From 571c88df1bcf38a08af1a094bf68550234f831b7 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 10 2012 10:09:47 +0000 Subject: * Tue Apr 10 2012 Miroslav Grepl 3.10.0-112 - upowered needs to setsched on the kernel - Allow mpd_t to manage log files - Allow xdm_t to create /var/run/systemd/multi-session-x - Add rules for missedfont.log to be used by thumb.fc - Additional access required for virt_qmf_t - Allow dhclient to dbus chat with the firewalld - Add label for lvmetad - Allow systemd_logind_t to remove userdomain sock_files - Allow cups to execute usr_t files - Fix labeling on nvidia shared libraries - wdmd_t needs access to sssd and /etc/passwd - Add boolean to allow ftp servers to run in passive mode - Allow namepspace_init_t to relabelto/from a different user system_u from t - Fix using httpd_use_fusefs - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it --- diff --git a/policy-F16.patch b/policy-F16.patch index 8e93f9c..aa998e5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -67442,10 +67442,10 @@ index 0000000..8d7c751 +') diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te new file mode 100644 -index 0000000..5ddf179 +index 0000000..2f7149c --- /dev/null +++ b/policy/modules/apps/namespace.te -@@ -0,0 +1,44 @@ +@@ -0,0 +1,45 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -67473,6 +67473,7 @@ index 0000000..5ddf179 +corecmd_exec_shell(namespace_init_t) + +domain_use_interactive_fds(namespace_init_t) ++domain_obj_id_change_exemption(namespace_init_t) + +files_read_etc_files(namespace_init_t) +files_polyinstantiate_all(namespace_init_t) @@ -70572,11 +70573,12 @@ index 2533ea0..92f0ecb 100644 +') diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc new file mode 100644 -index 0000000..930fa33 +index 0000000..3a7c395 --- /dev/null 
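Review bot: `domain_obj_id_change_exemption(namespace_init_t)` is added with no comment, and it grants more than the single relabel the commit message describes: in reference policy this interface attaches the `can_change_object_identity` attribute, which is what the user-identity constraint on create/relabelto/relabelfrom checks, so the exemption applies to every object type the domain can already relabel. A one-line comment naming the trigger keeps that scope reviewable, e.g. `# polyinstantiated dirs are created as system_u and relabeled to the login user; this exempts the domain from the user identity constraint`. The surrounding lines of namespace.te are old-patch context; the change in this hunk is the single `++` line.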
+++ b/policy/modules/apps/thumb.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,15 @@ +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) ++HOME_DIR/missfont\.log gen_context(system_u:object_r:thumb_home_t,s0) + +/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) +/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) @@ -70592,10 +70594,10 @@ index 0000000..930fa33 +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if new file mode 100644 -index 0000000..79515db +index 0000000..9127cec --- /dev/null +++ b/policy/modules/apps/thumb.if -@@ -0,0 +1,103 @@ +@@ -0,0 +1,125 @@ + +## policy for thumb + @@ -70677,6 +70679,7 @@ index 0000000..79515db + + allow $2 thumb_t:dbus send_msg; + allow thumb_t $2:dbus send_msg; ++ thumb_filetrans_home_content($2) +') + +######################################## @@ -70699,12 +70702,33 @@ index 0000000..79515db + allow $1 thumb_t:dbus send_msg; + allow thumb_t $1:dbus send_msg; +') ++ ++######################################## ++## ++## Create thumb content in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`thumb_filetrans_home_content',` ++ ++ gen_require(` ++ type thumb_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails") ++ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log") ++') diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..95befd6 +index 0000000..62dd2ef --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,97 @@ +policy_module(thumb, 1.0.0) + +######################################## 
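Review bot: The XML description of the new `thumb_filetrans_home_content` interface reads `Create thumb content in the user home directory with an correct label.`; `with the correct label` is the intended wording, and because this text is the documented contract it should also name what is covered, e.g. `## Create .thumbnails (dir) and missfont.log (file) in the user home directory with the thumb_home_t label.`. The same two `userdom_user_home_dir_filetrans` calls are duplicated inline for thumb_t in thumb.te (the @@ -70744 hunk on the next line) instead of calling the new interface; a consistency point only. The interface is also invoked as `thumb_filetrans_home_content($2)` in the two-argument interface above it, whose header lies outside this hunk, so any caller of that interface now picks up both named transitions.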
@@ -70744,6 +70768,7 @@ index 0000000..95befd6 +manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t) +manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails") ++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") + +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) @@ -75575,7 +75600,7 @@ index 6a1e4d1..ffaa90a 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..d8ec4d2 100644 +index fae1ab1..6d455ba 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -75676,7 +75701,7 @@ index fae1ab1..d8ec4d2 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -158,5 +199,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +199,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -75799,6 +75824,10 @@ index fae1ab1..d8ec4d2 100644 +') + +optional_policy(` ++ thumb_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) + userdom_filetrans_home_content(unconfined_domain_type) +') @@ -95973,7 +96002,7 @@ index 305ddf4..4d70951 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..c50598f 100644 +index 0f28095..a1527a7 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
@@ -96042,7 +96071,7 @@ index 0f28095..c50598f 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -220,6 +228,7 @@ corecmd_exec_bin(cupsd_t) +@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t) domain_use_interactive_fds(cupsd_t) @@ -96050,7 +96079,13 @@ index 0f28095..c50598f 100644 files_list_spool(cupsd_t) files_read_etc_files(cupsd_t) files_read_etc_runtime_files(cupsd_t) -@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t) + # read python modules + files_read_usr_files(cupsd_t) ++files_exec_usr_files(cupsd_t) + # for /var/lib/defoma + files_read_var_lib_files(cupsd_t) + files_list_world_readable(cupsd_t) +@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -96063,7 +96098,7 @@ index 0f28095..c50598f 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -287,6 +290,8 @@ optional_policy(` +@@ -287,6 +291,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -96072,7 +96107,7 @@ index 0f28095..c50598f 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -297,8 +302,10 @@ optional_policy(` +@@ -297,8 +303,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -96083,7 +96118,7 @@ index 0f28095..c50598f 100644 ') ') -@@ -311,10 +318,22 @@ optional_policy(` +@@ -311,10 +319,22 @@ optional_policy(` ') optional_policy(` @@ -96106,7 +96141,7 @@ index 0f28095..c50598f 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +341,8 @@ optional_policy(` +@@ -322,6 +342,8 @@ optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) @@ -96115,7 +96150,7 @@ index 0f28095..c50598f 100644 ') optional_policy(` -@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; 
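Review bot: `files_exec_usr_files(cupsd_t)` lets the print scheduler execute any file labeled usr_t, a much wider grant than the `files_read_usr_files(cupsd_t)` it sits under, and it carries no comment while that neighbouring rule has `# read python modules`. A comment naming the helper that motivates it would let a later reviewer narrow the rule to a specific type or to the existing `corecmd_exec_bin(cupsd_t)`, e.g. `# TODO(review): name the usr_t file cupsd executes that requires this`. If the trigger is a single script or binary, giving it a bin_t context in cups.fc avoids the blanket execute permission on all of usr_t.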
@@ -96126,7 +96161,7 @@ index 0f28095..c50598f 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +415,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +416,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -96137,7 +96172,7 @@ index 0f28095..c50598f 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +451,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +452,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -96151,7 +96186,7 @@ index 0f28095..c50598f 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +479,10 @@ optional_policy(` +@@ -453,6 +480,10 @@ optional_policy(` ') optional_policy(` @@ -96162,7 +96197,7 @@ index 0f28095..c50598f 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +497,10 @@ optional_policy(` +@@ -467,6 +498,10 @@ optional_policy(` ') optional_policy(` @@ -96173,7 +96208,7 @@ index 0f28095..c50598f 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,6 +571,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,6 +572,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -96181,7 +96216,7 @@ index 0f28095..c50598f 100644 dev_read_urand(cupsd_lpd_t) dev_read_rand(cupsd_lpd_t) -@@ -587,23 +622,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,23 +623,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) 
@@ -96214,7 +96249,7 @@ index 0f28095..c50598f 100644 ') ######################################## -@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -96223,7 +96258,7 @@ index 0f28095..c50598f 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +719,9 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +720,9 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -96233,7 +96268,7 @@ index 0f28095..c50598f 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +734,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -97658,7 +97693,7 @@ index f706b99..d41e4fe 100644 + #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..f5e84bd 100644 +index f231f17..fb64f1d 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) @@ -97750,7 +97785,7 @@ index f231f17..f5e84bd 100644 optional_policy(` dbus_system_bus_client(devicekit_disk_t) -@@ -178,55 +194,84 @@ optional_policy(` +@@ -178,55 +194,85 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -97799,6 +97834,7 @@ index f231f17..f5e84bd 100644 +kernel_rw_vm_sysctls(devicekit_power_t) kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) ++kernel_setsched(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) @@ -97840,7 +97876,7 @@ index f231f17..f5e84bd 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,7 +280,12 @@ optional_policy(` +@@ -235,7 +281,12 @@ optional_policy(` ') optional_policy(` @@ -97853,7 +97889,7 @@ index f231f17..f5e84bd 100644 ') optional_policy(` -@@ -261,14 +311,21 @@ optional_policy(` +@@ -261,14 +312,21 @@ optional_policy(` ') optional_policy(` @@ -97876,7 +97912,7 @@ index f231f17..f5e84bd 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +333,30 @@ optional_policy(` +@@ -276,9 +334,30 @@ optional_policy(` ') optional_policy(` @@ -101218,10 +101254,10 @@ index 0000000..b468a30 +/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0) diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if new file mode 100644 -index 0000000..62acfff +index 0000000..c4c7510 --- /dev/null +++ b/policy/modules/services/firewalld.if -@@ -0,0 +1,109 @@ +@@ -0,0 +1,130 @@ +## policy for firewalld + +######################################## @@ -101286,6 +101322,27 @@ index 0000000..62acfff + +######################################## +## ++## Send and receive messages from ++## firewalld over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`firewalld_dbus_chat',` ++ gen_require(` ++ type firewalld_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 firewalld_t:dbus send_msg; ++ allow firewalld_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an firewalld environment +## 
@@ -101587,10 +101644,10 @@ index 9d3201b..6e75e3d 100644 + allow $1 ftpd_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..c183d8c 100644 +index 8a74a83..14b822a 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te -@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false) +@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false) ## ##

@@ -101601,6 +101658,13 @@ index 8a74a83..c183d8c 100644 + +## +##

++## Allow ftp servers to use bind to all unreserved ports for passive mode ++##

++##
++gen_tunable(ftpd_use_passive_mode, false) ++ ++## ++##

+## Allow ftp servers to connect to all ports > 1023 +##

+##
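Review bot: The description of the new `ftpd_use_passive_mode` tunable reads `Allow ftp servers to use bind to all unreserved ports for passive mode`; `use bind to` should be `bind to`, and since this text becomes the boolean's user-visible help it should state the scope the way the neighbouring tunable does, e.g. `## Allow ftp servers to bind to all unreserved ports (> 1023) for passive mode data connections`. The default of `false` is the right choice for a grant this wide. The matching `tunable_policy` block that adds `corenet_tcp_bind_all_unreserved_ports(ftpd_t)` is further down in the same file.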
@@ -101611,7 +101675,7 @@ index 8a74a83..c183d8c 100644 ## Allow ftp to read and write files in the user home directories ##

## -@@ -48,7 +62,7 @@ gen_tunable(ftp_home_dir, false) +@@ -48,7 +69,7 @@ gen_tunable(ftp_home_dir, false) ## ##

## Allow anon internal-sftp to upload files, used for @@ -101620,7 +101684,7 @@ index 8a74a83..c183d8c 100644 ## public_content_rw_t. ##

##
-@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false) +@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false) ## gen_tunable(sftpd_full_access, false) @@ -101635,7 +101699,7 @@ index 8a74a83..c183d8c 100644 type anon_sftpd_t; typealias anon_sftpd_t alias sftpd_anon_t; domain_type(anon_sftpd_t) -@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t) +@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -101645,7 +101709,7 @@ index 8a74a83..c183d8c 100644 type ftpd_lock_t; files_lock_file(ftpd_lock_t) -@@ -115,6 +140,10 @@ ifdef(`enable_mcs',` +@@ -115,6 +147,10 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) ') @@ -101656,7 +101720,7 @@ index 8a74a83..c183d8c 100644 ######################################## # # anon-sftp local policy -@@ -122,6 +151,7 @@ ifdef(`enable_mcs',` +@@ -122,6 +158,7 @@ ifdef(`enable_mcs',` files_read_etc_files(anon_sftpd_t) @@ -101664,7 +101728,7 @@ index 8a74a83..c183d8c 100644 miscfiles_read_public_files(anon_sftpd_t) tunable_policy(`sftpd_anon_write',` -@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',` +@@ -133,7 +170,7 @@ tunable_policy(`sftpd_anon_write',` # ftpd local policy # @@ -101673,7 +101737,7 @@ index 8a74a83..c183d8c 100644 dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; -@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) +@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) 
@@ -101681,7 +101745,7 @@ index 8a74a83..c183d8c 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file +@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) @@ -101697,7 +101761,7 @@ index 8a74a83..c183d8c 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -177,7 +206,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -101706,7 +101770,7 @@ index 8a74a83..c183d8c 100644 dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) -@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t) +@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) @@ -101718,7 +101782,7 @@ index 8a74a83..c183d8c 100644 corenet_sendrecv_ftp_server_packets(ftpd_t) domain_use_interactive_fds(ftpd_t) -@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t) +@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) fs_search_fusefs(ftpd_t) @@ -101734,7 +101798,7 @@ index 8a74a83..c183d8c 100644 init_rw_utmp(ftpd_t) -@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` +@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` tunable_policy(`allow_ftpd_full_access',` allow ftpd_t self:capability { dac_override dac_read_search }; 
@@ -101742,12 +101806,16 @@ index 8a74a83..c183d8c 100644 + files_manage_non_security_files(ftpd_t) +') + ++tunable_policy(`ftpd_use_passive_mode',` ++ corenet_tcp_bind_all_unreserved_ports(ftpd_t) ++') ++ +tunable_policy(`ftpd_connect_all_unreserved',` + corenet_tcp_connect_all_unreserved_ports(ftpd_t) ') tunable_policy(`ftp_home_dir',` -@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',` +@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -101765,7 +101833,7 @@ index 8a74a83..c183d8c 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -309,6 +342,10 @@ optional_policy(` +@@ -309,6 +353,10 @@ optional_policy(` ') optional_policy(` @@ -101776,7 +101844,7 @@ index 8a74a83..c183d8c 100644 selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) -@@ -316,6 +353,25 @@ optional_policy(` +@@ -316,6 +364,25 @@ optional_policy(` ') optional_policy(` @@ -101802,7 +101870,7 @@ index 8a74a83..c183d8c 100644 inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -347,16 +403,17 @@ optional_policy(` +@@ -347,16 +414,17 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -101822,7 +101890,7 @@ index 8a74a83..c183d8c 100644 ######################################## # -@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t) +@@ -365,18 +433,33 @@ userdom_use_user_terminals(ftpdctl_t) files_read_etc_files(sftpd_t) @@ -101859,7 +101927,7 @@ index 8a74a83..c183d8c 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) 
@@ -108682,6 +108750,16 @@ index 83f002c..fa8a3d5 100644 corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) +diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc +index ddc14d6..c74bf3d 100644 +--- a/policy/modules/services/mpd.fc ++++ b/policy/modules/services/mpd.fc +@@ -6,3 +6,5 @@ + /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) + /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) + /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) ++ ++/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index d72276f..cb8c563 100644 --- a/policy/modules/services/mpd.if @@ -108700,7 +108778,7 @@ index d72276f..cb8c563 100644 mpd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te -index 7f68872..36ff69d 100644 +index 7f68872..72c1f8a 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -108713,7 +108791,18 @@ index 7f68872..36ff69d 100644 manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -@@ -103,6 +106,10 @@ logging_send_syslog_msg(mpd_t) +@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) + + read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) + ++manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t) ++manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t) ++logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file }) ++ + manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) + manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) + manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +@@ -103,6 +110,10 @@ logging_send_syslog_msg(mpd_t) miscfiles_read_localization(mpd_t) 
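Review bot: `logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })` is an unnamed transition, so anything mpd_t creates directly under /var/log becomes mpd_log_t, while the file context added in mpd.fc only covers `/var/log/mpd(/.*)?`. If mpd only creates the `mpd` directory there (files inside it are handled by the manage_*_pattern rules), a named transition keeps on-disk and runtime labels in agreement: `logging_log_filetrans(mpd_t, mpd_log_t, dir, "mpd")`. The declaration of `mpd_log_t` (a `type mpd_log_t;` plus `logging_log_file(mpd_log_t)` pair) is not visible in this hunk; presumably it sits in the unchanged part of the @@ -44,6 +44,9 hunk, but that should be confirmed since the module does not build without it.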
@@ -108724,7 +108813,7 @@ index 7f68872..36ff69d 100644 optional_policy(` alsa_read_rw_config(mpd_t) ') -@@ -122,5 +129,14 @@ optional_policy(` +@@ -122,5 +133,14 @@ optional_policy(` ') optional_policy(` @@ -130426,7 +130515,7 @@ index 7c5d8d8..c542fe7 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..794917a 100644 +index 3eca020..9386b72 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) @@ -131001,7 +131090,7 @@ index 3eca020..794917a 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +645,393 @@ files_search_all(virt_domain) +@@ -440,25 +645,396 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -131361,11 +131450,14 @@ index 3eca020..794917a 100644 +# +# virt_qmf local policy +# -+allow virt_qmf_t self:process signal; ++allow virt_qmf_t self:capability { sys_nice sys_tty_config }; ++allow virt_qmf_t self:process { setsched signal }; +allow virt_qmf_t self:fifo_file rw_fifo_file_perms; +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qmf_t self:tcp_socket create_stream_socket_perms; ++allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; + ++kernel_read_system_state(virt_qmf_t) +kernel_read_network_state(virt_qmf_t) + +dev_list_sysfs(virt_qmf_t) @@ -131624,10 +131716,10 @@ index 0000000..8e3570d +') diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te new file mode 100644 -index 0000000..c0f3e2f +index 0000000..b6db3b3 --- /dev/null +++ b/policy/modules/services/wdmd.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,47 @@ +policy_module(wdmd,1.0.0) + +######################################## 
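Review bot: `allow virt_qmf_t self:capability { sys_nice sys_tty_config };` grants sys_tty_config to a management agent, which is an unusual capability for it; elsewhere in reference policy daemons usually carry `dontaudit foo_t self:capability sys_tty_config;` because the request commonly originates from the init script rather than from anything the daemon needs. Unless a denial shows the agent actually failing without it, `allow virt_qmf_t self:capability sys_nice;` plus `dontaudit virt_qmf_t self:capability sys_tty_config;` is the narrower form. The added `kernel_read_system_state` and `netlink_route_socket` rules look like the usual set for a process that enumerates interfaces and /proc, which the commit message's "Additional access required for virt_qmf_t" does not spell out; a short comment above the block naming the observed denials would help.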
@@ -131670,6 +131762,8 @@ index 0000000..c0f3e2f + +fs_read_anon_inodefs_files(wdmd_t) + ++auth_use_nsswitch(wdmd_t) ++ +logging_send_syslog_msg(wdmd_t) + +miscfiles_read_localization(wdmd_t) @@ -131684,7 +131778,7 @@ index aa6e5a8..42a0efb 100644 ######################################## ## diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 4966c94..44a9ef5 100644 +index 4966c94..bc7b581 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,34 @@ @@ -131787,7 +131881,7 @@ index 4966c94..44a9ef5 100644 /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -@@ -90,17 +115,44 @@ ifdef(`distro_debian', ` +@@ -90,17 +115,45 @@ ifdef(`distro_debian', ` /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -131825,6 +131919,7 @@ index 4966c94..44a9ef5 100644 + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) ++/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -133072,7 +133167,7 @@ index 130ced9..4a0455e 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..b0f5722 100644 +index 143c893..2659b5c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
@@ -133610,7 +133705,7 @@ index 143c893..b0f5722 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +610,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -133635,6 +133730,7 @@ index 143c893..b0f5722 100644 # Run telinit->init to shutdown. init_telinit(xdm_t) +init_dbus_chat(xdm_t) ++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x") libs_exec_lib_files(xdm_t) @@ -133651,7 +133747,7 @@ index 143c893..b0f5722 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,24 +649,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -133701,7 +133797,7 @@ index 143c893..b0f5722 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +699,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -133723,7 +133819,7 @@ index 143c893..b0f5722 100644 ') optional_policy(` -@@ -519,12 +721,63 @@ optional_policy(` +@@ -519,12 +722,63 @@ optional_policy(` ') optional_policy(` @@ -133787,7 +133883,7 @@ index 143c893..b0f5722 100644 hostname_exec(xdm_t) ') -@@ -542,28 +795,69 @@ optional_policy(` +@@ -542,28 +796,69 @@ optional_policy(` ') optional_policy(` @@ -133866,7 +133962,7 @@ index 143c893..b0f5722 100644 ') optional_policy(` -@@ -575,6 +869,14 @@ optional_policy(` +@@ -575,6 +870,14 @@ optional_policy(` ') optional_policy(` 
@@ -133881,7 +133977,7 @@ index 143c893..b0f5722 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +901,8 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -133891,7 +133987,7 @@ index 143c893..b0f5722 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +916,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -133907,7 +134003,7 @@ index 143c893..b0f5722 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +943,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -133929,7 +134025,7 @@ index 143c893..b0f5722 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +963,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -133937,7 +134033,7 @@ index 143c893..b0f5722 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,21 +990,28 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +991,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -133968,7 +134064,7 @@ index 143c893..b0f5722 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1022,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -133982,7 +134078,7 @@ index 143c893..b0f5722 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1041,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1042,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -133991,7 +134087,7 @@ index 143c893..b0f5722 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1048,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1049,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -134006,7 +134102,7 @@ index 143c893..b0f5722 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1107,40 @@ optional_policy(` +@@ -778,16 +1108,40 @@ optional_policy(` ') optional_policy(` @@ -134048,7 +134144,7 @@ index 143c893..b0f5722 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1149,10 @@ optional_policy(` +@@ -796,6 +1150,10 @@ optional_policy(` ') optional_policy(` @@ -134059,7 +134155,7 @@ index 143c893..b0f5722 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1168,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -134073,7 +134169,7 @@ index 143c893..b0f5722 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1179,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -134082,7 +134178,7 @@ index 143c893..b0f5722 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,26 +1192,21 @@ init_use_fds(xserver_t) +@@ -835,26 +1193,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -134117,7 +134213,7 @@ index 143c893..b0f5722 100644 ') optional_policy(` -@@ -862,6 +1214,10 @@ optional_policy(` +@@ -862,6 +1215,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -134128,7 +134224,7 @@ index 143c893..b0f5722 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1261,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -134137,7 +134233,7 @@ index 143c893..b0f5722 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1315,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1316,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -134169,7 +134265,7 @@ index 143c893..b0f5722 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1361,31 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1362,31 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -139385,7 +139481,7 @@ index ddbd8be..fad18e0 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..75a2fbd 100644 +index 560dc48..989999b 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -28,26 +28,24 @@ ifdef(`distro_redhat',` @@ -139419,9 +139515,12 @@ index 560dc48..75a2fbd 100644 ') ifdef(`distro_gentoo',` -@@ -62,7 +60,6 @@ ifdef(`distro_gentoo',` +@@ -60,9 +58,8 @@ ifdef(`distro_gentoo',` + # + # /opt # - /opt/.*\.so gen_context(system_u:object_r:lib_t,s0) +-/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) ++/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) @@ -139440,7 +139539,7 @@ index 560dc48..75a2fbd 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -119,64 +122,62 @@ ifdef(`distro_redhat',` +@@ -119,64 +122,63 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) 
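Review bot: The rewritten `/opt/.*\.so(\.[^/]*)*` entry in the libraries.fc hunk `@@ -60,9 +58,8 @@` still carries no `--` file-type qualifier, so unlike the other `\.so(\.[^/]*)*` entries visible in that file (e.g. `/usr/lib/nero/.*\.so(\.[^/]*)* --`) it also applies lib_t to directories and symlinks whose names look like a versioned library. The old `/opt/.*\.so` line had the same shape, so this may be deliberate; if only regular files are meant, `/opt/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)` would make it consistent with the rest of the file. The other hunks on this line only renumber nested hunk headers and need no review.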
@@ -139507,6 +139606,7 @@ index 560dc48..75a2fbd 100644 +/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -139539,7 +139639,7 @@ index 560dc48..75a2fbd 100644 ') ifdef(`distro_gentoo',` -@@ -195,7 +196,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -195,7 +197,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
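Review bot: The added `/usr/lib/nvidia/.+\.so(\..*)?` entry uses `(\..*)?` for the version suffix while every neighbouring nvidia entry uses `(\.[^/]*)*`; because `.` also matches `/`, the new pattern reaches into subdirectories, so a regular file at a constructed path such as `/usr/lib/nvidia/foo.so.1/bar` would also be labelled textrel_shlib_t. textrel_shlib_t is the type that permits text relocation (execmod) on mapped libraries, so it should match as narrowly as the rest of the file does. `/usr/lib/nvidia/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` keeps the entry consistent with the `/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*` line just above it.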
@@ -139547,7 +139647,7 @@ index 560dc48..75a2fbd 100644 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -203,86 +203,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -203,86 +204,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -139692,7 +139792,7 @@ index 560dc48..75a2fbd 100644 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -303,8 +304,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -303,8 +305,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -139702,7 +139802,7 @@ index 560dc48..75a2fbd 100644 ') dnl end distro_redhat # -@@ -312,17 +312,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -140980,10 +141080,10 @@ index b6ec597..9c495b2 100644 optional_policy(` 
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..1121047 100644 +index 879bb1e..63893d1 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc -@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',` +@@ -28,23 +28,28 @@ ifdef(`distro_gentoo',` # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -141009,7 +141109,11 @@ index 879bb1e..1121047 100644 /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +92,66 @@ ifdef(`distro_gentoo',` ++/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -88,8 +93,67 @@ ifdef(`distro_gentoo',` # # /usr # @@ -141030,6 +141134,7 @@ index 879bb1e..1121047 100644 +/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -141078,7 +141183,7 @@ index 879bb1e..1121047 100644 # # /var -@@ -97,5 +159,7 @@ ifdef(`distro_gentoo',` +@@ -97,5 +161,7 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) 
@@ -144059,7 +144164,7 @@ index ff80d0a..22c9f0d 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..92fa1e9 100644 +index 34d0ec5..400efc0 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -144205,7 +144310,18 @@ index 34d0ec5..92fa1e9 100644 ') optional_policy(` -@@ -171,6 +203,8 @@ optional_policy(` +@@ -161,6 +193,10 @@ optional_policy(` + dbus_connect_system_bus(dhcpc_t) + + optional_policy(` ++ firewalld_dbus_chat(dhcpc_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(dhcpc_t) + ') + ') +@@ -171,6 +207,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -144214,7 +144330,7 @@ index 34d0ec5..92fa1e9 100644 ') optional_policy(` -@@ -192,17 +226,31 @@ optional_policy(` +@@ -192,17 +230,31 @@ optional_policy(` ') optional_policy(` @@ -144246,7 +144362,7 @@ index 34d0ec5..92fa1e9 100644 ') optional_policy(` -@@ -213,6 +261,11 @@ optional_policy(` +@@ -213,6 +265,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -144258,7 +144374,7 @@ index 34d0ec5..92fa1e9 100644 ') optional_policy(` -@@ -255,6 +308,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +312,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -144266,7 +144382,7 @@ index 34d0ec5..92fa1e9 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -273,11 +331,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) 
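Review bot: `firewalld_dbus_chat(dhcpc_t)` in the sysnetwork.te hunk `@@ -161,6 +193,10 @@` presumably follows the usual refpolicy `*_dbus_chat` shape and so grants `dbus send_msg` in both directions between dhcpc_t and the firewalld domain; SELinux cannot narrow this to particular bus methods, so which firewalld operations a DHCP client can trigger is left to firewalld's own bus policy. That mirrors the existing `networkmanager_dbus_chat(dhcpc_t)` beside it, so it is probably acceptable, but a why-comment above the new `optional_policy` block would help the next reader, e.g. `# dhclient talks to firewalld over the system bus`. The enclosing `optional_policy` block that holds both calls begins before the hunk. The remaining hunks on this line only renumber nested hunk headers.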
@@ -144284,7 +144400,7 @@ index 34d0ec5..92fa1e9 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -290,7 +354,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -144293,7 +144409,7 @@ index 34d0ec5..92fa1e9 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +365,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -144308,7 +144424,7 @@ index 34d0ec5..92fa1e9 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +378,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -144331,7 +144447,7 @@ index 34d0ec5..92fa1e9 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +404,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -144346,7 +144462,7 @@ index 34d0ec5..92fa1e9 100644 ') optional_policy(` -@@ -335,7 +416,15 @@ optional_policy(` +@@ -335,7 +420,15 @@ optional_policy(` ') optional_policy(` @@ -144363,7 +144479,7 @@ index 34d0ec5..92fa1e9 100644 ') optional_policy(` -@@ -356,3 +445,9 @@ optional_policy(` +@@ -356,3 +449,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -145090,10 +145206,10 @@ index 0000000..a7e3666 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f4dd2ab +index 0000000..68bf0f6 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,402 @@ +@@ -0,0 +1,403 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -145223,6 +145339,7 @@ index 0000000..f4dd2ab +userdom_manage_user_tmp_dirs(systemd_logind_t) +userdom_manage_user_tmp_files(systemd_logind_t) +userdom_manage_user_tmp_symlinks(systemd_logind_t) ++userdom_manage_user_tmp_sockets(systemd_logind_t) + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index f194a4f..8f80045 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 111%{?dist} +Release: 112%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -489,6 +489,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 10 2012 Miroslav Grepl 3.10.0-112 +- upowered needs to setsched on the kernel +- Allow mpd_t to manage log files +- Allow xdm_t to create /var/run/systemd/multi-session-x +- Add rules for missedfont.log to be used by thumb.fc +- Additional access required for virt_qmf_t +- Allow dhclient to dbus chat with the firewalld +- Add label for lvmetad +- Allow systemd_logind_t to remove userdomain sock_files +- Allow cups to execute usr_t files +- Fix labeling on nvidia shared libraries +- wdmd_t needs access to sssd and /etc/passwd +- Add boolean to allow ftp servers to run in passive mode +- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with +- Fix using httpd_use_fusefs +- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox + * Fri Apr 6 2012 Miroslav Grepl 3.10.0-111 - Rename rdate port to time port, and allow gnomeclock to connect to it - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
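Review bot: `userdom_manage_user_tmp_sockets(systemd_logind_t)` grants the full manage permission set on user tmp sock_files, while the changelog entry in this same commit only asks for logind to remove them (`Allow systemd_logind_t to remove userdomain sock_files`). If unlink is all the observed denial needed, a delete-only interface from the userdom module, should one exist, would be the least-privilege choice; otherwise a one-line comment above the call explaining why create/write access is also required would document the wider grant. It does match the adjacent `userdom_manage_user_tmp_{dirs,files,symlinks}` lines in style. The selinux-policy.spec hunks on this line are a release bump and changelog and need no review.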