From 730301d1ae4892587a75bb4d2322f392c8847b07 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 03 2017 12:00:48 +0000 Subject: * Mon Apr 03 2017 Lukas Vrabec - 3.13.1-225.12 - Allow drbd load modules - Revert "Add sys_module capability for drbd" - Fix cockpit module - Allow sssd responders to run as socket activated services - Allow radius_t domain ptrace - Update pcp SELinux module to reflect all pcp changes - Revert "Remove tomcat_t domain from unconfined domains" - Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t - Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability - Update targetd policy - Label /run/haproxy.sock socket as haproxy_var_run_t - Allow oddjob_mkhomedir_t to manage autofs_t dirs. - Allow tomcat to connect on http_cache_port_t - Allow nova domain search for httpd configuration. - Add sys_module capability for drbd - Allow cloud_init to send dbus messages to the init system - Dontaudit postfix domains to request modules - Add haproxy_t domain fowner capability - Allow domain transition from ntpd_t to hwclock_t domains - Allow cockpit_session_t setrlimit and sys_resource - Dontaudit svirt_t read state of libvirtd domain - Update httpd and gssproxy modules to reflect latest changes in freeipa - Make fwupd_var_lib_t type mountpoint. BZ(1429341) - Remove tomcat_t domain from unconfined domains - Create new boolean: sanlock_enable_home_dirs() - Allow mdadm_t domain to read/write nvme_device_t - Allow cyrus stream connect to gssproxy - Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules - Allow colord_t to read systemd hwdb.bin file - Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t - Allow ptp4l wake_alarm capability - Add nmbd_t capability2 block_suspend - Add domain transition from sosreport_t to iptables_t --- 
diff --git a/container-selinux.tgz b/container-selinux.tgz index ebb3ecc..bea3569 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index b5ecae0..3ca1b3f 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -6461,7 +6461,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..1ed65a0 100644 +index b31c054..0becf07 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6504,7 +6504,7 @@ index b31c054..1ed65a0 100644 /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) +/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) ++/dev/mei[0-9]* -c gen_context(system_u:object_r:mei_device_t,s0) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/memory_bandwidth -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) @@ -6632,7 +6632,7 @@ index b31c054..1ed65a0 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..72f99c0 100644 +index 76f285e..881eeef 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7731,7 +7731,7 @@ index 76f285e..72f99c0 100644 ') ######################################## -@@ -3144,6 +3767,61 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3767,80 @@ interface(`dev_create_null_dev',` ######################################## ## 
@@ -7790,10 +7790,29 @@ index 76f285e..72f99c0 100644 + +######################################## +## ++## Read/Write Non-Volatile Memory Host Controller Interface. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_nvme',` ++ gen_require(` ++ type nvme_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, nvme_device_t) ++ rw_blk_files_pattern($1, device_t, nvme_device_t) ++') ++ ++######################################## ++## ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3841,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3860,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7818,7 +7837,7 @@ index 76f285e..72f99c0 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3950,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3969,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7845,7 +7864,7 @@ index 76f285e..72f99c0 100644 ## ## ## -@@ -3262,12 +3976,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3995,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7862,7 +7881,7 @@ index 76f285e..72f99c0 100644 ') ######################################## -@@ -3399,7 +4114,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4133,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7871,7 +7890,7 @@ index 76f285e..72f99c0 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4128,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4147,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -7880,7 +7899,7 @@ index 76f285e..72f99c0 100644 ') ######################################## -@@ -3855,7 +4570,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4589,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
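Review bot: The new `dev_rw_nvme` interface grants read/write on nvme_device_t as both chr_file and blk_file, which is raw access to whole NVMe namespaces: a caller can read or overwrite any data on those disks regardless of the file labels on the filesystems they hold, and the one-line summary does not say so. Suggest extending the interface description with `## Read and write NVMe character and block device nodes. This is raw disk access that bypasses file-level access control; grant only to storage-management domains.` The changelog names mdadm_t as the consumer, but that allow is not in this hunk, so the scope of who gets the interface cannot be checked here. The interface body is complete within this hunk.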
@@ -7889,7 +7908,7 @@ index 76f285e..72f99c0 100644 ## ## ## -@@ -3863,91 +4578,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4597,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8000,7 +8019,7 @@ index 76f285e..72f99c0 100644 ## ## ## -@@ -3955,68 +4668,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,60 +4687,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8066,38 +8085,30 @@ index 76f285e..72f99c0 100644 ') - rw_files_pattern($1, sysfs_t, sysfs_t) -- read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- -- list_dirs_pattern($1, sysfs_t, sysfs_t) + dontaudit $1 sysfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read and write the TPM device. ++') ++ ++######################################## ++## +## List the contents of the sysfs directories. - ## - ## - ## -@@ -4024,17 +4722,262 @@ interface(`dev_rw_sysfs',` - ## - ## - # --interface(`dev_rw_tpm',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_list_sysfs',` - gen_require(` -- type device_t, tpm_device_t; ++ gen_require(` + type sysfs_t; - ') - -- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ ') ++ + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read from pseudo random number generator devices (e.g., /dev/urandom). ++') ++ ++######################################## ++## +## Write in a sysfs directories. +## +## @@ -8242,13 +8253,13 @@ index 76f285e..72f99c0 100644 + ') + + rw_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) +@@ -4016,6 +4903,81 @@ interface(`dev_rw_sysfs',` + + ######################################## + ## +## Relabel hardware state directories. +## +## 
@@ -8324,29 +8335,10 @@ index 76f285e..72f99c0 100644 + +######################################## +## -+## Read and write the TPM device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_tpm',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ -+######################################## -+## -+## Read from pseudo random number generator devices (e.g., /dev/urandom). + ## Read and write the TPM device. ## - ## - ##

-@@ -4113,6 +5056,25 @@ interface(`dev_write_urand',` + ## +@@ -4113,6 +5075,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -8372,7 +8364,7 @@ index 76f285e..72f99c0 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5085,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5104,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -8381,12 +8373,62 @@ index 76f285e..72f99c0 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',` +@@ -4409,9 +5390,9 @@ interface(`dev_rw_usbfs',` + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + +-######################################## ++###################################### + ## +-## Get the attributes of video4linux devices. ++## Read and write userio device. + ## + ## + ## +@@ -4419,17 +5400,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_userio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, userio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Get the attributes of video4linux devices. + ## + ## + ## +@@ -4437,12 +5418,12 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_getattr_video_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, v4l_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## +@@ -4539,6 +5520,134 @@ interface(`dev_write_video_dev',` ######################################## ## --## Allow caller to get a list of usb hardware. -+## Allow caller to get a list of usb hardware. ++## Get the attributes of vfio devices. +## +## +## 
@@ -8394,40 +8436,36 @@ index 76f285e..72f99c0 100644 +## +## +# -+interface(`dev_list_usbfs',` ++interface(`dev_getattr_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_files_pattern($1, usbfs_t, usbfs_t) -+ -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Set the attributes of usbfs filesystem. ++## Do not audit attempts to get the attributes ++## of vfio device nodes. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`dev_setattr_usbfs_files',` ++interface(`dev_dontaudit_getattr_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type vfio_device_t; + ') + -+ setattr_files_pattern($1, usbfs_t, usbfs_t) -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 vfio_device_t:chr_file getattr; +') + +######################################## +## -+## Read USB hardware information using -+## the usbfs filesystem interface. ++## Set the attributes of vfio device nodes. +## +## +## 
@@ -8435,39 +8473,36 @@ index 76f285e..72f99c0 100644 +## +## +# -+interface(`dev_read_usbfs',` ++interface(`dev_setattr_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ read_files_pattern($1, usbfs_t, usbfs_t) -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Allow caller to modify usb hardware configuration files. ++## Do not audit attempts to set the attributes ++## of vfio device nodes. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`dev_rw_usbfs',` ++interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type vfio_device_t; + ') + -+ list_dirs_pattern($1, usbfs_t, usbfs_t) -+ rw_files_pattern($1, usbfs_t, usbfs_t) -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 vfio_device_t:chr_file setattr; +') + -+###################################### ++######################################## +## -+## Read and write userio device. ++## Read the vfio devices. +## +## +## @@ -8475,17 +8510,17 @@ index 76f285e..72f99c0 100644 +## +## +# -+interface(`dev_rw_userio_dev',` ++interface(`dev_read_vfio_dev',` + gen_require(` -+ type device_t, userio_device_t; ++ type device_t, vfio_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, userio_device_t) ++ read_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Get the attributes of video4linux devices. ++## Write the vfio devices. +## +## +## 
@@ -8493,36 +8528,42 @@ index 76f285e..72f99c0 100644 +## +## +# -+interface(`dev_getattr_video_dev',` ++interface(`dev_write_vfio_dev',` + gen_require(` -+ type device_t, v4l_device_t; ++ type device_t, vfio_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ write_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Do not audit attempts to get the attributes -+## of video4linux device nodes. ++## Read and write the VFIO devices. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_rw_vfio_dev',` + gen_require(` -+ type v4l_device_t; ++ type device_t, vfio_device_t; + ') + -+ dontaudit $1 v4l_device_t:chr_file getattr; ++ rw_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Set the attributes of video4linux device nodes. + ## Allow read/write the vhost net device + ## + ## +@@ -4557,6 +5666,24 @@ interface(`dev_rw_vhost',` + + ######################################## + ## ++## Allow read/write inheretid the vhost net device +## +## +## 
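Review bot: The summary line added for `dev_rw_inherited_vhost` reads `## Allow read/write inheretid the vhost net device`, which is misspelled and does not state the one thing a caller needs to know, that only an already-open descriptor is usable. From the body in the following hunk the rule appears to be `allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;` with no search on device_t, so the node cannot be opened through this interface. Suggest `## Read and write an inherited (already open) vhost net device file descriptor; no permission to open the node is granted.` The interface definition starts at the end of this hunk and continues in the next one.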
@@ -8530,296 +8571,20 @@ index 76f285e..72f99c0 100644 +## +## +# -+interface(`dev_setattr_video_dev',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` -+ type device_t, v4l_device_t; ++ type device_t, vhost_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, v4l_device_t) ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## -+## Do not audit attempts to set the attributes -+## of video4linux device nodes. + ## Read and write VMWare devices. ## ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_list_usbfs',` -+interface(`dev_dontaudit_setattr_video_dev',` - gen_require(` -- type usbfs_t; -+ type v4l_device_t; - ') - -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- getattr_files_pattern($1, usbfs_t, usbfs_t) -- -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ dontaudit $1 v4l_device_t:chr_file setattr; - ') - - ######################################## - ## --## Set the attributes of usbfs filesystem. -+## Read the video4linux devices. - ## - ## - ## -@@ -4359,19 +5473,17 @@ interface(`dev_list_usbfs',` - ## - ## - # --interface(`dev_setattr_usbfs_files',` -+interface(`dev_read_video_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, v4l_device_t; - ') - -- setattr_files_pattern($1, usbfs_t, usbfs_t) -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ read_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## - ## --## Read USB hardware information using --## the usbfs filesystem interface. -+## Write the video4linux devices. 
- ## - ## - ## -@@ -4379,19 +5491,17 @@ interface(`dev_setattr_usbfs_files',` - ## - ## - # --interface(`dev_read_usbfs',` -+interface(`dev_write_video_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, v4l_device_t; - ') - -- read_files_pattern($1, usbfs_t, usbfs_t) -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ write_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## - ## --## Allow caller to modify usb hardware configuration files. -+## Get the attributes of vfio devices. - ## - ## - ## -@@ -4399,37 +5509,36 @@ interface(`dev_read_usbfs',` - ## - ## - # --interface(`dev_rw_usbfs',` -+interface(`dev_getattr_vfio_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, vfio_device_t; - ') - -- list_dirs_pattern($1, usbfs_t, usbfs_t) -- rw_files_pattern($1, usbfs_t, usbfs_t) -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Get the attributes of video4linux devices. -+## Do not audit attempts to get the attributes -+## of vfio device nodes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_getattr_video_dev',` -+interface(`dev_dontaudit_getattr_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type vfio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ dontaudit $1 vfio_device_t:chr_file getattr; - ') - --###################################### -+######################################## - ## --## Read and write userio device. -+## Set the attributes of vfio device nodes. 
- ## - ## - ## -@@ -4437,18 +5546,18 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` -+interface(`dev_setattr_vfio_dev',` - gen_require(` -- type device_t, userio_device_t; -+ type device_t, vfio_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ setattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of video4linux device nodes. -+## Do not audit attempts to set the attributes -+## of vfio device nodes. - ## - ## - ## -@@ -4456,17 +5565,17 @@ interface(`dev_rw_userio_dev',` - ## - ## - # --interface(`dev_dontaudit_getattr_video_dev',` -+interface(`dev_dontaudit_setattr_vfio_dev',` - gen_require(` -- type v4l_device_t; -+ type vfio_device_t; - ') - -- dontaudit $1 v4l_device_t:chr_file getattr; -+ dontaudit $1 vfio_device_t:chr_file setattr; - ') - - ######################################## - ## --## Set the attributes of video4linux device nodes. -+## Read the vfio devices. - ## - ## - ## -@@ -4474,36 +5583,35 @@ interface(`dev_dontaudit_getattr_video_dev',` - ## - ## - # --interface(`dev_setattr_video_dev',` -+interface(`dev_read_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- setattr_chr_files_pattern($1, device_t, v4l_device_t) -+ read_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Do not audit attempts to set the attributes --## of video4linux device nodes. -+## Write the vfio devices. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`dev_dontaudit_setattr_video_dev',` -+interface(`dev_write_vfio_dev',` - gen_require(` -- type v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- dontaudit $1 v4l_device_t:chr_file setattr; -+ write_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Read the video4linux devices. -+## Read and write the VFIO devices. - ## - ## - ## -@@ -4511,17 +5619,17 @@ interface(`dev_dontaudit_setattr_video_dev',` - ## - ## - # --interface(`dev_read_video_dev',` -+interface(`dev_rw_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- read_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Write the video4linux devices. -+## Allow read/write the vhost net device - ## - ## - ## -@@ -4529,17 +5637,17 @@ interface(`dev_read_video_dev',` - ## - ## - # --interface(`dev_write_video_dev',` -+interface(`dev_rw_vhost',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vhost_device_t; - ') - -- write_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, vhost_device_t) - ') - - ######################################## - ## --## Allow read/write the vhost net device -+## Allow read/write inheretid the vhost net device - ## - ## - ## -@@ -4547,12 +5655,12 @@ interface(`dev_write_video_dev',` - ## - ## - # --interface(`dev_rw_vhost',` -+interface(`dev_rw_inherited_vhost',` - gen_require(` - type device_t, vhost_device_t; - ') - -- rw_chr_files_pattern($1, device_t, vhost_device_t) -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## -@@ -4630,6 +5738,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5757,24 @@ interface(`dev_write_watchdog',` ######################################## ## 
@@ -8844,7 +8609,7 @@ index 76f285e..72f99c0 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5888,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5907,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8889,7 +8654,7 @@ index 76f285e..72f99c0 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',` +@@ -4851,3 +6034,1022 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -10097,7 +9862,7 @@ index 0b1a871..29965c3 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..1a2713b 100644 +index 6a1e4d1..08fd8e4 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -10343,7 +10108,7 @@ index 6a1e4d1..1a2713b 100644 ## Unconfined access to domains. ##
## -@@ -1530,4 +1632,82 @@ interface(`domain_unconfined',` +@@ -1530,4 +1632,101 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -10425,12 +10190,31 @@ index 6a1e4d1..1a2713b 100644 + ') + + allow $1 domain:process setrlimit; ++') ++ ++######################################## ++## ++## Allow set resource limits to all domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`domain_rlimitinh_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ allow $1 domain:process rlimitinh; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..43876e0 100644 +index cf04cb5..0d258dc 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te -@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) +@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0) # # Declarations # @@ -10467,13 +10251,21 @@ index cf04cb5..43876e0 100644 ## gen_tunable(mmap_low_allowed, false) ++## ++##
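Review bot: The description of the new `domain_rlimitinh_all_domains` interface, `## Allow set resource limits to all domains.`, is copied from `domain_setrlimit_all_domains` just above it and describes the wrong permission. `process rlimitinh` is evaluated on a domain transition between the old and new context and decides whether the caller's resource limits are carried into the new domain (when denied, the kernel clamps the soft limits), not whether the caller may change limits; with `domain` as the target, every transition out of $1 keeps $1's limits. Suggest `## Allow the caller's resource limits to be inherited by processes it transitions into any domain (process rlimitinh), e.g. so that limits set by init apply to the services it starts.` The interface is complete within this hunk.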

++## Allow all domains write to kmsg_device, ++## while kernel is executed with systemd.log_target=kmsg parameter. ++##

++##
++gen_tunable(domain_can_write_kmsg, false) ++ # Mark process types as domains attribute domain; +attribute named_filetrans_domain; # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,55 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +118,59 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -10524,13 +10316,17 @@ index cf04cb5..43876e0 100644 + userdom_search_admin_dir(domain) +') + ++tunable_policy(`domain_can_write_kmsg',` ++ dev_write_kmsg(domain) ++') ++ +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +177,19 @@ tunable_policy(`global_ssp',` +@@ -121,8 +189,19 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -10550,7 +10346,7 @@ index cf04cb5..43876e0 100644 ') optional_policy(` -@@ -133,6 +200,9 @@ optional_policy(` +@@ -133,6 +212,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -10560,7 +10356,7 @@ index cf04cb5..43876e0 100644 ') ######################################## -@@ -145,14 +215,21 @@ optional_policy(` +@@ -145,14 +227,21 @@ optional_policy(` # be used on an attribute. # Use/sendto/connectto sockets created by any domain. @@ -10583,7 +10379,7 @@ index cf04cb5..43876e0 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +237,382 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +249,382 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -10968,7 +10764,7 @@ index cf04cb5..43876e0 100644 + unconfined_server_stream_connect(domain) +') 
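Review bot: The `domain_can_write_kmsg` tunable description says when it is meant to be used but not what it exposes: once enabled, the matching `tunable_policy` block in the next hunk on this line applies `dev_write_kmsg(domain)`, so every confined process can write to /dev/kmsg and inject arbitrary lines into the kernel ring buffer, where consumers such as journald or log-based detection may not distinguish them from kernel output unless they check the facility, and can also flood the buffer. Defaulting it to false is right; the description should carry the caveat so the boolean is not enabled casually. Suggest appending `## Enabling this lets any domain write arbitrary messages into the kernel log (log injection); leave off unless systemd.log_target=kmsg is actually in use.` to the tunable's description.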
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..03f9342 100644 +index b876c48..d7cfba9 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -11088,7 +10884,7 @@ index b876c48..03f9342 100644 /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> -@@ -150,10 +162,10 @@ ifdef(`distro_debian',` +@@ -150,17 +162,22 @@ ifdef(`distro_debian',` # # /opt # @@ -11101,20 +10897,20 @@ index b876c48..03f9342 100644 # # /proc -@@ -161,6 +173,12 @@ ifdef(`distro_debian',` - /proc -d <> + # +-/proc -d <> /proc/.* <> +ifdef(`distro_redhat',` +/rhev -d gen_context(system_u:object_r:mnt_t,s0) +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) -+/rhev/[^/]*/.* <> ++/rhev/[^/]*/.* gen_context(system_u:object_r:mnt_t,s0) +') + # # /run # -@@ -169,6 +187,7 @@ ifdef(`distro_debian',` +@@ -169,6 +186,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -11122,7 +10918,7 @@ index b876c48..03f9342 100644 # # /selinux # -@@ -178,13 +197,14 @@ ifdef(`distro_debian',` +@@ -178,13 +196,14 @@ ifdef(`distro_debian',` # # /srv # @@ -11139,7 +10935,7 @@ index b876c48..03f9342 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +214,11 @@ ifdef(`distro_debian',` +@@ -194,9 +213,11 @@ ifdef(`distro_debian',` # # /usr # @@ -11152,7 +10948,7 @@ index b876c48..03f9342 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +226,9 @@ ifdef(`distro_debian',` +@@ -204,15 +225,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -11169,7 +10965,7 @@ index b876c48..03f9342 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +236,6 @@ ifdef(`distro_debian',` +@@ -220,8 +235,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` 
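Review bot: The new entry `/rhev/[^/]*/.* gen_context(system_u:object_r:mnt_t,s0)` replaces the `<<none>>` marker (rendered here as `<>`) and diverges from the `/mnt/[^/]*/.* <<none>>` convention kept two lines above it. With a real context, a recursive restorecon will descend into whatever is mounted under /rhev/<name>/ and, on any xattr-capable filesystem there, relabel its contents to mnt_t, discarding more specific labels; on NFS storage, which is presumably the usual case for /rhev, the change has no effect. Unless relabeling mounted content is intended, suggest keeping `/rhev/[^/]*/.* <<none>>` and only labeling the mount point directories as mnt_t.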
@@ -11178,7 +10974,7 @@ index b876c48..03f9342 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,19 +243,33 @@ ifndef(`distro_redhat',` +@@ -229,19 +242,33 @@ ifndef(`distro_redhat',` # # /var # @@ -11215,7 +11011,7 @@ index b876c48..03f9342 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +284,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +283,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -11230,7 +11026,7 @@ index b876c48..03f9342 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +301,5 @@ ifdef(`distro_debian',` +@@ -271,3 +300,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -20486,7 +20282,7 @@ index e100d88..7a08793 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..88c7112 100644 +index 8dbab4c..a2f0d06 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -20549,7 +20345,15 @@ index 8dbab4c..88c7112 100644 type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) -@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) +@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) + + # /proc/net/rpc directory and files + type sysctl_rpc_t, sysctl_type; ++fs_associate_proc(sysctl_rpc_t) + genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) + + # /proc/sys/crypto directory and files +@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) @@ -20564,7 +20368,7 @@ index 8dbab4c..88c7112 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) @@ -20575,7 +20379,7 @@ index 8dbab4c..88c7112 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) 
@@ -20590,7 +20394,7 @@ index 8dbab4c..88c7112 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +223,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -20598,7 +20402,7 @@ index 8dbab4c..88c7112 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -20606,7 +20410,7 @@ index 8dbab4c..88c7112 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +278,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -20632,7 +20436,7 @@ index 8dbab4c..88c7112 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +301,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -20642,7 +20446,7 @@ index 8dbab4c..88c7112 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,13 +315,23 @@ files_list_root(kernel_t) +@@ -277,13 +316,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
@@ -20666,7 +20470,7 @@ index 8dbab4c..88c7112 100644 ifdef(`distro_redhat',` # Bugzilla 222337 -@@ -291,11 +339,29 @@ ifdef(`distro_redhat',` +@@ -291,11 +340,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -20696,7 +20500,7 @@ index 8dbab4c..88c7112 100644 ') optional_policy(` -@@ -305,6 +371,19 @@ optional_policy(` +@@ -305,6 +372,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -20716,7 +20520,7 @@ index 8dbab4c..88c7112 100644 ') optional_policy(` -@@ -312,6 +391,11 @@ optional_policy(` +@@ -312,6 +392,11 @@ optional_policy(` ') optional_policy(` @@ -20728,7 +20532,7 @@ index 8dbab4c..88c7112 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +416,6 @@ optional_policy(` +@@ -332,9 +417,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -20738,7 +20542,7 @@ index 8dbab4c..88c7112 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +424,7 @@ optional_policy(` +@@ -343,9 +425,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -20749,7 +20553,7 @@ index 8dbab4c..88c7112 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +433,7 @@ optional_policy(` +@@ -354,7 +434,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -20758,7 +20562,7 @@ index 8dbab4c..88c7112 100644 ') ') -@@ -364,9 +443,22 @@ optional_policy(` +@@ -364,9 +444,22 @@ optional_policy(` ') optional_policy(` @@ -20781,7 +20585,7 @@ index 8dbab4c..88c7112 100644 ######################################## # # Unlabeled process local policy -@@ -388,6 +480,8 @@ optional_policy(` +@@ -388,6 +481,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; 
@@ -20790,7 +20594,7 @@ index 8dbab4c..88c7112 100644 # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; -@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +494,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -35300,7 +35104,7 @@ index 79a45f6..6126f21 100644 + allow $1 init_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..25e49cf 100644 +index 17eda24..b7c9304 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -35505,15 +35309,17 @@ index 17eda24..25e49cf 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +236,25 @@ domain_signal_all_domains(init_t) +@@ -139,14 +236,26 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +- +-files_read_etc_files(init_t) +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) +domain_setrlimit_all_domains(init_t) - --files_read_etc_files(init_t) ++domain_rlimitinh_all_domains(init_t) ++ +files_read_config_files(init_t) +files_read_all_pids(init_t) +files_read_system_conf_files(init_t) @@ -35532,7 +35338,7 @@ index 17eda24..25e49cf 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +263,73 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +264,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) 
@@ -35595,10 +35401,10 @@ index 17eda24..25e49cf 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ -+udev_manage_rules_files(init_t) -miscfiles_read_localization(init_t) ++udev_manage_rules_files(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) @@ -35611,7 +35417,7 @@ index 17eda24..25e49cf 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +338,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +339,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -35850,18 +35656,18 @@ index 17eda24..25e49cf 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) ++') ++ ++optional_policy(` ++ lldpad_relabel_tmpfs(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ lldpad_relabel_tmpfs(init_t) ++ consolekit_manage_log(init_t) ') optional_policy(` -+ consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -35882,21 +35688,21 @@ index 17eda24..25e49cf 100644 +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) -+') -+ -+optional_policy(` -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) -+ plymouthd_filetrans_named_content(init_t) ') optional_policy(` - nscd_use(init_t) ++ plymouthd_stream_connect(init_t) ++ plymouthd_exec_plymouth(init_t) ++ plymouthd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +614,30 @@ optional_policy(` +@@ -216,7 +615,30 @@ optional_policy(` ') optional_policy(` @@ -35928,7 +35734,7 @@ index 17eda24..25e49cf 100644 ') ######################################## -@@ -225,9 +646,9 @@ optional_policy(` +@@ -225,9 +647,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -35940,7 +35746,7 @@ index 17eda24..25e49cf 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +679,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +680,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -35957,7 +35763,7 @@ index 17eda24..25e49cf 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +704,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +705,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -36000,7 +35806,7 @@ index 17eda24..25e49cf 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +741,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +742,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -36012,7 +35818,7 @@ index 17eda24..25e49cf 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +753,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +754,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -36023,7 +35829,7 @@ index 17eda24..25e49cf 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +764,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +765,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -36033,7 +35839,7 @@ index 17eda24..25e49cf 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +773,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +774,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -36041,7 +35847,7 @@ index 17eda24..25e49cf 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +780,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +781,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -36049,7 +35855,7 @@ index 17eda24..25e49cf 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +788,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +789,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -36067,7 +35873,7 @@ index 17eda24..25e49cf 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +806,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +807,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -36081,7 +35887,7 @@ index 17eda24..25e49cf 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +821,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +822,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -36095,7 +35901,7 @@ index 17eda24..25e49cf 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +834,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +835,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -36106,7 +35912,7 @@ index 17eda24..25e49cf 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +847,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +848,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -36114,7 +35920,7 @@ index 17eda24..25e49cf 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +866,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +867,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -36138,7 +35944,7 @@ index 17eda24..25e49cf 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +899,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +900,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -36146,7 +35952,7 @@ index 17eda24..25e49cf 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +933,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +934,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -36157,7 +35963,7 @@ index 17eda24..25e49cf 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +957,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +958,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -36166,7 +35972,7 @@ index 17eda24..25e49cf 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +972,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +973,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -36174,7 +35980,7 @@ index 17eda24..25e49cf 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +993,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +994,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -36182,7 +35988,7 @@ index 17eda24..25e49cf 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1003,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1004,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -36227,7 +36033,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -559,14 +1048,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1049,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -36259,7 +36065,7 @@ index 17eda24..25e49cf 100644 ') ') -@@ -577,6 +1083,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1084,39 @@ ifdef(`distro_suse',` ') ') @@ -36299,7 +36105,7 @@ index 17eda24..25e49cf 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1128,8 @@ optional_policy(` +@@ -589,6 +1129,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -36308,7 +36114,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -610,6 +1151,7 @@ optional_policy(` +@@ -610,6 +1152,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -36316,7 +36122,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -626,6 +1168,17 @@ optional_policy(` +@@ -626,6 +1169,17 @@ optional_policy(` ') optional_policy(` 
@@ -36334,7 +36140,7 @@ index 17eda24..25e49cf 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1195,13 @@ optional_policy(` +@@ -642,9 +1196,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -36348,7 +36154,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -657,15 +1214,11 @@ optional_policy(` +@@ -657,15 +1215,11 @@ optional_policy(` ') optional_policy(` @@ -36366,7 +36172,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -686,6 +1239,15 @@ optional_policy(` +@@ -686,6 +1240,15 @@ optional_policy(` ') optional_policy(` @@ -36382,7 +36188,7 @@ index 17eda24..25e49cf 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1288,7 @@ optional_policy(` +@@ -726,6 +1289,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -36390,7 +36196,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -743,7 +1306,13 @@ optional_policy(` +@@ -743,7 +1307,13 @@ optional_policy(` ') optional_policy(` @@ -36405,7 +36211,7 @@ index 17eda24..25e49cf 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1335,10 @@ optional_policy(` +@@ -766,6 +1336,10 @@ optional_policy(` ') optional_policy(` @@ -36416,7 +36222,7 @@ index 17eda24..25e49cf 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1348,20 @@ optional_policy(` +@@ -775,10 +1349,20 @@ optional_policy(` ') optional_policy(` @@ -36437,7 +36243,7 @@ index 17eda24..25e49cf 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1370,10 @@ optional_policy(` +@@ -787,6 +1371,10 @@ optional_policy(` ') optional_policy(` @@ -36448,7 +36254,7 @@ index 17eda24..25e49cf 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1395,6 @@ optional_policy(` +@@ -808,8 +1396,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -36457,7 +36263,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -818,6 +1403,10 @@ optional_policy(` +@@ -818,6 +1404,10 @@ optional_policy(` ') optional_policy(` @@ -36468,7 +36274,7 @@ index 17eda24..25e49cf 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1416,12 @@ optional_policy(` +@@ -827,10 +1417,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -36481,7 +36287,7 @@ index 17eda24..25e49cf 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1448,62 @@ optional_policy(` +@@ -857,21 +1449,62 @@ optional_policy(` ') optional_policy(` @@ -36545,7 +36351,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -887,6 +1519,10 @@ optional_policy(` +@@ -887,6 +1520,10 @@ optional_policy(` ') optional_policy(` @@ -36556,7 +36362,7 @@ index 17eda24..25e49cf 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1533,218 @@ optional_policy(` +@@ -897,3 +1534,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -37419,10 +37225,10 @@ index 312cd04..102b975 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..63c7fc0 100644 +index 73a1c4e..1ca98b8 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,48 @@ +@@ -1,22 +1,49 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -37485,6 +37291,7 @@ index 73a1c4e..63c7fc0 100644 +/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0) + +/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0) ++/var/lock/subsys/ip6tables -- gen_context(system_u:object_r:iptables_lock_t,s0) + +/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if @@ -37765,7 +37572,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..5d62107 100644 +index 73bb3c0..a70bee5 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -37943,7 +37750,7 @@ index 73bb3c0..5d62107 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +315,158 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -38097,6 +37904,8 @@ index 73bb3c0..5d62107 100644 + +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:lib_t,s0) ++ +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40552,10 +40361,10 @@ index 79048c4..262c9ec 100644 udev_read_pid_files(lvm_t) ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..cf3a4a6 100644 +index 9fe8e01..c62c761 100644 
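Review bot: The added `/var/lock/subsys/ip6tables` entry duplicates the `/var/lock/subsys/iptables` line directly above it, while the same file already folds the pair into one pattern at its top (`/etc/rc\.d/init\.d/ip6?tables`). One entry keeps the two in step: `/var/lock/subsys/ip6?tables -- gen_context(system_u:object_r:iptables_lock_t,s0)`. Either form labels the same files, so this is only a style point.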
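Review bot: The new `/usr/lib/erlang/erts-[^/]*/bin/epmd -- … lib_t` line labels a daemon executable as a library type, so no domain transition is defined for it and whichever domain executes it keeps its own context; nothing in the hunk says whether that is intended or a workaround for a broader pattern that would otherwise claim the path. A one-line comment above the entry stating the reason, e.g. `# epmd: keep lib_t, no confined domain for it (yet)`, would stop the next reader from "fixing" it either way. If epmd is expected to run confined, a dedicated exec type would be needed instead.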
--- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc -@@ -9,11 +9,15 @@ ifdef(`distro_gentoo',` +@@ -9,11 +9,16 @@ ifdef(`distro_gentoo',` # /etc # /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) @@ -40567,13 +40376,14 @@ index 9fe8e01..cf3a4a6 100644 +/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/etc/(letsencrypt|certbot)/(live|archive)(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/ipa/nssdb(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0) ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,24 +41,20 @@ ifdef(`distro_redhat',` +@@ -37,24 +42,20 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -40603,7 +40413,7 @@ index 9fe8e01..cf3a4a6 100644 /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -77,7 +77,7 @@ ifdef(`distro_redhat',` +@@ -77,7 +78,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) @@ -40612,7 +40422,7 @@ index 9fe8e01..cf3a4a6 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +90,7 @@ ifdef(`distro_debian',` +@@ -90,6 +91,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -45132,14 +44942,14 @@ index a392fc4..b7497fc 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..a0ed66f +index 0000000..21963a2 --- /dev/null +++ b/policy/modules/system/systemd.fc 
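Review bot: The new `/etc/(letsencrypt|certbot)/(live|archive)(/.*)?` entry puts everything under those directories on `cert_t`, and certbot keeps the private keys (`privkey.pem` in live/, `privkeyN.pem` in archive/) next to the certificates there. `cert_t` is the generic, widely readable certificate type — this same patch hands it to domains via `miscfiles_read_generic_certs(abrt_t)` — so the private keys become readable by every domain that can read generic certs. Narrow the match to the public material, e.g. (constructed) `/etc/(letsencrypt|certbot)/(live|archive)/[^/]+/(cert|chain|fullchain)[0-9]*\.pem gen_context(system_u:object_r:cert_t,s0)`, and leave the key files on their default label or a dedicated key type.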
@@ -0,0 +1,72 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + -+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) ++/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) + @@ -47019,7 +46829,7 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0c415d2 +index 0000000..5146f85 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,980 @@ @@ -47443,6 +47253,7 @@ index 0000000..0c415d2 + +optional_policy(` + unconfined_dbus_acquire_svc(systemd_networkd_t) ++ unconfined_dbus_send(systemd_networkd_t) +') + +####################################### @@ -47712,8 +47523,7 @@ index 0000000..0c415d2 + +manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) -+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" ) -+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" ) ++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file) + +kernel_dgram_send(systemd_hostnamed_t) +kernel_read_xen_state(systemd_hostnamed_t) diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index f484928..89e228b 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..d53d1e0 100644 +index eb50f07..a6d7fa7 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
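Review bot: The hostname labelling is widened in two places at once: the fc entry becomes `/etc/.*hostname.*`, which matches any path under /etc (at any depth) that merely contains the string "hostname", and in systemd.te the two named transitions are replaced by a bare `files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)`, so every regular file systemd_hostnamed_t creates directly in /etc now lands on `hostname_etc_t`, a type that domain may `manage`. Together these let hostnamed write files in /etc that have nothing to do with the hostname. Keep the pattern anchored to the real files, `/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)` (plus any specific variant the change is meant to cover), and keep the named `files_etc_filetrans(..., "hostname")` and `(..., "machine-info")` calls that the removed lines had. The fc hunk ends here; the filetrans change is in the systemd.te hunk further along this line.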
@@ -838,11 +838,11 @@ index eb50f07..d53d1e0 100644 +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) -+ + +auth_use_nsswitch(abrt_t) + +init_read_utmp(abrt_t) - ++ +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) @@ -870,7 +870,7 @@ index eb50f07..d53d1e0 100644 ') optional_policy(` -@@ -222,6 +255,32 @@ optional_policy(` +@@ -222,6 +255,36 @@ optional_policy(` ') optional_policy(` @@ -886,6 +886,10 @@ index eb50f07..d53d1e0 100644 +') + +optional_policy(` ++ mta_send_mail(abrt_t) ++') ++ ++optional_policy(` + mcelog_read_log(abrt_t) +') + @@ -903,7 +907,7 @@ index eb50f07..d53d1e0 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,15 +293,22 @@ optional_policy(` +@@ -234,18 +297,25 @@ optional_policy(` ') optional_policy(` @@ -922,11 +926,17 @@ index eb50f07..d53d1e0 100644 rpm_signull(abrt_t) ') +-optional_policy(` +- sendmail_domtrans(abrt_t) +-') +# to run mailx plugin ++#optional_policy(` ++# sendmail_domtrans(abrt_t) ++#') + optional_policy(` - sendmail_domtrans(abrt_t) - ') -@@ -253,9 +319,21 @@ optional_policy(` + sosreport_domtrans(abrt_t) +@@ -253,9 +323,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -949,7 +959,7 @@ index eb50f07..d53d1e0 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +344,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +348,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
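Review bot: The `sendmail_domtrans(abrt_t)` block is commented out rather than removed, and the `# to run mailx plugin` comment is now stranded above three dead lines while the replacement rule, `mta_send_mail(abrt_t)`, sits in its own block earlier in this hunk (the `@@ -222,6 +255,36 @@` region). Delete the three `#optional_policy(` … `#')` lines and move `# to run mailx plugin` above the `mta_send_mail(abrt_t)` block so the comment documents the rule that is actually in effect. Version control already preserves the old form.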
@@ -964,7 +974,7 @@ index eb50f07..d53d1e0 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +363,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +367,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -972,7 +982,7 @@ index eb50f07..d53d1e0 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +372,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +376,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -993,7 +1003,7 @@ index eb50f07..d53d1e0 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +393,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +397,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1020,7 +1030,7 @@ index eb50f07..d53d1e0 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +429,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +433,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1034,7 +1044,7 @@ index eb50f07..d53d1e0 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +447,11 @@ optional_policy(` +@@ -343,10 +451,11 @@ optional_policy(` ####################################### # 
@@ -1048,7 +1058,7 @@ index eb50f07..d53d1e0 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +470,79 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +474,79 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1132,7 +1142,7 @@ index eb50f07..d53d1e0 100644 ####################################### # -@@ -404,25 +550,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +554,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1195,7 +1205,7 @@ index eb50f07..d53d1e0 100644 ') ####################################### -@@ -430,10 +611,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +615,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -5518,7 +5528,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..248b38c 100644 +index 6649962..2e31ff5 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6772,7 +6782,7 @@ index 6649962..248b38c 100644 ') optional_policy(` -@@ -786,35 +969,60 @@ optional_policy(` +@@ -786,35 +969,61 @@ optional_policy(` ') optional_policy(` @@ -6795,7 +6805,8 @@ index 6649962..248b38c 100644 - ldap_tcp_connect(httpd_t) - ') +optional_policy(` -+ ipa_search_lib(httpd_t) ++ ipa_read_lib(httpd_t) ++ ipa_manage_pid_files(httpd_t) +') + +optional_policy(` @@ -6846,7 +6857,7 @@ index 6649962..248b38c 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1030,30 @@ optional_policy(` +@@ -822,8 +1031,30 @@ optional_policy(` ') optional_policy(` 
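Review bot: `ipa_manage_pid_files(httpd_t)` is granted unconditionally in the new ipa `optional_policy` block, while the very next context lines gate the comparable `memcached_manage_pid_files(httpd_t)` behind `tunable_policy(\`httpd_manage_ipa',`. Write access to another service's pid files is not something every httpd deployment needs, so the new call belongs inside that existing tunable, e.g. `tunable_policy(\`httpd_manage_ipa',` / `ipa_manage_pid_files(httpd_t)` / `')`, with `ipa_read_lib(httpd_t)` staying unconditional. The enclosing `optional_policy` block ends outside this hunk.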
@@ -6877,7 +6888,7 @@ index 6649962..248b38c 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1062,8 @@ optional_policy(` +@@ -832,6 +1063,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6886,7 +6897,7 @@ index 6649962..248b38c 100644 ') optional_policy(` -@@ -842,20 +1074,44 @@ optional_policy(` +@@ -842,20 +1075,44 @@ optional_policy(` ') optional_policy(` @@ -6937,7 +6948,7 @@ index 6649962..248b38c 100644 ') optional_policy(` -@@ -863,16 +1119,31 @@ optional_policy(` +@@ -863,16 +1120,31 @@ optional_policy(` ') optional_policy(` @@ -6971,7 +6982,7 @@ index 6649962..248b38c 100644 ') optional_policy(` -@@ -883,65 +1154,189 @@ optional_policy(` +@@ -883,65 +1155,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7183,7 +7194,7 @@ index 6649962..248b38c 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1345,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1346,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7337,7 +7348,7 @@ index 6649962..248b38c 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1430,107 @@ optional_policy(` +@@ -1083,172 +1431,107 @@ optional_policy(` ') ') @@ -7575,7 +7586,7 @@ index 6649962..248b38c 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1538,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1539,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7672,7 +7683,7 @@ index 6649962..248b38c 100644 ######################################## # -@@ -1321,8 +1613,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1614,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -7689,7 +7700,7 @@ index 6649962..248b38c 100644 ') ######################################## -@@ -1330,49 +1629,40 @@ optional_policy(` +@@ -1330,49 +1630,40 @@ optional_policy(` # User content local policy # @@ -7755,7 +7766,7 @@ index 6649962..248b38c 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1672,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1673,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -13585,7 +13596,7 @@ index 32e8265..ac74503 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..bc73da9 100644 +index e5b621c..eba4e6d 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13616,7 +13627,16 @@ index e5b621c..bc73da9 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) + kernel_read_system_state(chronyd_t) + kernel_read_network_state(chronyd_t) + ++clock_read_adjtime(chronyd_t) ++ + corenet_all_recvfrom_unlabeled(chronyd_t) + corenet_all_recvfrom_netlabel(chronyd_t) + corenet_udp_sendrecv_generic_if(chronyd_t) +@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -14574,10 +14594,10 @@ index 0000000..55fe0d6 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..af630a4 +index 0000000..27c0ed9 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,247 @@ +@@ -0,0 +1,249 @@ +policy_module(cloudform, 1.0) +######################################## +# 
@@ -14659,6 +14679,8 @@ index 0000000..af630a4 +manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t) +logging_log_filetrans(cloud_init_t, cloud_log_t, { file }) + ++init_dbus_chat(cloud_init_t) ++ +kernel_read_network_state(cloud_init_t) + +corenet_tcp_connect_http_port(cloud_init_t) @@ -15102,10 +15124,10 @@ index 5f306dd..cf347c6 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..9ed6fdc +index 0000000..bf80173 --- /dev/null +++ b/cockpit.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,13 @@ +# cockpit stuff + +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) @@ -15114,6 +15136,7 @@ index 0000000..9ed6fdc +/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) + @@ -15314,10 +15337,10 @@ index 0000000..d5920c0 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..e7b8c7e +index 0000000..0167d62 --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,115 @@ +@@ -0,0 +1,120 @@ +policy_module(cockpit, 1.0.0) + +######################################## 
@@ -15408,8 +15431,11 @@ index 0000000..e7b8c7e +# + +# cockpit-session changes to the actual logged in user -+allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid }; -+allow cockpit_session_t self:process { setexec setsched signal_perms }; ++allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid sys_resource}; ++allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit }; ++ ++read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) ++list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) + +manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) +manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) @@ -15422,6 +15448,8 @@ index 0000000..e7b8c7e +auth_manage_shadow(cockpit_session_t) +auth_write_login_records(cockpit_session_t) + ++corenet_tcp_bind_ssh_port(cockpit_session_t) ++ +# cockpit-session can execute cockpit-agent as the user +userdom_spec_domtrans_all_users(cockpit_session_t) +usermanage_read_crack_db(cockpit_session_t) @@ -15830,7 +15858,7 @@ index 8e27a37..c69be28 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 9f2dfb2..def3424 100644 +index 9f2dfb2..86836f9 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.1.0) @@ -15893,7 +15921,7 @@ index 9f2dfb2..def3424 100644 storage_getattr_fixed_disk_dev(colord_t) storage_getattr_removable_dev(colord_t) -@@ -100,19 +106,16 @@ init_read_state(colord_t) +@@ -100,19 +106,17 @@ init_read_state(colord_t) auth_use_nsswitch(colord_t) @@ -15908,6 +15936,7 @@ index 9f2dfb2..def3424 100644 - fs_read_nfs_files(colord_t) -') +systemd_read_logind_sessions_files(colord_t) ++systemd_hwdb_manage_config(colord_t) -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(colord_t) 
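Review bot: `corenet_tcp_bind_ssh_port(cockpit_session_t)` grants name_bind on the ssh port, i.e. the session helper may listen on port 22, which is unusual for a process that only ever acts as an ssh client; if the underlying denial was an outbound connection from cockpit-ssh, `corenet_tcp_connect_ssh_port(cockpit_session_t)` is the interface that matches, and a comment naming the operation (`# cockpit-ssh connects to remote sshd` or `# cockpit-ssh listens on the ssh port`) would make the intent checkable. The added `sys_resource` capability and `setrlimit` process permission go together and look right for a login-style helper. Minor style: `sys_resource}` lacks the space before the closing brace used on the neighbouring lines; the radius hunk later on this page (`ptrace}`) has the same nit.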
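Review bot: `systemd_hwdb_manage_config(colord_t)` grants more than the commit message describes ("read systemd hwdb.bin file"): a manage interface allows create, write and unlink on the hwdb config type, so colord could rewrite a database other daemons trust. If the observed denial was read-only, the systemd module's read interface for hwdb config, if it provides one, is the right call here; if colord really writes hwdb, the commit message should say so and a why-comment above the line (`# colord updates hwdb entries — confirm which`) is warranted. colord_t's policy continues outside this hunk.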
@@ -15920,7 +15949,7 @@ index 9f2dfb2..def3424 100644 optional_policy(` cups_read_config(colord_t) -@@ -120,6 +123,13 @@ optional_policy(` +@@ -120,6 +124,13 @@ optional_policy(` cups_read_state(colord_t) cups_stream_connect(colord_t) cups_dbus_chat(colord_t) @@ -15934,7 +15963,7 @@ index 9f2dfb2..def3424 100644 ') optional_policy(` -@@ -134,6 +144,23 @@ optional_policy(` +@@ -134,6 +145,23 @@ optional_policy(` ') optional_policy(` @@ -19257,7 +19286,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..e8010ba 100644 +index 7de3859..65e947c 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -19974,7 +20003,7 @@ index 7de3859..e8010ba 100644 ') optional_policy(` -@@ -598,7 +618,23 @@ optional_policy(` +@@ -598,7 +618,27 @@ optional_policy(` ') optional_policy(` @@ -19995,10 +20024,14 @@ index 7de3859..e8010ba 100644 + +optional_policy(` + rkhunter_manage_lib_files(system_cronjob_t) ++') ++ ++optional_policy(` ++ rhsmcertd_dbus_chat(system_cronjob_t) ') optional_policy(` -@@ -607,7 +643,12 @@ optional_policy(` +@@ -607,7 +647,12 @@ optional_policy(` ') optional_policy(` @@ -20011,7 +20044,7 @@ index 7de3859..e8010ba 100644 ') optional_policy(` -@@ -615,12 +656,27 @@ optional_policy(` +@@ -615,12 +660,27 @@ optional_policy(` ') optional_policy(` @@ -20041,7 +20074,7 @@ index 7de3859..e8010ba 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +688,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
@@ -20075,7 +20108,7 @@ index 7de3859..e8010ba 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +721,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -21964,7 +21997,7 @@ index 83bfda6..92d9fb2 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 4283f2d..21a3620 100644 +index 4283f2d..30b684c 100644 --- a/cyrus.te +++ b/cyrus.te @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) @@ -22017,7 +22050,7 @@ index 4283f2d..21a3620 100644 miscfiles_read_generic_certs(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) -@@ -121,6 +121,10 @@ optional_policy(` +@@ -121,6 +121,14 @@ optional_policy(` ') optional_policy(` @@ -22025,10 +22058,14 @@ index 4283f2d..21a3620 100644 +') + +optional_policy(` ++ gssproxy_stream_connect(cyrus_t) ++') ++ ++optional_policy(` kerberos_read_keytab(cyrus_t) kerberos_use(cyrus_t) ') -@@ -134,8 +138,8 @@ optional_policy(` +@@ -134,8 +142,8 @@ optional_policy(` ') optional_policy(` @@ -23897,14 +23934,14 @@ index 583a527..91c4104 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/devicekit.fc b/devicekit.fc -index ae49c9d..6eb0842 100644 +index ae49c9d..99a54eb 100644 --- a/devicekit.fc +++ b/devicekit.fc 
@@ -11,6 +11,8 @@ /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_exec_t,s0) ++/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/bin/udisksctl -- gen_context(system_u:object_r:devicekit_exec_t,s0) /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) @@ -25439,7 +25476,7 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..89f1271 +index 0000000..f9f9806 --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,203 @@ @@ -25524,7 +25561,7 @@ index 0000000..89f1271 + +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) -+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file) ++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { dir file }) +files_setattr_lock_dirs(dirsrv_t) + +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) @@ -27327,10 +27364,10 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..6b232ae 100644 +index f2516cc..af2c2ad 100644 --- a/drbd.te +++ b/drbd.te -@@ -18,38 +18,71 @@ files_type(drbd_var_lib_t) +@@ -18,38 +18,72 @@ files_type(drbd_var_lib_t) type drbd_lock_t; files_lock_file(drbd_lock_t) @@ -27373,7 +27410,8 @@ index f2516cc..6b232ae 100644 +files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir}) kernel_read_system_state(drbd_t) - ++kernel_load_module(drbd_t) ++ +auth_use_nsswitch(drbd_t) + +can_exec(drbd_t, drbd_exec_t) @@ -27381,7 +27419,7 @@ index f2516cc..6b232ae 100644 +corecmd_exec_bin(drbd_t) + +corenet_tcp_connect_http_port(drbd_t) -+ + dev_read_rand(drbd_t) dev_read_sysfs(drbd_t) dev_read_urand(drbd_t) 
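Review bot: `kernel_load_module(drbd_t)` lets the drbd utilities load kernel modules directly from their own domain, a privilege that reaches well beyond block-device management; the more common pattern in this policy is to transition to the module-loader domain (`modutils_domtrans_insmod(drbd_t)`) so the load happens in the confined loader with its own file-type restrictions. If drbdadm calls modprobe, the domain transition is enough and this rule can be dropped; if it calls init_module/finit_module itself, keep the rule but add a why-comment, e.g. `# drbdadm loads drbd.ko itself via finit_module()`. The denial that prompted this is not on the page, so treat the choice as something to confirm. drbd_t's policy continues outside the hunk.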
@@ -30725,10 +30763,10 @@ index 0000000..daef190 +') diff --git a/fwupd.te b/fwupd.te new file mode 100644 -index 0000000..e0bb02d +index 0000000..7bf263a --- /dev/null +++ b/fwupd.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,70 @@ +policy_module(fwupd, 1.0.0) + +######################################## @@ -30748,6 +30786,7 @@ index 0000000..e0bb02d + +type fwupd_var_lib_t; +files_type(fwupd_var_lib_t) ++files_mountpoint(fwupd_var_lib_t) + +type fwupd_unit_file_t; +systemd_unit_file(fwupd_unit_file_t) @@ -30774,13 +30813,18 @@ index 0000000..e0bb02d +manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t) +files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir }) + ++kernel_dgram_send(fwupd_t) ++ +auth_read_passwd(fwupd_t) + +dev_rw_sysfs(fwupd_t) +dev_rw_generic_usb_dev(fwupd_t) ++dev_read_raw_memory(fwupd_t) + +fs_getattr_all_fs(fwupd_t) + ++logging_send_syslog_msg(fwupd_t) ++ +udev_read_pid_files(fwupd_t) + +optional_policy(` @@ -36730,10 +36774,10 @@ index 0000000..2277038 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..dc1385d +index 0000000..5e43ca7 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,74 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -36796,6 +36840,10 @@ index 0000000..dc1385d +userdom_manage_user_tmp_files(gssproxy_t) + +optional_policy(` ++ ipa_read_lib(gssproxy_t) ++') ++ ++optional_policy(` + kerberos_use(gssproxy_t) + kerberos_filetrans_named_content(gssproxy_t) +') @@ -45839,10 +45887,10 @@ index 0000000..7ba5060 + diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 0000000..9f7ea8e +index 0000000..7acdb2d --- /dev/null +++ b/linuxptp.te -@@ -0,0 +1,179 @@ +@@ -0,0 +1,180 @@ +policy_module(linuxptp, 1.0.0) + + 
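Review bot: `dev_read_raw_memory(fwupd_t)` gives fwupd read access to memory_device_t, the type this policy puts on /dev/mem; reading raw physical memory lets the daemon read any other process's data, so the confinement of the rest of fwupd_t buys little once this is granted. fwupd typically wants SMBIOS/ACPI tables, which are also exposed under sysfs (fwupd_t already has `dev_rw_sysfs`), so it is worth checking whether the denial can be satisfied that way before adding /dev/mem. If the raw read is genuinely required, a comment stating which region it reads (`# fwupd reads <region — confirm> via /dev/mem`) would let the next reviewer judge it. The rest of fwupd_t's rules are outside this hunk.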
@@ -45995,6 +46043,7 @@ index 0000000..9f7ea8e +allow ptp4l_t self:shm create_shm_perms; +allow ptp4l_t self:udp_socket create_socket_perms; +allow ptp4l_t self:capability { net_admin net_raw sys_time }; ++allow ptp4l_t self:capability2 { wake_alarm }; +allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms; + +allow ptp4l_t phc2sys_t:unix_dgram_socket sendto; @@ -60800,10 +60849,10 @@ index 0000000..e328327 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..6c813d7 +index 0000000..a10559b --- /dev/null +++ b/nova.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,203 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -60943,6 +60992,10 @@ index 0000000..6c813d7 +libs_exec_ldconfig(nova_domain) + +optional_policy(` ++ apache_search_config(nova_domain) ++') ++ ++optional_policy(` + mysql_stream_connect(nova_domain) + mysql_read_db_lnk_files(nova_domain) +') @@ -63174,7 +63227,7 @@ index e96a309..4245308 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113..ab4d914 100644 +index f81b113..76db00a 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -63248,7 +63301,7 @@ index f81b113..ab4d914 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t) +@@ -124,12 +124,14 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -63257,7 +63310,15 @@ index f81b113..ab4d914 100644 userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_user_home_dirs(ntpd_t) -@@ -152,9 +150,18 @@ optional_policy(` + optional_policy(` ++ clock_domtrans(ntpd_t) ++') ++ ++optional_policy(` + cron_system_entry(ntpd_t, ntpdate_exec_t) + ') + +@@ -152,9 +154,18 @@ optional_policy(` ') optional_policy(` @@ -64387,7 +64448,7 @@ index c87bd2a..6180fba 100644 + allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te -index e403097..45d387d 100644 +index e403097..9080b3f 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) 
@@ -64444,7 +64505,7 @@ index e403097..45d387d 100644 locallogin_dontaudit_use_fds(oddjob_t) -@@ -66,27 +66,27 @@ optional_policy(` +@@ -66,27 +66,29 @@ optional_policy(` ') optional_policy(` @@ -64466,6 +64527,8 @@ index e403097..45d387d 100644 kernel_read_system_state(oddjob_mkhomedir_t) ++fs_manage_auto_mountpoints(oddjob_mkhomedir_t) ++ +mls_file_upgrade(oddjob_mkhomedir_t) + auth_use_nsswitch(oddjob_mkhomedir_t) @@ -64477,7 +64540,7 @@ index e403097..45d387d 100644 selinux_get_fs_mount(oddjob_mkhomedir_t) selinux_validate_context(oddjob_mkhomedir_t) selinux_compute_access_vector(oddjob_mkhomedir_t) -@@ -98,8 +98,11 @@ seutil_read_config(oddjob_mkhomedir_t) +@@ -98,8 +100,11 @@ seutil_read_config(oddjob_mkhomedir_t) seutil_read_file_contexts(oddjob_mkhomedir_t) seutil_read_default_contexts(oddjob_mkhomedir_t) @@ -67655,7 +67718,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..34682ff 100644 +index 44dbc99..9e70db7 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -67698,12 +67761,12 @@ index 44dbc99..34682ff 100644 +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; +allow openvswitch_t self:netlink_generic_socket create_socket_perms; ++ ++can_exec(openvswitch_t, openvswitch_exec_t) -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -+can_exec(openvswitch_t, openvswitch_exec_t) -+ +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) 
@@ -67721,7 +67784,7 @@ index 44dbc99..34682ff 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) +@@ -63,35 +67,59 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -67758,6 +67821,7 @@ index 44dbc99..34682ff 100644 -files_read_etc_files(openvswitch_t) +files_read_kernel_modules(openvswitch_t) ++files_load_kernel_modules(openvswitch_t) fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) @@ -67769,6 +67833,8 @@ index 44dbc99..34682ff 100644 logging_send_syslog_msg(openvswitch_t) -miscfiles_read_localization(openvswitch_t) ++init_read_script_state(openvswitch_t) ++ +modutils_exec_insmod(openvswitch_t) +modutils_list_module_config(openvswitch_t) +modutils_read_module_config(openvswitch_t) @@ -67777,6 +67843,10 @@ index 44dbc99..34682ff 100644 sysnet_dns_name_resolve(openvswitch_t) optional_policy(` ++ hostname_exec(openvswitch_t) ++') ++ ++optional_policy(` iptables_domtrans(openvswitch_t) ') + @@ -69300,10 +69370,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..04a0b20 +index 0000000..e55bf80 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,308 @@ +policy_module(pcp, 1.0.0) + +######################################## 
@@ -69414,7 +69484,7 @@ index 0000000..04a0b20 +# pcp_pmcd local policy +# + -+allow pcp_pmcd_t self:capability sys_admin; ++allow pcp_pmcd_t self:capability { sys_admin sys_ptrace }; +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + @@ -69424,6 +69494,7 @@ index 0000000..04a0b20 +kernel_read_state(pcp_pmcd_t) +kernel_read_fs_sysctls(pcp_pmcd_t) +kernel_read_rpc_sysctls(pcp_pmcd_t) ++kernel_search_network_sysctl(pcp_pmcd_t) + +corecmd_exec_bin(pcp_pmcd_t) + @@ -69495,6 +69566,8 @@ index 0000000..04a0b20 +allow pcp_pmproxy_t self:process setsched; +allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms; + ++kernel_search_network_sysctl(pcp_pmproxy_t) ++ +logging_send_syslog_msg(pcp_pmproxy_t) + +optional_policy(` @@ -69553,7 +69626,7 @@ index 0000000..04a0b20 +# +# pcp_pmie local policy +# -+ ++allow pcp_pmie_t self:capability chown; +allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read }; +allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto }; + @@ -69564,11 +69637,16 @@ index 0000000..04a0b20 +kernel_read_system_state(pcp_pmie_t) + +corecmd_exec_bin(pcp_pmie_t) ++corecmd_getattr_all_executables(pcp_pmie_t) + +domain_read_all_domains_state(pcp_pmie_t) + ++fs_search_cgroup_dirs(pcp_pmie_t) ++ +logging_send_syslog_msg(pcp_pmie_t) + ++systemd_search_unit_dirs(pcp_pmie_t) ++ +userdom_read_user_tmp_files(pcp_pmie_t) + +######################################## @@ -69595,6 +69673,7 @@ index 0000000..04a0b20 +domain_read_all_domains_state(pcp_pmlogger_t) + +init_read_utmp(pcp_pmlogger_t) ++init_status(pcp_pmlogger_t) + +systemd_exec_systemctl(pcp_pmlogger_t) +systemd_getattr_unit_files(pcp_pmlogger_t) @@ -75090,7 +75169,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..501c935 100644 +index 5cfb83e..b140dcb 100644 --- a/postfix.te +++ b/postfix.te 
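Review bot: Adding `sys_ptrace` in `allow pcp_pmcd_t self:capability { sys_admin sys_ptrace };` widens pmcd beyond metric collection: CAP_SYS_PTRACE is the kernel's gate for reading other processes' sensitive /proc files (environ, maps, mem) and for attaching to them, and together with the sys_admin already present that is a broad combination for a network-facing daemon. The usual trigger in monitoring daemons is a probe that reads an optional field for every pid, in which case `dontaudit pcp_pmcd_t self:capability sys_ptrace;` silences the noise without granting it; only if a PMDA truly needs the data should the allow stay, with a comment naming that PMDA. The motivating denial is not on the page, so this is inferred. pcp_pmcd_t's rules continue past the hunk.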
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -75715,7 +75794,7 @@ index 5cfb83e..501c935 100644 dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -584,19 +503,26 @@ optional_policy(` +@@ -584,19 +503,28 @@ optional_policy(` ######################################## # @@ -75735,11 +75814,13 @@ index 5cfb83e..501c935 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) +rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) -+postfix_list_spool(postfix_postdrop_t) - manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t) -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; -- ++postfix_list_spool(postfix_postdrop_t) ++manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) +corenet_udp_sendrecv_generic_if(postfix_postdrop_t) @@ -75747,7 +75828,7 @@ index 5cfb83e..501c935 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +537,7 @@ optional_policy(` +@@ -611,10 +539,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -75759,7 +75840,7 @@ index 5cfb83e..501c935 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +552,24 @@ optional_policy(` +@@ -629,17 +554,24 @@ optional_policy(` ####################################### # @@ -75787,7 +75868,7 @@ index 5cfb83e..501c935 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +585,78 @@ optional_policy(` +@@ -655,69 +587,78 @@ optional_policy(` ######################################## # 
@@ -75884,7 +75965,7 @@ index 5cfb83e..501c935 100644 ') optional_policy(` -@@ -730,28 +669,32 @@ optional_policy(` +@@ -730,28 +671,32 @@ optional_policy(` ######################################## # @@ -75925,7 +76006,7 @@ index 5cfb83e..501c935 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +707,7 @@ optional_policy(` +@@ -764,6 +709,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -75933,7 +76014,7 @@ index 5cfb83e..501c935 100644 ') optional_policy(` -@@ -774,31 +718,100 @@ optional_policy(` +@@ -774,31 +720,101 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -76004,6 +76085,7 @@ index 5cfb83e..501c935 100644 + +kernel_read_network_state(postfix_domain) +kernel_read_all_sysctls(postfix_domain) ++kernel_dontaudit_request_load_module(postfix_domain) + +dev_read_sysfs(postfix_domain) +dev_read_rand(postfix_domain) @@ -83984,7 +84066,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..159f21e 100644 +index 403a4fe..93085f2 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84011,6 +84093,15 @@ index 403a4fe..159f21e 100644 ######################################## # # Local policy +@@ -34,7 +44,7 @@ files_pid_file(radiusd_var_run_t) + + allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; + dontaudit radiusd_t self:capability sys_tty_config; +-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; ++allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; + allow radiusd_t self:fifo_file rw_fifo_file_perms; + allow radiusd_t self:unix_stream_socket { accept listen }; + allow radiusd_t self:tcp_socket { accept listen }; @@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) 
@@ -84417,7 +84508,7 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..0255b7e 100644 +index c99753f..6d4d0e9 100644 --- a/raid.te +++ b/raid.te @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; @@ -84510,11 +84601,11 @@ index c99753f..0255b7e 100644 +dev_read_kvm(mdadm_t) +dev_read_mei(mdadm_t) +dev_read_nvram(mdadm_t) -+dev_read_nvme(mdadm_t) +dev_read_generic_files(mdadm_t) +dev_read_generic_usb_dev(mdadm_t) +dev_read_urand(mdadm_t) +dev_read_rand(mdadm_t) ++dev_rw_nvme(mdadm_t) + +domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) @@ -86894,7 +86985,7 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..c2bc05a 100644 +index 47de2d6..6baf5cd 100644 --- a/rhcs.fc +++ b/rhcs.fc @@ -1,31 +1,104 @@ @@ -86959,7 +87050,7 @@ index 47de2d6..c2bc05a 100644 +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) -+/var/run/haproxy\.sock.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) ++/var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + +# cluster administrative domains file spec @@ -87892,7 +87983,7 @@ index c8bdea2..8ad3e01 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..4538e45 100644 +index 6cf79c4..5279416 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
@@ -88433,7 +88524,7 @@ index 6cf79c4..4538e45 100644 +# bug in haproxy and process vs pid owner +allow haproxy_t self:capability { dac_override kill }; + -+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource net_admin net_raw }; ++allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw }; +allow haproxy_t self:capability2 block_suspend; +allow haproxy_t self:process { fork setrlimit signal_perms }; +allow haproxy_t self:fifo_file rw_fifo_file_perms; @@ -95123,7 +95214,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..02be6db 100644 +index 2b7c441..efe3f59 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -95756,7 +95847,7 @@ index 2b7c441..02be6db 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,12 +549,52 @@ optional_policy(` +@@ -499,12 +549,53 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -95807,10 +95898,11 @@ index 2b7c441..02be6db 100644 dontaudit nmbd_t self:capability sys_tty_config; +allow nmbd_t self:capability {net_admin}; ++allow nmbd_t self:capability2 block_suspend; allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow nmbd_t self:fd use; allow nmbd_t self:fifo_file rw_fifo_file_perms; -@@ -512,9 +602,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +603,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -95825,7 +95917,7 @@ index 2b7c441..02be6db 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +618,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +619,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -95850,7 +95942,7 @@ index 2b7c441..02be6db 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +635,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +636,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -95919,7 +96011,7 @@ index 2b7c441..02be6db 100644 ') optional_policy(` -@@ -606,18 +685,29 @@ optional_policy(` +@@ -606,18 +686,29 @@ optional_policy(` ######################################## # @@ -95955,7 +96047,7 @@ index 2b7c441..02be6db 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,39 +717,38 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +718,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -96007,7 +96099,7 @@ index 2b7c441..02be6db 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +757,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +758,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -96043,7 +96135,7 @@ index 2b7c441..02be6db 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +784,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +785,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) 
@@ -96135,7 +96227,7 @@ index 2b7c441..02be6db 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +863,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +864,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -96159,7 +96251,7 @@ index 2b7c441..02be6db 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +877,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +878,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -96202,7 +96294,7 @@ index 2b7c441..02be6db 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +907,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +908,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -96216,7 +96308,7 @@ index 2b7c441..02be6db 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +930,20 @@ optional_policy(` +@@ -840,17 +931,20 @@ optional_policy(` # Winbind local policy # @@ -96242,7 +96334,7 @@ index 2b7c441..02be6db 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +953,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +954,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -96253,7 +96345,7 @@ index 2b7c441..02be6db 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +964,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +965,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -96307,7 +96399,7 @@ index 2b7c441..02be6db 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1007,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1008,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -96366,7 +96458,7 @@ index 2b7c441..02be6db 100644 ') optional_policy(` -@@ -959,31 +1068,36 @@ optional_policy(` +@@ -959,31 +1069,36 @@ optional_policy(` # Winbind helper local policy # @@ -96410,7 +96502,7 @@ index 2b7c441..02be6db 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1111,38 @@ optional_policy(` +@@ -997,25 +1112,38 @@ optional_policy(` ######################################## # @@ -97904,10 +97996,10 @@ index cd6c213..6d3cdc4 100644 + ') ') diff --git a/sanlock.te b/sanlock.te -index 0045465..5080a66 100644 +index 0045465..5be86bf 100644 --- a/sanlock.te +++ b/sanlock.te -@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0) +@@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0) # ## @@ -97922,16 +98014,12 @@ index 0045465..5080a66 100644 gen_tunable(sanlock_use_nfs, false) ## --##

--## Determine whether sanlock can use --## cifs file systems. --##

+##

+## Allow sanlock to manage cifs files +##

- ##
- gen_tunable(sanlock_use_samba, false) - ++##
++gen_tunable(sanlock_use_samba, false) ++ +## +##

+## Allow sanlock to read/write fuse files @@ -97939,6 +98027,16 @@ index 0045465..5080a66 100644 +## +gen_tunable(sanlock_use_fusefs, false) + ++## + ##

+-## Determine whether sanlock can use +-## cifs file systems. ++## Allow sanlock to read/write user home directories. + ##

+ ##
+-gen_tunable(sanlock_use_samba, false) ++gen_tunable(sanlock_enable_home_dirs, false) + type sanlock_t; type sanlock_exec_t; init_daemon_domain(sanlock_t, sanlock_exec_t) @@ -97953,7 +98051,7 @@ index 0045465..5080a66 100644 type sanlock_var_run_t; files_pid_file(sanlock_var_run_t) -@@ -34,6 +46,12 @@ logging_log_file(sanlock_log_t) +@@ -34,6 +53,12 @@ logging_log_file(sanlock_log_t) type sanlock_initrc_exec_t; init_script_file(sanlock_initrc_exec_t) @@ -97966,7 +98064,7 @@ index 0045465..5080a66 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) ') -@@ -44,17 +62,18 @@ ifdef(`enable_mls',` +@@ -44,17 +69,18 @@ ifdef(`enable_mls',` ######################################## # @@ -97980,18 +98078,18 @@ index 0045465..5080a66 100644 allow sanlock_t self:fifo_file rw_fifo_file_perms; -allow sanlock_t self:unix_stream_socket { accept listen }; +allow sanlock_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) ++manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) -append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) -+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) -+ +manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) logging_log_filetrans(sanlock_t, sanlock_log_t, file) manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -@@ -65,13 +84,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) +@@ -65,13 +91,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) kernel_read_kernel_sysctls(sanlock_t) 
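Review bot: The new boolean's description, `## Allow sanlock to read/write user home directories.`, understates what the tunable grants: the tunable_policy block in the following hunk calls `userdom_manage_user_home_content_dirs`, `..._files` and `..._symlinks`, i.e. create, delete and rename as well as read/write across every user's home content. Since this text is what administrators see when listing booleans before enabling one, it should match the rules: `## Allow sanlock to manage (create, read, write, delete) user home directory content.`. The default of false is right for a boolean with that reach.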
@@ -98013,7 +98111,7 @@ index 0045465..5080a66 100644 auth_use_nsswitch(sanlock_t) init_read_utmp(sanlock_t) -@@ -79,20 +103,29 @@ init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +110,35 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) @@ -98047,12 +98145,18 @@ index 0045465..5080a66 100644 + fs_read_cifs_symlinks(sanlock_t) +') + ++tunable_policy(`sanlock_enable_home_dirs',` ++ userdom_manage_user_home_content_dirs(sanlock_t) ++ userdom_manage_user_home_content_files(sanlock_t) ++ userdom_manage_user_home_content_symlinks(sanlock_t) ++') ++ +optional_policy(` + rhcs_domtrans_fenced(sanlock_t) ') optional_policy(` -@@ -100,7 +133,34 @@ optional_policy(` +@@ -100,7 +146,34 @@ optional_policy(` ') optional_policy(` @@ -102461,7 +102565,7 @@ index 634c6b4..f6db7a7 100644 +') + diff --git a/sosreport.te b/sosreport.te -index f2f507d..4dd29c9 100644 +index f2f507d..7db383e 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -102601,10 +102705,14 @@ index f2f507d..4dd29c9 100644 cups_stream_connect(sosreport_t) ') -@@ -127,6 +167,16 @@ optional_policy(` +@@ -127,6 +167,20 @@ optional_policy(` ') optional_policy(` ++ iptables_domtrans(sosreport_t) ++') ++ ++optional_policy(` + lvm_read_config(sosreport_t) + lvm_dontaudit_access_check_lock(sosreport_t) +') @@ -102618,7 +102726,7 @@ index f2f507d..4dd29c9 100644 fstools_domtrans(sosreport_t) ') -@@ -136,6 +186,14 @@ optional_policy(` +@@ -136,6 +190,14 @@ optional_policy(` optional_policy(` hal_dbus_chat(sosreport_t) ') @@ -102633,7 +102741,7 @@ index f2f507d..4dd29c9 100644 ') optional_policy(` -@@ -147,13 +205,35 @@ optional_policy(` +@@ -147,13 +209,35 @@ optional_policy(` ') optional_policy(` @@ -104295,16 +104403,17 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..03fb6b1 100644 +index 0a8b0f7..80c1d57 100644 --- a/squid.fc 
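Review bot: The new `sanlock_enable_home_dirs` block grants `userdom_manage_user_home_content_dirs/files/symlinks`, i.e. create, rename and unlink on every user's home content, while the boolean's description added in the earlier hunk reads "read/write user home directories"; the rules and the description should agree. Either narrow the block to read/write interfaces if that is all sanlock needs, or reword the description, e.g. `## Allow sanlock to manage (create, write, delete) user home directory content.`. A one-line comment above the `tunable_policy` naming the use case this serves would help administrators judge the exposure before enabling it; the rest of sanlock_t's rules are outside this hunk.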
+++ b/squid.fc -@@ -1,20 +1,28 @@ +@@ -1,20 +1,31 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0) -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) ++/etc/squid/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) @@ -104326,11 +104435,13 @@ index 0a8b0f7..03fb6b1 100644 -/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +/var/run/squid.* gen_context(system_u:object_r:squid_var_run_t,s0) - --/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) ++ +/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) ++/var/lib/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/squid.if b/squid.if @@ -104370,7 +104481,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..48b5633 100644 +index 03472ed..e03b69a 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; 
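Review bot: `/var/lib/ssl_db(/.*)?` in the second squid.fc hunk is a path with no squid in its name, under /var/lib, labelled squid_cache_t, and squid_t manages squid_cache_t (the `manage_*_pattern(squid_t, squid_cache_t, …)` context visible in the squid.te hunk), so anything else that creates /var/lib/ssl_db becomes writable by the squid daemon. If this is the location squid documents for its SSL-bump certificate database, say so next to the entry, e.g. `# squid's SSL certificate database (ssl_crtd) default location`; otherwise scope the match to a squid-owned directory. The `/etc/squid/ssl_db(/.*)?` entry in the first hunk raises the same question in milder form, since it makes a subtree of /etc writable by the daemon; a comment stating that both paths are writable certificate stores would cover it.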
@@ -104407,7 +104518,15 @@ index 03472ed..48b5633 100644 ######################################## # # Local policy -@@ -78,15 +85,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) +@@ -68,6 +75,7 @@ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) + manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) + manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) + files_var_filetrans(squid_t, squid_cache_t, dir, "squid") ++filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db") + + allow squid_t squid_conf_t:dir list_dir_perms; + allow squid_t squid_conf_t:file read_file_perms; +@@ -78,15 +86,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) logging_log_filetrans(squid_t, squid_log_t, { file dir }) @@ -104430,7 +104549,7 @@ index 03472ed..48b5633 100644 can_exec(squid_t, squid_exec_t) -@@ -94,7 +104,6 @@ kernel_read_kernel_sysctls(squid_t) +@@ -94,7 +105,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) @@ -104438,7 +104557,7 @@ index 03472ed..48b5633 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -132,6 +141,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) +@@ -132,6 +142,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) corenet_sendrecv_squid_server_packets(squid_t) @@ -104446,7 +104565,7 @@ index 03472ed..48b5633 100644 corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) corenet_tcp_sendrecv_squid_port(squid_t) -@@ -154,7 +164,6 @@ dev_read_urand(squid_t) +@@ -154,7 +165,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) 
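Review bot: The new `filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db")` only covers an ssl_db directory created under squid_conf_t, so a database squid creates at the /var/lib/ssl_db path labelled in squid.fc keeps the parent's type until a restorecon, unless a var_lib transition for squid_t exists outside this hunk. A matching named transition keeps the two labels consistent: `files_var_lib_filetrans(squid_t, squid_cache_t, dir, "ssl_db")`. A short comment above the transition stating that ssl_db is a daemon-written certificate store would also explain why a subtree of /etc carries a cache type.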
@@ -104454,7 +104573,7 @@ index 03472ed..48b5633 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -176,7 +185,6 @@ libs_exec_lib_files(squid_t) +@@ -176,7 +186,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -104462,7 +104581,7 @@ index 03472ed..48b5633 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -197,28 +205,31 @@ tunable_policy(`squid_use_tproxy',` +@@ -197,28 +206,31 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -104508,7 +104627,7 @@ index 03472ed..48b5633 100644 ') optional_policy(` -@@ -236,3 +247,24 @@ optional_policy(` +@@ -236,3 +248,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -104788,10 +104907,10 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..835122a 100644 +index dbb005a..8d53b6e 100644 --- a/sssd.fc +++ b/sssd.fc -@@ -1,15 +1,19 @@ +@@ -1,15 +1,26 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) 
@@ -104799,6 +104918,13 @@ index dbb005a..835122a 100644 -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_pac -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_pam -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_ssh -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_sudo -- gen_context(system_u:object_r:sssd_exec_t,s0) -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) @@ -105250,10 +105376,10 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..1139567 100644 +index 2d8db1f..6efbaac 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) +@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) 
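Review bot: The seven `/usr/libexec/sssd/sssd_*` responders are labelled sssd_exec_t, the same entry type as the monitor, so a socket-activated responder runs in the full sssd_t domain (presumably via the existing init_daemon_domain for sssd_t, which is outside this hunk); socket activation therefore adds no privilege separation between responders and the monitor. That is a defensible choice but it is recorded nowhere; a comment above the list such as `# responders share sssd_exec_t so systemd socket activation lands them in sssd_t` would capture it. Any responder binary in that directory missing from the list keeps a generic label and will not enter sssd_t when started by systemd, so the list should be checked against the packaged set.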
@@ -105280,24 +105406,31 @@ index 2d8db1f..1139567 100644 allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { accept connectto listen }; +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++# Allow sssd_t to execute responders; which has different context now ++allow sssd_t sssd_exec_t:file execute_no_trans; read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) +list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -51,9 +60,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) ++# Allow systemd to create sockets for socket activated responders ++create_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t) ++delete_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t) ++ +manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +69,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -105320,7 +105453,7 @@ index 2d8db1f..1139567 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +87,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +94,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) 
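Review bot: The `create_sock_files_pattern(init_t, sssd_var_lib_t, …)` and `delete_sock_files_pattern(init_t, …)` lines write rules on init_t directly from sssd.te, which breaks the module layering convention (rules on another module's type go through an interface that module exports) and will not build if init_t is not already required in this file. If the init module provides a socket-activation interface, calling it here is the conventional form; otherwise add one in init.if and call it from sssd.te. The comment `# Allow sssd_t to execute responders; which has different context now` is also misleading, since the responders carry sssd_exec_t, the same context as sssd itself; suggest `# responders under /usr/libexec/sssd are labelled sssd_exec_t; run them in sssd_t without a transition`.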
@@ -105361,7 +105494,7 @@ index 2d8db1f..1139567 100644 init_read_utmp(sssd_t) -@@ -112,18 +124,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +131,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -105389,7 +105522,7 @@ index 2d8db1f..1139567 100644 + kerberos_read_home_content(sssd_t) + kerberos_rw_config(sssd_t) + kerberos_rw_keytab(sssd_t) -+') + ') + +optional_policy(` + dirsrv_stream_connect(sssd_t) @@ -105403,7 +105536,7 @@ index 2d8db1f..1139567 100644 +optional_policy(` + samba_manage_var_dirs(sssd_t) + samba_manage_var_files(sssd_t) - ') ++') + +optional_policy(` + systemd_login_read_pid_files(sssd_t) @@ -105599,40 +105732,47 @@ index 0000000..80c6480 + systemd_read_fifo_file_passwd_run($1) + ') +') -diff --git a/stapserver.te b/stapserver.te -new file mode 100644 -index 0000000..e847ea3 ---- /dev/null +diff --git a/systemtap.te b/stapserver.te +similarity index 64% +rename from systemtap.te +rename to stapserver.te +index ffde368..e847ea3 100644 +--- a/systemtap.te 
+++ b/stapserver.te -@@ -0,0 +1,114 @@ +@@ -1,4 +1,4 @@ +-policy_module(systemtap, 1.1.0) +policy_module(stapserver, 1.1.1) -+ -+######################################## -+# -+# Declarations -+# -+ -+type stapserver_t; -+type stapserver_exec_t; -+init_daemon_domain(stapserver_t, stapserver_exec_t) -+ -+type stapserver_var_lib_t; -+files_type(stapserver_var_lib_t) -+ -+type stapserver_log_t; -+logging_log_file(stapserver_log_t) -+ -+type stapserver_var_run_t; -+files_pid_file(stapserver_var_run_t) -+ + + ######################################## + # +@@ -9,12 +9,6 @@ type stapserver_t; + type stapserver_exec_t; + init_daemon_domain(stapserver_t, stapserver_exec_t) + +-type stapserver_initrc_exec_t; +-init_script_file(stapserver_initrc_exec_t) +- +-type stapserver_conf_t; +-files_config_file(stapserver_conf_t) +- + type stapserver_var_lib_t; + files_type(stapserver_var_lib_t) + +@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t) + type stapserver_var_run_t; + files_pid_file(stapserver_var_run_t) + +type stapserver_tmp_t; +files_tmp_file(stapserver_tmp_t) + -+######################################## -+# + ######################################## + # +-# Local policy +# stapserver local policy -+# -+ + # + +-allow stapserver_t self:capability { dac_override kill setuid setgid }; +-allow stapserver_t self:process { setrlimit setsched signal }; +#runuser +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; 
@@ -105640,84 +105780,84 @@ index 0000000..e847ea3 +allow stapserver_t self:capability { dac_override kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + -+allow stapserver_t self:fifo_file rw_fifo_file_perms; -+allow stapserver_t self:key write; + allow stapserver_t self:fifo_file rw_fifo_file_perms; + allow stapserver_t self:key write; +-allow stapserver_t self:unix_stream_socket { accept listen }; +-allow stapserver_t self:tcp_socket create_stream_socket_perms; +- +-allow stapserver_t stapserver_conf_t:file read_file_perms; +allow stapserver_t self:unix_stream_socket create_stream_socket_perms; +allow stapserver_t self:tcp_socket { accept listen }; -+ -+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) -+ -+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) + + manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) + manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) + files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) + + manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -+logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) -+ + logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) + +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir }) 
+ -+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) -+ -+kernel_read_system_state(stapserver_t) + manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) + manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) + files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) + +-kernel_read_kernel_sysctls(stapserver_t) + kernel_read_system_state(stapserver_t) +kernel_read_kernel_sysctls(stapserver_t) -+ -+corecmd_exec_bin(stapserver_t) -+corecmd_exec_shell(stapserver_t) -+ -+domain_read_all_domains_state(stapserver_t) + + corecmd_exec_bin(stapserver_t) + corecmd_exec_shell(stapserver_t) + + domain_read_all_domains_state(stapserver_t) +domain_use_interactive_fds(stapserver_t) -+ -+dev_read_sysfs(stapserver_t) + +-dev_read_rand(stapserver_t) + dev_read_sysfs(stapserver_t) +dev_read_rand(stapserver_t) -+dev_read_urand(stapserver_t) -+ -+files_list_tmp(stapserver_t) -+files_search_kernel_modules(stapserver_t) -+ + dev_read_urand(stapserver_t) + + files_list_tmp(stapserver_t) +-files_read_usr_files(stapserver_t) + files_search_kernel_modules(stapserver_t) + +fs_search_cgroup_dirs(stapserver_t) +fs_getattr_all_fs(stapserver_t) + -+auth_use_nsswitch(stapserver_t) -+ -+init_read_utmp(stapserver_t) -+ -+logging_send_audit_msgs(stapserver_t) -+logging_send_syslog_msg(stapserver_t) -+ + auth_use_nsswitch(stapserver_t) + + init_read_utmp(stapserver_t) +@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t) + logging_send_audit_msgs(stapserver_t) + logging_send_syslog_msg(stapserver_t) + +-miscfiles_read_localization(stapserver_t) +#lspci -+miscfiles_read_hwdata(stapserver_t) -+ + miscfiles_read_hwdata(stapserver_t) + +systemd_dbus_chat_logind(stapserver_t) + -+userdom_use_user_terminals(stapserver_t) -+ -+optional_policy(` + userdom_use_user_terminals(stapserver_t) + 
+ optional_policy(` + avahi_dbus_chat(stapserver_t) +') + +optional_policy(` -+ consoletype_exec(stapserver_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(stapserver_t) -+') -+ -+optional_policy(` -+ hostname_exec(stapserver_t) -+') -+ -+optional_policy(` -+ plymouthd_exec_plymouth(stapserver_t) -+') -+ -+optional_policy(` -+ rpm_exec(stapserver_t) -+') + consoletype_exec(stapserver_t) + ') + +@@ -99,3 +111,4 @@ optional_policy(` + optional_policy(` + rpm_exec(stapserver_t) + ') + diff --git a/stunnel.fc b/stunnel.fc index 49dd63c..ae2e798 100644 
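Review bot: `allow stapserver_t self:capability { dac_override kill sys_ptrace};` adds sys_ptrace, which together with `domain_read_all_domains_state` lets the server inspect other processes, yet unlike the `#runuser` and `#lspci` groups it carries no comment saying which operation needs it. Add the reason above that line, e.g. `# sys_ptrace: <operation that triggered this grant>`, and fix the spacing to `{ dac_override kill sys_ptrace };`. The rename from systemtap.te also drops stapserver_initrc_exec_t and stapserver_conf_t; if stapserver.fc or stapserver.if still reference either, the module will not build, which cannot be confirmed from this hunk.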
@@ -106536,113 +106676,6 @@ index c755e2d..0000000 - files_search_pids($1) - admin_pattern($1, stapserver_var_run_t) -') -diff --git a/systemtap.te b/systemtap.te -deleted file mode 100644 -index ffde368..0000000 ---- a/systemtap.te -+++ /dev/null -@@ -1,101 +0,0 @@ --policy_module(systemtap, 1.1.0) -- --######################################## --# --# Declarations --# -- --type stapserver_t; --type stapserver_exec_t; --init_daemon_domain(stapserver_t, stapserver_exec_t) -- --type stapserver_initrc_exec_t; --init_script_file(stapserver_initrc_exec_t) -- --type stapserver_conf_t; --files_config_file(stapserver_conf_t) -- --type stapserver_var_lib_t; --files_type(stapserver_var_lib_t) -- --type stapserver_log_t; --logging_log_file(stapserver_log_t) -- --type stapserver_var_run_t; --files_pid_file(stapserver_var_run_t) -- --######################################## --# --# Local policy --# -- --allow stapserver_t self:capability { dac_override kill setuid setgid }; --allow stapserver_t self:process { setrlimit setsched signal }; --allow stapserver_t self:fifo_file rw_fifo_file_perms; --allow stapserver_t self:key write; --allow stapserver_t self:unix_stream_socket { accept listen }; --allow stapserver_t self:tcp_socket create_stream_socket_perms; -- --allow stapserver_t stapserver_conf_t:file read_file_perms; -- --manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) --manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) --files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) -- --manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) -- --manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) 
--manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) --files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) -- --kernel_read_kernel_sysctls(stapserver_t) --kernel_read_system_state(stapserver_t) -- --corecmd_exec_bin(stapserver_t) --corecmd_exec_shell(stapserver_t) -- --domain_read_all_domains_state(stapserver_t) -- --dev_read_rand(stapserver_t) --dev_read_sysfs(stapserver_t) --dev_read_urand(stapserver_t) -- --files_list_tmp(stapserver_t) --files_read_usr_files(stapserver_t) --files_search_kernel_modules(stapserver_t) -- --auth_use_nsswitch(stapserver_t) -- --init_read_utmp(stapserver_t) -- --logging_send_audit_msgs(stapserver_t) --logging_send_syslog_msg(stapserver_t) -- --miscfiles_read_localization(stapserver_t) --miscfiles_read_hwdata(stapserver_t) -- --userdom_use_user_terminals(stapserver_t) -- --optional_policy(` -- consoletype_exec(stapserver_t) --') -- --optional_policy(` -- dbus_system_bus_client(stapserver_t) --') -- --optional_policy(` -- hostname_exec(stapserver_t) --') -- --optional_policy(` -- plymouthd_exec_plymouth(stapserver_t) --') -- --optional_policy(` -- rpm_exec(stapserver_t) --') diff --git a/targetd.fc b/targetd.fc new file mode 100644 index 0000000..c1ef053 @@ -106829,10 +106862,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..e372bd7 +index 0000000..7f28cdd --- /dev/null +++ b/targetd.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,65 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -106855,6 +106888,7 @@ index 0000000..e372bd7 +# targetd local policy +# + ++allow targetd_t self:capability { sys_admin }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:tcp_socket listen; 
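Review bot: `allow targetd_t self:capability { sys_admin };` grants the broadest Linux capability with no comment, and the changelog entry ("Update targetd policy") does not say what required it. State the operation next to the rule, e.g. `# sys_admin: <operation that requires it>`, so a later reviewer can tell whether a narrower interface would do; the braces around a single permission can also go. The companion hunk adding `corecmd_exec_bin(targetd_t)` would benefit from the same note if it stems from the same denial.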
@@ -106870,6 +106904,7 @@ index 0000000..e372bd7 +auth_use_nsswitch(targetd_t) + +corecmd_exec_shell(targetd_t) ++corecmd_exec_bin(targetd_t) + +corenet_tcp_bind_generic_node(targetd_t) +corenet_tcp_bind_lsm_plugin_port(targetd_t) @@ -110092,10 +110127,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..5a263b2 +index 0000000..3157eb8 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,70 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110147,6 +110182,7 @@ index 0000000..5a263b2 +corenet_tcp_bind_mxi_port(tomcat_domain) +corenet_tcp_connect_http_port(tomcat_domain) +corenet_tcp_connect_mxi_port(tomcat_domain) ++corenet_tcp_connect_http_cache_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -112565,7 +112601,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..2cff369 100644 +index facdee8..487857a 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ @@ -113418,7 +113454,7 @@ index facdee8..2cff369 100644 ##
## ## -@@ -673,107 +565,625 @@ interface(`virt_home_filetrans',` +@@ -673,54 +565,571 @@ interface(`virt_home_filetrans',` ## ## # @@ -113454,8 +113490,14 @@ index facdee8..2cff369 100644 gen_require(` - type virt_home_t; + type virt_var_lib_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + @@ -113600,8 +113642,11 @@ index facdee8..2cff369 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) -+ -+ tunable_policy(`virt_use_nfs',` + + tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) 
@@ -113956,56 +114001,64 @@ index facdee8..2cff369 100644 + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ ') ++ + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; - -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) -- ') ++ + allow $1 virt_domain:process { sigkill sigstop signull signal }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; ++ ++ optional_policy(` ++ ptchown_run(virt_domain, $2) ++ ') ++') ++ ++######################################## ++## ++## Do not audit attempts to write virt daemon unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`virt_dontaudit_write_pipes',` ++ gen_require(` ++ type virtd_t; + ') - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) -+ optional_policy(` -+ ptchown_run(virt_domain, $2) - ') +- ') ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## ## -## Relabel virt home content. -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -728,52 +1137,53 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_kill_svirt',` gen_require(` - type virt_home_t; -+ type virtd_t; ++ attribute virt_domain; ') - userdom_search_user_home_dirs($1) @@ -114014,8 +114067,7 @@ index facdee8..2cff369 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virt_domain:process sigkill; ') ######################################## @@ -114023,7 +114075,7 @@ index facdee8..2cff369 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Send a sigkill to virtual machines ++## Send a sigkill to virtd daemon. ## ## ## @@ -114031,25 +114083,10 @@ index facdee8..2cff369 100644 ## ## -## -+# -+interface(`virt_kill_svirt',` -+ gen_require(` -+ attribute virt_domain; -+ ') -+ -+ allow $1 virt_domain:process sigkill; -+') -+ -+######################################## -+## -+## Send a sigkill to virtd daemon. -+## -+## - ## +-## -## Class of the object being created. -+## Domain allowed access. - ## - ## +-## +-## -## +# +interface(`virt_kill',` @@ -114435,13 +114472,13 @@ index facdee8..2cff369 100644 ## -## Domain allowed access. +## Domain allowed access -+## -+## + ## + ## +## +## +## The role to be allowed the sandbox domain. - ## - ## ++## ++## +## # -interface(`virt_read_images',` @@ -114603,7 +114640,7 @@ index facdee8..2cff369 100644 ## ## ## -@@ -1136,50 +1574,109 @@ interface(`virt_manage_images',` +@@ -1136,50 +1574,129 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -114706,9 +114743,7 @@ index facdee8..2cff369 100644 + allow virtd_t $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) +') - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) ++ +######################################## +## +## Execute a file in a sandbox directory @@ -114738,16 +114773,38 @@ index facdee8..2cff369 100644 + gen_require(` + type container_file_t; + ') ++ ++ domtrans_pattern($1,container_file_t, $2) ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++######################################## ++## ++## Dontaudit read the process state (/proc/pid) of libvirt ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dontaudit_read_state',` ++ gen_require(` ++ type virtd_t; ++ ') - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -+ domtrans_pattern($1,container_file_t, $2) ++ dontaudit $1 virtd_t:dir search_dir_perms; ++ dontaudit $1 virtd_t:file read_file_perms; ++ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..14e8dd9 100644 +index f03dcf5..411b4fe 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,410 @@ +@@ -1,451 +1,412 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -115383,6 +115440,8 @@ index f03dcf5..14e8dd9 100644 +init_dontaudit_read_state(svirt_t) + ++virt_dontaudit_read_state(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -115468,7 +115527,7 @@ index f03dcf5..14e8dd9 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +416,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -115515,22 +115574,22 @@ index f03dcf5..14e8dd9 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +451,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- -can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) @@ -115549,7 +115608,7 @@ index f03dcf5..14e8dd9 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +476,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -115577,7 +115636,7 @@ index f03dcf5..14e8dd9 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +496,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -115608,7 +115667,7 @@ index f03dcf5..14e8dd9 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +548,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -115628,7 +115687,7 @@ index f03dcf5..14e8dd9 100644 selinux_validate_context(virtd_t) -@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +570,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -115665,7 +115724,7 @@ index f03dcf5..14e8dd9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +598,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115674,7 +115733,7 @@ index f03dcf5..14e8dd9 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +621,12 @@ optional_policy(` +@@ -665,20 +623,12 @@ optional_policy(` ') optional_policy(` @@ -115682,7 +115741,8 @@ index f03dcf5..14e8dd9 100644 - ') - - optional_policy(` - hal_dbus_chat(virtd_t) +- hal_dbus_chat(virtd_t) ++ hal_dbus_chat(virtd_t) ') optional_policy(` @@ -115695,7 +115755,7 @@ index f03dcf5..14e8dd9 100644 ') optional_policy(` -@@ -691,20 +639,26 @@ optional_policy(` +@@ -691,20 +641,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -115726,7 +115786,7 @@ index f03dcf5..14e8dd9 100644 ') optional_policy(` -@@ -712,11 +666,18 @@ optional_policy(` +@@ -712,11 +668,18 @@ optional_policy(` ') optional_policy(` 
@@ -115745,7 +115805,7 @@ index f03dcf5..14e8dd9 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +688,18 @@ optional_policy(` +@@ -727,10 +690,18 @@ optional_policy(` ') optional_policy(` @@ -115764,7 +115824,7 @@ index f03dcf5..14e8dd9 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +715,336 @@ optional_policy(` +@@ -746,44 +717,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -115905,7 +115965,7 @@ index f03dcf5..14e8dd9 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -+ + +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) @@ -116079,7 +116139,7 @@ index f03dcf5..14e8dd9 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -116123,7 +116183,7 @@ index f03dcf5..14e8dd9 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1057,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116150,7 +116210,7 @@ index f03dcf5..14e8dd9 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1077,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116184,7 +116244,7 @@ index f03dcf5..14e8dd9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1112,20 @@ optional_policy(` +@@ -856,14 +1114,20 @@ optional_policy(` ') optional_policy(` @@ -116206,7 +116266,7 @@ index f03dcf5..14e8dd9 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1150,66 @@ optional_policy(` +@@ -888,49 +1152,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116291,7 +116351,7 @@ index f03dcf5..14e8dd9 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1223,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116311,7 +116371,7 @@ index f03dcf5..14e8dd9 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1244,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116335,7 +116395,7 @@ index f03dcf5..14e8dd9 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1267,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1269,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -116408,89 +116468,7 @@ index f03dcf5..14e8dd9 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116587,7 +116565,89 @@ index f03dcf5..14e8dd9 100644 + apache_read_sys_content(svirt_sandbox_domain) + ') +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +- 
+-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') 
@@ -116595,13 +116655,15 @@ index f03dcf5..14e8dd9 100644 +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') -+ -+optional_policy(` -+ udev_read_pid_files(svirt_sandbox_domain) -+') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) ++ udev_read_pid_files(svirt_sandbox_domain) + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -116631,11 +116693,9 @@ index f03dcf5..14e8dd9 100644 + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) @@ -116785,10 +116845,10 @@ index f03dcf5..14e8dd9 100644 +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) -+ -+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) ++ +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + @@ -116836,7 +116896,7 @@ index f03dcf5..14e8dd9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1628,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -116851,7 +116911,7 @@ index f03dcf5..14e8dd9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1646,7 @@ optional_policy(` +@@ -1192,7 +1648,7 @@ optional_policy(` ######################################## # @@ -116860,7 +116920,7 @@ index f03dcf5..14e8dd9 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1655,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 8b2f2ae..3f8fb28 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.11%{?dist} +Release: 225.12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,41 @@ exit 0 %endif %changelog +* Mon Apr 03 2017 Lukas Vrabec - 3.13.1-225.12 +- Allow drbd load modules +- Revert "Add sys_module capability for drbd" +- Fix cockpit module +- Allow sssd responders to run as socket activated services +- Allow radius_t domain ptrace +- Update pcp SELinux module to reflect all pcp changes +- Revert "Remove tomcat_t domain from unconfined domains" +- Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t +- Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability +- Update targetd policy +- Label /run/haproxy.sock socket as haproxy_var_run_t +- Allow oddjob_mkhomedir_t to mamange autofs_t dirs. +- Allow tomcat to connect on http_cache_port_t +- Allow nova domain search for httpd configuration. +- Add sys_module capability for drbd +- Allow cloud_init to send dbus messages to the init system +- Dontaudit postfix domains to request modules +- Add haproxy_t domain fowner capability +- Allow domain transition from ntpd_t to hwclock_t domains +- Allow cockpit_session_t setrlimit and sys_resource +- Dontaudit svirt_t read state of libvirtd domain +- Update httpd and gssproxy modules to reflects latest changes in freeipa +- Make fwupd_var_lib_t type mountpoint. BZ(1429341) +- Remove tomcat_t domain from unconfined domains +- Create new boolean: sanlock_enable_home_dirs() +- Allow mdadm_t domain to read/write nvme_device_t +- Allow cyrus stream connect to gssproxy +- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules +- Allow colord_t to read systemd hwdb.bin file +- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t +- Allow ptp4l wake_alarm capability +- Add nmbd_t capability2 block_suspend +- Add domain transition from sosreport_t to iptables_t + * Mon Feb 27 2017 Lukas Vrabec - 3.13.1-225.11 - Add radius_use_jit boolean - Allow nfsd_t domain to create sysctls_rpc_t files