From 578b67080c085144afdf9906b1b344ab3abaa4c4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 13 2015 23:13:22 +0000 Subject: * Wed Apr 14 2015 Lukas Vrabec 3.13.1-123 - Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) - Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to stream connect to networkmanager. - Allow dnssec_trigger_t to create resolv files labeled as net_conf_t - Fix labeling for keystone CGI scripts. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 49db009..c471c0e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6125,7 +6125,7 @@ index b31c054..1f28afb 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..be13cd9 100644 +index 76f285e..4311238 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -7101,45 +7101,45 @@ index 76f285e..be13cd9 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3814,7 @@ interface(`dev_rw_printer',` ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## Relabel the printer device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_printer',` -+ gen_require(` -+ type printer_device_t; -+ ') -+ -+ allow $1 printer_device_t:chr_file relabel_chr_file_perms; -+') -+ -+######################################## -+## -+## Read and write the printer device. ## ## ## -@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3822,31 @@ interface(`dev_rw_printer',` ## ## # -interface(`dev_read_printk',` -+interface(`dev_manage_printer',` ++interface(`dev_relabel_printer',` gen_require(` - type device_t, printk_device_t; -+ type device_t, printer_device_t; ++ type printer_device_t; ') - read_chr_files_pattern($1, device_t, printk_device_t) ++ allow $1 printer_device_t:chr_file relabel_chr_file_perms; ++') ++ ++######################################## ++## ++## Read and write the printer device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_printer',` ++ gen_require(` ++ type device_t, printer_device_t; ++ ') ++ + manage_chr_files_pattern($1, device_t, printer_device_t) + dev_filetrans_printer_named_dev($1) ') @@ -7163,7 +7163,7 @@ index 76f285e..be13cd9 100644 ') ######################################## -@@ -3855,6 +4434,96 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,6 +4434,114 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
@@ -7221,6 +7221,24 @@ index 76f285e..be13cd9 100644 + +######################################## +## ++## Dontaudit attempts to mount a filesystem on /sys ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_mounton_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ dontaudit $1 sysfs_t:dir mounton; ++') ++ ++######################################## ++## +## Mount sysfs filesystems. +## +## @@ -7260,7 +7278,7 @@ index 76f285e..be13cd9 100644 ## Search the sysfs directories. ## ## -@@ -3904,6 +4573,7 @@ interface(`dev_list_sysfs',` +@@ -3904,6 +4591,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -7268,7 +7286,7 @@ index 76f285e..be13cd9 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3946,23 +4616,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3946,23 +4634,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -7289,7 +7307,7 @@ index 76f285e..be13cd9 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; + ') + @@ -7308,7 +7326,7 @@ index 76f285e..be13cd9 100644 +## +# +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; type sysfs_t; ') @@ -7322,7 +7340,7 @@ index 76f285e..be13cd9 100644 ######################################## ## ## Read hardware state information. -@@ -4016,6 +4712,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4730,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7385,7 +7403,7 @@ index 76f285e..be13cd9 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4865,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4883,25 @@ interface(`dev_write_urand',` ######################################## ## 
@@ -7411,7 +7429,7 @@ index 76f285e..be13cd9 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +4894,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +4912,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -7420,7 +7438,7 @@ index 76f285e..be13cd9 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5180,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5198,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7432,7 +7450,7 @@ index 76f285e..be13cd9 100644 ## ## ## -@@ -4419,17 +5190,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5208,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7455,7 +7473,7 @@ index 76f285e..be13cd9 100644 ## ## ## -@@ -4437,12 +5208,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5226,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7471,7 +7489,7 @@ index 76f285e..be13cd9 100644 ') ######################################## -@@ -4539,6 +5310,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5328,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7606,7 +7624,7 @@ index 76f285e..be13cd9 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5456,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5474,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7631,7 +7649,7 @@ index 76f285e..be13cd9 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5679,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5697,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7676,7 +7694,7 @@ index 76f285e..be13cd9 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5806,966 @@ interface(`dev_unconfined',` +@@ -4851,3 +5824,966 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -9051,7 +9069,7 @@ index 6a1e4d1..549967a 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..7da29ff 100644 +index cf04cb5..f372320 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -9097,7 +9115,7 @@ index cf04cb5..7da29ff 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,51 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,55 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -9126,6 +9144,10 @@ index cf04cb5..7da29ff 100644 dev_rw_zero(domain) term_use_controlling_term(domain) ++# Allow all domains to read /dev/urandom. It is needed by all apps/services ++# linked to libgcrypt. There is no harm to allow it by default. ++dev_read_urand(domain) ++ # list the root directory files_list_root(domain) +# allow all domains to search through base_file_type directory, since users @@ -9150,7 +9172,7 @@ index cf04cb5..7da29ff 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',` +@@ -121,8 +177,19 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -9170,7 +9192,7 @@ index cf04cb5..7da29ff 100644 ') optional_policy(` -@@ -133,6 +196,9 @@ optional_policy(` +@@ -133,6 +200,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) 
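Review bot: The comment added above `dev_read_urand(domain)` in domain.te justifies a grant to every domain with "There is no harm to allow it by default", which gives a later auditor nothing to verify. I would state the scope instead, for example `# Read-only access to /dev/urandom for all domains; needed by anything linked to libgcrypt. Write access is not granted by this rule.` The block of domain-wide rules this sits in starts and ends outside the hunk, so whether other modules still call dev_read_urand individually cannot be checked from here.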
@@ -9180,7 +9202,7 @@ index cf04cb5..7da29ff 100644 ') ######################################## -@@ -147,12 +213,18 @@ optional_policy(` +@@ -147,12 +217,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -9200,7 +9222,7 @@ index cf04cb5..7da29ff 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +238,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +242,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -14063,7 +14085,7 @@ index f962f76..1a36ae2 100644 + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1a03abd..32a40f8 100644 +index 1a03abd..3221f80 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) @@ -14258,7 +14280,8 @@ index 1a03abd..32a40f8 100644 +allow files_unconfined_type file_type:service *; # Mount/unmount any filesystem with the context= option. - allow files_unconfined_type file_type:filesystem *; +-allow files_unconfined_type file_type:filesystem *; ++allow files_unconfined_type file_type:filesystem all_filesystem_perms; -tunable_policy(`allow_execmod',` +tunable_policy(`selinuxuser_execmod',` @@ -14306,7 +14329,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..75c7b9d 100644 +index 8416beb..19d6aba 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
@@ -14595,74 +14618,386 @@ index 8416beb..75c7b9d 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,6 +1954,205 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +1954,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') +-######################################## + +####################################### -+## + ## +-## Mount a FUSE filesystem. +## Search directories +## on a ecrypt filesystem. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`fs_mount_fusefs',` +- gen_require(` +- type fusefs_t; +- ') +interface(`fs_search_ecryptfs',` + gen_require(` + type ecryptfs_t; + ') -+ + +- allow $1 fusefs_t:filesystem mount; + allow $1 ecryptfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount a FUSE filesystem. +## Create, read, write, and delete directories +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_unmount_fusefs',` +interface(`fs_manage_ecryptfs_dirs',` -+ gen_require(` + gen_require(` +- type fusefs_t; + type ecryptfs_t; -+ ') -+ + ') + +- allow $1 fusefs_t:filesystem unmount; + manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t) + allow $1 ecryptfs_t:dir manage_dir_perms; -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Mounton a FUSEFS filesystem. +## Create, read, write, and delete files +## on a FUSEFS filesystem. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. 
+## -+## + ## +## -+# + # +-interface(`fs_mounton_fusefs',` +- gen_require(` +- type fusefs_t; +- ') +interface(`fs_read_ecryptfs_files',` + gen_require(` + type ecryptfs_t; + ') -+ + +- allow $1 fusefs_t:dir mounton; + read_files_pattern($1, ecryptfs_t, ecryptfs_t) + ') + + ######################################## + ## +-## Search directories ++## Create, read, write, and delete files + ## on a FUSEFS filesystem. + ## + ## +@@ -1859,18 +2027,19 @@ interface(`fs_mounton_fusefs',` + ## + ## + # +-interface(`fs_search_fusefs',` ++interface(`fs_manage_ecryptfs_files',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') + +- allow $1 fusefs_t:dir search_dir_perms; ++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to list the contents +-## of directories on a FUSEFS filesystem. ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. + ## + ## + ## +@@ -1878,135 +2047,151 @@ interface(`fs_search_fusefs',` + ## + ## + # +-interface(`fs_dontaudit_list_fusefs',` ++interface(`fs_dontaudit_manage_ecryptfs_files',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') + +- dontaudit $1 fusefs_t:dir list_dir_perms; ++ dontaudit $1 ecryptfs_t:file manage_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete directories +-## on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`fs_manage_fusefs_dirs',` ++interface(`fs_read_ecryptfs_symlinks',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') + +- allow $1 fusefs_t:dir manage_dir_perms; ++ allow $1 ecryptfs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) + ') + +-######################################## ++####################################### + ## +-## Do not audit attempts to create, read, +-## write, and delete directories +-## on a FUSEFS filesystem. ++## Dontaudit append files on ecrypt filesystem. + ## + ## +-## +-## Domain to not audit. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`fs_dontaudit_manage_fusefs_dirs',` ++interface(`fs_dontaudit_append_ecryptfs_files',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') +- +- dontaudit $1 fusefs_t:dir manage_dir_perms; ++ dontaudit $1 ecryptfs_t:file append; + ') + + ######################################## + ## +-## Read, a FUSEFS filesystem. ++## Manage symbolic links on a FUSEFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_read_fusefs_files',` ++interface(`fs_manage_ecryptfs_symlinks',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') + +- read_files_pattern($1, fusefs_t, fusefs_t) ++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) + ') + + ######################################## + ## +-## Execute files on a FUSEFS filesystem. ++## Execute a file on a FUSE filesystem ++## in the specified domain. + ## ++## ++##

++## Execute a file on a FUSE filesystem ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. This is not suggested. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## home directories on FUSE filesystems, ++## in particular used by the ssh-agent policy. ++##

++##
+ ## + ## +-## Domain allowed access. ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. + ## + ## +-## + # +-interface(`fs_exec_fusefs_files',` ++interface(`fs_ecryptfs_domtrans',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) + ') + + ######################################## + ## +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. ++## Mount a FUSE filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_manage_fusefs_files',` ++interface(`fs_mount_fusefs',` + gen_require(` + type fusefs_t; + ') + +- manage_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:filesystem mount; + ') + + ######################################## + ## +-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. ++## Unmount a FUSE filesystem. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_unmount_fusefs',` + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; ++ allow $1 fusefs_t:filesystem unmount; + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. ++## Mounton a FUSEFS filesystem. + ## + ## + ## +@@ -2014,41 +2199,297 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## + ## + # +-interface(`fs_read_fusefs_symlinks',` ++interface(`fs_mounton_fusefs',` + gen_require(` + type fusefs_t; + ') + +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:dir mounton; + ') + + ######################################## + ## +-## Get the attributes of an hugetlbfs +-## filesystem. ++## Search directories ++## on a FUSEFS filesystem. 
+ ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_getattr_hugetlbfs',` ++interface(`fs_search_fusefs',` + gen_require(` +- type hugetlbfs_t; ++ type fusefs_t; + ') + +- allow $1 hugetlbfs_t:filesystem getattr; ++ allow $1 fusefs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## List hugetlbfs. ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir list_dir_perms; +') + +######################################## +## -+## Create, read, write, and delete files ++## Create, read, write, and delete directories +## on a FUSEFS filesystem. +## +## @@ -14672,18 +15007,18 @@ index 8416beb..75c7b9d 100644 +## +## +# -+interface(`fs_manage_ecryptfs_files',` ++interface(`fs_manage_fusefs_dirs',` + gen_require(` -+ type ecryptfs_t; ++ type fusefs_t; + ') + -+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t) ++ allow $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## -+## Do not audit attempts to create, -+## read, write, and delete files ++## Do not audit attempts to create, read, ++## write, and delete directories +## on a FUSEFS filesystem. +## +## 
@@ -14692,119 +15027,113 @@ index 8416beb..75c7b9d 100644 +## +## +# -+interface(`fs_dontaudit_manage_ecryptfs_files',` ++interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` -+ type ecryptfs_t; ++ type fusefs_t; + ') + -+ dontaudit $1 ecryptfs_t:file manage_file_perms; ++ dontaudit $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## -+## Read symbolic links on a FUSEFS filesystem. ++## Read, a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`fs_read_ecryptfs_symlinks',` ++interface(`fs_read_fusefs_files',` + gen_require(` -+ type ecryptfs_t; ++ type fusefs_t; + ') + -+ allow $1 ecryptfs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ++ read_files_pattern($1, fusefs_t, fusefs_t) +') + -+####################################### ++######################################## +## -+## Dontaudit append files on ecrypt filesystem. ++## Execute files on a FUSEFS filesystem. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## ++## +# -+interface(`fs_dontaudit_append_ecryptfs_files',` ++interface(`fs_exec_fusefs_files',` + gen_require(` -+ type ecryptfs_t; ++ type fusefs_t; + ') -+ dontaudit $1 ecryptfs_t:file append; ++ ++ exec_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## -+## Manage symbolic links on a FUSEFS filesystem. ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`fs_manage_ecryptfs_symlinks',` ++interface(`fs_manage_fusefs_files',` + gen_require(` -+ type ecryptfs_t; ++ type fusefs_t; + ') + -+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ++ manage_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## -+## Execute a file on a FUSE filesystem -+## in the specified domain. 
++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. +## -+## -+##

-+## Execute a file on a FUSE filesystem -+## in the specified domain. This allows -+## the specified domain to execute any file -+## on these filesystems in the specified -+## domain. This is not suggested. -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##

-+## This interface was added to handle -+## home directories on FUSE filesystems, -+## in particular used by the ssh-agent policy. -+##

-+##
+## +## -+## Domain allowed to transition. ++## Domain to not audit. +## +## -+## ++# ++interface(`fs_dontaudit_manage_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read symbolic links on a FUSEFS filesystem. ++## ++## +## -+## The type of the new process. ++## Domain allowed access. +## +## +# -+interface(`fs_ecryptfs_domtrans',` ++interface(`fs_read_fusefs_symlinks',` + gen_require(` -+ type ecryptfs_t; ++ type fusefs_t; + ') + -+ allow $1 ecryptfs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, ecryptfs_t, $2) ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) +') + - ######################################## - ## - ## Mount a FUSE filesystem. -@@ -2025,6 +2385,87 @@ interface(`fs_read_fusefs_symlinks',` - - ######################################## - ## ++######################################## ++## +## Manage symbolic links on a FUSEFS filesystem. +## +## @@ -14886,9 +15215,33 @@ index 8416beb..75c7b9d 100644 + +######################################## +## - ## Get the attributes of an hugetlbfs - ## filesystem. - ## ++## Get the attributes of an hugetlbfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:filesystem getattr; ++') ++ ++######################################## ++## ++## List hugetlbfs. ++## ++## ++## ++## Domain allowed access. + ## + ## + # @@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## 
@@ -15181,19 +15534,10 @@ index 8416beb..75c7b9d 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +3853,53 @@ interface(`fs_list_nfsd_fs',` - ## - ## - # --interface(`fs_getattr_nfsd_files',` -+interface(`fs_getattr_nfsd_files',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ -+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) -+') -+ +@@ -3263,6 +3861,24 @@ interface(`fs_getattr_nfsd_files',` + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + +####################################### +## +## read files on an nfsd filesystem @@ -15212,9 +15556,14 @@ index 8416beb..75c7b9d 100644 + read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + -+######################################## -+## -+## Read and write NFS server files. + ######################################## + ## + ## Read and write NFS server files. +@@ -3283,6 +3899,24 @@ interface(`fs_rw_nfsd_fs',` + + ######################################## + ## ++## Manage NFS server files. +## +## +## @@ -15222,37 +15571,19 @@ index 8416beb..75c7b9d 100644 +## +## +# -+interface(`fs_rw_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - -- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) -+ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - - ######################################## - ## --## Read and write NFS server files. -+## Manage NFS server files. - ## - ## - ## -@@ -3273,12 +3907,12 @@ interface(`fs_getattr_nfsd_files',` - ## - ## - # --interface(`fs_rw_nfsd_fs',` +interface(`fs_manage_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - -- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - - ######################################## ++') ++ ++######################################## ++## + ## Allow the type to associate to ramfs filesystems. + ## + ## @@ -3392,7 +4026,7 @@ interface(`fs_search_ramfs',` ######################################## 
@@ -15280,11 +15611,12 @@ index 8416beb..75c7b9d 100644 ## ## ## -@@ -3815,6 +4449,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3743,25 +4377,61 @@ interface(`fs_getattr_rpc_pipefs',` - ######################################## + ######################################### ## -+## Mount on tmpfs directories. +-## Read and write RPC pipe filesystem named pipes. ++## Read and write RPC pipe filesystem named pipes. +## +## +## 
@@ -15292,20 +15624,119 @@ index 8416beb..75c7b9d 100644 +## +## +# -+interface(`fs_mounton_tmpfs', ` ++interface(`fs_rw_rpc_named_pipes',` ++ gen_require(` ++ type rpc_pipefs_t; ++ ') ++ ++ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Mount a tmpfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:dir mounton; ++ allow $1 tmpfs_t:filesystem mount; +') + +######################################## +## - ## Get the attributes of a tmpfs - ## filesystem. ++## Dontaudit remount a tmpfs filesystem. ## -@@ -3908,7 +4560,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_rw_rpc_named_pipes',` ++interface(`fs_dontaudit_remount_tmpfs',` + gen_require(` +- type rpc_pipefs_t; ++ type tmpfs_t; + ') + +- allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 tmpfs_t:filesystem remount; + ') + + ######################################## + ## +-## Mount a tmpfs filesystem. ++## Remount a tmpfs filesystem. + ## + ## + ## +@@ -3769,17 +4439,17 @@ interface(`fs_rw_rpc_named_pipes',` + ## + ## + # +-interface(`fs_mount_tmpfs',` ++interface(`fs_remount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:filesystem mount; ++ allow $1 tmpfs_t:filesystem remount; + ') + + ######################################## + ## +-## Remount a tmpfs filesystem. ++## Unmount a tmpfs filesystem. + ## + ## + ## +@@ -3787,17 +4457,17 @@ interface(`fs_mount_tmpfs',` + ## + ## + # +-interface(`fs_remount_tmpfs',` ++interface(`fs_unmount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:filesystem remount; ++ allow $1 tmpfs_t:filesystem unmount; + ') + + ######################################## + ## +-## Unmount a tmpfs filesystem. ++## Mount on tmpfs directories. 
+ ## + ## + ## +@@ -3805,12 +4475,12 @@ interface(`fs_remount_tmpfs',` + ## + ## + # +-interface(`fs_unmount_tmpfs',` ++interface(`fs_mounton_tmpfs', ` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:filesystem unmount; ++ allow $1 tmpfs_t:dir mounton; + ') + + ######################################## +@@ -3908,7 +4578,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -15314,7 +15745,7 @@ index 8416beb..75c7b9d 100644 ## ## ## -@@ -3916,17 +4568,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4586,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -15335,7 +15766,7 @@ index 8416beb..75c7b9d 100644 ## ## ## -@@ -3934,17 +4586,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4604,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -15356,7 +15787,7 @@ index 8416beb..75c7b9d 100644 ## ## ## -@@ -3952,17 +4604,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4622,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -15396,7 +15827,7 @@ index 8416beb..75c7b9d 100644 ## ## ## -@@ -3970,31 +4641,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4659,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -15452,7 +15883,7 @@ index 8416beb..75c7b9d 100644 ') ######################################## -@@ -4105,7 +4793,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4811,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -15461,7 +15892,7 @@ index 8416beb..75c7b9d 100644 ') ######################################## -@@ -4165,6 +4853,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4871,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -15486,7 +15917,7 @@ index 8416beb..75c7b9d 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +4908,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4926,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## 
@@ -15495,7 +15926,7 @@ index 8416beb..75c7b9d 100644 ## ## ## -@@ -4221,6 +4927,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4945,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -15556,7 +15987,7 @@ index 8416beb..75c7b9d 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5038,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5056,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -15601,7 +16032,7 @@ index 8416beb..75c7b9d 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5095,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5113,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -15627,7 +16058,7 @@ index 8416beb..75c7b9d 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5320,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5338,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -15636,7 +16067,7 @@ index 8416beb..75c7b9d 100644 ') ######################################## -@@ -4549,7 +5368,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5386,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -15645,7 +16076,7 @@ index 8416beb..75c7b9d 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5415,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5433,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -15672,7 +16103,7 @@ index 8416beb..75c7b9d 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +5510,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +5528,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -15698,7 +16129,7 @@ index 8416beb..75c7b9d 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +5770,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5788,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -15889,7 +16320,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..f45a698 100644 +index e100d88..991e1a5 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -16516,7 +16947,7 @@ index e100d88..f45a698 100644 ## Unconfined access to kernel module resources. ##
## -@@ -2972,5 +3280,583 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3280,628 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -16757,7 +17188,7 @@ index e100d88..f45a698 100644 + ') + + write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) -+') + ') + +######################################## +## @@ -17100,7 +17531,52 @@ index e100d88..f45a698 100644 + ') + + allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms; - ') ++') ++ ++######################################## ++## ++## Execute an unlabeled file in the specified domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`kernel_unlabeled_domtrans',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ++ domain_transition_pattern($1, unlabeled_t, $2) ++ type_transition $1 unlabeled_t:process $2; ++') ++ ++######################################## ++## ++## Make general progams without labeles an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which unlabeled_t is an entrypoint. ++## ++## ++# ++interface(`kernel_unlabeled_entry_type',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ domain_entry_file($1, unlabeled_t) ++') ++ diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 8dbab4c..96d9a91 100644 --- a/policy/modules/kernel/kernel.te @@ -18602,10 +19078,10 @@ index 156c333..02f5a3c 100644 + dev_manage_generic_blk_files(fixed_disk_raw_write) +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 0ea25b6..01b968e 100644 +index 0ea25b6..37069ae 100644 --- a/policy/modules/kernel/terminal.fc 
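Review bot: The summary of the new `kernel_unlabeled_entry_type` interface in kernel.if has two typos ("progams without labeles"), and neither new interface tells callers how wide the grant is. `unlabeled_t` is the type objects receive when their label is missing or invalid, so `domain_entry_file($1, unlabeled_t)` makes every such file a valid entrypoint for the caller's domain, and `kernel_unlabeled_domtrans` adds an automatic `type_transition` on top of that. I would reword the summary to `Make unlabeled files an entrypoint for the specified domain.` and add a description block to both interfaces stating that scope, so they are only used where files legitimately lack labels. No caller is visible in this hunk, so the intended user cannot be confirmed from here.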
+++ b/policy/modules/kernel/terminal.fc -@@ -14,11 +14,12 @@ +@@ -14,12 +14,13 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) @@ -18615,10 +19091,12 @@ index 0ea25b6..01b968e 100644 +/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +-/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) - /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) ++/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) @@ -42,3 +43,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) @@ -34352,7 +34830,7 @@ index b50c5fe..13da95a 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..8c67cd0 100644 +index 4e94884..7ab6191 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -34470,7 +34948,7 @@ index 4e94884..8c67cd0 100644 - allow $1 devlog_t:lnk_file read_lnk_file_perms; - allow $1 devlog_t:sock_file write_sock_file_perms; -+ allow $1 devlog_t:lnk_file manage_sock_file_perms; ++ allow $1 devlog_t:lnk_file manage_lnk_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") + init_pid_filetrans($1, devlog_t, sock_file, "syslog") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") 
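Review bot: The new terminal.fc pattern `/dev/vport.*` is wider than the entry it replaces and than its neighbours, because `.*` also matches `/`, so any character device below a path beginning with /dev/vport would be labelled virtio_device_t. The adjacent entries stop at the path component (`/dev/ip2[^/]*`, `/dev/xvc[^/]*`); the matching form here would be `/dev/vport[^/]* -c gen_context(system_u:object_r:virtio_device_t,s0)`. If the wider match is intended, a comment naming the device names it has to cover would make that explicit.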
@@ -37728,7 +38206,7 @@ index d43f3b1..870bc36 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..8a23b62 100644 +index 3822072..8893bcf 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -38365,7 +38843,7 @@ index 3822072..8a23b62 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1618,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -38397,7 +38875,6 @@ index 3822072..8a23b62 100644 + mls_file_read_all_levels($1) + + selinux_get_enforce_mode($1) -+ selinux_set_enforce_mode($1) + + seutil_manage_bin_policy($1) + @@ -38489,7 +38966,7 @@ index 3822072..8a23b62 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..90ff61b 100644 +index dc46420..f064846 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -38880,7 +39357,7 @@ index dc46420..90ff61b 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +514,87 @@ optional_policy(` +@@ -440,81 +514,88 @@ optional_policy(` # semodule local policy # @@ -38920,6 +39397,7 @@ index dc46420..90ff61b 100644 -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: ++selinux_set_enforce_mode(semanage_t) selinux_set_all_booleans(semanage_t) +can_exec(semanage_t, semanage_exec_t) 
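Review bot: The added `selinux_set_enforce_mode(semanage_t)` in the selinuxutil.te hunk lets semanage_t switch the system between enforcing and permissive, but it replaces the `# for setsebool:` comment with no explanation, and the 3.13.1-123 changelog does not mention it. The same commit drops `selinux_set_enforce_mode($1)` from an interface in selinuxutil.if whose name lies outside the hunk, so this may be a move of the permission rather than a new grant; a comment should say which, e.g. `# setenforce moved here from the interface in selinuxutil.if: <reason / BZ placeholder>`. The `dev_rw_inherited_input_dev($1_usertype)` line added to `userdom_common_user_template` in userdomain.if is likewise unexplained and applies to every user type built from that template.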
@@ -39021,7 +39499,7 @@ index dc46420..90ff61b 100644 ') ######################################## -@@ -522,111 +602,197 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +603,197 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -39364,10 +39842,10 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18..b328c40 100644 +index 40edc18..95f4458 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -17,23 +17,27 @@ ifdef(`distro_debian',` +@@ -17,23 +17,29 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -39382,6 +39860,8 @@ index 40edc18..b328c40 100644 /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0) ++/etc/resolv-secure.conf.* gen_context(system_u:object_r:net_conf_t,s0) ++/etc/\.resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) @@ -39400,7 +39880,7 @@ index 40edc18..b328c40 100644 # # /sbin -@@ -44,6 +48,7 @@ ifdef(`distro_redhat',` +@@ -44,6 +50,7 @@ ifdef(`distro_redhat',` /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 
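Review bot: The new sysnetwork.fc entry `/etc/resolv-secure.conf.*` leaves the dot before `conf` unescaped, unlike the neighbouring `/etc/resolv\.conf.*`, so it matches any character there; it should read `/etc/resolv-secure\.conf.*`. The sysnetwork.if hunk of this commit also adds a named transition for `.resolv-secure.conf.dnssec-trigger`, but neither new pattern covers that leading-dot name, since `/etc/\.resolv\.conf.*` only matches `.resolv.conf…`. Unless another entry outside this hunk covers it, a relabel would reset that file from net_conf_t to the default type for /etc. Adding `/etc/\.resolv-secure\.conf.*	gen_context(system_u:object_r:net_conf_t,s0)` would keep the file contexts and the named transitions in agreement.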
@@ -39408,7 +39888,7 @@ index 40edc18..b328c40 100644 /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -@@ -55,6 +60,21 @@ ifdef(`distro_redhat',` +@@ -55,6 +62,21 @@ ifdef(`distro_redhat',` # # /usr # @@ -39430,7 +39910,7 @@ index 40edc18..b328c40 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -77,3 +97,6 @@ ifdef(`distro_debian',` +@@ -77,3 +99,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') @@ -39438,7 +39918,7 @@ index 40edc18..b328c40 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..8dbfc5b 100644 +index 2cea692..fd3a212 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39807,7 +40287,7 @@ index 2cea692..8dbfc5b 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1010,122 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
@@ -39877,6 +40357,9 @@ index 2cea692..8dbfc5b 100644 + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") ++ files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf") ++ files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger") ++ files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") @@ -41847,10 +42330,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..85428ce +index 0000000..f3a8fe7 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,712 @@ +@@ -0,0 +1,713 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -42094,7 +42577,7 @@ index 0000000..85428ce +# systemd-networkd local policy +# + -+allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap }; ++allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap }; +allow systemd_networkd_t self:process { getcap setcap }; + +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -42108,6 +42591,7 @@ index 0000000..85428ce +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + +kernel_dgram_send(systemd_networkd_t) ++kernel_request_load_module(systemd_networkd_t) + +dev_read_sysfs(systemd_networkd_t) + @@ -43965,7 +44449,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + 
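Review bot: Adding `dac_override` to the `systemd_networkd_t` capability set in the systemd.te hunk lets the daemon ignore file mode bits on everything its type rules reach, which is usually wider than the denial that prompted it. If that denial was a read or a directory search, `dac_read_search` is the narrower grant; if it came from a file with the wrong owner or mode, fixing the ownership avoids the capability altogether. The changelog lists neither this nor the added `kernel_request_load_module(systemd_networkd_t)`, so I would put a comment above the `allow` line such as `# dac_override: <reason / BZ placeholder>`.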
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..6498859 100644 +index 9dc60c6..41ef467 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -44566,7 +45050,7 @@ index 9dc60c6..6498859 100644 ') ') -@@ -491,51 +664,68 @@ template(`userdom_common_user_template',` +@@ -491,51 +664,69 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -44620,6 +45104,7 @@ index 9dc60c6..6498859 100644 + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) ++ dev_rw_inherited_input_dev($1_usertype) - files_exec_etc_files($1_t) - files_search_locks($1_t) @@ -44659,7 +45144,7 @@ index 9dc60c6..6498859 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +736,132 @@ template(`userdom_common_user_template',` +@@ -546,93 +737,132 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -44830,7 +45315,7 @@ index 9dc60c6..6498859 100644 ') optional_policy(` -@@ -642,23 +871,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +872,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -44859,7 +45344,7 @@ index 9dc60c6..6498859 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +898,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +899,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -44868,7 +45353,7 @@ index 9dc60c6..6498859 100644 ') optional_policy(` -@@ -680,9 +907,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +908,9 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -44881,7 +45366,7 @@ index 9dc60c6..6498859 100644 ') ') -@@ -693,32 +920,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +921,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44928,7 +45413,7 @@ index 9dc60c6..6498859 100644 ') ') -@@ -743,17 +973,32 @@ template(`userdom_common_user_template',` +@@ -743,17 +974,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -44965,7 +45450,7 @@ index 9dc60c6..6498859 100644 userdom_change_password_template($1) -@@ -761,83 +1006,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +1007,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -45109,7 +45594,7 @@ index 9dc60c6..6498859 100644 ') ####################################### -@@ -868,6 +1137,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1138,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -45122,7 +45607,7 @@ index 9dc60c6..6498859 100644 ############################## # # Local policy -@@ -907,53 +1182,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1183,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -45278,7 +45763,7 @@ index 9dc60c6..6498859 100644 ') ####################################### -@@ -987,27 +1346,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1347,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -45316,7 +45801,7 @@ index 9dc60c6..6498859 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1383,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1384,63 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -45390,7 +45875,7 @@ index 9dc60c6..6498859 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1448,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1449,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -45401,7 +45886,7 @@ index 9dc60c6..6498859 100644 ') ') -@@ -1079,7 +1486,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1487,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -45412,7 +45897,7 @@ index 9dc60c6..6498859 100644 ') ############################## -@@ -1095,6 +1504,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1505,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -45420,7 +45905,7 @@ index 9dc60c6..6498859 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1515,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1516,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -45437,7 +45922,7 @@ index 9dc60c6..6498859 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1532,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1533,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -45445,7 +45930,7 @@ index 9dc60c6..6498859 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1550,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1551,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
@@ -45461,7 +45946,7 @@ index 9dc60c6..6498859 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1569,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1570,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -45506,7 +45991,7 @@ index 9dc60c6..6498859 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1613,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -45515,7 +46000,7 @@ index 9dc60c6..6498859 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1621,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1622,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -45538,7 +46023,7 @@ index 9dc60c6..6498859 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1671,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1672,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -45547,7 +46032,7 @@ index 9dc60c6..6498859 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1681,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1682,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -45556,7 +46041,7 @@ index 9dc60c6..6498859 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1695,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1696,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -45568,7 +46053,7 @@ index 9dc60c6..6498859 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1709,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1710,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -45611,7 +46096,7 @@ index 9dc60c6..6498859 100644 ') optional_policy(` -@@ -1357,14 +1794,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1795,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -45630,7 +46115,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -1397,12 +1837,51 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1838,51 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -45683,7 +46168,7 @@ index 9dc60c6..6498859 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1988,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1989,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -45715,7 +46200,7 @@ index 9dc60c6..6498859 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2054,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2055,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -45730,7 +46215,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -1570,9 +2077,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2078,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45742,7 +46227,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -1613,6 +2122,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2123,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -45767,7 +46252,7 @@ index 9dc60c6..6498859 100644 ## Relabel to user home directories. ## ## -@@ -1629,6 +2156,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2157,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45810,7 +46295,7 @@ index 9dc60c6..6498859 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1704,10 +2267,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2268,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -45825,7 +46310,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -1741,10 +2306,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2307,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45840,7 +46325,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -1769,7 +2336,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2337,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -45849,7 +46334,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -1777,19 +2344,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2345,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -45873,7 +46358,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -1797,55 +2362,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2363,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -45944,7 +46429,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -1853,18 +2418,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2419,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -45972,7 +46457,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -1872,41 +2438,178 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,41 +2439,178 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -46166,7 +46651,7 @@ index 9dc60c6..6498859 100644 ## ## # -@@ -1938,7 +2641,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2642,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -46175,7 +46660,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -1946,10 +2649,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2650,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -46188,7 +46673,7 @@ index 9dc60c6..6498859 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2660,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2661,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -46197,7 +46682,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -1966,12 +2668,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2669,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -46266,7 +46751,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2007,8 +2763,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2764,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -46276,7 +46761,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2024,20 +2779,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2780,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -46301,7 +46786,7 @@ index 9dc60c6..6498859 100644 ######################################## ## -@@ -2120,7 +2869,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2870,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -46310,7 +46795,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2128,19 +2877,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2878,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -46334,7 +46819,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2148,12 +2895,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2896,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -46350,7 +46835,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2388,18 +3135,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3136,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -46408,7 +46893,7 @@ index 9dc60c6..6498859 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3197,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3198,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -46417,7 +46902,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2455,6 +3238,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3239,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -46443,7 +46928,7 @@ index 9dc60c6..6498859 100644 ######################################## ## -@@ -2538,7 +3340,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3341,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -46452,7 +46937,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2546,19 +3348,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3349,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -46475,7 +46960,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2566,19 +3368,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3369,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -46498,7 +46983,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2586,12 +3388,53 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,12 +3389,53 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -46554,7 +47039,7 @@ index 9dc60c6..6498859 100644 files_search_tmp($1) ') -@@ -2661,6 +3504,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3505,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -46576,7 +47061,7 @@ index 9dc60c6..6498859 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3530,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3531,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` 
@@ -46598,7 +47083,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2692,19 +3545,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3546,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -46621,7 +47106,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2713,13 +3560,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3561,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -46682,7 +47167,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2814,6 +3704,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3705,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -46707,7 +47192,7 @@ index 9dc60c6..6498859 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3740,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3741,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -46750,7 +47235,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -2856,14 +3776,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3777,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -46788,7 +47273,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2882,8 +3821,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3822,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -46818,7 +47303,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -2955,69 +3913,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3914,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -46919,7 +47404,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -3025,12 +3982,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3983,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46934,7 +47419,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -3094,7 +4051,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4052,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46943,7 +47428,7 @@ index 9dc60c6..6498859 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4067,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4068,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46977,7 +47462,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -3214,7 +4155,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4156,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -47004,7 +47489,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -3269,12 +4228,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4229,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -47020,7 +47505,7 @@ index 9dc60c6..6498859 100644 ## ## ## -@@ -3282,49 +4242,125 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4243,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -47160,7 +47645,7 @@ index 9dc60c6..6498859 100644 ') ######################################## -@@ -3382,6 +4418,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4419,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -47203,7 +47688,7 @@ index 9dc60c6..6498859 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4474,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4475,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -47264,7 +47749,7 @@ index 9dc60c6..6498859 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4561,1687 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4562,1687 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index cf8f382..6d743c7 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -6,21 +6,19 @@ index 0000000..bea5755 @@ -0,0 +1 @@ +TAGS diff --git a/abrt.fc b/abrt.fc -index 1a93dc5..7a7d67e 100644 +index 1a93dc5..f2b26f5 100644 --- a/abrt.fc 
+++ b/abrt.fc -@@ -1,31 +1,48 @@ +@@ -1,31 +1,46 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) ++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) ++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) -/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) -/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) -+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+ +/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) + +/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) @@ -548,7 +546,7 @@ index 058d908..158acba 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..ab4ab96 100644 +index eb50f07..7f6a8b6 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1008,7 +1006,7 @@ index eb50f07..ab4ab96 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override }; ++allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override }; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; 
@@ -1051,7 +1049,7 @@ index eb50f07..ab4ab96 100644 ####################################### # -@@ -404,25 +512,54 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1070,6 +1068,10 @@ index eb50f07..ab4ab96 100644 logging_read_all_logs(abrt_watch_log_t) +logging_send_syslog_msg(abrt_watch_log_t) + ++optional_policy(` ++ gnome_list_home_config(abrt_watch_log_t) ++') ++ +tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') @@ -1108,7 +1110,7 @@ index eb50f07..ab4ab96 100644 ') ####################################### -@@ -430,10 +567,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -24843,10 +24845,10 @@ index 0000000..457d4dd +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..7f0943f +index 0000000..46f4d2c --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,63 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -24891,6 +24893,7 @@ index 0000000..7f0943f +domain_use_interactive_fds(dnssec_trigger_t) + +files_read_etc_runtime_files(dnssec_trigger_t) ++files_dontaudit_list_tmp(dnssec_trigger_t) + +logging_send_syslog_msg(dnssec_trigger_t) + @@ -24898,6 +24901,7 @@ index 0000000..7f0943f + +sysnet_dns_name_resolve(dnssec_trigger_t) +sysnet_manage_config(dnssec_trigger_t) ++sysnet_filetrans_named_content(dnssec_trigger_t) + +optional_policy(` + bind_domtrans(dnssec_trigger_t) @@ -24905,7 +24909,9 @@ index 0000000..7f0943f + bind_read_dnssec_keys(dnssec_trigger_t) +') + -+ ++optional_policy(` ++ networkmanager_stream_connect(dnssec_trigger_t) ++') diff --git a/dnssectrigger.te b/dnssectrigger.te index c7bb4e7..e6fe2f40 100644 --- a/dnssectrigger.te 
@@ -39792,7 +39798,7 @@ index 628b78b..fe65617 100644 - -miscfiles_read_localization(keyboardd_t) diff --git a/keystone.fc b/keystone.fc -index b273d80..9b6e9bd 100644 +index b273d80..6b2b50d 100644 --- a/keystone.fc +++ b/keystone.fc @@ -1,7 +1,13 @@ @@ -39802,7 +39808,7 @@ index b273d80..9b6e9bd 100644 /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) -+/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0) ++/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0) + /var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0) @@ -46189,10 +46195,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..1bf717f +index 0000000..86766b0 --- /dev/null +++ b/mock.te -@@ -0,0 +1,277 @@ +@@ -0,0 +1,278 @@ +policy_module(mock,1.0.0) + +## @@ -46327,6 +46333,7 @@ index 0000000..1bf717f +term_search_ptys(mock_t) +term_mount_pty_fs(mock_t) +term_unmount_pty_fs(mock_t) ++term_use_ptmx(mock_t) + +auth_use_nsswitch(mock_t) + @@ -46809,17 +46816,16 @@ index 0000000..e7220a5 +logging_send_syslog_msg(mon_procd_t) + diff --git a/mongodb.fc b/mongodb.fc -index 6fcfc31..1719247 100644 +index 6fcfc31..91adcaf 100644 --- a/mongodb.fc +++ b/mongodb.fc -@@ -1,9 +1,14 @@ +@@ -1,9 +1,13 @@ /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) -/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) -+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0) /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 775acc1..9c3b13e 100644 --- a/selinux-policy.spec 
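Review bot: The replacement entry `/var/www/cgi-bin/keystone(/.*)?` in keystone.fc has no file-type field, so the directory and any non-script file under it also receive keystone_cgi_script_exec_t. The neighbouring `/usr/bin/keystone-all` line narrows itself with `--`. An executable CGI label on everything below a web-served path is broader than the changelog's "CGI scripts" suggests, so consider `--` entries for the scripts themselves if the layout allows it. The change also stops labelling /usr/share/keystone, so on-disk contexts set by 3.13.1-122 match the new policy only after a relabel such as `restorecon -R /usr/share/keystone /var/www/cgi-bin/keystone`. Whether the package scriptlets take care of that is not visible in this hunk.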
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 122%{?dist} +Release: 123%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Apr 14 2015 Lukas Vrabec 3.13.1-123 +- Allow abrtd to list home config. BZ(1199658) +- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250) +- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) +- Allow mock_t to use ptmx. BZ(1181333) +- Allow dnssec_trigger_t to stream connect to networkmanager. +- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t +- Fix labeling for keystone CGI scripts. + * Tue Apr 07 2015 Lukas Vrabec 3.13.1-122 - Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013) - Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)