From 94cdbacbd8b602eccbbfca202c6084bd9086c702 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 07 2011 16:12:04 +0000 Subject: - Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under / --- diff --git a/modules-targeted.conf b/modules-targeted.conf index d730c9f..ceebf5a 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -985,6 +985,14 @@ lvm = module # mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + # Layer: services # Module: matahari # diff --git a/policy-F16.patch b/policy-F16.patch index 9de84fb..fc0458a 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3380,10 +3380,10 @@ index 0000000..1f468aa +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..ae9c0c5 +index 0000000..7b1047f --- /dev/null +++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,107 @@ +@@ -0,0 +1,126 @@ + +## policy for chrome + 
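Review bot: The new mailscanner block in modules-targeted.conf still carries the header of the entry it was copied from, `# Module: mailman`, while the key it declares is `mailscanner = module`; the header should read `# Module: mailscanner` so the comment names the module it describes. The two policy-F16.patch hunks that follow on this line only renumber the chrome.if header and need no change.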
@@ -3402,12 +3402,13 @@ index 0000000..ae9c0c5 + type chrome_sandbox_t, chrome_sandbox_exec_t; + ') + -+ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) ++ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) -+ifdef(`hide_broken_symptoms', ` -+ dontaudit chrome_sandbox_t $1:socket_class_set { read write }; -+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) -+') ++ ++ ifdef(`hide_broken_symptoms',` ++ dontaudit chrome_sandbox_t $1:socket_class_set { read write }; ++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) ++ ') +') + + @@ -3451,16 +3452,14 @@ index 0000000..ae9c0c5 +## +## +# -+interface(`chrome_role',` ++interface(`chrome_role_notrans',` + gen_require(` -+ type chrome_sandbox_t; -+ type chrome_sandbox_tmpfs_t; ++ type chrome_sandbox_t; ++ type chrome_sandbox_tmpfs_t; + ') + + role $1 types chrome_sandbox_t; + -+ chrome_domtrans_sandbox($2) -+ + ps_process_pattern($2, chrome_sandbox_t) + allow $2 chrome_sandbox_t:process signal_perms; + @@ -3476,6 +3475,26 @@ index 0000000..ae9c0c5 + +######################################## +## ++## Role access for chrome sandbox ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`chrome_role',` ++ chrome_role_notrans($1, $2) ++ chrome_domtrans_sandbox($2) ++') ++ ++######################################## ++## +## Dontaudit read/write to a chrome_sandbox leaks +## +## @@ -3707,10 +3726,10 @@ index 0000000..6f3570a +/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 -index 0000000..1bc60f7 +index 0000000..34d913e --- /dev/null +++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,116 @@ +@@ -0,0 +1,112 @@ +## execmem domain + +######################################## 
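Review bot: The renamed `chrome_role_notrans` keeps the documentation block of the former `chrome_role` (its start lies above the hunk), so nothing in its summary tells a caller how it differs from the new `chrome_role`, which is now `chrome_role_notrans($1, $2)` plus `chrome_domtrans_sandbox($2)`. Since the execmem.if hunk on the next line drops the `chrome_role` call entirely, callers will have to pick one of the two deliberately, and the doc should make the choice visible, e.g. a summary of `## Role access for chrome sandbox, without the domain transition into it` on the notrans variant and a sentence on `chrome_role` saying it adds the transition. The `hide_broken_symptoms` block in `chrome_domtrans_sandbox` is only re-indented here and needs nothing.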
@@ -3781,10 +3800,6 @@ index 0000000..1bc60f7 +') + files_execmod_tmp($1_execmem_t) + -+ optional_policy(` -+ chrome_role($2, $1_execmem_t) -+ ') -+ + # needed by plasma-desktop + optional_policy(` + gnome_read_usr_config($1_execmem_t) @@ -3993,12 +4008,13 @@ index 6e4add5..10a2ce4 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(giftd_t) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc -index 00a19e3..55075f9 100644 +index 00a19e3..d5acf98 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc -@@ -1,9 +1,36 @@ +@@ -1,9 +1,43 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) ++HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) 
@@ -4006,18 +4022,24 @@ index 00a19e3..55075f9 100644 +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) -+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) -+/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) -+/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) ++HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) ++HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) + ++/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) ++/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) ++/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) -+/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) ++/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) ++/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
@@ -4036,10 +4058,10 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..93aa20f 100644 +index f5afe78..6a38eaf 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,699 @@ +@@ -1,44 +1,739 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -4517,6 +4539,46 @@ index f5afe78..93aa20f 100644 + +######################################## +## ++## Read icc data home content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_home_icc_data_content',` ++ gen_require(` ++ type icc_data_home_t, gconf_home_t, data_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; ++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_files_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ++') ++ ++######################################## ++## ++## Read inherited icc data home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_inherited_home_icc_data_files',` ++ gen_require(` ++ type icc_data_home_t; ++ ') ++ ++ allow $1 icc_data_home_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## +## Create gconf_home_t objects in the /root directory +## +## @@ -4757,7 +4819,7 @@ index f5afe78..93aa20f 100644 ## ## ## -@@ -46,37 +701,36 @@ interface(`gnome_role',` +@@ -46,37 +741,36 @@ interface(`gnome_role',` ## ## # 
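Review bot: `gnome_read_home_icc_data_content` grants `userdom_search_user_home_dirs($1)` plus search on `gconf_home_t` and `data_home_t`, which reaches `~/.local/share/icc` but not the legacy `~/.color/icc` path this same commit labels `icc_data_home_t` in gnome.fc: `~/.color` has no entry of its own there and so presumably carries the generic user home content type, on which the caller gets no `search`. Either add `userdom_search_user_home_content($1)` to the interface or state in its summary that only the XDG location is covered, so a caller such as colord_t does not silently fail on the legacy directory. The inherited-files variant below it is fine as written.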
@@ -4806,7 +4868,7 @@ index f5afe78..93aa20f 100644 ## ## ## -@@ -84,37 +738,42 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +778,42 @@ template(`gnome_read_gconf_config',` ## ## # @@ -4860,7 +4922,7 @@ index f5afe78..93aa20f 100644 ## ## ## -@@ -122,17 +781,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +821,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -4882,7 +4944,7 @@ index f5afe78..93aa20f 100644 ## ## ## -@@ -140,51 +799,353 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +839,358 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -5157,7 +5219,7 @@ index f5afe78..93aa20f 100644 + type gstreamer_home_t; + type gconf_home_t; + type gnome_home_t; -+ type data_home_t; ++ type data_home_t, icc_data_home_t; + type gkeyringd_gnome_home_t; +') + @@ -5171,8 +5233,11 @@ index f5afe78..93aa20f 100644 + userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") ++ # ~/.color/icc: legacy ++ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc") + filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") + filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") ++ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") +') + +######################################## @@ -5194,7 +5259,7 @@ index f5afe78..93aa20f 100644 + type gstreamer_home_t; + type gconf_home_t; + type gnome_home_t; -+ type data_home_t; ++ type icc_data_home_t; +') + + userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") 
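Review bot: `userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")` in the user filetrans hunk fires for a directory named `icc` that $1 creates in any user home content type, not just under `~/.color`, so the comment `# ~/.color/icc: legacy` understates what the rule does and unrelated `icc` directories elsewhere in the home tree would be relabeled `icc_data_home_t`. The legacy path cannot be expressed more narrowly while `~/.color` has no type of its own; either accept that and say so in the comment, e.g. `# ~/.color/icc (legacy): ~/.color has no own type, so any "icc" dir created in user home content transitions`, or give `~/.color` a dedicated type. If `data_home_t` is also declared as user home content (its declaration is not in view), the explicit `filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")` on the following line is then redundant with it.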
@@ -5207,6 +5272,8 @@ index f5afe78..93aa20f 100644 + userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") ++ # /root/.color/icc: legacy ++ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc") +') +###################################### +## @@ -5252,10 +5319,10 @@ index f5afe78..93aa20f 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..bb2e8e8 100644 +index 2505654..9c3e9f6 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te -@@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) +@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0) # Declarations # @@ -5280,11 +5347,14 @@ index 2505654..bb2e8e8 100644 +type gstreamer_home_t, gnome_home_type; +userdom_user_home_content(gstreamer_home_t) + ++type icc_data_home_t, gnome_home_type; ++userdom_user_home_content(icc_data_home_t) ++ +type gconf_home_t, gnome_home_type; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -23,19 +37,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t; +@@ -23,19 +40,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t; files_tmp_file(gconf_tmp_t) ubac_constrained(gconf_tmp_t) @@ -5327,7 +5397,7 @@ index 2505654..bb2e8e8 100644 ############################## # # Local Policy -@@ -75,3 +110,168 @@ optional_policy(` +@@ -75,3 +113,168 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') 
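Review bot: The admin-home filetrans interface gains only `userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")`, while gnome.fc in this commit also labels `/root/\.local/share/icc(/.*)?` as `icc_data_home_t`; unless the part of the interface above this hunk already contains a `filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")`, an `icc` directory created at runtime under /root/.local/share keeps `data_home_t` until a relabel. The preceding hunk replaces `type data_home_t;` with `type icc_data_home_t;` in this interface's `gen_require`, which suggests no such transition exists and also removes the type such a rule would need. The enclosing interface begins outside the hunk.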
@@ -6454,7 +6524,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..aa29dee 100644 +index 9a6d67d..9c59afd 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -6513,7 +6583,7 @@ index 9a6d67d..aa29dee 100644 ## Execmod mozilla home directory content. ## ## -@@ -168,6 +194,80 @@ interface(`mozilla_domtrans',` +@@ -168,6 +194,84 @@ interface(`mozilla_domtrans',` ######################################## ## @@ -6527,17 +6597,22 @@ index 9a6d67d..aa29dee 100644 +# +interface(`mozilla_domtrans_plugin',` + gen_require(` -+ type mozilla_plugin_t, mozilla_plugin_exec_t; ++ type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; + class dbus send_msg; + ') + + domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + allow mozilla_plugin_t $1:process signull; + ++ ps_process_pattern($1, mozilla_plugin_t) ++ allow $1 mozilla_plugin_t:process { ptrace signal_perms }; ++ + allow $1 mozilla_plugin_t:dbus send_msg; + allow mozilla_plugin_t $1:dbus send_msg; + + allow $1 mozilla_plugin_t:fd use; ++ ++ allow $1 mozilla_plugin_tmpfs_t:file { delete_file_perms read_file_perms }; +') + + @@ -6564,9 +6639,8 @@ index 9a6d67d..aa29dee 100644 + + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; ++ + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; -+ allow $1 mozilla_plugin_t:process { ptrace signal sigkill }; -+ allow $1 mozilla_plugin_t:fd use; + + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; +') 
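Review bot: `allow $1 mozilla_plugin_t:process { ptrace signal_perms };` now sits inside `mozilla_domtrans_plugin`, so every domain that only needs to transition into the plugin domain also gets `ptrace` over it; before this change that grant lived in `mozilla_role_plugin` (the removed `allow $1 mozilla_plugin_t:process { ptrace signal sigkill };` in the next hunk). `ptrace` lets the caller inspect and alter the plugin-container process and is more than a transition interface should bundle; keep `mozilla_domtrans_plugin` at `domtrans_pattern`/`signull`/`signal_perms` and leave `ptrace` to the role interface, which is where role-scoped debugging access belongs. The new `allow $1 mozilla_plugin_tmpfs_t:file { delete_file_perms read_file_perms };` is in the same position and the same argument applies to `delete_file_perms`.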
@@ -6594,7 +6668,7 @@ index 9a6d67d..aa29dee 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +304,57 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +308,57 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -6627,12 +6701,12 @@ index 9a6d67d..aa29dee 100644 +## +## +# -+interface(`mozilla_plugin_read_inherited_tmpfs_files',` ++interface(`mozilla_plugin_read_tmpfs_files',` + gen_require(` + type mozilla_plugin_tmpfs_t; + ') + -+ allow $1 mozilla_plugin_tmpfs_t:file read_inherited_file_perms; ++ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; +') + +######################################## @@ -8214,7 +8288,7 @@ index 2ba7787..9f12b51 100644 ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index c2d20a2..77178ab 100644 +index c2d20a2..e5d85d1 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -8272,7 +8346,7 @@ index c2d20a2..77178ab 100644 ') optional_policy(` -+ mozilla_plugin_read_inherited_tmpfs_files(pulseaudio_t) ++ mozilla_plugin_read_tmpfs_files(pulseaudio_t) +') + +optional_policy(` @@ -11016,7 +11090,7 @@ index 223ad43..d400ef6 100644 # Reading dotfiles... # cjp: ? diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..1240d65 100644 +index 34c9d01..ddb1528 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -11069,7 +11143,7 @@ index 34c9d01..1240d65 100644 # # /usr # -@@ -196,47 +195,50 @@ ifdef(`distro_gentoo',` +@@ -196,47 +195,51 @@ ifdef(`distro_gentoo',` /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) 
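Review bot: Renaming `mozilla_plugin_read_inherited_tmpfs_files` to `mozilla_plugin_read_tmpfs_files` and replacing `read_inherited_file_perms` with `read_file_perms` adds `open`, so its single caller, `pulseaudio_t` in the pulseaudio.te hunk further along this line, can now open any `mozilla_plugin_tmpfs_t` file by path instead of only reading descriptors the plugin passes to it. If pulseaudio really has to open the plugin's shared-memory files itself, a comment at the call site such as `# pulseaudio opens plugin shm segments by path, not via passed fds` would record why the inherited form was not enough; otherwise the inherited variant is the least-privilege choice and the rename should be reverted.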
@@ -11115,9 +11189,9 @@ index 34c9d01..1240d65 100644 - -/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -11127,6 +11201,7 @@ index 34c9d01..1240d65 100644 +/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) 
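Review bot: `/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0)` in the second hunk labels the entire tree `bin_t`, so any Perl modules or data files under it become executable-labeled and runnable by every domain with execute access to `bin_t`; if only a few helpers there are executed, a pattern naming those keeps the rest at the default library label. Check as well that the new mailscanner module's own file contexts (not in this diff) do not place an exec type under the same tree, since this entry would shadow any less specific one.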
@@ -11161,12 +11236,12 @@ index 34c9d01..1240d65 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -244,9 +246,13 @@ ifdef(`distro_gentoo',` +@@ -244,9 +247,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11176,7 +11251,7 @@ index 34c9d01..1240d65 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -283,6 +289,7 @@ ifdef(`distro_gentoo',` +@@ -283,6 +290,7 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -11184,7 +11259,7 @@ index 34c9d01..1240d65 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -291,7 +298,7 @@ ifdef(`distro_gentoo',` +@@ -291,7 +299,7 @@ ifdef(`distro_gentoo',` /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) 
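Review bot: Replacing `/usr/lib/xfce4/notifyd/xfce4-notifyd --` with `/usr/lib/xfce4(/.*)?` turns every file under /usr/lib/xfce4, including shared objects and panel plugins that would otherwise be labeled as libraries, into `bin_t`, so they become executable for any domain allowed to execute `bin_t` and fall out of whatever rules are keyed on the library type. If the intent is the helper executables in that tree, listing their subdirectories (or keeping `-- ` entries for the binaries) is the narrower labeling; a comment such as `# xfce4 helpers spawned by user domains` would also explain the broad match if it is deliberate.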
@@ -11193,7 +11268,7 @@ index 34c9d01..1240d65 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -304,9 +311,8 @@ ifdef(`distro_redhat', ` +@@ -304,9 +312,8 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11204,7 +11279,7 @@ index 34c9d01..1240d65 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +322,11 @@ ifdef(`distro_redhat', ` +@@ -316,9 +323,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11216,7 +11291,7 @@ index 34c9d01..1240d65 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -360,7 +368,7 @@ ifdef(`distro_redhat', ` +@@ -360,7 +369,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -11225,7 +11300,7 @@ index 34c9d01..1240d65 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -372,8 +380,9 @@ ifdef(`distro_suse', ` +@@ -372,8 +381,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12364,7 +12439,7 @@ index 5a07a43..eb5f76e 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..599c3e6 100644 +index 0757523..1bec39a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -12442,7 +12517,7 @@ index 0757523..599c3e6 100644 network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) -@@ -96,9 +118,13 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -96,9 +118,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -12453,10 +12528,11 @@ index 0757523..599c3e6 100644 network_port(fingerd, tcp,79,s0) +network_port(firebird, tcp,3050,s0, udp,3050,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) ++network_port(fprot, tcp,10200,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -112,7 +138,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -112,7 +139,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -12465,7 +12541,7 @@ index 0757523..599c3e6 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +152,59 @@ network_port(iscsi, tcp,3260,s0) +@@ -126,43 +153,59 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -12531,7 +12607,7 @@ index 0757523..599c3e6 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +219,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,24 +220,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -12565,7 +12641,7 @@ index 0757523..599c3e6 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,20 +252,22 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,20 +253,22 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -12591,7 +12667,7 @@ index 0757523..599c3e6 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -272,9 +321,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -272,9 +322,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -14223,7 +14299,7 @@ index bc534c1..6190297 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..de3c68f 100644 +index 16108f6..d993f7e 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -14358,16 +14434,14 @@ index 16108f6..de3c68f 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -252,3 +270,7 @@ ifndef(`distro_redhat',` +@@ -252,3 +270,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ -+/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..811174e 100644 +index 958ca84..473eacc 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -14663,7 +14737,15 @@ index 958ca84..811174e 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3104,6 +3290,7 @@ interface(`files_getattr_home_dir',` +@@ -2660,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',` + + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1, etc_t, etc_runtime_t) ++ read_lnk_files_pattern($1, etc_t, etc_t) + ') + + ######################################## +@@ -3104,6 +3291,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; 
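Review bot: `read_lnk_files_pattern($1, etc_t, etc_t)` added to `files_rw_etc_runtime_files` grants reading of every `etc_t` symlink to a caller of an interface whose name and summary (outside the hunk) promise only read/write of `etc_runtime_t` files, and the new line has no comment explaining the widening. If the purpose is to follow a symlinked runtime file (presumably mtab), say so with `# etc_runtime files such as mtab may be symlinks in /etc` or have the callers that need it use `files_read_etc_symlinks($1)` instead, so the interface keeps doing what its name says.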
@@ -14671,7 +14753,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -3124,6 +3311,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3312,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -14679,7 +14761,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -3247,7 +3435,7 @@ interface(`files_home_filetrans',` +@@ -3247,7 +3436,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -14688,7 +14770,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` +@@ -3287,6 +3476,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` dontaudit $1 lost_found_t:dir getattr; ') @@ -14713,7 +14795,7 @@ index 958ca84..811174e 100644 ######################################## ## ## Create, read, write, and delete objects in -@@ -3365,6 +3571,43 @@ interface(`files_list_mnt',` +@@ -3365,6 +3572,43 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -14757,7 +14839,7 @@ index 958ca84..811174e 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3681,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3682,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -14782,7 +14864,7 @@ index 958ca84..811174e 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3991,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -14882,7 +14964,7 @@ index 958ca84..811174e 100644 ######################################## ## ## Allow the specified type to associate -@@ -3774,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3774,7 +4129,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -14891,7 +14973,7 @@ index 958ca84..811174e 100644 ## ## # -@@ -3846,7 +4200,7 @@ interface(`files_list_tmp',` +@@ -3846,7 +4201,7 @@ interface(`files_list_tmp',` ## ## ## @@ -14900,7 +14982,7 @@ index 958ca84..811174e 100644 ## ## # -@@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -3858,6 +4213,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -14925,7 +15007,7 @@ index 958ca84..811174e 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -3914,25 +4286,33 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,25 +4287,33 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -14964,7 +15046,7 @@ index 958ca84..811174e 100644 ## ## ## -@@ -3940,17 +4320,35 @@ interface(`files_manage_generic_tmp_files',` +@@ -3940,17 +4321,35 @@ interface(`files_manage_generic_tmp_files',` ## ## # @@ -15003,7 +15085,7 @@ index 958ca84..811174e 100644 ## ## ## -@@ -3968,6 +4366,84 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,6 +4367,84 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -15088,7 +15170,7 @@ index 958ca84..811174e 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4009,7 +4485,7 @@ interface(`files_list_all_tmp',` +@@ -4009,7 +4486,7 @@ interface(`files_list_all_tmp',` ## ## ## @@ -15097,7 +15179,7 @@ index 958ca84..811174e 100644 ## ## # -@@ -4047,7 +4523,7 @@ interface(`files_getattr_all_tmp_files',` +@@ -4047,7 +4524,7 @@ interface(`files_getattr_all_tmp_files',` ## ## ## 
@@ -15106,7 +15188,7 @@ index 958ca84..811174e 100644 ## ## # -@@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',` +@@ -4103,7 +4580,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -15115,7 +15197,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',` +@@ -4127,6 +4604,15 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -15131,7 +15213,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -4466,7 +4951,7 @@ interface(`files_usr_filetrans',` +@@ -4466,7 +4952,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -15140,7 +15222,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5222,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -15165,7 +15247,7 @@ index 958ca84..811174e 100644 ## Read and write files in the /var directory. ## ## -@@ -4851,7 +5354,7 @@ interface(`files_var_filetrans',` +@@ -4851,7 +5355,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -15174,7 +15256,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -4986,7 +5489,7 @@ interface(`files_var_lib_filetrans',` +@@ -4986,7 +5490,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15183,7 +15265,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5575,25 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -15209,7 +15291,7 @@ index 958ca84..811174e 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5084,6 +5606,8 @@ interface(`files_search_locks',` +@@ -5084,6 +5607,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -15218,7 +15300,7 @@ index 958ca84..811174e 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5103,11 +5627,50 @@ interface(`files_dontaudit_search_locks',` +@@ -5103,11 +5628,50 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -15269,7 +15351,7 @@ index 958ca84..811174e 100644 ## Add and remove entries in the /var/lock ## directories. ## -@@ -5122,6 +5685,7 @@ interface(`files_rw_lock_dirs',` +@@ -5122,6 +5686,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -15277,7 +15359,7 @@ index 958ca84..811174e 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5140,7 +5704,7 @@ interface(`files_getattr_generic_locks',` +@@ -5140,7 +5705,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -15286,7 +15368,7 @@ index 958ca84..811174e 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5156,12 +5720,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5721,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -15303,7 +15385,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -5180,7 +5744,7 @@ interface(`files_manage_generic_locks',` +@@ -5180,7 +5745,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -15312,7 +15394,7 @@ index 958ca84..811174e 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5207,6 +5771,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5772,27 @@ interface(`files_delete_all_locks',` ######################################## ## 
@@ -15340,7 +15422,7 @@ index 958ca84..811174e 100644 ## Read all lock files. ## ## -@@ -5221,7 +5806,7 @@ interface(`files_read_all_locks',` +@@ -5221,7 +5807,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -15349,7 +15431,7 @@ index 958ca84..811174e 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5243,7 +5828,7 @@ interface(`files_manage_all_locks',` +@@ -5243,7 +5829,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -15358,7 +15440,7 @@ index 958ca84..811174e 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5275,8 +5860,8 @@ interface(`files_lock_filetrans',` +@@ -5275,8 +5861,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -15369,7 +15451,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -5332,9 +5917,47 @@ interface(`files_search_pids',` +@@ -5332,9 +5918,47 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -15417,7 +15499,7 @@ index 958ca84..811174e 100644 ######################################## ## ## Do not audit attempts to search -@@ -5463,7 +6086,7 @@ interface(`files_pid_filetrans',` +@@ -5463,7 +6087,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15426,7 +15508,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6166,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -15489,7 +15571,7 @@ index 958ca84..811174e 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6238,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6239,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -15534,7 +15616,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -5769,7 +6486,7 @@ interface(`files_spool_filetrans',` +@@ -5769,7 +6487,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15543,7 +15625,7 @@ index 958ca84..811174e 100644 ') ######################################## -@@ -5844,3 +6561,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6562,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -17155,7 +17237,7 @@ index 0e5b661..3168d72 100644 +attribute mcsuntrustedproc; +attribute mcsnetwrite; diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 786449a..e8ebc76 100644 +index 786449a..c0ecbd5 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` @@ -17167,7 +17249,33 @@ index 786449a..e8ebc76 100644 ') ######################################## -@@ -257,6 +257,7 @@ interface(`selinux_dontaudit_read_fs',` +@@ -243,6 +243,25 @@ interface(`selinux_dontaudit_search_fs',` + + ######################################## + ## ++## Mount on selinuxfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`selinux_mounton_fs',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ allow $1 security_t:dir mounton; ++') ++ ++ ++######################################## ++## + ## Do not audit attempts to read + ## generic selinuxfs entries + ## +@@ -257,6 +276,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -17175,7 +17283,7 @@ index 786449a..e8ebc76 100644 dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -278,6 +279,7 @@ interface(`selinux_get_enforce_mode',` +@@ -278,6 +298,7 @@ interface(`selinux_get_enforce_mode',` type security_t; ') 
@@ -17183,7 +17291,7 @@ index 786449a..e8ebc76 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -358,6 +360,26 @@ interface(`selinux_load_policy',` +@@ -358,6 +379,26 @@ interface(`selinux_load_policy',` ######################################## ## @@ -17210,7 +17318,7 @@ index 786449a..e8ebc76 100644 ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. (Deprecated) ## -@@ -459,6 +481,7 @@ interface(`selinux_set_all_booleans',` +@@ -459,6 +500,7 @@ interface(`selinux_set_all_booleans',` ') allow $1 security_t:dir list_dir_perms; @@ -17218,7 +17326,7 @@ index 786449a..e8ebc76 100644 allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { -@@ -677,3 +700,24 @@ interface(`selinux_unconfined',` +@@ -677,3 +719,24 @@ interface(`selinux_unconfined',` typeattribute $1 selinux_unconfined_type; ') @@ -18449,7 +18557,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..3664943 100644 +index 2be17d2..4f2f20d 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) @@ -18506,7 +18614,7 @@ index 2be17d2..3664943 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,19 +68,95 @@ optional_policy(` +@@ -27,19 +68,99 @@ optional_policy(` ') optional_policy(` @@ -18515,6 +18623,10 @@ index 2be17d2..3664943 100644 +') + +optional_policy(` ++ chrome_role(staff_r, staff_t) ++') ++ ++optional_policy(` + colord_dbus_chat(staff_t) +') + @@ -18604,7 +18716,7 @@ index 2be17d2..3664943 100644 ') optional_policy(` -@@ -48,10 +165,48 @@ optional_policy(` +@@ -48,10 +169,48 @@ optional_policy(` ') optional_policy(` 
@@ -18653,7 +18765,7 @@ index 2be17d2..3664943 100644 xserver_role(staff_r, staff_t) ') -@@ -89,10 +244,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +248,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18664,7 +18776,7 @@ index 2be17d2..3664943 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +288,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +292,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18675,7 +18787,7 @@ index 2be17d2..3664943 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +319,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +323,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -19801,10 +19913,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..168668b +index 0000000..3be35bb --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,528 @@ +@@ -0,0 +1,539 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19822,6 +19934,13 @@ index 0000000..168668b + +## +##

++## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox ++##

++##
++gen_tunable(unconfined_chrome_sandbox_transition, false) ++ ++## ++##

+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +##

+##
@@ -20069,7 +20188,11 @@ index 0000000..168668b +') + +optional_policy(` -+ chrome_role(unconfined_r, unconfined_usertype) ++ chrome_role_notrans(unconfined_r, unconfined_usertype) ++ ++ tunable_policy(`unconfined_chrome_sandbox_transition',` ++ chrome_domtrans_sandbox(unconfined_usertype) ++ ') +') + +optional_policy(` @@ -20334,10 +20457,10 @@ index 0000000..168668b +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..425ea6f 100644 +index e5bfdd4..17b57ba 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,74 @@ role user_r; +@@ -12,15 +12,78 @@ role user_r; userdom_unpriv_user_template(user) @@ -20363,6 +20486,10 @@ index e5bfdd4..425ea6f 100644 +') + +optional_policy(` ++ chrome_role(user_r, user_t) ++') ++ ++optional_policy(` + gnome_role(user_r, user_t) +') + @@ -20412,7 +20539,7 @@ index e5bfdd4..425ea6f 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +121,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +125,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20423,7 +20550,7 @@ index e5bfdd4..425ea6f 100644 gpg_role(user_r, user_t) ') -@@ -118,11 +173,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +177,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20436,7 +20563,7 @@ index e5bfdd4..425ea6f 100644 ') optional_policy(` -@@ -157,3 +208,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +212,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -26096,7 +26223,7 @@ index e8e9a21..89fc935 100644 /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if -index 1f11572..7f6a7ab 100644 +index 1f11572..101824b 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if 
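Review bot: The description of `unconfined_chrome_sandbox_transition` should say that the tunable gates only unconfined_r and that its default of `false` leaves chrome-sandbox running in the caller's unconfined domain, because the `tunable_policy` block in this hunk is the only place the transition is conditional; staff_t (hunk `@@ -18506,7 +18614,7 @@`) and user_t (hunk `@@ -20363,6 +20486,10 @@`) are given `chrome_role`, which by its name includes the transition unconditionally, and that asymmetry looks intentional for confined roles but is not stated anywhere. The description text should also be capitalised like the neighbouring mozilla tunable and mention the default: `## Allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox. Off by default, so chrome-sandbox stays in the unconfined domain.`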
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` @@ -26123,7 +26250,33 @@ index 1f11572..7f6a7ab 100644 ') ######################################## -@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',` +@@ -133,6 +134,25 @@ interface(`clamav_exec_clamscan',` + + ######################################## + ## ++## Manage clamd pid content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clamav_manage_clamd_pid',` ++ gen_require(` ++ type clamd_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) ++ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an clamav environment + ## +@@ -151,9 +171,8 @@ interface(`clamav_exec_clamscan',` interface(`clamav_admin',` gen_require(` type clamd_t, clamd_etc_t, clamd_tmp_t; @@ -26136,7 +26289,7 @@ index 1f11572..7f6a7ab 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..a2e2d35 100644 +index f758323..4032a58 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ 
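Review bot: `clamav_manage_clamd_pid` grants manage on `clamd_var_run_t` directories and files but gives the caller no search permission on the parent pid directory, so a domain that gets only this interface may still be unable to reach the clamd pid content; the usual refpolicy shape for pid-content interfaces adds `files_search_pids($1)` after the two pattern lines. The first consumer is `mscan_t` in the mailscanner hunk further down, which may already get the search through its own pid rules, but the interface should not depend on that.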
@@ -26273,7 +26426,18 @@ index f758323..a2e2d35 100644 ######################################## # # clamscam local policy -@@ -248,9 +268,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) +@@ -242,15 +262,22 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) + manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) + allow clamscan_t clamd_var_lib_t:dir list_dir_perms; + ++read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) ++allow clamscan_t clamd_var_run_t:dir list_dir_perms; ++ ++kernel_read_system_state(clamscan_t) ++ + corenet_all_recvfrom_unlabeled(clamscan_t) + corenet_all_recvfrom_netlabel(clamscan_t) + corenet_tcp_sendrecv_generic_if(clamscan_t) corenet_tcp_sendrecv_generic_node(clamscan_t) corenet_tcp_sendrecv_all_ports(clamscan_t) corenet_tcp_sendrecv_clamd_port(clamscan_t) @@ -26285,7 +26449,7 @@ index f758323..a2e2d35 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +286,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +291,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -27085,10 +27249,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..9d0208a +index 0000000..760d092 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,111 @@ +policy_module(colord,1.0.0) + +######################################## @@ -27173,8 +27337,6 @@ index 0000000..9d0208a + +sysnet_dns_name_resolve(colord_t) + -+userdom_read_inherited_user_home_content_files(colord_t) -+ +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) + fs_read_nfs_files(colord_t) @@ -27193,10 +27355,6 @@ index 0000000..9d0208a +') + +optional_policy(` -+ gnome_read_gconf_home_files(colord_t) -+') -+ -+optional_policy(` + policykit_dbus_chat(colord_t) + policykit_domtrans_auth(colord_t) + policykit_read_lib(colord_t) 
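Review bot: The two removals in hunks `@@ -27173,8 +27337,6 @@` and `@@ -27193,10 +27355,6 @@` take away `userdom_read_inherited_user_home_content_files(colord_t)` and `gnome_read_gconf_home_files(colord_t)` without any replacement visible in this part of the patch, while the commit message says colord_t gains read access to icc_data_home_t content. If that rule lives in another hunk (an interface in gnome.if, for instance) this is fine, but otherwise colord loses its home-directory access rather than narrowing it. A one-line comment at the removal site naming where the icc_data_home_t access now comes from would make the dependency visible to the next reader.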
@@ -29100,7 +29258,7 @@ index 0d5711c..6e35cb2 100644 ') + diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 86d09b4..8e05351 100644 +index 86d09b4..e54a616 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t) @@ -29154,11 +29312,12 @@ index 86d09b4..8e05351 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,10 +147,18 @@ optional_policy(` +@@ -141,10 +147,19 @@ optional_policy(` ') optional_policy(` + gnome_exec_gconf(system_dbusd_t) ++ gnome_read_inherited_home_icc_data_files(system_dbusd_t) +') + +optional_policy(` @@ -29173,7 +29332,7 @@ index 86d09b4..8e05351 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -162,5 +176,12 @@ optional_policy(` +@@ -162,5 +177,12 @@ optional_policy(` # # Unconfined access to this module # @@ -29639,7 +29798,7 @@ index f706b99..f0c629f 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..7cc036b 100644 +index f231f17..44d8969 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -29758,7 +29917,7 @@ index f231f17..7cc036b 100644 domain_read_all_domains_state(devicekit_power_t) dev_read_input(devicekit_power_t) -@@ -212,21 +241,28 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,21 +241,29 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) 
@@ -29769,6 +29928,7 @@ index f231f17..7cc036b 100644 files_read_etc_files(devicekit_power_t) +files_read_etc_runtime_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) ++files_dontaudit_list_mnt(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) +fs_getattr_all_fs(devicekit_power_t) @@ -29788,7 +29948,7 @@ index f231f17..7cc036b 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,6 +271,10 @@ optional_policy(` +@@ -235,6 +272,10 @@ optional_policy(` ') optional_policy(` @@ -29799,7 +29959,7 @@ index f231f17..7cc036b 100644 cron_initrc_domtrans(devicekit_power_t) ') -@@ -261,14 +301,21 @@ optional_policy(` +@@ -261,14 +302,21 @@ optional_policy(` ') optional_policy(` @@ -29822,7 +29982,7 @@ index f231f17..7cc036b 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +323,25 @@ optional_policy(` +@@ -276,9 +324,25 @@ optional_policy(` ') optional_policy(` @@ -31512,7 +31672,7 @@ index f590a1f..338e5bf 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..e6d2dd2 100644 +index 2a69e5e..7842387 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t) 
@@ -31549,10 +31709,11 @@ index 2a69e5e..e6d2dd2 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -50,6 +60,10 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +@@ -50,6 +60,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) ++manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, file) @@ -31560,7 +31721,7 @@ index 2a69e5e..e6d2dd2 100644 kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) -@@ -66,6 +80,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -66,6 +81,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) @@ -31568,7 +31729,7 @@ index 2a69e5e..e6d2dd2 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +109,34 @@ optional_policy(` +@@ -94,5 +110,34 @@ optional_policy(` ') optional_policy(` @@ -33616,17 +33777,20 @@ index df48e5e..6985546 100644 type inetd_t; ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te -index c51a7b2..de05a6f 100644 +index c51a7b2..5f71f35 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te -@@ -149,6 +149,7 @@ miscfiles_read_localization(inetd_t) +@@ -149,7 +149,10 @@ miscfiles_read_localization(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) +mls_net_outbound_all_levels(inetd_t) mls_process_set_level(inetd_t) ++#706086 ++mls_net_outbound_all_levels(inetd_t) sysnet_read_config(inetd_t) + 
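Review bot: The added `manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)` lets fail2ban_t create directories of its own tmp type, but the filetrans two lines below is still `files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, file)`, so a directory created directly under /tmp would be labelled tmp_t and the new rule would only cover directories nested inside an already-labelled one. If the daemon does create top-level tmp directories, which the dir rule suggests, change the filetrans to `files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { file dir })`.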
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc index 8ca038d..8507ee2 100644 --- a/policy/modules/services/inn.fc @@ -33830,13 +33994,40 @@ index 4c9acec..deef4c7 100644 /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if -index 9878499..9167dc9 100644 +index 9878499..b5d5c6d 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if -@@ -1,8 +1,82 @@ +@@ -1,8 +1,71 @@ ## Jabber instant messaging server -######################################## ++##################################### ++## ++## Creates types and rules for a basic ++## jabber init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`jabberd_domain_template',` ++ gen_require(` ++ attribute jabberd_domain; ++ ') ++ ++ ############################## ++ # ++ # $1_t declarations ++ # ++ ++ type jabberd_$1_t, jabberd_domain; ++ type jabberd_$1_exec_t; ++ init_daemon_domain(jabberd_$1_t, jabberd_$1_exec_t) ++ ++') ++ +####################################### +## +## Execute a domain transition to run jabberd services @@ -33856,7 +34047,8 @@ index 9878499..9167dc9 100644 +') + +###################################### -+## + ## +-## Connect to jabber over a TCP socket (Deprecated) +## Execute a domain transition to run jabberd router service +## +## @@ -33876,13 +34068,15 @@ index 9878499..9167dc9 100644 +####################################### +## +## Read jabberd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -10,8 +73,51 @@ + ## + ## + # +-interface(`jabber_tcp_connect',` +- refpolicywarn(`$0($*) has been deprecated.') +interface(`jabberd_read_lib_files',` + gen_require(` + type jabberd_var_lib_t; 
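Review bot: The new side of the inetd.te hunk (`@@ -33616,17 +33777,20 @@`) calls `mls_net_outbound_all_levels(inetd_t)` twice: the inner patch already adds it right after `mls_socket_write_to_clearance(inetd_t)`, and the two `++` lines add it again after `mls_process_set_level(inetd_t)`. One of the two calls should go, keeping the comment with whichever remains. The bare `#706086` also gives a reader no context; if it is a bug tracker id, spell that out with a one-line reason, e.g. `# bug 706086: inetd needs outbound network access at all MLS levels`, adjusting the wording to what the report actually says.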
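Review bot: `jabberd_domain_template` carries a trailing blank `++` line before its closing `')`, and its banner is `#####################################` (35 characters) while the other blocks in jabber.if use the 40-character `########################################`; drop the blank line and lengthen the banner. The inner heading `# $1_t declarations` would also read better as `# jabberd_$1_t declarations`, since `jabberd_$1_t` is the type the template actually declares.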
@@ -33893,8 +34087,7 @@ index 9878499..9167dc9 100644 +') + +####################################### - ## --## Connect to jabber over a TCP socket (Deprecated) ++## +## Dontaudit inherited read jabberd lib files. +## +## @@ -33915,15 +34108,13 @@ index 9878499..9167dc9 100644 +## +## Create, read, write, and delete +## jabberd lib files. - ## - ## - ## -@@ -10,8 +84,13 @@ - ## - ## - # --interface(`jabber_tcp_connect',` -- refpolicywarn(`$0($*) has been deprecated.') ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`jabberd_manage_lib_files',` + gen_require(` + type jabberd_var_lib_t; @@ -33934,7 +34125,7 @@ index 9878499..9167dc9 100644 ') ######################################## -@@ -34,12 +113,15 @@ interface(`jabber_tcp_connect',` +@@ -34,12 +140,15 @@ interface(`jabber_tcp_connect',` interface(`jabber_admin',` gen_require(` type jabberd_t, jabberd_log_t, jabberd_var_lib_t; @@ -33952,10 +34143,10 @@ index 9878499..9167dc9 100644 domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..ae77997 100644 +index da2127e..085ad45 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te -@@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0) +@@ -5,13 +5,17 @@ policy_module(jabber, 1.8.0) # Declarations # @@ -33969,14 +34160,12 @@ index da2127e..ae77997 100644 type jabberd_initrc_exec_t; init_script_file(jabberd_initrc_exec_t) -+type jabberd_router_t, jabberd_domain; -+type jabberd_router_exec_t; -+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t) ++jabberd_domain_template(router) + type jabberd_log_t; logging_log_file(jabberd_log_t) -@@ -21,74 +27,91 @@ files_type(jabberd_var_lib_t) +@@ -21,74 +25,91 @@ files_type(jabberd_var_lib_t) type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) 
@@ -35246,6 +35435,183 @@ index af4d572..999384c 100644 -') \ No newline at end of file +') +diff --git a/policy/modules/services/mailscanner.fc b/policy/modules/services/mailscanner.fc +new file mode 100644 +index 0000000..827e22e +--- /dev/null ++++ b/policy/modules/services/mailscanner.fc +@@ -0,0 +1,11 @@ ++/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0) ++ ++/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0) ++ ++/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0) ++ ++/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0) ++ ++/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0) ++ ++/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0) +diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if +new file mode 100644 +index 0000000..39c12cb +--- /dev/null ++++ b/policy/modules/services/mailscanner.if +@@ -0,0 +1,58 @@ ++## E-mail security and anti-spam package for e-mail gateway systems. ++ ++######################################## ++## ++## Execute a domain transition to run ++## MailScanner. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mailscanner_initrc_domtrans',` ++ gen_require(` ++ type mscan_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, mscan_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mailscanner environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`mailscanner_admin',` ++ gen_require(` ++ type mscan_t, mscan_var_run_t, mscan_etc_t; ++ type mscan_initrc_exec_t; ++ ') ++ ++ mailscanner_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 mscan_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ allow $1 mscan_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mscan_t) ++ ++ admin_pattern($1, mscan_etc_t) ++ files_list_etc($1) ++ ++ admin_pattern($1, mscan_var_run_t) ++ files_list_pids($1) ++') +diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te +new file mode 100644 +index 0000000..b1cf109 +--- /dev/null ++++ b/policy/modules/services/mailscanner.te +@@ -0,0 +1,90 @@ ++policy_module(mailscanner, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mscan_t; ++type mscan_exec_t; ++init_daemon_domain(mscan_t, mscan_exec_t) ++ ++type mscan_initrc_exec_t; ++init_script_file(mscan_initrc_exec_t) ++ ++type mscan_etc_t; ++files_config_file(mscan_etc_t) ++ ++type mscan_tmp_t; ++files_tmp_file(mscan_tmp_t) ++ ++type mscan_var_run_t; ++files_pid_file(mscan_var_run_t) ++ ++# New in F16 ++permissive mscan_t; ++ ++######################################## ++# ++# Local policy ++# ++ ++allow mscan_t self:capability { setuid chown setgid dac_override }; ++allow mscan_t self:process signal; ++allow mscan_t self:fifo_file rw_fifo_file_perms; ++ ++read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) ++ ++manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) ++files_pid_filetrans(mscan_t, mscan_var_run_t, file) ++ ++manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) ++manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) ++files_tmp_filetrans(mscan_t, mscan_tmp_t, dir) ++ ++can_exec(mscan_t, mscan_exec_t) ++ ++kernel_read_system_state(mscan_t) ++ ++corecmd_exec_bin(mscan_t) ++corecmd_exec_shell(mscan_t) ++ ++corenet_tcp_connect_fprot_port(mscan_t) 
++corenet_tcp_sendrecv_fprot_port(mscan_t) ++corenet_sendrecv_fprot_client_packets(mscan_t) ++corenet_udp_bind_generic_node(mscan_t) ++corenet_udp_bind_generic_port(mscan_t) ++corenet_udp_sendrecv_all_ports(mscan_t) ++corenet_sendrecv_generic_server_packets(mscan_t) ++ ++dev_read_urand(mscan_t) ++ ++files_read_usr_files(mscan_t) ++ ++fs_getattr_xattr_fs(mscan_t) ++ ++auth_dontaudit_read_shadow(mscan_t) ++auth_use_nsswitch(mscan_t) ++ ++logging_send_syslog_msg(mscan_t) ++ ++miscfiles_read_localization(mscan_t) ++ ++optional_policy(` ++ clamav_domtrans_clamscan(mscan_t) ++ clamav_manage_clamd_pid(mscan_t) ++') ++ ++optional_policy(` ++ mta_send_mail(mscan_t) ++ mta_manage_queue(mscan_t) ++') ++ ++optional_policy(` ++ procmail_domtrans(mscan_t) ++') ++ ++optional_policy(` ++ spamassassin_read_home_client(mscan_t) ++ spamassassin_read_lib_files(mscan_t) ++') diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 index 0000000..bce824e @@ -36825,7 +37191,7 @@ index 0000000..0b9257a + xserver_dontaudit_read_xdm_pid(mpd_t) +') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc -index 256166a..df99841 100644 +index 256166a..6321a93 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc @@ -1,4 +1,5 @@ @@ -36835,7 +37201,7 @@ index 256166a..df99841 100644 /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -@@ -11,9 +12,12 @@ ifdef(`distro_redhat',` +@@ -11,20 +12,24 @@ ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') 
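Review bot: `permissive mscan_t;` in mailscanner.te means none of the rules in the new module are enforced, so the `{ setuid chown setgid dac_override }` capability set, the generic UDP port bind and the `auth_dontaudit_read_shadow` call will not be validated by denials until that line is removed, and the only justification given is `# New in F16`. The comment should say that the domain is deliberately permissive for this release and when it is to be dropped, e.g. `# Permissive for F16: denials are logged but not enforced; remove once the domain has been exercised.`. `dac_override` in particular is broad and is worth confirming against real AVC messages before the domain goes enforcing. In mailscanner.if, `mailscanner_admin`'s summary reads `an mailscanner environment`; `a MailScanner environment` matches the package name used in the .fc file.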
@@ -36849,6 +37215,22 @@ index 256166a..df99841 100644 /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + + /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +-/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) ++/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) ++/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 343cee3..fe40cce 100644 --- a/policy/modules/services/mta.if @@ -37217,7 +37599,7 @@ index 343cee3..fe40cce 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..24ab364 100644 +index 64268e4..5f0c71d 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) 
@@ -37396,11 +37778,15 @@ index 64268e4..24ab364 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +255,21 @@ optional_policy(` +@@ -249,16 +255,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') +optional_policy(` ++ postfix_rw_master_pipes(mailserver_delivery) ++') ++ ++optional_policy(` + uucp_domtrans_uux(mailserver_delivery) +') + @@ -37420,7 +37806,7 @@ index 64268e4..24ab364 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +303,44 @@ optional_policy(` +@@ -292,3 +307,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -41670,7 +42056,7 @@ index 46bee12..b90c902 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..4276415 100644 +index 06e37d4..c8e77f0 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -41860,11 +42246,12 @@ index 06e37d4..4276415 100644 ######################################## # # Postfix map local policy -@@ -385,13 +424,15 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; +@@ -385,13 +424,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +mcs_file_read_all(postfix_pickup_t) ++mcs_file_write_all(postfix_pickup_t) + ######################################## # 
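Review bot: `mcs_file_write_all(postfix_pickup_t)` is added next to `mcs_file_read_all` with no explanation of why pickup needs to be exempt from the MCS write constraint. Presumably it is because the `delete_files_pattern` on `postfix_spool_maildrop_t` just above is subject to that constraint, so pickup cannot unlink maildrop files submitted at a category it does not carry, but the hunk does not say so. A comment such as `# pickup must read and unlink maildrop files submitted at any MCS category` above the pair would record the reason for lifting the constraint, and makes it easier to revisit if the exemption is later found to be wider than needed.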
@@ -41877,7 +42264,7 @@ index 06e37d4..4276415 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +442,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +443,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -41886,7 +42273,7 @@ index 06e37d4..4276415 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +463,7 @@ optional_policy(` +@@ -420,6 +464,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -41894,7 +42281,7 @@ index 06e37d4..4276415 100644 ') optional_policy(` -@@ -436,6 +480,9 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,6 +481,9 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -41904,7 +42291,7 @@ index 06e37d4..4276415 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) postfix_list_spool(postfix_postdrop_t) -@@ -487,8 +534,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +535,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -41915,7 +42302,7 @@ index 06e37d4..4276415 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +554,8 @@ optional_policy(` +@@ -507,6 +555,8 @@ optional_policy(` # Postfix qmgr local policy # 
@@ -41924,7 +42311,7 @@ index 06e37d4..4276415 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +568,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +569,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -41933,7 +42320,7 @@ index 06e37d4..4276415 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +588,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +589,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -41942,7 +42329,7 @@ index 06e37d4..4276415 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +637,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +638,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -41959,7 +42346,7 @@ index 06e37d4..4276415 100644 ') optional_policy(` -@@ -611,8 +666,8 @@ optional_policy(` +@@ -611,8 +667,8 @@ optional_policy(` # Postfix virtual local policy # @@ -41969,7 +42356,7 @@ index 06e37d4..4276415 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +685,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +686,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -42985,7 +43372,7 @@ index 2855a44..c71fa1e 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..7cdabb5 100644 +index 64c5f95..daa73d1 100644 
--- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) @@ -43098,7 +43485,7 @@ index 64c5f95..7cdabb5 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -176,24 +244,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -176,24 +244,30 @@ allow puppetmaster_t self:udp_socket create_socket_perms; list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -43114,6 +43501,7 @@ index 64c5f95..7cdabb5 100644 +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; @@ -43130,7 +43518,7 @@ index 64c5f95..7cdabb5 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -43177,7 +43565,7 @@ index 64c5f95..7cdabb5 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +329,9 @@ optional_policy(` +@@ -231,3 +330,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -45100,10 +45488,10 @@ index 0000000..88f6a9e +') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 -index 0000000..ccd9f84 +index 0000000..988f82c --- /dev/null 
+++ b/policy/modules/services/rhev.te -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +policy_module(rhev,1.0) + +######################################## @@ -45146,6 +45534,7 @@ index 0000000..ccd9f84 +can_exec(rhev_agentd_t, rhev_agentd_tmp_t) + +kernel_read_system_state(rhev_agentd_t) ++kernel_read_kernel_sysctls(rhev_agentd_t) + +corecmd_exec_bin(rhev_agentd_t) +corecmd_exec_shell(rhev_agentd_t) @@ -45161,6 +45550,7 @@ index 0000000..ccd9f84 +init_read_utmp(rhev_agentd_t) + +libs_exec_ldconfig(rhev_agentd_t) ++logging_send_syslog_msg(rhev_agentd_t) + +miscfiles_read_localization(rhev_agentd_t) + @@ -46321,10 +46711,10 @@ index 71ea0ea..664e68e 100644 # interface(`rwho_domtrans',` diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te -index a07b2f4..d78daf4 100644 +index a07b2f4..0ba4495 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te -@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t) +@@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) @@ -46334,6 +46724,7 @@ index a07b2f4..d78daf4 100644 sysnet_dns_name_resolve(rwho_t) + ++userdom_getattr_user_terminals(rwho_t) diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc index 69a6074..73db5ba 100644 --- a/policy/modules/services/samba.fc @@ -47816,7 +48207,7 @@ index 6b3abf9..d445f78 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..7f57f22 100644 +index c954f31..c7cadcb 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -14,6 +14,7 @@ 
@@ -47849,7 +48240,7 @@ index c954f31..7f57f22 100644 ') ######################################## -@@ -111,6 +115,46 @@ interface(`spamassassin_domtrans_client',` +@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',` ') domtrans_pattern($1, spamc_exec_t, spamc_t) @@ -47893,10 +48284,31 @@ index c954f31..7f57f22 100644 + manage_dirs_pattern($1, spamc_home_t, spamc_home_t) + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ++') ++ ++######################################## ++## ++## Read spamc home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`spamassassin_read_home_client',` ++ gen_require(` ++ type spamc_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ list_dirs_pattern($1, spamc_home_t, spamc_home_t) ++ read_files_pattern($1, spamc_home_t, spamc_home_t) ++ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') ######################################## -@@ -166,7 +210,9 @@ interface(`spamassassin_read_lib_files',` +@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',` ') files_search_var_lib($1) @@ -47906,7 +48318,7 @@ index c954f31..7f57f22 100644 ') ######################################## -@@ -204,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',` +@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',` type spamd_tmp_t; ') @@ -47914,7 +48326,7 @@ index c954f31..7f57f22 100644 allow $1 spamd_tmp_t:file read_file_perms; ') -@@ -223,5 +270,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` type spamd_tmp_t; ') @@ -48892,7 +49304,7 @@ index 22adaca..76e8829 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..c71bdb9 100644 +index 2dad3c8..fcfc95b 100644 --- a/policy/modules/services/ssh.te 
+++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -49168,10 +49580,14 @@ index 2dad3c8..c71bdb9 100644 ') optional_policy(` -@@ -284,6 +329,11 @@ optional_policy(` +@@ -284,6 +329,15 @@ optional_policy(` ') optional_policy(` ++ systemd_exec_systemctl(sshd_t) ++') ++ ++optional_policy(` + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') @@ -49180,7 +49596,7 @@ index 2dad3c8..c71bdb9 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +342,26 @@ optional_policy(` +@@ -292,26 +346,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -49226,7 +49642,7 @@ index 2dad3c8..c71bdb9 100644 ') dnl endif TODO ######################################## -@@ -322,19 +372,25 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -49253,7 +49669,7 @@ index 2dad3c8..c71bdb9 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,9 +407,10 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -50124,7 +50540,7 @@ index c2cf97e..037a1e8 100644 allow uptimed_t uptimed_etc_t:file read_file_perms; files_search_etc(uptimed_t) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..d9dbcc2 100644 +index d4349e9..4d112ba 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -125,6 +125,8 @@ optional_policy(` @@ -50136,6 +50552,14 @@ index d4349e9..d9dbcc2 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) +@@ -147,3 +149,7 @@ optional_policy(` + optional_policy(` + nscd_socket_use(uux_t) + ') ++ ++optional_policy(` ++ postfix_rw_master_pipes(uux_t) ++') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index f9310f3..064171e 100644 
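Review bot: `systemd_exec_systemctl(sshd_t)` in the ssh.te hunk at `@@ -284,6 +329,15 @@` lets a network-facing daemon execute systemctl in its own domain, and neither the hunk nor the commit message records what triggers it. A comment above the new optional_policy block naming the use, e.g. `# sshd runs systemctl for <reason — fill in>`, would make the grant reviewable; if the call happens in a helper child, a domain transition would presumably be a tighter fit than exec-in-domain, which I cannot judge from here. The enclosing sshd_t policy continues outside the hunk.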
--- a/policy/modules/services/varnishd.te @@ -54352,14 +54776,17 @@ index d77e631..4776863 100644 # interface(`zabbix_append_log',` diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index c26ecf5..b906c48 100644 +index c26ecf5..49c7c50 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te -@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t) +@@ -25,12 +25,13 @@ files_pid_file(zabbix_var_run_t) + # zabbix local policy # - allow zabbix_t self:capability { setuid setgid }; +-allow zabbix_t self:capability { setuid setgid }; -allow zabbix_t self:fifo_file rw_file_perms; ++allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; ++allow zabbix_t self:process setsched; +allow zabbix_t self:fifo_file rw_fifo_file_perms; allow zabbix_t self:unix_stream_socket create_stream_socket_perms; @@ -54369,6 +54796,15 @@ index c26ecf5..b906c48 100644 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) logging_log_filetrans(zabbix_t, zabbix_log_t, file) +@@ -39,6 +40,8 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) + manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) + files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) + ++kernel_read_kernel_sysctls(zabbix_t) ++ + files_read_etc_files(zabbix_t) + + miscfiles_read_localization(zabbix_t) diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 index 0000000..28cd477 @@ -56706,7 +57142,7 @@ index cc83689..48662f1 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..0eb1342 100644 +index ea29513..52e944d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
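Review bot: The zabbix.te hunk at `@@ -25,12 +25,13 @@` widens `zabbix_t`'s capabilities to `{ dac_read_search dac_override setuid setgid }`, and `dac_override` is the broader of the two new ones: it bypasses mode bits for writes as well as reads, so it is only needed if the daemon writes files it does not own. If starting zabbix_server_mysql only needs to read root-owned configuration, `dac_read_search` alone covers it; otherwise a comment such as `# dac_override: <file written as non-owner — fill in>` would justify keeping it. The same hunk adds `allow zabbix_t self:process setsched;` with no note either.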
@@ -56834,7 +57270,7 @@ index ea29513..0eb1342 100644 files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +196,16 @@ mls_file_read_all_levels(init_t) +@@ -151,10 +196,19 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -56844,6 +57280,9 @@ index ea29513..0eb1342 100644 +mls_rangetrans_source(initrc_t) selinux_set_all_booleans(init_t) ++selinux_load_policy(init_t) ++selinux_mounton_fs(init_t) ++allow init_t security_t:security load_policy; -term_use_all_terms(init_t) +term_use_unallocated_ttys(init_t) @@ -56852,7 +57291,7 @@ index ea29513..0eb1342 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +213,15 @@ init_domtrans_script(init_t) +@@ -162,12 +216,16 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -56860,6 +57299,7 @@ index ea29513..0eb1342 100644 logging_rw_generic_logs(init_t) seutil_read_config(init_t) ++seutil_read_module_store(init_t) miscfiles_read_localization(init_t) @@ -56868,7 +57308,7 @@ index ea29513..0eb1342 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +232,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +236,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -56877,7 +57317,7 @@ index ea29513..0eb1342 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +240,121 @@ tunable_policy(`init_upstart',` +@@ -186,12 +244,121 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -56999,7 +57439,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -199,10 +362,26 @@ optional_policy(` +@@ -199,10 +366,26 @@ optional_policy(` ') optional_policy(` 
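Review bot: In the init.te hunk at `@@ -56844,6 +57280,9 @@`, the raw `allow init_t security_t:security load_policy;` right after `selinux_load_policy(init_t)` looks redundant — the refpolicy `selinux_load_policy` interface, as far as I recall, already grants `security_t:security load_policy` to its caller — and a bare rule on `security_t` also needs that type in init.te's gen_require block, whose hunk is not visible here. If the interface covers it, drop the raw line; if it was added because the interface did not, say so in a comment so nobody removes it later. Letting init_t load policy is a significant privilege on its own, so a one-line comment on the motivation (presumably an init that loads policy itself at early boot; the commit message does not mention it) would help.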
@@ -57026,7 +57466,7 @@ index ea29513..0eb1342 100644 unconfined_domain(init_t) ') -@@ -212,7 +391,7 @@ optional_policy(` +@@ -212,7 +395,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -57035,7 +57475,7 @@ index ea29513..0eb1342 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +420,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +424,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -57051,7 +57491,7 @@ index ea29513..0eb1342 100644 init_write_initctl(initrc_t) -@@ -258,20 +440,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +444,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -57088,7 +57528,7 @@ index ea29513..0eb1342 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +473,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +477,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -57096,7 +57536,7 @@ index ea29513..0eb1342 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +484,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +488,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -57107,7 +57547,7 @@ index ea29513..0eb1342 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +495,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +499,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -57124,7 +57564,7 @@ index ea29513..0eb1342 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +514,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +518,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -57132,7 +57572,7 @@ index ea29513..0eb1342 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +522,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +526,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -57144,7 +57584,7 @@ index ea29513..0eb1342 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +541,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +545,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -57158,7 +57598,7 @@ index ea29513..0eb1342 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +556,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +560,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -57167,7 +57607,7 @@ index ea29513..0eb1342 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +570,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +574,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -57175,7 +57615,7 @@ index ea29513..0eb1342 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +582,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +586,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -57183,7 +57623,7 @@ index ea29513..0eb1342 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +603,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +607,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -57205,7 +57645,7 @@ index ea29513..0eb1342 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +666,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +670,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -57216,7 +57656,7 @@ index ea29513..0eb1342 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +690,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +694,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -57225,7 +57665,7 @@ index ea29513..0eb1342 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +705,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +709,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -57233,7 +57673,7 @@ index ea29513..0eb1342 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +735,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +739,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -57263,7 +57703,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -531,10 +765,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +769,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -57286,7 +57726,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -549,6 +795,39 @@ ifdef(`distro_suse',` +@@ -549,6 +799,39 @@ ifdef(`distro_suse',` ') ') @@ -57326,7 +57766,7 @@ index ea29513..0eb1342 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +840,8 @@ optional_policy(` +@@ -561,6 +844,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -57335,7 +57775,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -577,6 +858,7 @@ optional_policy(` +@@ -577,6 +862,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -57343,7 +57783,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -589,6 +871,11 @@ optional_policy(` +@@ -589,6 +875,11 @@ optional_policy(` ') optional_policy(` @@ -57355,7 +57795,7 @@ index ea29513..0eb1342 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +892,13 @@ optional_policy(` +@@ -605,9 +896,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -57369,7 +57809,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -649,6 +940,11 @@ optional_policy(` +@@ -649,6 +944,11 @@ optional_policy(` ') optional_policy(` @@ -57381,7 +57821,7 @@ index ea29513..0eb1342 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +1002,13 @@ optional_policy(` +@@ -706,7 +1006,13 @@ optional_policy(` ') optional_policy(` 
@@ -57395,7 +57835,7 @@ index ea29513..0eb1342 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1031,10 @@ optional_policy(` +@@ -729,6 +1035,10 @@ optional_policy(` ') optional_policy(` @@ -57406,7 +57846,7 @@ index ea29513..0eb1342 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1044,20 @@ optional_policy(` +@@ -738,10 +1048,20 @@ optional_policy(` ') optional_policy(` @@ -57427,7 +57867,7 @@ index ea29513..0eb1342 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1066,10 @@ optional_policy(` +@@ -750,6 +1070,10 @@ optional_policy(` ') optional_policy(` @@ -57438,7 +57878,7 @@ index ea29513..0eb1342 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1091,6 @@ optional_policy(` +@@ -771,8 +1095,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -57447,7 +57887,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -781,14 +1099,21 @@ optional_policy(` +@@ -781,14 +1103,21 @@ optional_policy(` ') optional_policy(` @@ -57469,7 +57909,7 @@ index ea29513..0eb1342 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1125,6 @@ optional_policy(` +@@ -800,7 +1129,6 @@ optional_policy(` ') optional_policy(` @@ -57477,7 +57917,7 @@ index ea29513..0eb1342 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1134,24 @@ optional_policy(` +@@ -810,11 +1138,24 @@ optional_policy(` ') optional_policy(` @@ -57503,7 +57943,7 @@ index ea29513..0eb1342 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1161,25 @@ optional_policy(` +@@ -824,6 +1165,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -57529,7 +57969,7 @@ index ea29513..0eb1342 100644 ') optional_policy(` -@@ -849,3 +1205,42 @@ optional_policy(` +@@ -849,3 +1209,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') 
@@ -58174,7 +58614,7 @@ index 1d1c399..b8f623a 100644 + tgtd_manage_semaphores(iscsid_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..6b49c76 100644 +index 9df8c4d..4ea7422 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -37,17 +37,12 @@ ifdef(`distro_redhat',` @@ -58476,7 +58916,7 @@ index 9df8c4d..6b49c76 100644 ') dnl end distro_redhat # -@@ -316,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -316,17 +301,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -58489,9 +58929,10 @@ index 9df8c4d..6b49c76 100644 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) @@ -63918,7 +64359,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..d7d8b53 100644 +index 28b88de..64d9bb7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -65697,7 +66138,33 @@ index 28b88de..d7d8b53 100644 ') ######################################## -@@ -2815,7 +3264,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2644,6 +3093,25 @@ interface(`userdom_dontaudit_use_user_terminals',` + dontaudit $1 user_devpts_t:chr_file rw_term_perms; + ') + ++ ++######################################## ++## ++## Get attributes of user domain tty and pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_getattr_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ ++ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; ++') ++ + ######################################## + ## + ## Execute a shell in all user domains. This +@@ -2815,7 +3283,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -65706,7 +66173,7 @@ index 28b88de..d7d8b53 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3280,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3299,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -65722,7 +66189,7 @@ index 28b88de..d7d8b53 100644 ') ######################################## -@@ -2917,7 +3368,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3387,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -65731,7 +66198,7 @@ index 28b88de..d7d8b53 100644 ') ######################################## -@@ -2972,7 +3423,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3442,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
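Review bot: The new `userdom_getattr_user_terminals` interface in the userdomain.if hunk at `@@ -2644,6 +3093,25 @@` is preceded by an added empty line that follows the existing empty line after `userdom_dontaudit_use_user_terminals`, leaving two blank lines where the rest of the file uses one; drop the first added `+` line. The interface body itself mirrors its neighbour's gen_require pair, which is the right model.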
@@ -65778,7 +66245,7 @@ index 28b88de..d7d8b53 100644 ') ######################################## -@@ -3009,6 +3498,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3517,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -65786,7 +66253,7 @@ index 28b88de..d7d8b53 100644 kernel_search_proc($1) ') -@@ -3087,6 +3577,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3596,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -65811,7 +66278,7 @@ index 28b88de..d7d8b53 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3647,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3666,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -67327,7 +67794,7 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index f7380b3..5989a3c 100644 +index f7380b3..4dc179b 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -67349,7 +67816,7 @@ index f7380b3..5989a3c 100644 # # Permissions for creating and using sockets. -@@ -199,12 +198,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') +@@ -199,12 +198,15 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') 
@@ -67358,7 +67825,9 @@ index f7380b3..5989a3c 100644 +define(`read_file_perms',`{ open read_inherited_file_perms }') define(`mmap_file_perms',`{ getattr open read execute ioctl }') define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') - define(`append_file_perms',`{ getattr open append lock ioctl }') +-define(`append_file_perms',`{ getattr open append lock ioctl }') ++define(`append_inherited_perms',`{ getattr append }') ++define(`append_file_perms',`{ open lock ioctl }') define(`write_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') @@ -67366,7 +67835,7 @@ index f7380b3..5989a3c 100644 define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') -@@ -225,7 +226,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') +@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') @@ -67375,7 +67844,7 @@ index f7380b3..5989a3c 100644 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -238,7 +239,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') +@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') 
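Review bot: The new `append_file_perms` definition `{ open lock ioctl }` in the obj_perm_sets.spt hunk at `@@ -199,12 +198,15 @@` drops both `append` and `getattr`, so every `append_file_perms` user in the tree loses the one permission the set is named for; the sibling rewrite on the neighbouring line keeps the old set by composition, `read_file_perms` becoming `{ open read_inherited_file_perms }`. It should follow the same shape and the `rw_inherited_file_perms` contents: `define(`append_inherited_file_perms',`{ getattr append lock ioctl }')` and `define(`append_file_perms',`{ open append_inherited_file_perms }')`. The name `append_inherited_perms` also breaks the `*_inherited_file_perms` pattern used by `read_inherited_file_perms` and `rw_inherited_file_perms` in the same hunk.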
@@ -67385,7 +67854,7 @@ index f7380b3..5989a3c 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -254,7 +256,8 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') @@ -67395,7 +67864,7 @@ index f7380b3..5989a3c 100644 define(`create_sock_file_perms',`{ getattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') -@@ -271,7 +274,8 @@ define(`setattr_blk_file_perms',`{ setattr }') +@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') @@ -67405,7 +67874,7 @@ index f7380b3..5989a3c 100644 define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') -@@ -288,7 +292,8 @@ define(`setattr_chr_file_perms',`{ setattr }') +@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }') define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') 
@@ -67415,7 +67884,7 @@ index f7380b3..5989a3c 100644 define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -305,7 +310,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') +@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # @@ -67425,7 +67894,7 @@ index f7380b3..5989a3c 100644 # # Sockets -@@ -317,3 +323,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 38ec847..401d718 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 25%{?dist} +Release: 26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,15 @@ exit 0 %endif %changelog +* Tue Jun 7 2011 Miroslav Grepl 3.9.16-26 +- Add mailscanner policy from dgrift +- Allow chrome to optionally be transitioned to +- Zabbix needs these rules when starting the zabbix_server_mysql +- Implement a type for freedesktop openicc standard (~/.local/share/icc) +- Allow system_dbusd_t to read inherited icc_data_home_t files. +- Allow colord_t to read icc_data_home_t content. #706975 +- Label stuff under /usr/lib/debug as if it was labeled under / + * Thu Jun 2 2011 Miroslav Grepl 3.9.16-25 - Fixes for sanlock policy - Fixes for colord policy