From 92fd9aa2a14dae2cf060f9c752f684fa71a070c9 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 15 2016 16:15:21 +0000 Subject: * Thu Sep 15 2016 Lukas Vrabec 3.13.1-191.16 - Allow attach usb device to virtual machine BZ(1276873) - Dontaudit mozilla_plugin to sys_ptrace - Allow nut_upsdrvctl_t domain to read udev db BZ(1375636) - Fix typo - Allow geoclue to send msgs to syslog. BZ(1371818) - Allow abrt to read rpm_tmp_t dirs - Add interface rpm_read_tmp_files() - Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. - Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service - Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm - Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t - Allow mdadm_t to getattr all device nodes - Dontaudit gkeyringd_domain to connect to system_dbusd_t - Add interface dbus_dontaudit_stream_connect_system_dbusd() - Allow guest-set-user-passwd to set users password. - Allow domains using kerberos to read also kerberos config dirs - Add kdymp_t domain sys_admin capability BZ(1357949) - Allow dnssec_trigger to exec ldconfig - Allow svirt_sandbox_domains to r/w onload sockets - Fix typo bugs in rsync and inetd SELinux modules - Fixes for containers - Idenitfy these domains as init daemons - Allow samdbox domains to use msg class - Allow add new interface to new namespace BZ(1375124) - Dontaudit domain to create any file in /proc. This is kernel bug. - Add new interface fs_getattr_oracleasmfs_fs() - Add interface fs_manage_oracleasm() - Label /dev/kfd as hsa_device_t - Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs - Add transition rule that caller domain can create resolv.conf link file with correct label in sysnet_filetrans_named_content() interface - Allow run sulogin_t in range mls_systemlow-mls_systemhigh. --- 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 65646ba..091c700 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 2f815db..d1f9a53 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -6420,7 +6420,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..891ace5 100644 +index b31c054..1ed65a0 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6490,7 +6490,7 @@ index b31c054..891ace5 100644 /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -90,6 +106,7 @@ +@@ -90,9 +106,11 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6498,7 +6498,11 @@ index b31c054..891ace5 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +123,7 @@ ++/dev/kfd -c gen_context(system_u:object_r:hsa_device_t,s0) + /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/random -c gen_context(system_u:object_r:random_device_t,s0) + /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -106,6 +124,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) 
@@ -6506,7 +6510,7 @@ index b31c054..891ace5 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +136,12 @@ +@@ -118,6 +137,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6519,7 +6523,7 @@ index b31c054..891ace5 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +153,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +154,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6534,7 +6538,7 @@ index b31c054..891ace5 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +198,21 @@ ifdef(`distro_suse', ` +@@ -172,15 +199,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6556,7 +6560,7 @@ index b31c054..891ace5 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +230,27 @@ ifdef(`distro_debian',` +@@ -198,12 +231,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6587,7 +6591,7 @@ index b31c054..891ace5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..4e020f3 100644 +index 76f285e..6843613 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8654,7 +8658,7 @@ index 76f285e..4e020f3 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',` +@@ -4851,3 +5996,1022 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8877,6 +8881,7 @@ index 76f285e..4e020f3 100644 + type null_device_t; + type random_device_t; + type dri_device_t; ++ type hsa_device_t; + type ipmi_device_t; + type memory_device_t; + type kmsg_device_t; @@ -9143,6 +9148,7 @@ index 76f285e..4e020f3 100644 + filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random") + filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng") + filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915") ++ filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1") @@ -9676,7 +9682,7 @@ index 76f285e..4e020f3 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..9f3512c 100644 +index 0b1a871..29965c3 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; 
@@ -9713,7 +9719,17 @@ index 0b1a871..9f3512c 100644 # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) -@@ -88,12 +89,33 @@ type framebuf_device_t; +@@ -78,6 +79,9 @@ dev_node(dlm_control_device_t) + type dri_device_t; + dev_node(dri_device_t) + ++type hsa_device_t; ++dev_node(hsa_device_t) ++ + type event_device_t; + dev_node(event_device_t) + +@@ -88,12 +92,33 @@ type framebuf_device_t; dev_node(framebuf_device_t) # @@ -9747,7 +9763,7 @@ index 0b1a871..9f3512c 100644 # Type for /dev/kmsg # type kmsg_device_t; -@@ -111,6 +133,7 @@ dev_node(ksm_device_t) +@@ -111,6 +136,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -9755,7 +9771,7 @@ index 0b1a871..9f3512c 100644 # # Type for /dev/lirc -@@ -118,6 +141,9 @@ dev_node(kvm_device_t) +@@ -118,6 +144,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) @@ -9765,7 +9781,7 @@ index 0b1a871..9f3512c 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -150,12 +176,24 @@ type modem_device_t; +@@ -150,12 +179,24 @@ type modem_device_t; dev_node(modem_device_t) # @@ -9790,7 +9806,7 @@ index 0b1a871..9f3512c 100644 # Type for /dev/cpu/mtrr and /proc/mtrr # type mtrr_device_t; -@@ -183,6 +221,12 @@ type nvram_device_t; +@@ -183,6 +224,12 @@ type nvram_device_t; dev_node(nvram_device_t) # @@ -9803,7 +9819,7 @@ index 0b1a871..9f3512c 100644 # Type for /dev/pmu # type power_device_t; -@@ -227,6 +271,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +274,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -9814,7 +9830,7 @@ index 0b1a871..9f3512c 100644 # # Type for /dev/tpm # -@@ -266,6 +314,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +317,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) 
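Review bot: The new `type hsa_device_t;` / `dev_node(hsa_device_t)` pair in the devices.te hunk (`@@ -9713,7 +9719,17 @@`) has no header comment, while neighbouring declarations such as kmsg_device_t and lirc_device_t carry a `# Type for /dev/...` block. I would add `# Type for /dev/kfd` above the declaration so the type can be traced to the devices.fc entry. In the parts of the patch visible here, hsa_device_t gets only the file context, the `gen_require` entry and the `filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd")` line, with no access interface. If that holds for the whole patch, confined domains that need /dev/kfd have no interface to request access through once the node is relabelled, so it is worth confirming that this is intended.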
@@ -9830,7 +9846,7 @@ index 0b1a871..9f3512c 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +331,7 @@ dev_node(v4l_device_t) +@@ -274,6 +334,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -9838,7 +9854,7 @@ index 0b1a871..9f3512c 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +377,8 @@ files_associate_tmp(device_node) +@@ -319,5 +380,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -10161,7 +10177,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..466882e 100644 +index cf04cb5..8dd0c6b 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10317,7 +10333,7 @@ index cf04cb5..466882e 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +243,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +243,374 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -10642,6 +10658,7 @@ index cf04cb5..466882e 100644 + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; ++dontaudit domain self:file create; + +ifdef(`distro_redhat',` + optional_policy(` @@ -17887,7 +17904,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..737bfbc 100644 +index 8416beb..474c726 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
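Review bot: `dontaudit domain self:file create;` in the domain.te hunk (`@@ -10642,6 +10658,7 @@`) suppresses this denial for every domain in the policy, and its only explanation is the `# broken kernel` comment it shares with the preceding rule. The changelog says it covers file creation in /proc caused by a kernel bug, and that belongs next to the rule, for example `# kernel bug: bogus create denials on files in /proc; remove when fixed (BZ <bug-id>)`, so the rule can be dropped once the kernel is fixed. A policy-wide dontaudit also hides AVC records that troubleshooting and detection depend on; while it is in place these denials are visible only after `semodule -DB`.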
@@ -18951,7 +18968,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -2214,19 +2588,642 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -19122,6 +19139,25 @@ index 8416beb..737bfbc 100644 +## +## +# ++interface(`fs_getattr_oracleasmfs_fs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:filesystem getattr; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_oracleasmfs',` + gen_require(` + type oracleasmfs_t; @@ -19170,6 +19206,26 @@ index 8416beb..737bfbc 100644 + +######################################## +## ++## Read and write the oracleasm device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_oracleasm',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t) ++ manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t) ++ dev_filetrans($1, oracleasmfs_t, dir, "oracleasm") ++') ++ ++######################################## ++## +## Search inotifyfs filesystem. +## +## @@ -19600,7 +19656,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -2234,18 +3231,19 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -19625,7 +19681,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -2253,38 +3251,41 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3290,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -19679,7 +19735,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -2292,19 +3293,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3332,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -19707,7 +19763,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -2312,16 +3315,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3354,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # 
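Review bot: The summary added for `fs_manage_oracleasm` (hunk `@@ -19170,6 +19206,26 @@`) reads "Read and write the oracleasm device", but the body grants `manage_dirs_pattern` and `manage_blk_files_pattern` on oracleasmfs_t plus `dev_filetrans($1, oracleasmfs_t, dir, "oracleasm")`. That is create and delete access as well as a named type transition in /dev, so a caller choosing the interface by its summary gets more than it asked for. I would reword the summary to `Create, read, write, and delete oracleasmfs directories and block files, and create the /dev/oracleasm directory with the oracleasmfs_t type.` The preceding hunk adds `fs_getattr_oracleasmfs_fs` directly above `fs_getattr_oracleasmfs`; from what is visible, the two appear to share the same summary text, which makes them hard to tell apart.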
@@ -19728,7 +19784,7 @@ index 8416beb..737bfbc 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3400,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3439,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -19753,7 +19809,7 @@ index 8416beb..737bfbc 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3505,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3544,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19761,7 +19817,7 @@ index 8416beb..737bfbc 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3544,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3583,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19769,7 +19825,7 @@ index 8416beb..737bfbc 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3571,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3610,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -19814,7 +19870,7 @@ index 8416beb..737bfbc 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3629,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3668,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -19823,7 +19879,7 @@ index 8416beb..737bfbc 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3649,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3688,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -19866,7 +19922,7 @@ index 8416beb..737bfbc 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3699,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3738,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') 
@@ -19875,7 +19931,7 @@ index 8416beb..737bfbc 100644 ') ######################################## -@@ -2627,7 +3723,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3762,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -19884,7 +19940,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -2719,6 +3815,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3854,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -19950,7 +20006,7 @@ index 8416beb..737bfbc 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3896,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3935,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19959,7 +20015,7 @@ index 8416beb..737bfbc 100644 ## ## # -@@ -2777,7 +3932,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3971,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19968,7 +20024,7 @@ index 8416beb..737bfbc 100644 ## ## # -@@ -2970,6 +4125,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4164,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19976,7 +20032,7 @@ index 8416beb..737bfbc 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4166,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4205,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19984,7 +20040,7 @@ index 8416beb..737bfbc 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4207,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4246,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19992,7 +20048,7 @@ index 8416beb..737bfbc 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4295,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4334,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## 
@@ -20017,7 +20073,7 @@ index 8416beb..737bfbc 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3190,28 +4366,100 @@ interface(`fs_unmount_nfsd_fs',` +@@ -3190,28 +4405,100 @@ interface(`fs_unmount_nfsd_fs',` allow $1 nfsd_fs_t:filesystem unmount; ') @@ -20131,7 +20187,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3219,17 +4467,17 @@ interface(`fs_getattr_nfsd_fs',` +@@ -3219,17 +4506,17 @@ interface(`fs_getattr_nfsd_fs',` ## ## # @@ -20152,7 +20208,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3237,35 +4485,34 @@ interface(`fs_search_nfsd_fs',` +@@ -3237,35 +4524,34 @@ interface(`fs_search_nfsd_fs',` ## ## # @@ -20201,7 +20257,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3273,12 +4520,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4559,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20216,7 +20272,7 @@ index 8416beb..737bfbc 100644 ') ######################################## -@@ -3392,7 +4639,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4678,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20225,7 +20281,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3429,7 +4676,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4715,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20234,7 +20290,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3447,7 +4694,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4733,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20243,7 +20299,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3779,6 +5026,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5065,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20268,7 +20324,7 @@ index 8416beb..737bfbc 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5080,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5119,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## 
@@ -20293,7 +20349,7 @@ index 8416beb..737bfbc 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5191,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5230,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20302,7 +20358,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3916,17 +5199,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5238,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20323,7 +20379,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3934,17 +5217,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5256,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20344,7 +20400,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3952,17 +5235,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5274,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20384,7 +20440,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -3970,31 +5272,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5311,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20440,7 +20496,7 @@ index 8416beb..737bfbc 100644 ') ######################################## -@@ -4066,33 +5385,161 @@ interface(`fs_tmpfs_filetrans',` +@@ -4066,33 +5424,161 @@ interface(`fs_tmpfs_filetrans',` type tmpfs_t; ') @@ -20611,7 +20667,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -4100,72 +5547,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,72 +5586,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20701,7 +20757,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -4173,17 +5620,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5659,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20723,7 +20779,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -4191,37 +5639,37 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5678,37 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # 
@@ -20769,7 +20825,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -4229,18 +5677,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5716,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20791,7 +20847,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -4248,18 +5696,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5735,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20815,7 +20871,7 @@ index 8416beb..737bfbc 100644 ## ## ## -@@ -4267,32 +5716,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5755,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20854,7 +20910,7 @@ index 8416beb..737bfbc 100644 ') ######################################## -@@ -4407,6 +5855,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5894,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20880,7 +20936,7 @@ index 8416beb..737bfbc 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5970,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6009,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20889,7 +20945,7 @@ index 8416beb..737bfbc 100644 ') ######################################## -@@ -4549,7 +6018,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6057,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20898,7 +20954,7 @@ index 8416beb..737bfbc 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6065,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6104,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20925,7 +20981,7 @@ index 8416beb..737bfbc 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6160,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6199,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20951,7 +21007,7 @@ index 8416beb..737bfbc 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6420,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6459,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -40392,7 +40448,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..22f539c 100644 +index 446fa99..d66491c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -40416,7 +40472,7 @@ index 446fa99..22f539c 100644 +') + +ifdef(`enable_mls',` -+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh) ++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh) +') + ######################################## @@ -44289,7 +44345,7 @@ index d43f3b1..c5053db 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..593c90d 100644 +index 3822072..d358162 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` 
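Review bot: The new range in `init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)` (locallogin.te, hunk `@@ -40416,7 +40472,7 @@`) hard-codes `s0`, while the changelog describes the change as mls_systemlow-mls_systemhigh. Using the macro keeps the low end tied to the policy's own definition: `init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemlow - mls_systemhigh)`. The change moves sulogin_t from a single level to a range, so a one-line comment stating why the range is needed would help a later MLS review. The enclosing enable_mls block starts outside the changed line.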
@@ -44780,7 +44836,15 @@ index 3822072..593c90d 100644 ') ######################################## -@@ -999,6 +1363,26 @@ interface(`seutil_domtrans_semanage',` +@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',` + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + manage_files_pattern($1, file_context_t, file_context_t) ++ manage_dirs_pattern($1, file_context_t, file_context_t) + ') + + ######################################## +@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -44807,7 +44871,7 @@ index 3822072..593c90d 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1401,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -44915,7 +44979,7 @@ index 3822072..593c90d 100644 ') ######################################## -@@ -1041,9 +1519,15 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) @@ -44931,7 +44995,7 @@ index 3822072..593c90d 100644 ') ####################################### -@@ -1067,6 +1551,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -44956,7 +45020,7 @@ index 3822072..593c90d 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1639,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -46041,7 +46105,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + 
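Review bot: Adding `manage_dirs_pattern($1, file_context_t, file_context_t)` to the existing `seutil_manage_file_contexts` interface (hunk `@@ -44780,7 +44836,15 @@`) gives every current caller create and delete access on file_context_t directories, not only the domain that prompted the change. The interface summary lies outside the hunk, so I cannot tell whether it still matches; after this change it should mention directories. If only one domain needs directory management, a separate interface for it would leave the other callers at their existing access.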
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..bf86a31 100644 +index 2cea692..b363779 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -46458,7 +46522,7 @@ index 2cea692..bf86a31 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1053,126 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -46532,6 +46596,7 @@ index 2cea692..bf86a31 100644 + files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf") ++ files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") @@ -46585,7 +46650,7 @@ index 2cea692..bf86a31 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..8a3cec2 100644 +index a392fc4..50c946e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46627,7 +46692,7 @@ index a392fc4..8a3cec2 100644 ifdef(`distro_debian',` init_daemon_run_dir(net_conf_t, "network") -@@ -48,10 +61,10 @@ ifdef(`distro_debian',` +@@ -48,10 +61,11 @@ ifdef(`distro_debian',` # DHCP client local policy # allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; 
@@ -46637,10 +46702,11 @@ index a392fc4..8a3cec2 100644 dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms }; ++allow dhcpc_t self:cap_userns { net_bind_service }; allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -64,8 +78,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -46652,7 +46718,7 @@ index a392fc4..8a3cec2 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +@@ -74,6 +91,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -46661,7 +46727,7 @@ index a392fc4..8a3cec2 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t) +@@ -95,14 +114,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) @@ -46682,7 +46748,7 @@ index a392fc4..8a3cec2 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -112,22 +130,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_udp_bind_all_unreserved_ports(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) 
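Review bot: `allow dhcpc_t self:cap_userns { net_bind_service };` in the sysnetwork.te hunk (`@@ -46637,10 +46702,11 @@`) is added without a comment, and no changelog entry on this page names dhcpc_t, so the reason for giving the DHCP client a user-namespace capability is not recorded (it may belong to "Fixes for containers"). I would add a comment above it stating the use case and bug reference, along the lines of `# needed when dhcpc runs inside a user namespace; see BZ <bug-id>`, with the wording confirmed by the author. The braces around a single permission are also unnecessary: `allow dhcpc_t self:cap_userns net_bind_service;`.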
@@ -46710,7 +46776,7 @@ index a392fc4..8a3cec2 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -137,11 +158,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -46729,7 +46795,7 @@ index a392fc4..8a3cec2 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',` +@@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -46752,7 +46818,7 @@ index a392fc4..8a3cec2 100644 ') optional_policy(` -@@ -179,10 +219,6 @@ optional_policy(` +@@ -179,10 +220,6 @@ optional_policy(` ') optional_policy(` @@ -46763,7 +46829,7 @@ index a392fc4..8a3cec2 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +231,31 @@ optional_policy(` +@@ -195,23 +232,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -46798,7 +46864,7 @@ index a392fc4..8a3cec2 100644 ') optional_policy(` -@@ -221,7 +265,16 @@ optional_policy(` +@@ -221,7 +266,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -46816,7 +46882,7 @@ index a392fc4..8a3cec2 100644 ') optional_policy(` -@@ -233,6 +286,10 @@ optional_policy(` +@@ -233,6 +287,10 @@ optional_policy(` ') optional_policy(` @@ -46827,7 +46893,7 @@ index a392fc4..8a3cec2 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +321,26 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +322,26 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -46854,7 +46920,7 @@ index a392fc4..8a3cec2 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +350,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +351,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -46887,7 +46953,7 @@ index a392fc4..8a3cec2 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +388,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +389,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46945,7 +47011,7 @@ index a392fc4..8a3cec2 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +443,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +444,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -46958,7 +47024,7 @@ index a392fc4..8a3cec2 100644 ') optional_policy(` -@@ -350,7 +461,16 @@ optional_policy(` +@@ -350,7 +462,16 @@ optional_policy(` ') optional_policy(` @@ -46976,7 +47042,7 @@ index a392fc4..8a3cec2 100644 ') optional_policy(` -@@ -371,3 +491,13 @@ optional_policy(` +@@ -371,3 +492,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 4715777..78350e7 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..22f5977 100644 +index eb50f07..22e6c69 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -902,7 +902,7 @@ index eb50f07..22f5977 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +292,11 @@ optional_policy(` +@@ -234,15 +292,22 @@ optional_policy(` ') optional_policy(` 
@@ -914,7 +914,10 @@ index eb50f07..22f5977 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +306,7 @@ optional_policy(` + rpm_manage_log(abrt_t) + rpm_manage_pid_files(abrt_t) ++ rpm_read_tmp_files(abrt_t) + rpm_read_db(abrt_t) rpm_signull(abrt_t) ') @@ -922,7 +925,7 @@ index eb50f07..22f5977 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +317,21 @@ optional_policy(` +@@ -253,9 +318,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -945,7 +948,7 @@ index eb50f07..22f5977 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +342,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +343,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -960,7 +963,7 @@ index eb50f07..22f5977 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +361,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +362,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -968,7 +971,7 @@ index eb50f07..22f5977 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +370,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +371,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -989,7 +992,7 @@ index eb50f07..22f5977 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +391,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +392,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1016,7 +1019,7 @@ index eb50f07..22f5977 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +427,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +428,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1030,7 +1033,7 @@ index eb50f07..22f5977 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +445,11 @@ optional_policy(` +@@ -343,10 +446,11 @@ optional_policy(` ####################################### # @@ -1044,7 +1047,7 @@ index eb50f07..22f5977 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1127,7 +1130,7 @@ index eb50f07..22f5977 100644 ####################################### # -@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1190,7 +1193,7 @@ index eb50f07..22f5977 100644 ') ####################################### -@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # 
@@ -2275,7 +2278,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..0f871e6 100644 +index 519051c..69a4c66 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2313,7 +2316,15 @@ index 519051c..0f871e6 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; + + manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) + manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) ++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir) + + manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) + manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) +@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2330,7 +2341,7 @@ index 519051c..0f871e6 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2338,7 +2349,7 @@ index 519051c..0f871e6 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -130,6 +137,7 @@ fs_list_all(amanda_t) +@@ -130,6 +138,7 @@ fs_list_all(amanda_t) storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) 
@@ -2346,7 +2357,7 @@ index 519051c..0f871e6 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2354,7 +2365,7 @@ index 519051c..0f871e6 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -22107,7 +22118,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..d578ac1 100644 +index 62d22cb..f9c33f4 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -22256,9 +22267,9 @@ index 62d22cb..d578ac1 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) -+ -+ dev_read_urand($1) ++ dev_read_urand($1) ++ + # For connecting to the bus files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) @@ -22771,7 +22782,7 @@ index 62d22cb..d578ac1 100644 ## ## ## -@@ -498,98 +497,100 @@ interface(`dbus_connect_system_bus',` +@@ -498,98 +497,122 @@ interface(`dbus_connect_system_bus',` ## ## # 
@@ -22872,12 +22883,30 @@ index 62d22cb..d578ac1 100644 - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -- ') + allow $1 session_bus_type:dbus send_msg; + allow session_bus_type $1:dbus send_msg; ++') + +- ifdef(`hide_broken_symptoms', ` +- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ++######################################## ++## ++## Do not audit attempts to send dbus ++## messages to session bus types. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_chat_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; + ') ++ ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## @@ -22885,7 +22914,7 @@ index 62d22cb..d578ac1 100644 -## Use and inherit DBUS system bus -## file descriptors. +## Do not audit attempts to send dbus -+## messages to session bus types. ++## messages to system bus types. ##
## ## @@ -22895,41 +22924,41 @@ index 62d22cb..d578ac1 100644 ## # -interface(`dbus_use_system_bus_fds',` -+interface(`dbus_dontaudit_chat_session_bus',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - type system_dbusd_t; -+ attribute session_bus_type; ++ attribute system_bus_type; + class dbus send_msg; ') - allow $1 system_dbusd_t:fd use; -+ dontaudit $1 session_bus_type:dbus send_msg; ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; ') ######################################## ## -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -+## Do not audit attempts to send dbus -+## messages to system bus types. ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -597,28 +598,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +620,48 @@ interface(`dbus_use_system_bus_fds',` ## ## # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_dontaudit_chat_system_bus',` ++interface(`dbus_dontaudit_stream_connect_system_dbusd',` gen_require(` - type system_dbusd_t; -+ attribute system_bus_type; -+ class dbus send_msg; ++ attribute system_dbusd_t; ') - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; ++ dontaudit $1 system_dbusd_t:unix_stream_socket connectto; ') ######################################## @@ -26115,10 +26144,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..e44017c +index 0000000..2387876 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,91 @@ +policy_module(dnssec, 1.0.0) + +######################################## 
@@ -26179,6 +26208,8 @@ index 0000000..e44017c +files_read_etc_runtime_files(dnssec_trigger_t) +files_dontaudit_list_tmp(dnssec_trigger_t) + ++libs_exec_ldconfig(dnssec_trigger_t) ++ +logging_send_syslog_msg(dnssec_trigger_t) + +auth_use_nsswitch(dnssec_trigger_t) @@ -31262,10 +31293,10 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..2d357a2 +index 0000000..efd838f --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,71 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -31310,6 +31341,8 @@ index 0000000..2d357a2 + +dev_read_urand(geoclue_t) + ++logging_send_syslog_msg(geoclue_t) ++ +miscfiles_read_certs(geoclue_t) + +sysnet_dns_name_resolve(geoclue_t) @@ -34872,7 +34905,7 @@ index ab09d61..1a07290 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..d759604 100644 +index 63893eb..3508b98 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -34911,7 +34944,7 @@ index 63893eb..d759604 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -31,105 +50,229 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; 
@@ -34963,41 +34996,41 @@ index 63893eb..d759604 100644 +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - --domain_use_interactive_fds(gnomedomain) ++ +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - --files_read_etc_files(gnomedomain) ++ +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) --miscfiles_read_localization(gnomedomain) +-domain_use_interactive_fds(gnomedomain) --logging_send_syslog_msg(gnomedomain) +-files_read_etc_files(gnomedomain) --userdom_use_user_terminals(gnomedomain) +-miscfiles_read_localization(gnomedomain) +logging_send_syslog_msg(gconfd_t) -+ + +-logging_send_syslog_msg(gnomedomain) +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, dir) +-userdom_use_user_terminals(gnomedomain) ++optional_policy(` ++ nscd_dontaudit_search_pid(gconfd_t) ++') + optional_policy(` - xserver_rw_xdm_pipes(gnomedomain) - xserver_use_xdm_fds(gnomedomain) -+ nscd_dontaudit_search_pid(gconfd_t) ++ xserver_use_xdm_fds(gconfd_t) ++ xserver_rw_xdm_pipes(gconfd_t) ') -############################## -+optional_policy(` -+ xserver_use_xdm_fds(gconfd_t) -+ xserver_rw_xdm_pipes(gconfd_t) -+') -+ +####################################### # -# Conf daemon local Policy @@ -35166,6 +35199,10 @@ index 63893eb..d759604 100644 + xserver_append_xdm_home_files(gkeyringd_domain) + xserver_read_xdm_home_files(gkeyringd_domain) + xserver_use_xdm_fds(gkeyringd_domain) ++') ++ ++optional_policy(` ++ dbus_dontaudit_stream_connect_system_dbusd(gkeyringd_domain) ') optional_policy(` @@ -37875,10 +37912,18 @@ index fbb54e7..05c3777 100644 ######################################## 
diff --git a/inetd.te b/inetd.te -index c6450df..6304b00 100644 +index c6450df..ed6af79 100644 --- a/inetd.te +++ b/inetd.te -@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` +@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t) + type inetd_child_t; + type inetd_child_exec_t; + inetd_service_domain(inetd_child_t, inetd_child_exec_t) ++init_daemon_domain(inetd_child_t, inetd_child_exec_t) + + type inetd_child_tmp_t; + files_tmp_file(inetd_child_tmp_t) +@@ -37,9 +38,9 @@ ifdef(`enable_mcs',` # Local policy # @@ -37890,7 +37935,7 @@ index c6450df..6304b00 100644 allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket { accept listen }; allow inetd_t self:fd use; -@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) +@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t) kernel_tcp_recvfrom_unlabeled(inetd_t) corecmd_bin_domtrans(inetd_t, inetd_child_t) @@ -37898,7 +37943,7 @@ index c6450df..6304b00 100644 corenet_all_recvfrom_unlabeled(inetd_t) corenet_all_recvfrom_netlabel(inetd_t) -@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) +@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) @@ -37910,7 +37955,7 @@ index c6450df..6304b00 100644 corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) -@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t) +@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t) corenet_tcp_bind_git_port(inetd_t) corenet_udp_bind_git_port(inetd_t) @@ -37920,7 +37965,7 @@ index c6450df..6304b00 100644 dev_read_sysfs(inetd_t) domain_use_interactive_fds(inetd_t) -@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t) +@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) 
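Review bot: The added `init_daemon_domain(inetd_child_t, inetd_child_exec_t)` sits directly under `inetd_service_domain(inetd_child_t, inetd_child_exec_t)` with no comment, so a reader cannot tell why a domain meant for inetd-spawned services is also an init entry point. The changelog says only "Idenitfy these domains as init daemons". I would add a line above it such as `# also started directly by init, not only by inetd_t`, and name the services that need it if they are known. The same applies to the rsync.te hunk further down, where `init_daemon_domain(rsync_t, rsync_exec_t)` is now kept next to the new `application_executable_file(rsync_exec_t)`. The rest of inetd.te lies outside this hunk.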
@@ -37929,7 +37974,7 @@ index c6450df..6304b00 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -@@ -188,17 +195,13 @@ optional_policy(` +@@ -188,17 +196,13 @@ optional_policy(` ') optional_policy(` @@ -37948,7 +37993,7 @@ index c6450df..6304b00 100644 ######################################## # # Child local policy -@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -37965,7 +38010,7 @@ index c6450df..6304b00 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -41546,7 +41591,7 @@ index 3a00b3a..92f125f 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc21..b75739b 100644 +index 715fc21..3007fb3 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -41580,7 +41625,8 @@ index 715fc21..b75739b 100644 +# kdump local policy # - allow kdump_t self:capability { sys_boot dac_override }; +-allow kdump_t self:capability { sys_boot dac_override }; ++allow kdump_t self:capability { sys_admin sys_boot dac_override }; +allow kdump_t self:capability2 compromise_kernel; + +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) @@ -42170,7 +42216,7 @@ index 4fe75fd..3504a9b 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..e3cb4f1 100644 +index f6c00d8..192df56 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ 
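Review bot: `sys_admin` is added in `allow kdump_t self:capability { sys_admin sys_boot dac_override };` with no comment naming the operation that needs it. It is the broadest capability class member, and the next line already grants `capability2 compromise_kernel`, so the domain is becoming close to unconfined with respect to the kernel. Please record the justification next to the rule, for example `# sys_admin: BZ(1357949)` followed by the syscall or ioctl seen in the denial. If the AVC turns out to come from a single operation, check whether a narrower rule can replace the blanket capability.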
@@ -42247,7 +42293,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',` +@@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',` # interface(`kerberos_use',` gen_require(` @@ -42261,6 +42307,7 @@ index f6c00d8..e3cb4f1 100644 - dontaudit $1 krb5_conf_t:file write_file_perms; + files_search_etc($1) + read_files_pattern($1, krb5_conf_t, krb5_conf_t) ++ list_dirs_pattern($1, krb5_conf_t, krb5_conf_t) + dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; @@ -42308,7 +42355,7 @@ index f6c00d8..e3cb4f1 100644 pcscd_stream_connect($1) ') ') -@@ -119,7 +118,7 @@ interface(`kerberos_use',` +@@ -119,7 +119,7 @@ interface(`kerberos_use',` ######################################## ## @@ -42317,7 +42364,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -135,15 +134,13 @@ interface(`kerberos_read_config',` +@@ -135,15 +135,13 @@ interface(`kerberos_read_config',` files_search_etc($1) allow $1 krb5_conf_t:file read_file_perms; @@ -42335,7 +42382,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',` +@@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',` type krb5_conf_t; ') @@ -42351,7 +42398,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',` +@@ -182,27 +179,27 @@ interface(`kerberos_rw_config',` ######################################## ## @@ -42386,7 +42433,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',` +@@ -210,47 +207,63 @@ interface(`kerberos_manage_krb5_home_files',` ## ## # @@ -42465,7 +42512,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',` +@@ -259,18 +272,18 @@ interface(`kerberos_home_filetrans_krb5_home',` ## ## # 
@@ -42488,7 +42535,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -278,49 +290,122 @@ interface(`kerberos_read_keytab',` +@@ -278,49 +291,122 @@ interface(`kerberos_read_keytab',` ## ## # @@ -42627,7 +42674,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -329,60 +414,63 @@ interface(`kerberos_manage_keytab_files',` +@@ -329,60 +415,63 @@ interface(`kerberos_manage_keytab_files',` ## ## # @@ -42712,7 +42759,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -391,141 +479,88 @@ interface(`kerberos_read_kdc_config',` +@@ -391,141 +480,88 @@ interface(`kerberos_read_kdc_config',` ## ## # @@ -52107,7 +52154,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..b341bb0 100644 +index 11ac8e4..653ba10 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -52560,7 +52607,7 @@ index 11ac8e4..b341bb0 100644 ') optional_policy(` -@@ -300,259 +339,253 @@ optional_policy(` +@@ -300,259 +339,254 @@ optional_policy(` ######################################## # @@ -52573,6 +52620,7 @@ index 11ac8e4..b341bb0 100644 -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; ++dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace }; + +allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -52959,7 +53007,7 @@ index 11ac8e4..b341bb0 100644 ') optional_policy(` -@@ -560,7 +593,11 @@ optional_policy(` +@@ -560,7 +594,11 @@ optional_policy(` ') optional_policy(` @@ -52972,7 +53020,7 @@ index 11ac8e4..b341bb0 100644 ') optional_policy(` -@@ -568,108 +605,144 @@ optional_policy(` +@@ -568,108 +606,144 @@ optional_policy(` ') optional_policy(` 
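Review bot: The added `dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace };` hides the denial without saying why it is expected. Once it is loaded, a plugin process attempting ptrace inside a user namespace leaves no AVC record unless dontaudit rules are disabled with `semodule -DB`. A one-line comment naming the benign plugin behaviour that triggers the check would tell responders that the silence is deliberate. On style, a single permission needs no braces: `dontaudit mozilla_plugin_t self:cap_userns sys_ptrace;`.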
@@ -63231,10 +63279,10 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..1ac5cf5 100644 +index 5b2cb0d..ccaa0d4 100644 --- a/nut.te +++ b/nut.te -@@ -7,154 +7,153 @@ policy_module(nut, 1.3.0) +@@ -7,154 +7,155 @@ policy_module(nut, 1.3.0) attribute nut_domain; @@ -63348,9 +63396,9 @@ index 5b2cb0d..1ac5cf5 100644 +allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; - -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) @@ -63412,13 +63460,13 @@ index 5b2cb0d..1ac5cf5 100644 +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; + +can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) ++ ++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) -+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) - +kernel_read_kernel_sysctls(nut_upsdrvctl_t) -+ + +# /sbin/upsdrvctl executes other drivers corecmd_exec_bin(nut_upsdrvctl_t) @@ -63434,6 +63482,8 @@ index 5b2cb0d..1ac5cf5 100644 init_sigchld(nut_upsdrvctl_t) ++udev_read_db(nut_upsdrvctl_t) ++ ####################################### # -# Cgi local policy @@ -67589,13 +67639,15 @@ index 0000000..3bcd32c + diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 -index 0000000..80fb8c3 +index 0000000..c416596 --- /dev/null 
+++ b/oracleasm.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0) + ++/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0) ++ +/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0) diff --git a/oracleasm.if b/oracleasm.if new file mode 100644 @@ -67680,10 +67732,10 @@ index 0000000..6ae382c + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 0000000..14d642b +index 0000000..48fdbd5 --- /dev/null +++ b/oracleasm.te -@@ -0,0 +1,57 @@ +@@ -0,0 +1,64 @@ +policy_module(oracleasm, 1.0.0) + +######################################## @@ -67701,15 +67753,20 @@ index 0000000..14d642b +type oracleasm_tmp_t; +files_tmp_file(oracleasm_tmp_t) + ++type oracleasm_conf_t; ++files_config_file(oracleasm_conf_t) ++ +######################################## +# +# oracleasm local policy +# + -+allow oracleasm_t self:capability { fsetid fowner chown }; ++allow oracleasm_t self:capability { dac_override fsetid fowner chown }; +allow oracleasm_t self:fifo_file rw_fifo_file_perms; +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms; + ++allow oracleasm_t oracleasm_conf_t:file manage_file_perms; ++ +manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t) +manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t) +files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir }) @@ -67728,8 +67785,10 @@ index 0000000..14d642b +fs_getattr_xattr_fs(oracleasm_t) +fs_list_oracleasmfs(oracleasm_t) +fs_getattr_oracleasmfs(oracleasm_t) ++fs_getattr_oracleasmfs_fs(oracleasm_t) +fs_setattr_oracleasmfs(oracleasm_t) +fs_setattr_oracleasmfs_dirs(oracleasm_t) ++fs_manage_oracleasm(oracleasm_t) + +storage_raw_read_fixed_disk(oracleasm_t) +storage_raw_read_removable_device(oracleasm_t) @@ -68724,10 +68783,10 @@ index 8176e4a..2df1789 100644 
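Review bot: `dac_override` is added to `allow oracleasm_t self:capability { dac_override fsetid fowner chown };` without a comment, and it lets the domain ignore file mode bits on every object the type rules already reach. Those objects include the raw disk interfaces granted further down (`storage_raw_read_fixed_disk`). If the denial came from reading a file owned by another user, `dac_read_search` may be enough, which is worth confirming against the AVC before granting the wider capability. Separately, `oracleasm_conf_t` gets `file manage_file_perms` but the hunk adds no file-transition rule. A config file that the domain creates would then presumably take the parent directory's label until it is relabelled, so either add the transition or note that the file is expected to pre-exist. The rest of oracleasm.te is outside this hunk.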
diff --git a/pcp.fc b/pcp.fc new file mode 100644 -index 0000000..26a45e3 +index 0000000..de7c78c --- /dev/null +++ b/pcp.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,33 @@ +/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) @@ -68750,6 +68809,10 @@ index 0000000..26a45e3 +/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) +/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) + ++/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++ ++/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++ +/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0) + +/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) @@ -68907,12 +68970,16 @@ index 0000000..80246e6 + can_exec($1, pcp_pmlogger_exec_t) +') + +diff --git a/pcp.pp b/pcp.pp +new file mode 100644 +index 0000000..fa4cfaa +Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..e81f463 +index 0000000..f302fd8 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,287 @@ +@@ -0,0 +1,297 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -69183,6 +69250,7 @@ index 0000000..e81f463 +# pcp_pmlogger local policy +# + ++allow pcp_pmlogger_t self:capability chown; +allow pcp_pmlogger_t self:process setpgid; +allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; + @@ -69200,6 +69268,15 @@ index 0000000..e81f463 + +domain_read_all_domains_state(pcp_pmlogger_t) + ++init_read_utmp(pcp_pmlogger_t) ++ ++systemd_exec_systemctl(pcp_pmlogger_t) ++systemd_getattr_unit_files(pcp_pmlogger_t) ++ ++optional_policy(` ++ hostname_exec(pcp_pmlogger_t) ++') ++ diff --git a/pcscd.if b/pcscd.if index 43d50f9..6b1544f 100644 
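Review bot: The four added lines starting at `+diff --git a/pcp.pp b/pcp.pp` and ending at `+Binary files /dev/null and b/pcp.pp differ` put a compiled policy module into policy-f24-contrib.patch, which looks like a stray build artifact from a local `make`. The changelog does not mention it. A `.pp` binary cannot be reviewed against pcp.te, and a "Binary files differ" stanza carries no content. At best it is noise when the patch is applied, and at worst it sets a precedent for shipping unreviewable compiled policy in the source package. Drop the stanza and regenerate the patch from a clean tree, so that pcp.fc, pcp.if and pcp.te are the only pcp files it creates.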
--- a/pcscd.if @@ -79090,10 +79167,10 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..2542f5a 100644 +index d68e26d..3b08cfd 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,22 @@ +@@ -1,18 +1,23 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) @@ -79115,6 +79192,7 @@ index d68e26d..2542f5a 100644 -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) @@ -83975,7 +84053,7 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..31ff402 100644 +index c99753f..0255b7e 100644 --- a/raid.te +++ b/raid.te @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; @@ -84059,7 +84137,7 @@ index c99753f..31ff402 100644 -dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_read_all_blk_files(mdadm_t) +dev_dontaudit_read_all_chr_files(mdadm_t) -+dev_getattr_generic_chr_files(mdadm_t) ++dev_getattr_all(mdadm_t) +dev_read_crash(mdadm_t) +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) @@ -91362,7 +91440,7 @@ index ebe91fc..6ba4338 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..415a50b 100644 +index ef3b225..b15d901 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ 
@@ -91703,7 +91781,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -374,12 +479,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -91715,11 +91793,31 @@ index ef3b225..415a50b 100644 ######################################## ## -## Read rpm script temporary files. ++## Read rpm temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_read_tmp_files',` ++ gen_require(` ++ type rpm_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) ++ read_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++') ++ ++######################################## ++## +## Read RPM script temporary files. ## ## ## -@@ -399,7 +506,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -91728,7 +91826,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -420,8 +527,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +547,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -91738,7 +91836,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -442,7 +548,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -91747,7 +91845,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -459,11 +565,12 @@ interface(`rpm_read_db',` +@@ -459,11 +585,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -91761,7 +91859,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -482,8 +589,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +609,7 @@ interface(`rpm_delete_db',` ######################################## ## 
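Review bot: The new `rpm_read_tmp_files` interface grants more than the changelog says its caller needs. The entry is "Allow abrt to read rpm_tmp_t dirs", but the body adds `read_files_pattern($1, rpm_tmp_t, rpm_tmp_t)` on top of `list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)`, so abrt_t can read every rpm_tmp_t file. If the denial was only a directory listing, a separate interface holding just the `files_search_tmp` and `list_dirs_pattern` lines would keep abrt_t narrower. If file reads are intended, the summary should say so: "List rpm temporary directories and read rpm temporary files."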
@@ -91771,7 +91869,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -503,8 +609,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +629,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -91801,7 +91899,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -517,7 +643,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -91810,7 +91908,7 @@ index ef3b225..415a50b 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +669,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -91820,7 +91918,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -563,8 +688,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -91830,7 +91928,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -573,43 +697,54 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -91902,7 +92000,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -617,22 +752,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` +@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## ## @@ -91971,7 +92069,7 @@ index ef3b225..415a50b 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) -@@ -641,9 +811,6 @@ interface(`rpm_admin',` +@@ -641,9 +831,6 @@ interface(`rpm_admin',` admin_pattern($1, rpm_file_t) @@ -92936,10 +93034,10 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..6836678 100644 +index abeb302..b27a479 100644 --- a/rsync.te +++ b/rsync.te -@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) +@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0) # ## 
@@ -93012,11 +93110,11 @@ index abeb302..6836678 100644 type rsync_t; type rsync_exec_t; --init_daemon_domain(rsync_t, rsync_exec_t) --application_domain(rsync_t, rsync_exec_t) --role rsync_roles types rsync_t; +application_executable_file(rsync_exec_t) +role system_r types rsync_t; + init_daemon_domain(rsync_t, rsync_exec_t) +-application_domain(rsync_t, rsync_exec_t) +-role rsync_roles types rsync_t; type rsync_etc_t; files_config_file(rsync_etc_t) @@ -93026,7 +93124,7 @@ index abeb302..6836678 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; @@ -93057,7 +93155,7 @@ index abeb302..6836678 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -93131,7 +93229,7 @@ index abeb302..6836678 100644 ') tunable_policy(`rsync_export_all_ro',` -@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',` +@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',` auth_tunable_read_shadow(rsync_t) ') @@ -111384,7 +111482,7 @@ index a4f20bc..d8b1fd1 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..816d860 100644 +index facdee8..12e74f1 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,231 @@ 
@@ -112211,7 +112309,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',` +@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',` ## ## # @@ -112247,14 +112345,8 @@ index facdee8..816d860 100644 gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ ') ++ + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + @@ -112399,20 +112491,14 @@ index facdee8..816d860 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) ++ ++ tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) @@ -112579,14 +112665,13 @@ index facdee8..816d860 100644 +interface(`virt_exec_sandbox_files',` + gen_require(` + type svirt_sandbox_file_t; - ') ++ ') + + can_exec($1, svirt_sandbox_file_t) - ') - - ######################################## - ## --## Relabel virt home content. ++') ++ ++######################################## ++## +## Allow any svirt_sandbox_file_t to be an entrypoint of this domain +## +## 
@@ -112703,19 +112788,97 @@ index facdee8..816d860 100644 +####################################### +## +## Connect to virt over a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stream_connect_sandbox',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ++ type svirt_sandbox_file_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) ++') ++ ++######################################## ++## ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++## ++# ++interface(`virt_transition_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ type virt_bridgehelper_t; ++ type svirt_image_t; ++ type svirt_socket_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ allow $1 virt_domain:process transition; ++ role $2 types virt_domain; ++ role $2 types virt_bridgehelper_t; ++ role $2 types svirt_socket_t; + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) +- ') ++ allow $1 virt_domain:process { sigkill sigstop signull signal }; ++ allow $1 svirt_image_t:file { relabelfrom relabelto }; ++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; ++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; ++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- 
fs_manage_cifs_symlinks($1) ++ optional_policy(` ++ ptchown_run(virt_domain, $2) + ') + ') + + ######################################## + ## +-## Relabel virt home content. ++## Do not audit attempts to write virt daemon unnamed pipes. ## ## ## -@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_home_t; -+ attribute svirt_sandbox_domain; -+ type svirt_sandbox_file_t; ++ type virtd_t; ') - userdom_search_user_home_dirs($1) @@ -112724,9 +112887,8 @@ index facdee8..816d860 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ files_search_pids($1) -+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) -+ ps_process_pattern(svirt_sandbox_domain, $1) ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## 
@@ -112734,214 +112896,213 @@ index facdee8..816d860 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain allowed access + ## Domain allowed access. ## ## -## -+## ++# ++interface(`virt_kill_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process sigkill; ++') ++ ++######################################## ++## ++## Send a sigkill to virtd daemon. ++## ++## ## -## Class of the object being created. -+## The role to be allowed the sandbox domain. ++## Domain allowed access. ## ## -## -+## +# -+interface(`virt_transition_svirt',` ++interface(`virt_kill',` + gen_require(` -+ attribute virt_domain; -+ type virt_bridgehelper_t; -+ type svirt_image_t; -+ type svirt_socket_t; ++ type virtd_t; + ') + -+ allow $1 virt_domain:process transition; -+ role $2 types virt_domain; -+ role $2 types virt_bridgehelper_t; -+ role $2 types svirt_socket_t; -+ -+ allow $1 virt_domain:process { sigkill sigstop signull signal }; -+ allow $1 svirt_image_t:file { relabelfrom relabelto }; -+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; -+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; -+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; -+ -+ optional_policy(` -+ ptchown_run(virt_domain, $2) -+ ') ++ allow $1 virtd_t:process sigkill; +') + +######################################## +## -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Send a signal to virtd daemon. +## +## ## -## The name of the object being created. -+## Domain to not audit. ++## Domain allowed access. 
## ## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_signal',` gen_require(` - type virt_home_t; + type virtd_t; ') - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virtd_t:process signal; ') ######################################## ## -## Read virt pid files. -+## Send a sigkill to virtual machines ++## Send null signal to virtd daemon. ## ## ## -@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_kill_svirt',` ++interface(`virt_signull',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ type virtd_t; ') - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process signull; ') ######################################## ## -## Create, read, write, and delete -## virt pid files. -+## Send a sigkill to virtd daemon. ++## Send a signal to virtual machines ## ## ## -@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_kill',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_run_t; -+ type virtd_t; ++ attribute virt_domain; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virtd_t:process sigkill; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Search virt lib directories. -+## Send a signal to virtd daemon. 
++## Send a signal to sandbox domains ## ## ## -@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',` ## ## # -interface(`virt_search_lib',` -+interface(`virt_signal',` ++interface(`virt_signal_sandbox',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ attribute svirt_sandbox_domain; ') - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -+ allow $1 virtd_t:process signal; ++ allow $1 svirt_sandbox_domain:process signal; ') ######################################## ## -## Read virt lib files. -+## Send null signal to virtd daemon. ++## Manage virt home files. ## ## ## -@@ -839,20 +1147,17 @@ interface(`virt_search_lib',` +@@ -839,192 +1201,243 @@ interface(`virt_search_lib',` ## ## # -interface(`virt_read_lib_files',` -+interface(`virt_signull',` ++interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ type virt_home_t; ') - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virtd_t:process signull; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## -## Create, read, write, and delete -## virt lib files. -+## Send a signal to virtual machines ++## allow domain to read ++## virt tmpfs files ## ## ## -@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',` +-## Domain allowed access. 
++## Domain allowed access ## ## # -interface(`virt_manage_lib_files',` -+interface(`virt_signal_svirt',` ++interface(`virt_read_tmpfs_files',` gen_require(` - type virt_var_lib_t; -+ attribute virt_domain; ++ attribute virt_tmpfs_type; ') - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virt_domain:process signal; ++ allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## -## Create objects in virt pid -## directories with a private type. -+## Send a signal to sandbox domains ++## allow domain to manage ++## virt tmpfs files ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access ## ## -## +# -+interface(`virt_signal_sandbox',` ++interface(`virt_manage_tmpfs_files',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ attribute virt_tmpfs_type; + ') + -+ allow $1 svirt_sandbox_domain:process signal; ++ allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## -+## Manage virt home files. ++## Create .virt directory in the user home directory ++## with an correct label. +## +## ## 
@@ -112951,204 +113112,213 @@ index facdee8..816d860 100644 ## -## +# -+interface(`virt_manage_home_files',` ++interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; ++ type svirt_home_t; + ') + -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ gnome_data_filetrans($1, svirt_home_t, dir, "boot") ++ ') +') + +######################################## +## -+## allow domain to read -+## virt tmpfs files ++## Dontaudit attempts to Read virt_image_type devices. +## +## ## -## The object class of the object being created. -+## Domain allowed access ++## Domain allowed access. ## ## -## +# -+interface(`virt_read_tmpfs_files',` ++interface(`virt_dontaudit_read_chr_dev',` + gen_require(` -+ attribute virt_tmpfs_type; ++ attribute virt_image_type; + ') + -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## -+## allow domain to manage -+## virt tmpfs files ++## Creates types and rules for a basic ++## virt_lxc process domain. +## -+## ++## ## -## The name of the object being created. -+## Domain allowed access ++## Prefix for the domain. 
## ## -## # -interface(`virt_pid_filetrans',` -+interface(`virt_manage_tmpfs_files',` ++template(`virt_sandbox_domain_template',` gen_require(` - type virt_var_run_t; -+ attribute virt_tmpfs_type; ++ attribute svirt_sandbox_domain; ') - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ type $1_t, svirt_sandbox_domain; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++ role system_r types $1_t; ++ ++ logging_send_syslog_msg($1_t) ++ ++ kernel_read_system_state($1_t) ++ kernel_read_all_proc($1_t) ') ######################################## ## -## Read virt log files. -+## Create .virt directory in the user home directory -+## with an correct label. ++## Make the specified type usable as a lxc domain ## - ## +-## ++## ## - ## Domain allowed access. +-## Domain allowed access. ++## Type to be used as a lxc domain ## ## -## # -interface(`virt_read_log',` -+interface(`virt_filetrans_home_content',` ++template(`virt_sandbox_domain',` gen_require(` - type virt_log_t; -+ type virt_home_t; -+ type svirt_home_t; ++ attribute svirt_sandbox_domain; ') - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") -+ -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") -+ gnome_data_filetrans($1, svirt_home_t, dir, "boot") -+ ') ++ typeattribute $1 svirt_sandbox_domain; ') ######################################## ## -## Append virt log files. 
-+## Dontaudit attempts to Read virt_image_type devices. ++## Make the specified type usable as a lxc network domain ## - ## +-## ++## ## -@@ -935,117 +1289,153 @@ interface(`virt_read_log',` +-## Domain allowed access. ++## Type to be used as a lxc network domain ## ## # -interface(`virt_append_log',` -+interface(`virt_dontaudit_read_chr_dev',` ++template(`virt_sandbox_net_domain',` gen_require(` - type virt_log_t; -+ attribute virt_image_type; ++ attribute sandbox_net_domain; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++ virt_sandbox_domain($1) ++ typeattribute $1 sandbox_net_domain; ') ######################################## ## -## Create, read, write, and delete -## virt log files. -+## Creates types and rules for a basic -+## virt_lxc process domain. ++## Execute a qemu_exec_t in the callers domain ## --## -+## - ## --## Domain allowed access. -+## Prefix for the domain. - ## + ## +-## ++## + ## Domain allowed access. +-## ++## ## # -interface(`virt_manage_log',` -+template(`virt_sandbox_domain_template',` ++interface(`virt_exec_qemu',` gen_require(` - type virt_log_t; -+ attribute svirt_sandbox_domain; ++ type qemu_exec_t; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ type $1_t, svirt_sandbox_domain; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+ role system_r types $1_t; -+ -+ logging_send_syslog_msg($1_t) -+ -+ kernel_read_system_state($1_t) -+ kernel_read_all_proc($1_t) ++ can_exec($1, qemu_exec_t) ') ######################################## ## -## Search virt image directories. -+## Make the specified type usable as a lxc domain ++## Transition to virt named content ## --## -+## + ## ## -## Domain allowed access. 
-+## Type to be used as a lxc domain ++## Domain allowed access. ## ## # -interface(`virt_search_images',` -+template(`virt_sandbox_domain',` ++interface(`virt_filetrans_named_content',` gen_require(` - attribute virt_image_type; -+ attribute svirt_sandbox_domain; ++ type virt_lxc_var_run_t; ++ type virt_var_run_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ typeattribute $1 svirt_sandbox_domain; ++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ') ######################################## ## -## Read virt image files. -+## Make the specified type usable as a lxc network domain ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ## --## -+## + ## ## -## Domain allowed access. -+## Type to be used as a lxc network domain ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ## ## ++## # -interface(`virt_read_images',` -+template(`virt_sandbox_net_domain',` ++interface(`virt_transition_svirt_sandbox',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute sandbox_net_domain; ++ attribute svirt_sandbox_domain; ') - virt_search_lib($1) 
@@ -113157,79 +113327,41 @@ index facdee8..816d860 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ virt_sandbox_domain($1) -+ typeattribute $1 sandbox_net_domain; -+') ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Execute a qemu_exec_t in the callers domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_exec_qemu',` -+ gen_require(` -+ type qemu_exec_t; - ') +- ') ++ allow svirt_sandbox_domain $1:fd use; - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -+ can_exec($1, qemu_exec_t) -+') -+ -+######################################## -+## -+## Transition to virt named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_filetrans_named_content',` -+ gen_require(` -+ type virt_lxc_var_run_t; -+ type virt_var_run_t; - ') -+ -+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +- ') ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; ++ allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) ') ######################################## ## -## Read and write all virt image -## character files. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Read the process state of virt sandbox containers ## ## ## --## Domain allowed access. 
-+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. +@@ -1032,20 +1445,17 @@ interface(`virt_read_images',` ## ## -+## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_transition_svirt_sandbox',` ++interface(`virt_sandbox_read_state',` gen_require(` - attribute virt_image_type; + attribute svirt_sandbox_domain; @@ -113238,12 +113370,6 @@ index facdee8..816d860 100644 - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 svirt_sandbox_domain:process { transition signal_perms }; -+ role $2 types svirt_sandbox_domain; -+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; -+ -+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; -+ allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) ') @@ -113251,23 +113377,23 @@ index facdee8..816d860 100644 ## -## Create, read, write, and delete -## svirt cache files. -+## Read the process state of virt sandbox containers ++## Read and write to svirt_image devices. ## ## ## -@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_sandbox_read_state',` ++interface(`virt_rw_svirt_dev',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ type svirt_image_t; + ') + -+ ps_process_pattern($1, svirt_sandbox_domain) ++ allow $1 svirt_image_t:chr_file rw_file_perms; ') ######################################## 
@@ -113278,22 +113404,22 @@ index facdee8..816d860 100644 ## ## ## -@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',` ## ## # -interface(`virt_manage_virt_cache',` -+interface(`virt_rw_svirt_dev',` ++interface(`virt_rlimitinh',` gen_require(` - type virt_cache_t; -+ type svirt_image_t; ++ type virtd_t; ') - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++ allow $1 virtd_t:process { rlimitinh }; ') ######################################## @@ -113304,43 +113430,28 @@ index facdee8..816d860 100644 ## ## ## -@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',` ## ## # -interface(`virt_manage_images',` -+interface(`virt_rlimitinh',` ++interface(`virt_noatsecure',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virtd_t; - ') - +- ') +- - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virtd_t:process { rlimitinh }; -+') - +- - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Read and write to svirt_image devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_noatsecure',` -+ gen_require(` + type virtd_t; ') 
@@ -113361,7 +113472,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -113471,7 +113582,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..ef46070 100644 +index f03dcf5..913e23f 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -114483,7 +114594,7 @@ index f03dcf5..ef46070 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,335 @@ optional_policy(` +@@ -746,44 +707,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -114660,7 +114771,7 @@ index f03dcf5..ef46070 100644 +dev_rw_dri(virt_domain) + +domain_use_interactive_fds(virt_domain) - ++ +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) @@ -114764,6 +114875,7 @@ index f03dcf5..ef46070 100644 + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) ++ udev_read_db(virt_domain) +') + +optional_policy(` @@ -114797,7 +114909,7 @@ index f03dcf5..ef46070 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -114841,7 +114953,7 @@ index f03dcf5..ef46070 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1046,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1047,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
@@ -114868,7 +114980,7 @@ index f03dcf5..ef46070 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1066,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1067,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -114885,10 +114997,10 @@ index f03dcf5..ef46070 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -114902,7 +115014,7 @@ index f03dcf5..ef46070 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1103,20 @@ optional_policy(` +@@ -856,14 +1104,20 @@ optional_policy(` ') optional_policy(` @@ -114924,7 +115036,7 @@ index f03dcf5..ef46070 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1141,66 @@ optional_policy(` +@@ -888,49 +1142,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -115009,7 +115121,7 @@ index f03dcf5..ef46070 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1212,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1213,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -115029,7 +115141,7 @@ index f03dcf5..ef46070 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1233,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1234,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -115053,7 +115165,7 @@ index f03dcf5..ef46070 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,356 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1259,359 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115080,12 +115192,12 @@ index f03dcf5..ef46070 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -115108,6 +115220,7 @@ index f03dcf5..ef46070 100644 + +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; @@ -115120,6 +115233,7 @@ index f03dcf5..ef46070 100644 +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; @@ -115240,6 +115354,7 @@ index f03dcf5..ef46070 100644 +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) +kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) 
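Review bot: The three rules added for svirt_sandbox_domain (outer hunks at 115108, 115120 and 115240) are attached to the attribute itself, so every sandbox type receives them unconditionally and none carries a comment. They are `allow svirt_sandbox_domain self:msg all_msg_perms;`, `fs_rw_onload_sockets(svirt_sandbox_domain)` and `kernel_rw_unix_sysctls(svirt_sandbox_domain)`. The sysctl rule adds write access on top of `kernel_read_all_sysctls(svirt_sandbox_domain)` two lines above it, and the onload rule looks specific to one socket stack rather than something every container needs. The ptrace rule in the same block is already gated by the deny_ptrace tunable; I would put the onload and unix-sysctl lines under a tunable of their own (name to be chosen, e.g. `<BOOLEAN_NAME>`) in the same way. Failing that, a comment on each line naming the workload that needs it would do. The svirt_sandbox_domain rule block starts and continues outside these hunks.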
@@ -115303,8 +115418,9 @@ index f03dcf5..ef46070 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') @@ -115312,9 +115428,8 @@ index f03dcf5..ef46070 100644 +optional_policy(` + gear_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + @@ -115495,11 +115610,11 @@ index f03dcf5..ef46070 100644 +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) @@ -115551,7 +115666,7 @@ index f03dcf5..ef46070 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1624,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115566,7 +115681,7 @@ index f03dcf5..ef46070 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1638,7 @@ optional_policy(` +@@ -1192,7 +1642,7 @@ optional_policy(` ######################################## # 
@@ -115575,7 +115690,7 @@ index f03dcf5..ef46070 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1647,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1651,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -115603,6 +115718,8 @@ index f03dcf5..ef46070 100644 + +allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config }; + ++allow virt_qemu_ga_t self:passwd passwd; ++ +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; + diff --git a/selinux-policy.spec b/selinux-policy.spec index 55a1415..d5663a3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.15%{?dist} +Release: 191.16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
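Review bot: `allow virt_qemu_ga_t self:passwd passwd;` is unconditional, so on every guest carrying this policy the agent passes the check for changing another account's password; per the changelog this is for the host-driven guest-set-user-passwd command. Sites that confine the agent because they do not fully trust the host side lose that barrier, with no way to opt out short of a local module. I would make the rule conditional on a boolean that is off by default (the file already uses `tunable_policy` with `deny_ptrace`), and add a comment such as `# guest-set-user-passwd: lets the agent change any guest account's password`. The virt_qemu_ga_t block continues outside this hunk, so it cannot be confirmed from here whether the path to the password-changing helper is otherwise constrained.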
@@ -669,6 +669,39 @@ exit 0 %endif %changelog +* Thu Sep 15 2016 Lukas Vrabec 3.13.1-191.16 +- Allow attach usb device to virtual machine BZ(1276873) +- Dontaudit mozilla_plugin to sys_ptrace +- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636) +- Fix typo +- Allow geoclue to send msgs to syslog. BZ(1371818) +- Allow abrt to read rpm_tmp_t dirs +- Add interface rpm_read_tmp_files() +- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. +- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service +- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm +- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t +- Allow mdadm_t to getattr all device nodes +- Dontaudit gkeyringd_domain to connect to system_dbusd_t +- Add interface dbus_dontaudit_stream_connect_system_dbusd() +- Allow guest-set-user-passwd to set users password. +- Allow domains using kerberos to read also kerberos config dirs +- Add kdymp_t domain sys_admin capability BZ(1357949) +- Allow dnssec_trigger to exec ldconfig +- Allow svirt_sandbox_domains to r/w onload sockets +- Fix typo bugs in rsync and inetd SELinux modules +- Fixes for containers +- Idenitfy these domains as init daemons +- Allow samdbox domains to use msg class +- Allow add new interface to new namespace BZ(1375124) +- Dontaudit domain to create any file in /proc. This is kernel bug. +- Add new interface fs_getattr_oracleasmfs_fs() +- Add interface fs_manage_oracleasm() +- Label /dev/kfd as hsa_device_t +- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs +- Add transition rule that caller domain can create resolv.conf link file with correct label in sysnet_filetrans_named_content() interface +- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. 
+ * Wed Aug 31 2016 Lukas Vrabec 3.13.1-191.15 - udisksd has moved - Fix file context for /etc/pki/pki-tomcat/ca/