7 @@ index f962f76..337a00e 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7459,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7477,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -11949,7 +11986,7 @@ index f962f76..337a00e 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7526,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7544,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -12012,7 +12049,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6305,42 +7570,35 @@ interface(`files_delete_all_pids',` +@@ -6305,42 +7588,35 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -12062,7 +12099,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6348,18 +7606,18 @@ interface(`files_manage_all_pids',` +@@ -6348,18 +7624,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -12086,7 +12123,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6367,37 +7625,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,37 +7643,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -12138,7 +12175,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6405,18 +7666,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6405,18 +7684,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -12161,7 +12198,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6424,18 +7684,18 @@ interface(`files_list_spool',` +@@ -6424,18 +7702,18 @@ interface(`files_list_spool',` ## ## # @@ -12185,7 +12222,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6443,19 +7703,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6443,19 +7721,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -12210,7 +12247,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6463,55 +7722,43 @@ interface(`files_read_generic_spool',` +@@ -6463,55 +7740,43 @@ interface(`files_read_generic_spool',` ## ## # @@ -12281,7 +12318,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6519,53 +7766,68 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +7784,68 @@ interface(`files_spool_filetrans',` ## ## # @@ -12388,7 +12425,7 @@ index f962f76..337a00e 100644 ## ## ## -@@ -6573,10 +7835,784 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7853,784 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -12397,8 +12434,9 @@ index f962f76..337a00e 100644 gen_require(` - attribute files_unconfined_type; + attribute spoolfile; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + allow $1 spoolfile:sock_file create_sock_file_perms; +') + 
@@ -12661,10 +12699,10 @@ index f962f76..337a00e 100644 +interface(`files_unconfined',` + gen_require(` + attribute files_unconfined_type; - ') - - typeattribute $1 files_unconfined_type; - ') ++ ') ++ ++ typeattribute $1 files_unconfined_type; ++') + +######################################## +## @@ -13174,7 +13212,7 @@ index f962f76..337a00e 100644 + ') + + allow $1 etc_t:service status; -+') + ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..32a40f8 100644 --- a/policy/modules/kernel/files.te @@ -13378,7 +13416,7 @@ index 1a03abd..32a40f8 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..2fc3436 100644 +index d7c11a0..6b3331d 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,23 +1,26 @@ @@ -13404,8 +13442,8 @@ index d7c11a0..2fc3436 100644 +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> -+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) -+/var/run/[^/]*/gvfs/.* <> ++/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) ++/var/run/user/[^/]*/gvfs/.* <> + +# for systemd systems: /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) @@ -26124,14 +26162,14 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2479587..077c9bc 100644 +index 2479587..890e1e2 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc 
@@ -1,14 +1,28 @@ +HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) @@ -26219,7 +26257,7 @@ index 2479587..077c9bc 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..0bd3a26 100644 +index 3efd5b6..b07f3fe 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -26805,7 +26843,7 @@ index 3efd5b6..0bd3a26 100644 ') ######################################## -@@ -1805,3 +2029,262 @@ interface(`auth_unconfined',` +@@ -1805,3 +2029,280 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -27068,6 +27106,24 @@ index 3efd5b6..0bd3a26 100644 + + allow $1 login_pgm:process sigchld; +') ++ ++######################################## ++## ++## Manage the keyrings of all login programs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_login_manage_key',` ++ gen_require(` ++ attribute login_pgm; ++ ') ++ ++ allow $1 login_pgm:key manage_key_perms; ++') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 09b791d..ff0708e 100644 --- a/policy/modules/system/authlogin.te @@ -29680,7 +29736,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') 
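Review bot: The new `auth_login_manage_key` interface grants its caller the full `manage_key_perms` set on `login_pgm:key`, which means write, setattr and link on the keyrings of every domain carrying the login_pgm attribute at once, and the hunk does not say who the intended caller is or why a read/search/view subset would not do. Nothing in this chunk of the patch calls the interface, so the consumer presumably lands in the contrib patch; that makes the interface summary the only place a reviewer can learn the scope. I would extend the summary with one line, e.g. `## Callers can rewrite and re-link keys of every login program; grant only to daemons that must update keyrings created in login-program context.`, so a later request for the same interface is checked against that bar. The surrounding authlogin.if interfaces (`auth_login_sigchld` style, `sigchld` on `login_pgm:process`) are each a single narrow permission, which makes this broader grant stand out.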
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..e5c555c 100644 +index 17eda24..43c0bc6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -29950,7 +30006,7 @@ index 17eda24..e5c555c 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +301,235 @@ ifdef(`distro_gentoo',` +@@ -186,29 +301,236 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -29986,6 +30042,7 @@ index 17eda24..e5c555c 100644 optional_policy(` - auth_rw_login_records(init_t) + kdump_read_crash(init_t) ++ kdump_read_config(init_t) ') optional_policy(` @@ -30194,7 +30251,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -216,7 +537,31 @@ optional_policy(` +@@ -216,7 +538,31 @@ optional_policy(` ') optional_policy(` @@ -30226,7 +30283,7 @@ index 17eda24..e5c555c 100644 ') ######################################## -@@ -225,9 +570,9 @@ optional_policy(` +@@ -225,9 +571,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -30238,7 +30295,7 @@ index 17eda24..e5c555c 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +604,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30255,7 +30312,7 @@ index 17eda24..e5c555c 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +629,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -30298,7 +30355,7 @@ index 17eda24..e5c555c 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +666,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -30310,7 +30367,7 @@ index 17eda24..e5c555c 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +678,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30321,7 +30378,7 @@ index 17eda24..e5c555c 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +689,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30331,7 +30388,7 @@ index 17eda24..e5c555c 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +698,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -30339,7 +30396,7 @@ index 17eda24..e5c555c 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +705,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -30347,7 +30404,7 @@ index 17eda24..e5c555c 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +713,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30365,7 +30422,7 @@ index 17eda24..e5c555c 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +731,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30379,7 +30436,7 @@ index 17eda24..e5c555c 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +746,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30393,7 +30450,7 @@ index 17eda24..e5c555c 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +758,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +759,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30404,7 +30461,7 @@ index 17eda24..e5c555c 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +771,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +772,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -30412,7 +30469,7 @@ index 17eda24..e5c555c 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +790,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +791,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30436,7 +30493,7 @@ index 17eda24..e5c555c 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +823,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +824,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30444,7 +30501,7 @@ index 17eda24..e5c555c 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +857,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +858,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30455,7 +30512,7 @@ index 17eda24..e5c555c 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +881,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +882,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30464,7 +30521,7 @@ index 17eda24..e5c555c 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +896,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +897,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30472,7 +30529,7 @@ index 17eda24..e5c555c 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +917,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +918,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -30480,7 +30537,7 @@ index 17eda24..e5c555c 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +927,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +928,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30525,7 +30582,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -559,14 +972,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +973,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30557,7 +30614,7 @@ index 17eda24..e5c555c 100644 ') ') -@@ -577,6 +1007,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1008,39 @@ ifdef(`distro_suse',` ') ') @@ -30597,7 +30654,7 @@ index 17eda24..e5c555c 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1052,8 @@ optional_policy(` +@@ -589,6 +1053,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30606,7 +30663,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -610,6 +1075,7 @@ optional_policy(` +@@ -610,6 +1076,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30614,7 +30671,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -626,6 +1092,17 @@ optional_policy(` +@@ -626,6 +1093,17 @@ optional_policy(` ') optional_policy(` @@ -30632,7 +30689,7 @@ index 17eda24..e5c555c 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1119,13 @@ optional_policy(` +@@ -642,9 +1120,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30646,7 +30703,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -657,15 +1138,11 @@ optional_policy(` +@@ -657,15 +1139,11 @@ optional_policy(` ') optional_policy(` @@ -30664,7 +30721,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -686,6 +1163,15 @@ optional_policy(` +@@ -686,6 +1164,15 @@ optional_policy(` ') optional_policy(` 
@@ -30680,7 +30737,7 @@ index 17eda24..e5c555c 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1212,7 @@ optional_policy(` +@@ -726,6 +1213,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30688,7 +30745,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -743,7 +1230,13 @@ optional_policy(` +@@ -743,7 +1231,13 @@ optional_policy(` ') optional_policy(` @@ -30703,7 +30760,7 @@ index 17eda24..e5c555c 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1259,10 @@ optional_policy(` +@@ -766,6 +1260,10 @@ optional_policy(` ') optional_policy(` @@ -30714,7 +30771,7 @@ index 17eda24..e5c555c 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1272,20 @@ optional_policy(` +@@ -775,10 +1273,20 @@ optional_policy(` ') optional_policy(` @@ -30735,7 +30792,7 @@ index 17eda24..e5c555c 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1294,10 @@ optional_policy(` +@@ -787,6 +1295,10 @@ optional_policy(` ') optional_policy(` @@ -30746,7 +30803,7 @@ index 17eda24..e5c555c 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1319,6 @@ optional_policy(` +@@ -808,8 +1320,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30755,7 +30812,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -818,6 +1327,10 @@ optional_policy(` +@@ -818,6 +1328,10 @@ optional_policy(` ') optional_policy(` @@ -30766,7 +30823,7 @@ index 17eda24..e5c555c 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1340,12 @@ optional_policy(` +@@ -827,10 +1341,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30779,7 +30836,7 @@ index 17eda24..e5c555c 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1372,60 @@ optional_policy(` +@@ -857,21 +1373,60 @@ optional_policy(` ') optional_policy(` 
@@ -30841,7 +30898,7 @@ index 17eda24..e5c555c 100644 ') optional_policy(` -@@ -887,6 +1441,10 @@ optional_policy(` +@@ -887,6 +1442,10 @@ optional_policy(` ') optional_policy(` @@ -30852,7 +30909,7 @@ index 17eda24..e5c555c 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1455,218 @@ optional_policy(` +@@ -897,3 +1456,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f21df75..8be0c99 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3575,7 +3575,7 @@ index 7caefc3..0d9db0a 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..51b128e 100644 +index f6eb485..61f36b6 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3591,7 +3591,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -13,118 +13,125 @@ +@@ -13,118 +13,126 @@ # template(`apache_content_template',` gen_require(` @@ -3708,7 +3708,6 @@ index f6eb485..51b128e 100644 + + can_exec($1_script_t, $1_script_exec_t) + allow $1_script_t $1_script_exec_t:dir list_dir_perms; -+ + allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) + append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) @@ -3725,6 +3724,8 @@ index f6eb485..51b128e 100644 + manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) + manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) + ++ allow $1_script_t httpd_t:unix_stream_socket { getattr read write }; ++ + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) 
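Review bot: The added `allow $1_script_t httpd_t:unix_stream_socket { getattr read write };` is unconditional in `apache_content_template`, so every script domain the template instantiates receives it, and it sits just above the `httpd_builtin_scripting` tunable rather than inside it; whether that is intended is not stated in the hunk. A script domain can only reach an httpd_t-labelled stream socket through a descriptor it inherits or is handed, so the practical scope is the socket the server passes it, but that reasoning belongs next to the rule. I would add a why-comment above the allow, `# scripts read/write the httpd_t stream socket inherited from the server; no connect is granted`, so the absence of `connectto` reads as deliberate. The template body continues outside this hunk.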
@@ -3812,7 +3813,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -133,47 +140,61 @@ template(`apache_content_template',` +@@ -133,47 +141,61 @@ template(`apache_content_template',` ## ## ## @@ -3903,7 +3904,7 @@ index f6eb485..51b128e 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +205,7 @@ interface(`apache_role',` +@@ -184,7 +206,7 @@ interface(`apache_role',` ######################################## ## @@ -3912,7 +3913,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -204,7 +225,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +226,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -3921,7 +3922,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -224,7 +245,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +246,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3930,7 +3931,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -241,27 +262,47 @@ interface(`apache_domtrans',` +@@ -241,27 +263,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3985,7 +3986,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -279,7 +320,7 @@ interface(`apache_signal',` +@@ -279,7 +321,7 @@ interface(`apache_signal',` ######################################## ## @@ -3994,7 +3995,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -297,7 +338,7 @@ interface(`apache_signull',` +@@ -297,7 +339,7 @@ interface(`apache_signull',` ######################################## ## @@ -4003,7 +4004,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -315,8 +356,7 @@ interface(`apache_sigchld',` +@@ -315,8 +357,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -4013,7 +4014,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -334,8 +374,8 @@ interface(`apache_use_fds',` +@@ -334,8 +375,8 @@ interface(`apache_use_fds',` ######################################## ## 
@@ -4024,7 +4025,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -348,13 +388,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +389,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -4041,7 +4042,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -372,8 +412,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +413,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -4052,7 +4053,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -391,8 +431,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +432,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -4062,7 +4063,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -417,7 +456,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +457,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -4072,7 +4073,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -435,7 +475,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +476,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -4082,7 +4083,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -453,7 +494,8 @@ interface(`apache_list_cache',` +@@ -453,7 +495,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -4092,7 +4093,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -471,7 +513,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +514,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -4102,7 +4103,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -489,7 +532,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +533,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## 
@@ -4112,7 +4113,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -507,49 +551,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +552,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -4175,7 +4176,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -570,8 +616,8 @@ interface(`apache_manage_config',` +@@ -570,8 +617,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -4186,7 +4187,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -608,16 +654,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +655,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -4228,7 +4229,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -639,7 +707,8 @@ interface(`apache_read_log',` +@@ -639,7 +708,8 @@ interface(`apache_read_log',` ######################################## ## @@ -4238,7 +4239,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -657,10 +726,29 @@ interface(`apache_append_log',` +@@ -657,10 +727,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -4270,7 +4271,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -678,8 +766,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +767,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -4281,7 +4282,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -687,20 +775,21 @@ interface(`apache_dontaudit_append_log',` +@@ -687,20 +776,21 @@ interface(`apache_dontaudit_append_log',` ## ## # @@ -4311,7 +4312,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -708,19 +797,21 @@ interface(`apache_manage_log',` +@@ -708,19 +798,21 @@ interface(`apache_manage_log',` ## ## # @@ -4337,7 +4338,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -738,7 +829,8 @@ interface(`apache_dontaudit_search_modules',` +@@ -738,7 +830,8 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## 
@@ -4347,7 +4348,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -746,17 +838,19 @@ interface(`apache_dontaudit_search_modules',` +@@ -746,17 +839,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # @@ -4370,7 +4371,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -764,19 +858,19 @@ interface(`apache_list_modules',` +@@ -764,19 +859,19 @@ interface(`apache_list_modules',` ## ## # @@ -4394,7 +4395,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -784,19 +878,19 @@ interface(`apache_exec_modules',` +@@ -784,19 +879,19 @@ interface(`apache_exec_modules',` ## ## # @@ -4419,7 +4420,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -809,13 +903,50 @@ interface(`apache_domtrans_rotatelogs',` +@@ -809,13 +904,50 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') @@ -4472,7 +4473,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -829,13 +960,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +961,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4489,7 +4490,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -844,6 +976,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +977,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4497,7 +4498,7 @@ index f6eb485..51b128e 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +988,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +989,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4604,7 +4605,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -888,10 +1087,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1088,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # 
@@ -4623,7 +4624,7 @@ index f6eb485..51b128e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1107,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1108,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4635,7 +4636,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -941,7 +1146,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1147,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4644,7 +4645,7 @@ index f6eb485..51b128e 100644 ## to the specified role. ## ## -@@ -954,6 +1159,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1160,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4652,7 +4653,7 @@ index f6eb485..51b128e 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1172,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1173,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4662,7 +4663,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -979,12 +1186,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1187,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4678,7 +4679,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1002,7 +1210,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1211,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4687,7 +4688,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1015,13 +1223,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1224,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4702,7 +4703,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1041,7 +1248,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1249,7 @@ interface(`apache_read_sys_content',` ######################################## ## 
@@ -4711,7 +4712,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1059,8 +1266,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1267,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4721,7 +4722,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1071,18 +1277,21 @@ interface(`apache_search_sys_scripts',` +@@ -1071,18 +1278,21 @@ interface(`apache_search_sys_scripts',` # interface(`apache_manage_all_user_content',` gen_require(` @@ -4749,7 +4750,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1100,7 +1309,8 @@ interface(`apache_search_sys_script_state',` +@@ -1100,7 +1310,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4759,7 +4760,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1117,10 +1327,29 @@ interface(`apache_read_tmp_files',` +@@ -1117,10 +1328,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4791,7 +4792,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1133,7 +1362,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1133,7 +1363,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4800,7 +4801,7 @@ index f6eb485..51b128e 100644 ') ######################################## -@@ -1142,6 +1371,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1142,6 +1372,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4810,7 +4811,7 @@ index f6eb485..51b128e 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1171,8 +1403,30 @@ interface(`apache_cgi_domain',` +@@ -1171,8 +1404,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4843,7 +4844,7 @@ index f6eb485..51b128e 100644 ## ## ## -@@ -1189,18 +1443,19 @@ interface(`apache_cgi_domain',` +@@ -1189,18 +1444,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4872,7 +4873,7 @@ index f6eb485..51b128e 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1210,10 +1465,10 @@ interface(`apache_admin',` +@@ -1210,10 +1466,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4886,7 +4887,7 @@ index f6eb485..51b128e 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1479,141 @@ interface(`apache_admin',` +@@ -1224,9 +1480,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -5033,7 +5034,7 @@ index f6eb485..51b128e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..a25874f 100644 +index 6649962..da729da 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -6352,7 +6353,7 @@ index 6649962..a25874f 100644 ') optional_policy(` -@@ -842,20 +1031,39 @@ optional_policy(` +@@ -842,20 +1031,40 @@ optional_policy(` ') optional_policy(` @@ -6363,6 +6364,7 @@ index 6649962..a25874f 100644 + +optional_policy(` + passenger_exec(httpd_t) ++ passenger_kill(httpd_t) + passenger_manage_pid_content(httpd_t) +') + @@ -6398,7 +6400,7 @@ index 6649962..a25874f 100644 ') optional_policy(` -@@ -863,19 +1071,35 @@ optional_policy(` +@@ -863,19 +1072,35 @@ optional_policy(` ') optional_policy(` @@ -6434,7 +6436,7 @@ index 6649962..a25874f 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1107,183 @@ optional_policy(` +@@ -883,65 +1108,183 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -6640,7 +6642,7 @@ index 6649962..a25874f 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1292,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1293,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6795,7 +6797,7 @@ index 6649962..a25874f 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1376,106 @@ optional_policy(` +@@ -1083,172 +1377,106 @@ optional_policy(` ') ') @@ -7032,7 +7034,7 @@ index 6649962..a25874f 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1483,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1484,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7129,7 +7131,7 @@ index 6649962..a25874f 100644 ######################################## # -@@ -1321,8 +1558,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1559,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7146,7 +7148,7 @@ index 6649962..a25874f 100644 ') ######################################## -@@ -1330,49 +1574,38 @@ optional_policy(` +@@ -1330,49 +1575,38 @@ optional_policy(` # User content local policy # @@ -7211,7 +7213,7 @@ index 6649962..a25874f 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1615,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1616,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -24107,10 +24109,10 @@ index 0000000..1048292 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..4b54a05 +index 0000000..47c8698 --- /dev/null +++ b/docker.te -@@ -0,0 +1,268 @@ +@@ -0,0 +1,270 @@ +policy_module(docker, 1.0.0) + +######################################## 
@@ -24211,6 +24213,7 @@ index 0000000..4b54a05 +manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto }; +files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) + +manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) @@ -24249,6 +24252,7 @@ index 0000000..4b54a05 + +fs_read_cgroup_files(docker_t) +fs_read_tmpfs_symlinks(docker_t) ++fs_getattr_all_fs(docker_t) + +storage_raw_rw_fixed_disk(docker_t) + @@ -44602,10 +44606,10 @@ index 0000000..39f4a04 +') diff --git a/motion.te b/motion.te new file mode 100644 -index 0000000..b694afc +index 0000000..c7f4eb5 --- /dev/null +++ b/motion.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,65 @@ +policy_module(motion, 1.0.0) + +######################################## @@ -44634,7 +44638,7 @@ index 0000000..b694afc +# motion local policy +# +allow motion_t self:udp_socket { create connect getattr }; -+allow motion_t self:tcp_socket { bind create setopt listen }; ++allow motion_t self:tcp_socket create_stream_socket_perms; +allow motion_t self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(motion_t, motion_log_t, motion_log_t) @@ -44651,6 +44655,7 @@ index 0000000..b694afc + +corenet_tcp_bind_http_cache_port(motion_t) +corenet_tcp_bind_transproxy_port(motion_t) ++corenet_tcp_bind_us_cli_port(motion_t) +corenet_tcp_connect_http_port(motion_t) +corenet_tcp_bind_generic_node(motion_t) + @@ -45576,7 +45581,7 @@ index 6194b80..cafb2b0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..ad56dac 100644 +index 11ac8e4..7bb38c6 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) 
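Review bot: `allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };` carries no comment, and since both sides name docker_var_lib_t it only permits relabels where the old and the new type are both docker_var_lib_t (user, role or level changes, or a same-context setfilecon), which is narrower than a reader may assume from `relabelto`. Recording that intent keeps a later edit from silently widening it to a type set, e.g. `# in-place relabel of its own lib files only; no cross-type relabel is granted`. The fs_getattr_all_fs(docker_t) added in the following hunk is a statfs-class permission and looks proportionate. The docker_t block starts before the hunk.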
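Review bot: `corenet_tcp_bind_us_cli_port(motion_t)` in the motion.te hunk (@@ -44651,6 +44655,7 @@) is added without a comment, while the changelog describes the change as motion using tcp/8082; if us_cli_port_t is the port type carrying that number, saying so beside the rule spares the next reader a lookup, e.g. `# motion's control/stream listener (tcp/8082, us_cli_port_t)`. The earlier hunk in the same file replaces `{ bind create setopt listen }` with `create_stream_socket_perms`, which is the usual set for a listener and looks right. The motion_t block continues outside the hunk.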
@@ -46014,7 +46019,7 @@ index 11ac8e4..ad56dac 100644 ') optional_policy(` -@@ -300,259 +324,247 @@ optional_policy(` +@@ -300,259 +324,248 @@ optional_policy(` ######################################## # @@ -46230,6 +46235,7 @@ index 11ac8e4..ad56dac 100644 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) ++dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t) domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) @@ -46409,7 +46415,7 @@ index 11ac8e4..ad56dac 100644 ') optional_policy(` -@@ -560,7 +572,11 @@ optional_policy(` +@@ -560,7 +573,11 @@ optional_policy(` ') optional_policy(` @@ -46422,7 +46428,7 @@ index 11ac8e4..ad56dac 100644 ') optional_policy(` -@@ -568,108 +584,131 @@ optional_policy(` +@@ -568,108 +585,131 @@ optional_policy(` ') optional_policy(` @@ -46980,15 +46986,17 @@ index 65a246a..fa86320 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..cb2791a 100644 +index f42896c..1e1a679 100644 --- a/mta.fc +++ b/mta.fc -@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +@@ -1,34 +1,45 @@ +-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) 
@@ -47010,10 +47018,10 @@ index f42896c..cb2791a 100644 +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) +') + -+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -47040,8 +47048,9 @@ index f42896c..cb2791a 100644 /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..e968c28 100644 +index ed81cac..8f217ea 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -47981,7 +47990,7 @@ index ed81cac..e968c28 100644 ## ## ## -@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -48108,6 +48117,7 @@ index ed81cac..e968c28 100644 + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue") +') + +######################################## 
@@ -48132,6 +48142,7 @@ index ed81cac..e968c28 100644 + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue") +') + +######################################## @@ -49770,7 +49781,7 @@ index 687af38..a77dc09 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..494cd37 100644 +index 7584bbe..ef51f2b 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) @@ -49847,7 +49858,7 @@ index 7584bbe..494cd37 100644 manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -@@ -95,50 +92,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +92,57 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -49906,6 +49917,7 @@ index 7584bbe..494cd37 100644 -miscfiles_read_localization(mysqld_t) +sysnet_read_config(mysqld_t) ++sysnet_exec_ifconfig(mysqld_t) -userdom_search_user_home_dirs(mysqld_t) -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) @@ -49921,7 +49933,7 @@ index 7584bbe..494cd37 100644 ') optional_policy(` -@@ -146,6 +149,10 @@ optional_policy(` +@@ -146,6 +150,10 @@ optional_policy(` ') optional_policy(` @@ -49932,7 +49944,7 @@ index 7584bbe..494cd37 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +162,18 @@ optional_policy(` +@@ -155,21 +163,18 @@ optional_policy(` ####################################### # 
@@ -49959,7 +49971,7 @@ index 7584bbe..494cd37 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +181,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +182,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -49970,7 +49982,7 @@ index 7584bbe..494cd37 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +190,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -50006,7 +50018,7 @@ index 7584bbe..494cd37 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +219,7 @@ optional_policy(` +@@ -209,7 +220,7 @@ optional_policy(` ######################################## # @@ -50015,7 +50027,7 @@ index 7584bbe..494cd37 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +229,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -50033,7 +50045,7 @@ index 7584bbe..494cd37 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +242,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) 
@@ -52987,10 +52999,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..bd2f08f +index 0000000..f429163 --- /dev/null +++ b/nova.te -@@ -0,0 +1,318 @@ +@@ -0,0 +1,311 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -53261,18 +53273,15 @@ index 0000000..bd2f08f +allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; +allow nova_scheduler_t self:udp_socket create_socket_perms; + -+#optional_policy(` -+# unconfined_domain(nova_scheduler_t) -+#') ++auth_read_passwd(nova_scheduler_t) ++ ++init_read_utmp(nova_scheduler_t) + +####################################### +# +# nova vncproxy local policy +# + -+#optional_policy(` -+# unconfined_domain(nova_vncproxy_t) -+#') + +####################################### +# @@ -53291,10 +53300,6 @@ index 0000000..bd2f08f + lvm_domtrans(nova_volume_t) +') + -+#optional_policy(` -+# unconfined_domain(nova_volume_t) -+#') -+ +####################################### +# +# nova sudo domain local policy @@ -60036,7 +60041,7 @@ index 2c389ea..9155bd0 100644 + +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if -index bf59ef7..0ec51d4 100644 +index bf59ef7..2d8335f 100644 --- a/passenger.if +++ b/passenger.if @@ -15,17 +15,16 @@ interface(`passenger_domtrans',` @@ -60092,7 +60097,7 @@ index bf59ef7..0ec51d4 100644 ## ## ## -@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',` +@@ -53,6 +69,112 @@ interface(`passenger_read_lib_files',` type passenger_var_lib_t; ') @@ -60121,7 +60126,7 @@ index bf59ef7..0ec51d4 100644 + manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + files_search_var_lib($1) -+') + ') + +##################################### +## 
@@ -60186,7 +60191,26 @@ index bf59ef7..0ec51d4 100644 + files_search_tmp($1) + manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) - ') ++') ++ ++######################################## ++## ++## Send kill signals to passenger. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_kill',` ++ gen_require(` ++ type passenger_t; ++ ') ++ ++ allow $1 passenger_t:process sigkill; ++') ++ diff --git a/passenger.te b/passenger.te index 08ec33b..24ce7e8 100644 --- a/passenger.te @@ -73437,10 +73461,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..e95fc34 100644 +index 8644d8b..96f804c 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,129 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,131 @@ policy_module(quantum, 1.1.0) # Declarations # @@ -73485,7 +73509,8 @@ index 8644d8b..e95fc34 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin }; ++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; ++ +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit signal_perms }; +allow neutron_t self:fifo_file rw_fifo_file_perms; @@ -73521,6 +73546,7 @@ index 8644d8b..e95fc34 100644 -can_exec(quantum_t, quantum_tmp_t) +kernel_rw_kernel_sysctl(neutron_t) ++kernel_rw_net_sysctls(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) 
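Review bot: The capability line for neutron_t in the quantum.te hunk (@@ -73485,7 +73509,8 @@) grows by `dac_override` and `net_raw` with no comment on what triggers them; dac_override lets the daemon bypass file mode bits on everything it already has SELinux access to, and in practice it is often a symptom of a file owned by a different user rather than a real need. Worth checking whether the denial was read/search only (which `dac_read_search` covers) or a packaging ownership problem, and recording the answer, e.g. `# dac_override: <reason placeholder>; net_raw: raw sockets for <reason placeholder>`. The same hunk also leaves a bare empty added line after the capability rule. neutron_t's declarations start before the hunk.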
@@ -73581,45 +73607,45 @@ index 8644d8b..e95fc34 100644 +sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) +sysnet_filetrans_named_content_ifconfig(neutron_t) ++ ++optional_policy(` ++ brctl_domtrans(neutron_t) ++') optional_policy(` - brctl_domtrans(quantum_t) -+ brctl_domtrans(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_read_state(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ dnsmasq_domtrans(neutron_t) -+ dnsmasq_signal(neutron_t) -+ dnsmasq_read_state(neutron_t) ++ iptables_domtrans(neutron_t) +') - mysql_tcp_connect(quantum_t) +optional_policy(` -+ iptables_domtrans(neutron_t) - ') - - optional_policy(` -- postgresql_stream_connect(quantum_t) -- postgresql_unpriv_client(quantum_t) + mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) -+') + ') -- postgresql_tcp_connect(quantum_t) -+optional_policy(` + optional_policy(` +- postgresql_stream_connect(quantum_t) +- postgresql_unpriv_client(quantum_t) + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) - ') -+ ++') + +- postgresql_tcp_connect(quantum_t) +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) -+') + ') + +optional_policy(` + sudo_exec(neutron_t) @@ -93156,7 +93182,7 @@ index a240455..16a04bf 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..8edae62 100644 +index 2d8db1f..83033bf 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) @@ -93224,7 +93250,7 @@ index 2d8db1f..8edae62 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t) +@@ -94,17 +88,20 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module 
@@ -93242,7 +93268,12 @@ index 2d8db1f..8edae62 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +107,34 @@ logging_send_syslog_msg(sssd_t) ++# Bogus allow because we don't handle keyring properly in code. ++auth_login_manage_key(sssd_t) + + init_read_utmp(sssd_t) + +@@ -112,18 +109,34 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -93452,10 +93483,10 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..2540ebd +index 0000000..0522744 --- /dev/null +++ b/stapserver.te -@@ -0,0 +1,113 @@ +@@ -0,0 +1,114 @@ +policy_module(systemtap, 1.1.0) + +######################################## @@ -93530,6 +93561,7 @@ index 0000000..2540ebd +files_search_kernel_modules(stapserver_t) + +fs_search_cgroup_dirs(stapserver_t) ++fs_getattr_all_fs(stapserver_t) + +auth_use_nsswitch(stapserver_t) + @@ -93971,10 +94003,10 @@ index 0000000..df82c36 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..3faae22 +index 0000000..159ae72 --- /dev/null +++ b/swift.te -@@ -0,0 +1,87 @@ +@@ -0,0 +1,89 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94051,6 +94083,8 @@ index 0000000..3faae22 + +files_dontaudit_search_home(swift_t) + ++fs_getattr_all_fs(swift_t) ++ +auth_use_nsswitch(swift_t) + +libs_exec_ldconfig(swift_t) @@ -101108,7 +101142,7 @@ index facdee8..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..25f4104 100644 +index f03dcf5..a26950d 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,212 @@ 
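Review bot: The added `# Bogus allow because we don't handle keyring properly in code.` above `auth_login_manage_key(sssd_t)` admits a knowingly over-broad rule but gives no way to tell when it can be removed. Tie it to a tracker and say what it grants, e.g. `# TODO(<bug-id placeholder>): sssd_t manages login-domain keyrings because sssd does not label them with the user domain; drop when sssd is fixed`. What the interface grants beyond key permissions on login programs' keyrings cannot be seen from here. The sssd_t block continues outside the hunk.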
@@ -102572,7 +102606,7 @@ index f03dcf5..25f4104 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1133,297 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -102629,6 +102663,7 @@ index f03dcf5..25f4104 100644 +allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:passwd rootok; ++allow svirt_sandbox_domain self:filesystem associate; + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; @@ -102799,6 +102834,7 @@ index f03dcf5..25f4104 100644 + docker_manage_lib_files(svirt_lxc_net_t) + docker_manage_lib_dirs(svirt_lxc_net_t) + docker_read_share_files(svirt_sandbox_domain) ++ docker_exec_lib(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) +') @@ -102829,8 +102865,8 @@ index f03dcf5..25f4104 100644 +') + +tunable_policy(`virt_use_samba',` -+ fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_cifs_files(svirt_sandbox_domain) ++ fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_read_cifs_symlinks(svirt_sandbox_domain) ') @@ -103007,7 +103043,7 @@ index f03dcf5..25f4104 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1436,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
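Review bot: `docker_exec_lib(svirt_sandbox_domain)` in the virt.te hunk (@@ -102799,6 +102834,7 @@) is added two lines below `docker_manage_lib_files(svirt_lxc_net_t)`, so if svirt_lxc_net_t carries the svirt_sandbox_domain attribute (not visible here) that domain can both write and execute files of the docker lib type, and the sandbox no longer keeps write and execute on separate labels for those paths. If execute is needed only for one directory under docker's lib tree, a dedicated exec type for it would preserve the split; otherwise record the trade-off next to the rule, e.g. `# containers execute files under docker's lib dir; the same type is writable by svirt_lxc_net_t`. The optional_policy block this sits in starts before the hunk.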
@@ -103022,7 +103058,7 @@ index f03dcf5..25f4104 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1454,8 @@ optional_policy(` +@@ -1192,9 +1456,8 @@ optional_policy(` ######################################## # @@ -103033,7 +103069,7 @@ index f03dcf5..25f4104 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1468,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 150d041..69704c9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 48%{?dist} +Release: 49%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -588,6 +588,32 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon May 5 2014 Miroslav Grepl 3.13.1-49 +- Fix labeling for /root/\.yubico +- userdom_search_admin_dir() calling needs to be optional in kernel.te +- Dontaudit leaked xserver_misc_device_t into plugins +- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy +- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains +- Bootloader wants to look at init state +- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm +- init reads kdbump etc files +- Add support for tcp/9697 +- Fix labeling for /var/run/user//gvfs +- Add support for us_cli ports +- fix sysnet_use_ldap +- Allow mysql to execute ifconfig if Red Hat OpenStack +- ALlow stap-server to get attr on all fs +- Fix mail_pool_t to mail_spool_t +- Dontaudit leaked xserver_misc_device_t into plugins +- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains +- Add new labeling for /var/spool/smtpd +- Allow httpd_t to kill passenger +- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets +- Allow nova-scheduler to read passwd/utmp files +- Additional rules required by openstack, needs backport to F20 and RHEL7 +- Additional access required by docker +- ALlow motion to use tcp/8082 port + * Fri Apr 25 2014 Miroslav Grepl 3.13.1-48 - Fix virt_use_samba boolean - Looks like all domains that use dbus libraries are now reading /dev/urand