From 4e78831f23280183cabda881ae79dd90a35ac3a8 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 20 2014 21:37:54 +0000 Subject: - Add cron unconfined role support for unconfined SELinux user - Call kernel_rw_usermodehelper_state() in init.te - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee - Fix calling usermodehelper to use _state in interface name - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Call kernel_read_usermodhelper/kernel_rw_usermodhelper - Allow bumblebee to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 8ba89c5..4a3079c 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -26925,7 +26925,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..76da5dd 100644 +index 24e7804..197d939 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
@@ -27563,69 +27563,113 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` +@@ -1314,7 +1593,7 @@ interface(`init_signal_script',` + ######################################## ## - ## Send and receive messages from --## init scripts over dbus. -+## init over dbus. +-## Send null signals to init scripts. ++## Send kill signals to init scripts. ## ## ## -@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` +@@ -1322,17 +1601,17 @@ interface(`init_signal_script',` ## ## # --interface(`init_dbus_chat_script',` -+interface(`init_dbus_chat',` +-interface(`init_signull_script',` ++interface(`init_sigkill_script',` gen_require(` -- type initrc_t; -+ type init_t; - class dbus send_msg; + type initrc_t; ') -- allow $1 initrc_t:dbus send_msg; -- allow initrc_t $1:dbus send_msg; -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; +- allow $1 initrc_t:process signull; ++ allow $1 initrc_t:process sigkill; ') ######################################## ## --## Read and write the init script pty. -+## Send and receive messages from -+## init scripts over dbus. +-## Read and write init script unnamed pipes. ++## Send null signals to init scripts. ## --## --##

--## Read and write the init script pty. This + ## + ##

+@@ -1340,17 +1619,17 @@ interface(`init_signull_script',` + ## + ## + # +-interface(`init_rw_script_pipes',` ++interface(`init_signull_script',` + gen_require(` + type initrc_t; + ') + +- allow $1 initrc_t:fifo_file { read write }; ++ allow $1 initrc_t:process signull; + ') + + ######################################## + ## +-## Send UDP network traffic to init scripts. (Deprecated) ++## Read and write init script unnamed pipes. + ## + ## + ## +@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',` + ## + ## + # +-interface(`init_udp_send_script',` ++interface(`init_rw_script_pipes',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:fifo_file { read write }; ++') ++ ++######################################## ++## ++## Send UDP network traffic to init scripts. (Deprecated) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_udp_send_script',` + refpolicywarn(`$0($*) has been deprecated.') + ') + +@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',` + ######################################## + ## + ## Send and receive messages from ++## init over dbus. ++## +## +## +## Domain allowed access. +## +## +# -+interface(`init_dbus_chat_script',` ++interface(`init_dbus_chat',` + gen_require(` -+ type initrc_t; ++ type init_t; + class dbus send_msg; + ') + -+ allow $1 initrc_t:dbus send_msg; -+ allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; +') + +######################################## +## -+## Read and write the init script pty. -+## -+## -+##

-+## Read and write the init script pty. This - ## pty is generally opened by the open_init_pty - ## portion of the run_init program so that the - ## daemon does not require direct access to -@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',` ++## Send and receive messages from + ## init scripts over dbus. + ## + ## +@@ -1526,6 +1844,25 @@ interface(`init_getattr_script_status_files',` ######################################## ##
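Review bot: On the new side this hunk creates `init_sigkill_script` by rewriting the old `init_signull_script` in place and then shifting `init_signull_script`, `init_rw_script_pipes` and `init_udp_send_script` each into the following interface's slot, so the inner init.if patch reads as a chain of renames in which only three lines are new in substance: the `interface(...)` header for init_sigkill_script, `type initrc_t;` and `allow $1 initrc_t:process sigkill;`. Regenerating the inner patch so the new interface is a plain insertion after `init_signal_script` would make this diff, and every future rebase of policy-f20-base.patch, far easier to check. The commit message has no bullet for this new interface, nor for several other grants in the same commit (the named-sdb labelling in bind.fc, the `auth_read_passwd` and kernel state reads in hypervkvp.te, the `mpd_execmem` boolean, the service enable/disable/reload and `bind_systemctl` grants for rpm_script_t, and `init_signal_script`/`init_sigkill_script` for NetworkManager_t); one line each would let a reader audit the privilege changes from the log alone.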

@@ -27651,7 +27695,7 @@ index 24e7804..76da5dd 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1921,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -27676,7 +27720,7 @@ index 24e7804..76da5dd 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',` +@@ -1656,6 +2011,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -27720,7 +27764,7 @@ index 24e7804..76da5dd 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2136,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -27729,7 +27773,7 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2177,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -27863,7 +27907,7 @@ index 24e7804..76da5dd 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2338,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index f02fdf7..497806f 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -3067,10 +3067,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..ecca81c 100644 +index 550a69e..fc53125 100644 --- a/apache.fc 
+++ b/apache.fc -@@ -1,161 +1,205 @@ +@@ -1,161 +1,206 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3321,6 +3321,7 @@ index 550a69e..ecca81c 100644 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -8415,13 +8416,14 @@ index 536ec3c..271b976 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..1742ebf 100644 +index 2b9a3a1..ab80059 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,71 @@ +@@ -1,54 +1,74 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) 
@@ -8444,12 +8446,14 @@ index 2b9a3a1..1742ebf 100644 + +/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) +/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) ++/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0) /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) @@ -9992,10 +9996,10 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..b3aa772 +index 0000000..00e1ff2 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,58 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10033,6 +10037,7 @@ index 0000000..b3aa772 +kernel_dontaudit_access_check_proc(bumblebee_t) + +corecmd_exec_shell(bumblebee_t) ++corecmd_exec_bin(bumblebee_t) + +dev_read_sysfs(bumblebee_t) + @@ -10045,7 +10050,10 @@ index 0000000..b3aa772 +sysnet_dns_name_resolve(bumblebee_t) + +xserver_domtrans(bumblebee_t) ++xserver_signal(bumblebee_t) ++xserver_stream_connect(bumblebee_t) +xserver_manage_xkb_libs(bumblebee_t) ++corenet_tcp_connect_xserver_port(bumblebee_t) + +optional_policy(` + apm_stream_connect(bumblebee_t) @@ -14623,7 +14631,7 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) 
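Review bot: The added `/usr/lib/systemd/system/named-sdb.* -- named_unit_file_t` entry is redundant, because the existing `/usr/lib/systemd/system/named.*` pattern two lines above already matches `named-sdb.service` and assigns the same context. The other two new entries are needed, since `/etc/rc\.d/init\.d/named` and `/usr/sbin/named` are literal paths that do not cover the `-sdb` variants. Dropping the unit-file line keeps bind.fc free of overlapping regexes that setfiles has to resolve by ordering.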
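Review bot: `corecmd_exec_bin(bumblebee_t)` grants execution of every bin_t binary, while the commit message scopes the need to xkbcomp alone. If xkbcomp is the only program behind the denial, record that on the line, `corecmd_exec_bin(bumblebee_t) # xkbcomp`, so the breadth of the grant is visible and can be narrowed later if xkbcomp gets its own label or transition. Without the comment the next reader cannot tell whether the daemon legitimately runs arbitrary tools or just one helper.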
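Review bot: `corenet_tcp_connect_xserver_port(bumblebee_t)` permits TCP connections to the X server port on any reachable host, although the same hunk also adds `xserver_stream_connect(bumblebee_t)` for the local unix socket. If bumblebee reaches its secondary X server only through the local socket, the TCP rule is surplus and the stream_connect alone resolves the denial; if the TCP path is genuinely used, a comment saying so would justify keeping both. Refpolicy convention also pairs a port connect with the corresponding `corenet_sendrecv_xserver_client_packets(bumblebee_t)` so the rule keeps working under packet labelling, and that call is missing here.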
diff --git a/couchdb.if b/couchdb.if -index 83d6744..afa2f78 100644 +index 83d6744..36d5a7d 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,6 +2,44 @@ @@ -14671,7 +14679,7 @@ index 83d6744..afa2f78 100644 ## All of the rules required to ## administrate an couchdb environment. ## -@@ -10,6 +48,127 @@ +@@ -10,6 +48,149 @@ ## Domain allowed access. ## ## @@ -14761,6 +14769,28 @@ index 83d6744..afa2f78 100644 + allow $1 couchdb_var_run_t:dir search_dir_perms; +') + ++####################################### ++## ++## Allow domain to manage couchdb content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_manage_files',` ++ gen_require(` ++ type couchdb_var_run_t; ++ type couchdb_log_t; ++ type couchdb_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, couchdb_log_t, couchdb_log_t) ++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) ++') ++ +######################################## +## +## Execute couchdb server in the couchdb domain. @@ -14799,7 +14829,7 @@ index 83d6744..afa2f78 100644 ## ## ## Role allowed access. -@@ -19,14 +178,19 @@ +@@ -19,14 +200,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -14820,7 +14850,7 @@ index 83d6744..afa2f78 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +210,13 @@ interface(`couchdb_admin',` +@@ -46,4 +232,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -22631,10 +22661,10 @@ index ef36d73..fddd51f 100644 sysnet_etc_filetrans_config(dnssec_triggerd_t) diff --git a/docker.fc b/docker.fc new file mode 100644 -index 0000000..484dd44 +index 0000000..b24266e --- /dev/null 
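Review bot: The new `couchdb_manage_files` grants manage rights on couchdb_log_t, couchdb_var_lib_t and couchdb_var_run_t files but never grants search on the parent directories, so a caller that does not already hold `files_search_var_lib`, `files_search_pids` and `logging_search_logs` is still denied before it reaches the labelled files. Adding `files_search_var_lib($1)`, `files_search_pids($1)` and `logging_search_logs($1)` inside the interface would make it self-contained, which is how the `docker_admin` hunk later in this commit treats its lock and log types. The summary should also spell out what "content" means, e.g. `## Manage couchdb log, lib and pid files.`, since a reader expects a `*_manage_files` interface to cover a single type rather than three.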
+++ b/docker.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,14 @@ +/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) + +/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) @@ -22644,16 +22674,17 @@ index 0000000..484dd44 +/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) +/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) + ++/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0) ++ +/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) + -+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0) -\ No newline at end of file ++ diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..543baf1 +index 0000000..c77a25f --- /dev/null +++ b/docker.if -@@ -0,0 +1,250 @@ +@@ -0,0 +1,257 @@ + +## The open-source application container engine. + @@ -22849,6 +22880,23 @@ index 0000000..543baf1 + ps_process_pattern($1, docker_t) +') + ++######################################## ++## ++## Read and write docker shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_rw_sem',` ++ gen_require(` ++ type docker_t; ++ ') ++ ++ allow $1 docker_t:sem rw_sem_perms; ++') + +######################################## +## @@ -22865,7 +22913,9 @@ index 0000000..543baf1 + gen_require(` + type docker_t; + type docker_var_lib_t, docker_var_run_t; -+ type docker_unit_file_t; ++ type docker_unit_file_t; ++ type docker_lock_t; ++ type docker_log_t; + ') + + allow $1 docker_t:process { ptrace signal_perms }; @@ -22877,6 +22927,12 @@ index 0000000..543baf1 + files_search_pids($1) + admin_pattern($1, docker_var_run_t) + ++ files_search_locks($1) ++ admin_pattern($1, docker_lock_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, docker_log_t) ++ + docker_systemctl($1) + admin_pattern($1, docker_unit_file_t) + allow $1 docker_unit_file_t:service all_service_perms; 
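Review bot: The tail of the new docker.fc replaces the `/usr/lib/lxc/rootfs ... mnt_t` entry with an added empty line, so the file gains a trailing blank line while losing the only labelling it had for the lxc rootfs mount point. If the rootfs is meant to fall back to the default label, or is labelled by another module, a `# lxc rootfs: labelled by <module>` comment (placeholder) beside the new `/var/lock/lxc` entry would record that decision; otherwise the entry should be restored. The stray blank line is harmless but is noise in a regenerated patch and is worth dropping.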
@@ -22886,30 +22942,12 @@ index 0000000..543baf1 + systemd_read_fifo_file_passwd_run($1) + ') +') -+ -+######################################## -+## -+## Read and write docker shared memory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_rw_sem',` -+ gen_require(` -+ type docker_t; -+ ') -+ -+ allow $1 docker_t:sem rw_sem_perms; -+') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..5c6eaab +index 0000000..4bfbc19 --- /dev/null +++ b/docker.te -@@ -0,0 +1,157 @@ +@@ -0,0 +1,176 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -22924,6 +22962,9 @@ index 0000000..5c6eaab +type docker_var_lib_t; +files_type(docker_var_lib_t) + ++type docker_lock_t; ++files_lock_file(docker_lock_t) ++ +type docker_log_t; +logging_log_file(docker_log_t) + @@ -22946,6 +22987,10 @@ index 0000000..5c6eaab +allow docker_t self:unix_stream_socket create_stream_socket_perms; +allow docker_t self:capability2 block_suspend; + ++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) ++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) ++files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc") ++ +manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) +manage_files_pattern(docker_t, docker_log_t, docker_log_t) +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) @@ -22989,6 +23034,8 @@ index 0000000..5c6eaab + +auth_use_nsswitch(docker_t) + ++init_read_state(docker_t) ++ +logging_send_audit_msgs(docker_t) +logging_send_syslog_msg(docker_t) + 
@@ -23012,7 +23059,8 @@ index 0000000..5c6eaab +# + +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process { getcap setcap setpgid setsched signal_perms }; ++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; ++ +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; +allow docker_t self:netlink_audit_socket create_netlink_socket_perms; +allow docker_t self:unix_dgram_socket create_socket_perms; @@ -23048,10 +23096,12 @@ index 0000000..5c6eaab +fs_manage_cgroup_dirs(docker_t) +fs_manage_cgroup_files(docker_t) +fs_relabelfrom_xattr_fs(docker_t) ++fs_relabelfrom_tmpfs(docker_t) + +term_use_generic_ptys(docker_t) +term_use_ptmx(docker_t) +term_getattr_pty_fs(docker_t) ++term_relabel_pty_fs(docker_t) + +modutils_domtrans_insmod(docker_t) + @@ -23066,6 +23116,13 @@ index 0000000..5c6eaab + virt_stream_connect_sandbox(docker_t) + virt_manage_sandbox_files(docker_t) + virt_relabel_sandbox_filesystem(docker_t) ++ # for lxc ++ virt_transition_svirt_sandbox(docker_t, system_r) ++ virt_mounton_sandbox_file(docker_t) ++') ++ ++optional_policy(` ++ unconfined_domain(docker_t) +') diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 @@ -31626,10 +31683,10 @@ index 0000000..b7ca833 +') diff --git a/hypervkvp.te b/hypervkvp.te new file mode 100644 -index 0000000..b2d134d +index 0000000..97144bc --- /dev/null +++ b/hypervkvp.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,79 @@ +policy_module(hypervkvp, 1.0.0) + +######################################## 
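Review bot: Adding `setexec` to `docker_t self:process` lets the daemon choose the security context of the processes it execs, which together with `virt_transition_svirt_sandbox` further down is what hands containers their svirt label, yet nothing in the hunk says why a system daemon needs that privilege. A one-line comment, `# setexec: docker sets the svirt label of container processes before exec`, would make the intent reviewable. The `rw_netlink_socket_perms;;` double semicolon on the next line is unchanged context, but cleaning it up while touching this rule costs nothing.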
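Review bot: `unconfined_domain(docker_t)` in the new `optional_policy` block at the end of docker.te makes the docker daemon an unconfined domain wherever the unconfined module is loaded, which is the Fedora default, so every rule above it in docker.te stops being an enforced boundary and the new setexec, relabel and svirt-transition grants no longer read as a least-privilege statement. If lifting confinement is a deliberate stopgap, say so where it happens, e.g. `# TEMPORARY: docker_t runs unconfined until the lxc/svirt rules above are complete`, and give it its own commit-message bullet instead of "rules to get docker and lxc to play well"; keeping it in a separate small module would also let it be dropped later without touching docker.te. The `# for lxc` comment on the two `virt_*` calls is the right habit, and the unconfined line needs the same.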
@@ -31684,8 +31741,13 @@ index 0000000..b2d134d +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + ++kernel_read_system_state(hypervkvp_t) ++kernel_read_network_state(hypervkvp_t) ++ +files_dontaudit_search_home(hypervkvp_t) + ++auth_read_passwd(hypervkvp_t) ++ +logging_send_syslog_msg(hypervkvp_t) + +sysnet_dns_name_resolve(hypervkvp_t) @@ -37683,7 +37745,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..efdfd9d 100644 +index 7bab8e5..5773c24 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,18 @@ @@ -37938,7 +38000,7 @@ index 7bab8e5..efdfd9d 100644 ') optional_policy(` -@@ -228,10 +257,20 @@ optional_policy(` +@@ -228,10 +257,21 @@ optional_policy(` ') optional_policy(` @@ -37952,6 +38014,7 @@ index 7bab8e5..efdfd9d 100644 + +optional_policy(` squid_domtrans(logrotate_t) ++ squid_read_config(logrotate_t) ') optional_policy(` @@ -37959,7 +38022,7 @@ index 7bab8e5..efdfd9d 100644 su_exec(logrotate_t) ') -@@ -241,13 +280,11 @@ optional_policy(` +@@ -241,13 +281,11 @@ optional_policy(` ####################################### # @@ -40308,10 +40371,10 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 92508b2..2213a03 100644 +index 92508b2..9c51c34 100644 --- a/milter.te +++ b/milter.te -@@ -1,77 +1,117 @@ +@@ -1,77 +1,121 @@ -policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) @@ -40358,6 +40421,8 @@ index 92508b2..2213a03 100644 allow milter_domains self:fifo_file rw_fifo_file_perms; -allow milter_domains self:tcp_socket { accept listen }; + ++allow milter_domains self:process signull; ++ +# Allow communication with MTA over a TCP socket +allow milter_domains self:tcp_socket create_stream_socket_perms; 
@@ -40399,6 +40464,8 @@ index 92508b2..2213a03 100644 + +kernel_read_kernel_sysctls(dkim_milter_t) + ++corenet_udp_bind_all_ports(dkim_milter_t) ++ +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) @@ -40457,7 +40524,7 @@ index 92508b2..2213a03 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +119,45 @@ optional_policy(` +@@ -79,30 +123,45 @@ optional_policy(` ######################################## # @@ -40655,10 +40722,10 @@ index 0000000..c713b27 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..adf2319 +index 0000000..fbb831d --- /dev/null +++ b/mirrormanager.if -@@ -0,0 +1,243 @@ +@@ -0,0 +1,237 @@ + +## policy for mirrormanager + @@ -40866,12 +40933,6 @@ index 0000000..adf2319 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`mirrormanager_admin',` + gen_require(` @@ -41280,10 +41341,10 @@ index 0000000..6568bfe +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..92c3b35 +index 0000000..fc64201 --- /dev/null +++ b/mock.te -@@ -0,0 +1,275 @@ +@@ -0,0 +1,276 @@ +policy_module(mock,1.0.0) + +## @@ -41331,6 +41392,7 @@ index 0000000..92c3b35 +# + +allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability2 block_suspend; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment +allow mock_t self:process { execmem execstack }; @@ -44098,10 +44160,24 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..33b18c8 100644 +index 7c8afcc..b8c9bf1 100644 --- a/mpd.te 
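Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` lets the milter bind any UDP port, reserved ones included, which is far wider than a DNS client needs, and the commit message only says "bind udp ports". If the denial was the resolver's ephemeral source port, `corenet_udp_bind_generic_node(dkim_milter_t)` plus `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` covers it without handing out the well-known ports; if a specific service port is meant, the matching `corenet_udp_bind_<port>_port` interface is the right shape. Either way a short comment naming the port that was denied would let the grant be tightened later.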
+++ b/mpd.te -@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) +@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4) + + ## + ##

++## Allow mpd execmem/execstack. ++##

++##
++gen_tunable(mpd_execmem, false) ++ ++## ++##

+ ## Determine whether mpd can traverse + ## user home directories. + ##

+@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable @@ -44128,7 +44204,7 @@ index 7c8afcc..33b18c8 100644 allow mpd_t mpd_data_t:dir manage_dir_perms; allow mpd_t mpd_data_t:file manage_file_perms; -@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +@@ -104,13 +118,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) @@ -44152,7 +44228,7 @@ index 7c8afcc..33b18c8 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -139,9 +155,9 @@ dev_read_sound(mpd_t) +@@ -139,9 +162,9 @@ dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) @@ -44163,12 +44239,16 @@ index 7c8afcc..33b18c8 100644 fs_list_inotifyfs(mpd_t) fs_rw_anon_inodefs_files(mpd_t) fs_search_auto_mountpoints(mpd_t) -@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t) +@@ -150,15 +173,30 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) -miscfiles_read_localization(mpd_t) +userdom_home_reader(mpd_t) ++ ++tunable_policy(`mpd_execmem',` ++ allow mpd_t self:process { execstack execmem }; ++') tunable_policy(`mpd_enable_homedirs',` - userdom_search_user_home_dirs(mpd_t) @@ -44192,7 +44272,7 @@ index 7c8afcc..33b18c8 100644 ') tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` -@@ -191,7 +218,7 @@ optional_policy(` +@@ -191,7 +229,7 @@ optional_policy(` ') optional_policy(` @@ -44201,7 +44281,7 @@ index 7c8afcc..33b18c8 100644 ') optional_policy(` -@@ -199,6 +226,16 @@ optional_policy(` +@@ -199,6 +237,16 @@ optional_policy(` ') optional_policy(` @@ -49265,7 +49345,7 @@ index 0e8508c..ee2e3de 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') 
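Review bot: The new `mpd_execmem` boolean correctly defaults to `false` and is the only thing that enables `allow mpd_t self:process { execstack execmem };`, but its description in the `@@ -7,6 +7,13 @@` part of the previous hunk merely restates the name. Saying what needs it and what it costs, e.g. `## Allow mpd to use executable memory and an executable stack (needed by <plugin that required it>; weakens W^X for the mpd domain).`, gives an administrator what they need to decide whether to flip it. If the plugin behind the denial is known, name it in the description.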
diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..34207b9 100644 +index 0b48a30..5863fc0 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -49420,7 +49500,7 @@ index 0b48a30..34207b9 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +149,31 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +149,33 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -49441,6 +49521,8 @@ index 0b48a30..34207b9 100644 init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +init_signull_script(NetworkManager_t) ++init_signal_script(NetworkManager_t) ++init_sigkill_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -49453,7 +49535,7 @@ index 0b48a30..34207b9 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +188,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -49490,7 +49572,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -196,10 +229,6 @@ optional_policy(` +@@ -196,10 +231,6 @@ optional_policy(` ') optional_policy(` @@ -49501,7 +49583,7 @@ index 0b48a30..34207b9 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +239,11 @@ optional_policy(` +@@ -210,16 +241,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -49520,7 +49602,7 @@ index 0b48a30..34207b9 100644 ') ') -@@ -231,18 +255,23 @@ optional_policy(` +@@ -231,18 +257,23 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
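Review bot: `init_sigkill_script(NetworkManager_t)` allows NetworkManager to SIGKILL any process running as initrc_t, which is every SysV init script and the helpers they spawn, not only the network-related ones it starts; `init_signal_script` directly above already covers ordinary signals. If the denial came from killing one specific helper, a domain-specific kill interface keeps the grant proportionate, and the file already uses that shape (`dnsmasq_kill`, `ipsec_kill_mgmt`, `nscd_kill` in the hunks below). If initrc_t really is the target, a comment such as `# NetworkManager kills <which initrc_t process>` (placeholder) would record which script needs it.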
@@ -49547,7 +49629,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -250,6 +279,10 @@ optional_policy(` +@@ -250,6 +281,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49558,7 +49640,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -257,11 +290,14 @@ optional_policy(` +@@ -257,11 +292,14 @@ optional_policy(` ') optional_policy(` @@ -49575,7 +49657,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -274,10 +310,17 @@ optional_policy(` +@@ -274,10 +312,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -49593,7 +49675,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -289,6 +332,7 @@ optional_policy(` +@@ -289,6 +334,7 @@ optional_policy(` ') optional_policy(` @@ -49601,7 +49683,7 @@ index 0b48a30..34207b9 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +340,7 @@ optional_policy(` +@@ -296,7 +342,7 @@ optional_policy(` ') optional_policy(` @@ -49610,7 +49692,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -307,6 +351,7 @@ optional_policy(` +@@ -307,6 +353,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -49618,7 +49700,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -320,13 +365,19 @@ optional_policy(` +@@ -320,13 +367,19 @@ optional_policy(` ') optional_policy(` @@ -49642,7 +49724,7 @@ index 0b48a30..34207b9 100644 ') optional_policy(` -@@ -356,6 +407,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +409,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -71115,7 +71197,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..136b017 100644 +index 3698b51..a422fca 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -71176,7 +71258,7 @@ index 3698b51..136b017 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -71212,10 +71294,9 @@ index 3698b51..136b017 100644 +logging_send_syslog_msg(rabbitmq_beam_t) + +optional_policy(` ++ couchdb_manage_files(rabbitmq_beam_t) + couchdb_manage_lib_files(rabbitmq_beam_t) + couchdb_read_conf_files(rabbitmq_beam_t) -+ couchdb_read_log_files(rabbitmq_beam_t) -+ couchdb_search_pid_dirs(rabbitmq_beam_t) +') + +optional_policy(` @@ -71231,7 +71312,7 @@ index 3698b51..136b017 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -75020,7 +75101,7 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..9b2ddd8 100644 +index 2c2de9a..8ea949c 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) 
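Review bot: Replacing `couchdb_read_log_files` and `couchdb_search_pid_dirs` with `couchdb_manage_files(rabbitmq_beam_t)` upgrades beam.smp from reading couchdb logs to creating, writing and deleting them, plus the pid files; if the denial was only on log reads, the narrower pair should stay. The retained `couchdb_manage_lib_files(rabbitmq_beam_t)` on the next line now overlaps with the var_lib half of `couchdb_manage_files`, so one of the two is redundant unless `couchdb_manage_lib_files` additionally grants directory rights, which a comment on the line should state either way.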
@@ -75396,15 +75477,16 @@ index 2c2de9a..9b2ddd8 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +425,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) +corenet_udp_bind_zented_port(fenced_t) ++corenet_tcp_connect_zented_port(fenced_t) corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +434,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -75415,7 +75497,7 @@ index 2c2de9a..9b2ddd8 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +444,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -75424,7 +75506,7 @@ index 2c2de9a..9b2ddd8 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +466,8 @@ optional_policy(` +@@ -182,7 +467,8 @@ optional_policy(` ') optional_policy(` @@ -75434,7 +75516,7 @@ index 2c2de9a..9b2ddd8 100644 ') optional_policy(` -@@ -190,12 +475,12 @@ optional_policy(` +@@ -190,12 +476,12 @@ optional_policy(` ') optional_policy(` @@ -75450,7 +75532,7 @@ index 2c2de9a..9b2ddd8 100644 ') optional_policy(` -@@ -203,6 +488,13 @@ optional_policy(` +@@ -203,6 +489,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -75464,7 +75546,7 @@ index 2c2de9a..9b2ddd8 100644 ####################################### # # foghorn local policy -@@ -221,16 +513,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
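Review bot: `corenet_tcp_connect_zented_port(fenced_t)` adds the client side of the zented port, but the surrounding block only carries `corenet_sendrecv_zented_server_packets`; refpolicy convention pairs a connect with `corenet_sendrecv_zented_client_packets(fenced_t)` so the rule keeps working when packet labelling is in use. The commit message attributes this to fence_virtd while the rule is on fenced_t; if fence_virtd runs under a different domain in this tree the rule is on the wrong type, and if it shares fenced_t a comment saying so would spare the next reader the same question.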
@@ -75485,7 +75567,7 @@ index 2c2de9a..9b2ddd8 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +551,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -75494,7 +75576,7 @@ index 2c2de9a..9b2ddd8 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +571,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -75536,7 +75618,7 @@ index 2c2de9a..9b2ddd8 100644 ###################################### # # qdiskd local policy -@@ -321,6 +646,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -78809,7 +78891,7 @@ index 0628d50..e9dbd7e 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..ab091de 100644 +index 5cbe81c..e1d9ae1 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -79150,7 +79232,7 @@ index 5cbe81c..ab091de 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -79177,6 +79259,9 @@ index 5cbe81c..ab091de 100644 +files_exec_usr_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) + ++init_disable_services(rpm_script_t) ++init_enable_services(rpm_script_t) ++init_reload_services(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) @@ -79208,7 +79293,7 @@ index 5cbe81c..ab091de 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +379,65 @@ ifdef(`distro_redhat',` +@@ -363,41 +382,69 @@ ifdef(`distro_redhat',` ') ') 
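Review bot: `init_disable_services`, `init_enable_services` and `init_reload_services` for rpm_script_t, together with `bind_systemctl(rpm_script_t)` in the next hunk, let package scriptlets enable, disable and reload arbitrary units, which is expected for %post scripts but is a broad capability that carries no explanation in the hunk. A comment above the three lines, `# unit enable/disable/reload from package scriptlets`, would state the intent. The three names are presumably provided by the init.if part of policy-f20-base.patch, which this diff only renumbers and does not show in full, so it is worth confirming they match the interfaces defined there.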
@@ -79223,6 +79308,10 @@ index 5cbe81c..ab091de 100644 +') + +optional_policy(` ++ bind_systemctl(rpm_script_t) ++') ++ ++optional_policy(` + certmonger_dbus_chat(rpm_script_t) +') + @@ -79284,7 +79373,7 @@ index 5cbe81c..ab091de 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +449,6 @@ optional_policy(` +@@ -409,6 +456,6 @@ optional_policy(` ') optional_policy(` @@ -93323,10 +93412,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..2ddef5c +index 0000000..ed78f6f --- /dev/null +++ b/thumb.te -@@ -0,0 +1,150 @@ +@@ -0,0 +1,154 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -93442,6 +93531,10 @@ index 0000000..2ddef5c +xserver_use_user_fonts(thumb_t) + +optional_policy(` ++ bumblebee_stream_connect(thumb_t) ++') ++ ++optional_policy(` + dbus_dontaudit_stream_connect_session_bus(thumb_t) + dbus_dontaudit_chat_session_bus(thumb_t) +') @@ -96171,7 +96264,7 @@ index c30da4c..6351bcb 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..3ad56e3 100644 +index 9dec06c..09db35b 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -97186,44 +97279,40 @@ index 9dec06c..3ad56e3 100644 ##
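Review bot: `bumblebee_stream_connect(thumb_t)` in the `@@ -93442,6 +93531,10 @@` hunk gives the thumbnailer domain, whose purpose is to contain parsers of untrusted files, a new unix-stream channel to the bumblebee daemon, and the hunk has no comment explaining the need. Because thumb_t is a confinement boundary, the reason should be recorded next to the call, e.g. `# thumbnailers on hybrid-graphics systems contact the bumblebee socket — confirm which thumbnailer needs this`, and the grant may be better placed behind a tunable than enabled for every installation that loads the bumblebee module. The commit message only names the symptom ("gnome-thumbnail to stream connect to bumblebee"), not which program triggers the denial.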
## ## -@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',` ## ## # -interface(`virt_manage_lib_files',` +interface(`virt_manage_cache',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + type virt_cache_t; - ') - -- files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ ') ++ + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. ++') ++ ++######################################## ++## +## Allow domain to manage virt image files - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`virt_manage_images',` -+ gen_require(` -+ type virt_var_lib_t; + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) @@ -97253,10 +97342,12 @@ index 9dec06c..3ad56e3 100644 + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Execute virt server in the virt domain. +## +## @@ -97283,12 +97374,10 @@ index 9dec06c..3ad56e3 100644 +## Ptrace the svirt domain +## +## - ## --## The type of the object to be created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +# +interface(`virt_ptrace',` + gen_require(` 
@@ -97301,14 +97390,13 @@ index 9dec06c..3ad56e3 100644 +####################################### +## +## Manage Sandbox Files -+## -+## + ##
+ ## ## --## The object class of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## --## +-## +# +interface(`virt_manage_sandbox_files',` + gen_require(` @@ -97326,16 +97414,14 @@ index 9dec06c..3ad56e3 100644 +##
+## ## --## The name of the object being created. +-## The type of the object to be created. +## Domain allowed access. ## ## --## - # --interface(`virt_pid_filetrans',` +-## ++# +interface(`virt_relabel_sandbox_filesystem',` - gen_require(` -- type virt_var_run_t; ++ gen_require(` + type svirt_sandbox_file_t; + ') + @@ -97344,16 +97430,40 @@ index 9dec06c..3ad56e3 100644 + +####################################### +## -+## Connect to virt over a unix domain stream socket. ++## Mounton Sandbox Files +## +## -+## + ## +-## The object class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_mounton_sandbox_file',` + gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## +-## + # +-interface(`virt_pid_filetrans',` ++interface(`virt_stream_connect_sandbox',` + gen_require(` +- type virt_var_run_t; + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') @@ -97437,7 +97547,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -935,19 +886,17 @@ interface(`virt_read_log',` +@@ -935,19 +904,17 @@ interface(`virt_read_log',` ## ## # @@ -97461,7 +97571,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -955,20 +904,17 @@ interface(`virt_append_log',` +@@ -955,20 +922,17 @@ interface(`virt_append_log',` ## ## # @@ -97486,7 +97596,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -976,18 +922,17 @@ interface(`virt_manage_log',` +@@ -976,18 +940,17 @@ interface(`virt_manage_log',` ## ## # @@ -97509,7 +97619,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -995,36 +940,57 @@ interface(`virt_search_images',` +@@ -995,36 +958,57 @@ interface(`virt_search_images',` ## ## # 
@@ -97586,7 +97696,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -1032,20 +998,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1016,28 @@ interface(`virt_read_images',` ## ## # @@ -97622,7 +97732,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -97646,7 +97756,7 @@ index 9dec06c..3ad56e3 100644 ## -## +## - ## ++## +## Prefix for the domain. +## +## @@ -97671,7 +97781,7 @@ index 9dec06c..3ad56e3 100644 +## Make the specified type usable as a lxc domain +## +## -+## + ## +## Type to be used as a lxc domain +## +## @@ -97757,7 +97867,9 @@ index 9dec06c..3ad56e3 100644 + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; + allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## @@ -97766,7 +97878,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -97840,7 +97952,7 @@ index 9dec06c..3ad56e3 100644 ## ## ## -@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -97882,7 +97994,8 @@ index 9dec06c..3ad56e3 100644 - - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) - @@ -97891,8 +98004,7 @@ index 9dec06c..3ad56e3 100644 - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_var($1) - admin_pattern($1, svirt_cache_t) - 
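Review bot: In the `@@ -97757,7 +97867,9 @@` hunk the new `allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;` runs in the opposite direction from its neighbours: the sandboxed domains gain read/write on the calling domain's pipes, whereas the adjacent rules grant the caller access to the sandbox. That is presumably intended so a container's stdio can be wired to the managing process, but it deserves a comment so it is not taken for a reversed rule, e.g. `# sandbox stdio is attached to the caller's pipes`. The added `ps_process_pattern($1, svirt_sandbox_domain)` exposes the sandbox processes' /proc entries to the caller and should be mentioned in the interface summary; the enclosing interface begins outside the hunk.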
diff --git a/selinux-policy.spec b/selinux-policy.spec index 7f72cb9..b842728 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 118%{?dist} +Release: 119%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,29 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 20 2014 Miroslav Grepl 3.12.1-118 +- Add cron unconfined role support for uncofined SELinux user +- Call kernel_rw_usermodehelper_state() in init.te +- Call corenet_udp_bind_all_ports() in milter.te +- Allow fence_virtd to connect to zented port +- Fix header for mirrormanager_admin() +- Allow dkim-milter to bind udp ports +- Allow milter domains to send signull itself +- Allow block_suspend for yum running as mock_t +- Allow beam.smp to manage couchdb files +- Add couchdb_manage_files() +- Add labeling for /var/log/php_errors.log +- Allow bumblebee to stream connect to xserver +- Allow bumblebee to send a signal to xserver +- gnome-thumbnail to stream connect to bumblebee +- Fix calling usermodehelper to use _state in interface name +- Allow xkbcomp running as bumblebee_t to execute bin_t +- Allow logrotate to read squid.conf +- Additional rules to get docker and lxc to play well with SELinux +- Call kernel_read_usermodhelper/kernel_rw_usermodhelper +- Allow bumbleed to connect to xserver port +- Allow pegasus_openlmi_storage_t to read hwdata + * Thu Jan 16 2014 Miroslav Grepl 3.12.1-118 - Allow init_t to work on transitient and snapshot unit files - Add logging_manage_syslog_config()
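Review bot: The new changelog header `* Mon Jan 20 2014 Miroslav Grepl 3.12.1-118` in the `@@ -579,6 +579,29 @@` hunk repeats the previous release number although the `@@ -19,7 +19,7 @@` hunk of the same file bumps `Release:` from 118 to 119, so the entry should read `3.12.1-119`; rpmlint is likely to report the changelog and package versions as incoherent. The first bullet also misspells "unconfined" as "uncofined", matching the typo in the commit subject.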