From 9e6acc6847d24bf74149e050f7c6198d8d56c3c8 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jul 29 2011 14:09:58 +0000 Subject: - init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh --- diff --git a/policy-F16.patch b/policy-F16.patch index 791b917..bc64861 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -264,6 +264,30 @@ index e66c296..993a1e9 100644 + + dontaudit $1 acct_data_t:dir list_dir_perms; +') +diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te +index 63ef90e..a535b31 100644 +--- a/policy/modules/admin/acct.te ++++ b/policy/modules/admin/acct.te +@@ -55,6 +55,8 @@ files_list_usr(acct_t) + # for nscd + files_dontaudit_search_pids(acct_t) + ++auth_use_nsswitch(acct_t) ++ + init_use_fds(acct_t) + init_use_script_ptys(acct_t) + init_exec_script_files(acct_t) +@@ -77,10 +79,6 @@ optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(acct_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(acct_t) + ') + diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc index e3e0701..3fd0282 100644 --- a/policy/modules/admin/amanda.fc @@ -422,7 +446,7 @@ index 63eb96b..17a9f6d 100644 ## ## Execute bootloader interactively and do diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..eeb1b1a 100644 +index d3da8f2..559bc9b 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; @@ -434,7 +458,14 @@ index d3da8f2..eeb1b1a 100644 # # The temp file is used for initrd creation; -@@ -121,13 +121,11 @@ logging_rw_generic_logs(bootloader_t) +@@ -116,18 +116,18 @@ init_rw_script_pipes(bootloader_t) + libs_read_lib_files(bootloader_t) + libs_exec_lib_files(bootloader_t) + ++auth_use_nsswitch(bootloader_t) ++ + logging_send_syslog_msg(bootloader_t) + logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) @@ -449,7 +480,7 @@ index d3da8f2..eeb1b1a 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -162,12 +160,18 @@ ifdef(`distro_redhat',` +@@ -162,12 +162,18 @@ ifdef(`distro_redhat',` files_manage_isid_type_blk_files(bootloader_t) files_manage_isid_type_chr_files(bootloader_t) @@ -472,10 +503,14 @@ index d3da8f2..eeb1b1a 100644 ') optional_policy(` -@@ -197,6 +201,7 @@ optional_policy(` +@@ -197,10 +203,7 @@ optional_policy(` modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) modutils_exec_update_mods(bootloader_t) +-') +- +-optional_policy(` +- nscd_socket_use(bootloader_t) + modutils_domtrans_insmod_uncond(bootloader_t) ') @@ -528,6 +563,21 @@ index 6b02433..1e28e62 100644 optional_policy(` apache_exec_modules(certwatch_t) +diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if +index 0f57d3b..655d07f 100644 +--- a/policy/modules/admin/consoletype.if ++++ b/policy/modules/admin/consoletype.if +@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',` + + corecmd_search_bin($1) + domtrans_pattern($1, consoletype_exec_t, consoletype_t) +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit consoletype_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index cd5e005..50e9ee4 100644 --- a/policy/modules/admin/consoletype.te @@ -890,7 +940,7 @@ index 9dd6880..4b7fa27 100644 optional_policy(` diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te -index 4f7bd3c..b5c346f 100644 +index 4f7bd3c..6c420a4 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te @@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t) @@ -910,22 +960,20 @@ index 4f7bd3c..b5c346f 100644 userdom_dontaudit_use_unpriv_user_fds(kudzu_t) userdom_search_user_home_dirs(kudzu_t) -@@ -128,6 +123,14 @@ optional_policy(` +@@ -128,7 +123,11 @@ optional_policy(` ') optional_policy(` +- nscd_socket_use(kudzu_t) + modutils_read_module_config(kudzu_t) + modutils_read_module_deps(kudzu_t) + modutils_rename_module_config(kudzu_t) + modutils_delete_module_config(kudzu_t) + modutils_domtrans_insmod(kudzu_t) -+') -+ -+optional_policy(` - nscd_socket_use(kudzu_t) ') -@@ -141,5 +144,5 @@ optional_policy(` + optional_policy(` +@@ -141,5 +140,5 @@ optional_policy(` optional_policy(` unconfined_domtrans(kudzu_t) @@ -1559,6 +1607,18 @@ index 7f1d18e..a68d519 100644 userdom_dontaudit_read_user_home_content_files(portage_fetch_t) ifdef(`hide_broken_symptoms',` +diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if +index 93ec175..0e42018 100644 +--- a/policy/modules/admin/prelink.if ++++ b/policy/modules/admin/prelink.if +@@ -19,7 +19,6 @@ interface(`prelink_domtrans',` + domtrans_pattern($1, prelink_exec_t, prelink_t) + + ifdef(`hide_broken_symptoms', ` +- dontaudit prelink_t $1:socket_class_set { read write }; + dontaudit prelink_t $1:fifo_file setattr; + ') + ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index af55369..5ede07b 100644 --- a/policy/modules/admin/prelink.te @@ -2109,7 +2169,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..0b100a8 100644 +index 47a8f7d..fdbf07c 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -2171,6 +2231,17 @@ index 47a8f7d..0b100a8 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) +@@ -154,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t) + + term_list_ptys(rpm_t) + +-auth_relabel_all_files_except_shadow(rpm_t) +-auth_manage_all_files_except_shadow(rpm_t) ++files_relabel_all_files(rpm_t) ++files_manage_all_files(rpm_t) + auth_dontaudit_read_shadow(rpm_t) + auth_use_nsswitch(rpm_t) + @@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) @@ -2219,7 +2290,7 @@ index 47a8f7d..0b100a8 100644 kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) -@@ -299,7 +321,7 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -299,15 +321,17 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -2228,8 +2299,11 @@ index 47a8f7d..0b100a8 100644 auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) -@@ -308,6 +330,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) - auth_relabel_shadow(rpm_script_t) + # ideally we would not need this +-auth_manage_all_files_except_shadow(rpm_script_t) +-auth_relabel_shadow(rpm_script_t) ++files_manage_all_files(rpm_script_t) ++files_relabel_all_files(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) @@ -2436,10 +2510,10 @@ index 95bce88..d1edd79 100644 optional_policy(` hostname_exec(shorewall_t) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if -index d0604cf..3089f30 100644 +index d0604cf..15311b4 100644 --- a/policy/modules/admin/shutdown.if +++ b/policy/modules/admin/shutdown.if -@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',` +@@ -18,9 +18,12 @@ interface(`shutdown_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, shutdown_exec_t, shutdown_t) @@ -2448,13 +2522,13 @@ index d0604cf..3089f30 100644 + ') + ifdef(`hide_broken_symptoms', ` - dontaudit shutdown_t $1:socket_class_set { read write }; +- dontaudit shutdown_t $1:socket_class_set { read write }; - dontaudit shutdown_t $1:fifo_file { read write }; + dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; ') ') -@@ -51,6 +55,73 @@ interface(`shutdown_run',` +@@ -51,6 +54,73 @@ interface(`shutdown_run',` ######################################## ## @@ -2661,9 +2735,18 @@ index 94c01b5..f64bd93 100644 ######################################## diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te -index fe1c377..7660180 100644 +index fe1c377..557e37f 100644 --- a/policy/modules/admin/sosreport.te +++ b/policy/modules/admin/sosreport.te +@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t) + + # some config files do not have configfile attribute + # sosreport needs to read various files on system +-auth_read_all_files_except_shadow(sosreport_t) ++files_read_non_security_files(sosreport_t) + auth_use_nsswitch(sosreport_t) + + init_domtrans_script(sosreport_t) @@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t) miscfiles_read_localization(sosreport_t) @@ -2687,10 +2770,22 @@ index fe1c377..7660180 100644 ') diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 8c5fa3c..1a46f56 100644 +index 8c5fa3c..ce3d33a 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if -@@ -210,7 +210,7 @@ template(`su_role_template',` +@@ -119,11 +119,6 @@ template(`su_restricted_domain_template', ` + userdom_spec_domtrans_unpriv_users($1_su_t) + ') + +- ifdef(`hide_broken_symptoms',` +- # dontaudit leaked sockets from parent +- dontaudit $1_su_t $2:socket_class_set { read write }; +- ') +- + optional_policy(` + cron_read_pipes($1_su_t) + ') +@@ -210,7 +205,7 @@ template(`su_role_template',` auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) @@ -2699,7 +2794,7 @@ index 8c5fa3c..1a46f56 100644 auth_rw_faillog($1_su_t) corecmd_search_bin($1_su_t) -@@ -234,6 +234,7 @@ template(`su_role_template',` +@@ -234,6 +229,7 @@ template(`su_role_template',` userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) @@ -2707,6 +2802,18 @@ index 8c5fa3c..1a46f56 100644 ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora +@@ -279,11 +275,6 @@ template(`su_role_template',` + ') + ') + +- ifdef(`hide_broken_symptoms',` +- # dontaudit leaked sockets from parent +- dontaudit $1_su_t $3:socket_class_set { read write }; +- ') +- + tunable_policy(`allow_polyinstantiation',` + fs_mount_xattr_fs($1_su_t) + fs_unmount_xattr_fs($1_su_t) diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02..2b59ed0 100644 --- a/policy/modules/admin/sudo.fc @@ -2717,7 +2824,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..f220623 100644 +index 975af1a..bcc4481 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -2781,7 +2888,7 @@ index 975af1a..f220623 100644 seutil_libselinux_linked($1_sudo_t) userdom_spec_domtrans_all_users($1_sudo_t) -@@ -135,13 +153,18 @@ template(`sudo_role_template',` +@@ -135,12 +153,13 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) @@ -2792,15 +2899,13 @@ index 975af1a..f220623 100644 + userdom_search_admin_dir($1_sudo_t) + userdom_manage_all_users_keys($1_sudo_t) - ifdef(`hide_broken_symptoms', ` - dontaudit $1_sudo_t $3:socket_class_set { read write }; - ') - +- ifdef(`hide_broken_symptoms', ` +- dontaudit $1_sudo_t $3:socket_class_set { read write }; +- ') + mta_role($2, $1_sudo_t) -+ + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) - ') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 2731fa1..3443ba2 100644 --- a/policy/modules/admin/sudo.te @@ -2814,9 +2919,18 @@ index 2731fa1..3443ba2 100644 +files_type(sudo_db_t) + diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te -index d5aaf0e..689b2fd 100644 +index d5aaf0e..6b16aef 100644 --- a/policy/modules/admin/sxid.te +++ b/policy/modules/admin/sxid.te +@@ -66,7 +66,7 @@ fs_list_all(sxid_t) + + term_dontaudit_use_console(sxid_t) + +-auth_read_all_files_except_shadow(sxid_t) ++files_read_non_security_files(sxid_t) + auth_dontaudit_getattr_shadow(sxid_t) + + init_use_fds(sxid_t) @@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t) miscfiles_read_localization(sxid_t) @@ -2978,6 +3092,33 @@ index d0f2a64..834a56d 100644 # tzdata looks for /var/spool/postfix/etc/localtime. optional_policy(` +diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te +index ef12ed5..2c013c4 100644 +--- a/policy/modules/admin/updfstab.te ++++ b/policy/modules/admin/updfstab.te +@@ -78,9 +78,8 @@ seutil_read_file_contexts(updfstab_t) + userdom_dontaudit_search_user_home_content(updfstab_t) + userdom_dontaudit_use_unpriv_user_fds(updfstab_t) + +-optional_policy(` +- auth_domtrans_pam_console(updfstab_t) +-') ++auth_use_nsswitch(updfstab_t) ++auth_domtrans_pam_console(updfstab_t) + + optional_policy(` + init_dbus_chat_script(updfstab_t) +@@ -104,10 +103,6 @@ optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(updfstab_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(updfstab_t) + ') + diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te index 74354da..f04565f 100644 --- a/policy/modules/admin/usbmodules.te @@ -3015,13 +3156,30 @@ index c467144..fb794f9 100644 /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 81fb26f..adce466 100644 +index 81fb26f..66cf96c 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if -@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',` +@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` + + corecmd_search_bin($1) + domtrans_pattern($1, chfn_exec_t, chfn_t) +- +- ifdef(`hide_broken_symptoms',` +- dontaudit chfn_t $1:socket_class_set { read write }; +- ') + ') ######################################## - ## +@@ -65,10 +61,25 @@ interface(`usermanage_domtrans_groupadd',` + + corecmd_search_bin($1) + domtrans_pattern($1, groupadd_exec_t, groupadd_t) ++') + +- ifdef(`hide_broken_symptoms',` +- dontaudit groupadd_t $1:socket_class_set { read write }; ++######################################## ++## +## Check access to the groupadd executable. +## +## @@ -3033,18 +3191,25 @@ index 81fb26f..adce466 100644 +interface(`usermanage_access_check_groupadd',` + gen_require(` + type groupadd_exec_t; -+ ') + ') + + corecmd_search_bin($1) + allow $1 groupadd_exec_t:file { getattr_file_perms execute }; -+') -+ -+######################################## -+## - ## Execute groupadd in the groupadd domain, and - ## allow the specified role the groupadd domain. - ## -@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',` + ') + + ######################################## +@@ -118,10 +129,6 @@ interface(`usermanage_domtrans_passwd',` + + corecmd_search_bin($1) + domtrans_pattern($1, passwd_exec_t, passwd_t) +- +- ifdef(`hide_broken_symptoms',` +- dontaudit passwd_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +@@ -170,6 +177,25 @@ interface(`usermanage_run_passwd',` ######################################## ## @@ -3070,7 +3235,18 @@ index 81fb26f..adce466 100644 ## Execute password admin functions in ## the admin passwd domain. ## -@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',` +@@ -254,10 +280,6 @@ interface(`usermanage_domtrans_useradd',` + + corecmd_search_bin($1) + domtrans_pattern($1, useradd_exec_t, useradd_t) +- +- ifdef(`hide_broken_symptoms',` +- dontaudit useradd_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +@@ -285,6 +307,9 @@ interface(`usermanage_run_useradd',` usermanage_domtrans_useradd($1) role $2 types useradd_t; @@ -3080,7 +3256,7 @@ index 81fb26f..adce466 100644 seutil_run_semanage(useradd_t, $2) optional_policy(` -@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',` +@@ -294,6 +319,25 @@ interface(`usermanage_run_useradd',` ######################################## ## @@ -3356,10 +3532,10 @@ index 0000000..1f468aa +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..bbbba63 +index 0000000..bacc639 --- /dev/null +++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,128 @@ +@@ -0,0 +1,127 @@ + +## policy for chrome + @@ -3384,7 +3560,6 @@ index 0000000..bbbba63 + allow $1 chrome_sandbox_t:fd use; + + ifdef(`hide_broken_symptoms',` -+ dontaudit chrome_sandbox_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) + ') +') @@ -3646,10 +3821,19 @@ index 37475dd..7db4a01 100644 + xserver_dbus_chat_xdm(cpufreqselector_t) +') diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te -index cd70958..126d7ea 100644 +index cd70958..e8c94b1 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te -@@ -215,7 +215,7 @@ userdom_rw_user_tmp_files(evolution_t) +@@ -202,6 +202,8 @@ files_read_var_files(evolution_t) + + fs_search_auto_mountpoints(evolution_t) + ++auth_use_nsswitch(evolution_t) ++ + logging_send_syslog_msg(evolution_t) + + miscfiles_read_localization(evolution_t) +@@ -215,7 +217,7 @@ userdom_rw_user_tmp_files(evolution_t) userdom_manage_user_tmp_dirs(evolution_t) userdom_manage_user_tmp_sockets(evolution_t) userdom_manage_user_tmp_files(evolution_t) @@ -3658,6 +3842,99 @@ index cd70958..126d7ea 100644 # FIXME: suppress access to .local/.icons/.themes until properly implemented # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) # until properly implemented +@@ -319,15 +321,6 @@ optional_policy(` + mozilla_domtrans(evolution_t) + ') + +-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) +-optional_policy(` +- nis_use_ypbind(evolution_t) +-') +- +-optional_policy(` +- nscd_socket_use(evolution_t) +-') +- + ### Junk mail filtering (start spamd) + optional_policy(` + spamassassin_exec_spamd(evolution_t) +@@ -376,6 +369,8 @@ files_read_usr_files(evolution_alarm_t) + + fs_search_auto_mountpoints(evolution_alarm_t) + ++auth_use_nsswitch(evolution_alarm_t) ++ + miscfiles_read_localization(evolution_alarm_t) + + # Access evolution home +@@ -404,10 +399,6 @@ optional_policy(` + gnome_stream_connect_gconf(evolution_alarm_t) + ') + +-optional_policy(` +- nscd_socket_use(evolution_alarm_t) +-') +- + ######################################## + # + # Evolution exchange connector local policy +@@ -459,6 +450,8 @@ files_read_usr_files(evolution_exchange_t) + # Access evolution home + fs_search_auto_mountpoints(evolution_exchange_t) + ++auth_use_nsswitch(evolution_exchange_t) ++ + miscfiles_read_localization(evolution_exchange_t) + + userdom_write_user_tmp_sockets(evolution_exchange_t) +@@ -484,10 +477,6 @@ optional_policy(` + gnome_stream_connect_gconf(evolution_exchange_t) + ') + +-optional_policy(` +- nscd_socket_use(evolution_exchange_t) +-') +- + ######################################## + # + # Evolution data server local policy +@@ -539,6 +528,8 @@ files_read_usr_files(evolution_server_t) + + fs_search_auto_mountpoints(evolution_server_t) + ++auth_use_nsswitch(evolution_server_t) ++ + miscfiles_read_localization(evolution_server_t) + # Look in /etc/pki + miscfiles_read_generic_certs(evolution_server_t) +@@ -568,10 +559,6 @@ optional_policy(` + gnome_stream_connect_gconf(evolution_server_t) + ') + +-optional_policy(` +- nscd_socket_use(evolution_server_t) +-') +- + ######################################## + # + # Evolution webcal local policy +@@ -600,6 +587,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t) + corenet_sendrecv_http_client_packets(evolution_webcal_t) + corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) + ++auth_use_nsswitch(evolution_webcal_t) ++ + # Networking capability - connect to website and handle ics link + sysnet_read_config(evolution_webcal_t) + sysnet_dns_name_resolve(evolution_webcal_t) +@@ -612,7 +601,3 @@ userdom_search_user_home_dirs(evolution_webcal_t) + userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) + + xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) +- +-optional_policy(` +- nscd_socket_use(evolution_webcal_t) +-') diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 index 0000000..6f3570a @@ -3714,10 +3991,10 @@ index 0000000..6f3570a +/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 -index 0000000..34d913e +index 0000000..6c038c8 --- /dev/null +++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,112 @@ +@@ -0,0 +1,110 @@ +## execmem domain + +######################################## @@ -3783,9 +4060,7 @@ index 0000000..34d913e + allow $1_execmem_t self:process { execmem execstack }; + allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) -+ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_execmem_t $3:socket_class_set { read write }; -+') ++ + files_execmod_tmp($1_execmem_t) + + # needed by plasma-desktop @@ -3904,10 +4179,10 @@ index 0000000..2bd5790 +') diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te new file mode 100644 -index 0000000..f4c2d3f +index 0000000..5e96d3d --- /dev/null +++ b/policy/modules/apps/firewallgui.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,71 @@ +policy_module(firewallgui,1.0.0) + +######################################## @@ -3953,6 +4228,8 @@ index 0000000..f4c2d3f +files_search_kernel_modules(firewallgui_t) +files_list_kernel_modules(firewallgui_t) + ++auth_use_nsswitch(firewallgui_t) ++ +miscfiles_read_localization(firewallgui_t) + +userdom_dontaudit_search_user_home_dirs(firewallgui_t) @@ -3975,11 +4252,6 @@ index 0000000..f4c2d3f +') + +optional_policy(` -+ nscd_dontaudit_search_pid(firewallgui_t) -+ nscd_socket_use(firewallgui_t) -+') -+ -+optional_policy(` + policykit_dbus_chat(firewallgui_t) +') diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te @@ -4046,10 +4318,10 @@ index 00a19e3..d5acf98 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..d428376 100644 +index f5afe78..940c1c4 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,729 @@ +@@ -1,44 +1,731 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -4142,6 +4414,8 @@ index f5afe78..d428376 100644 + + ps_process_pattern($1_gkeyringd_t, $3) + ++ auth_use_nsswitch($1_gkeyringd_t) ++ + ps_process_pattern($3, $1_gkeyringd_t) + allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + @@ -4797,7 +5071,7 @@ index f5afe78..d428376 100644 ## ## ## -@@ -46,37 +731,36 @@ interface(`gnome_role',` +@@ -46,37 +733,36 @@ interface(`gnome_role',` ## ## # @@ -4846,7 +5120,7 @@ index f5afe78..d428376 100644 ## ## ## -@@ -84,37 +768,42 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',` ## ## # @@ -4900,7 +5174,7 @@ index f5afe78..d428376 100644 ## ## ## -@@ -122,17 +811,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -4922,7 +5196,7 @@ index f5afe78..d428376 100644 ## ## ## -@@ -140,51 +829,354 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +831,354 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -5293,7 +5567,7 @@ index f5afe78..d428376 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..5b18879 100644 +index 2505654..0c8361a 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0) @@ -5371,7 +5645,7 @@ index 2505654..5b18879 100644 ############################## # # Local Policy -@@ -75,3 +113,169 @@ optional_policy(` +@@ -75,3 +113,167 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -5505,8 +5779,6 @@ index 2505654..5b18879 100644 + +selinux_getattr_fs(gkeyringd_domain) + -+auth_use_nsswitch(gkeyringd_domain) -+ +logging_send_syslog_msg(gkeyringd_domain) + +miscfiles_read_localization(gkeyringd_domain) @@ -5559,10 +5831,10 @@ index e9853d4..6864b58 100644 +/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if -index 40e0a2a..f4a103c 100644 +index 40e0a2a..93d212c 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if -@@ -54,10 +54,13 @@ interface(`gpg_role',` +@@ -54,15 +54,16 @@ interface(`gpg_role',` manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) @@ -5575,8 +5847,13 @@ index 40e0a2a..f4a103c 100644 + allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; ifdef(`hide_broken_symptoms',` #Leaked File Descriptors - dontaudit gpg_t $2:socket_class_set { getattr read write }; -@@ -85,6 +88,43 @@ interface(`gpg_domtrans',` +- dontaudit gpg_t $2:socket_class_set { getattr read write }; + dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; +- dontaudit gpg_agent_t $2:socket_class_set { getattr read write }; + dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; + ') + ') +@@ -85,6 +86,43 @@ interface(`gpg_domtrans',` domtrans_pattern($1, gpg_exec_t, gpg_t) ') @@ -6022,7 +6299,7 @@ index 86c1768..5d2130c 100644 /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) ') diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if -index e6d84e8..b10bbbc 100644 +index e6d84e8..7c398c0 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -72,7 +72,8 @@ template(`java_role_template',` @@ -6035,19 +6312,16 @@ index e6d84e8..b10bbbc 100644 allow $1_java_t self:process { ptrace signal getsched execmem execstack }; -@@ -82,7 +83,10 @@ template(`java_role_template',` +@@ -82,7 +83,7 @@ template(`java_role_template',` domtrans_pattern($3, java_exec_t, $1_java_t) - corecmd_bin_domtrans($1_java_t, $3) + corecmd_bin_domtrans($1_java_t, $1_t) -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_t $1_java_t:socket_class_set { read write }; -+ ') dev_dontaudit_append_rand($1_java_t) -@@ -105,7 +109,7 @@ template(`java_role_template',` +@@ -105,7 +106,7 @@ template(`java_role_template',` ## ## # @@ -6056,7 +6330,7 @@ index e6d84e8..b10bbbc 100644 gen_require(` type java_t, java_exec_t; ') -@@ -179,6 +183,10 @@ interface(`java_run_unconfined',` +@@ -179,6 +180,10 @@ interface(`java_run_unconfined',` java_domtrans_unconfined($1) role $2 types unconfined_java_t; @@ -6068,10 +6342,10 @@ index e6d84e8..b10bbbc 100644 ######################################## diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te -index 167950d..ef63b20 100644 +index 167950d..27d37b0 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te -@@ -82,12 +82,12 @@ dev_read_urand(java_t) +@@ -82,18 +82,20 @@ dev_read_urand(java_t) dev_read_rand(java_t) dev_dontaudit_append_rand(java_t) @@ -6085,7 +6359,30 @@ index 167950d..ef63b20 100644 fs_getattr_xattr_fs(java_t) fs_dontaudit_rw_tmpfs_files(java_t) -@@ -143,14 +143,21 @@ optional_policy(` + + logging_send_syslog_msg(java_t) + ++auth_use_nsswitch(java_t) ++ + miscfiles_read_localization(java_t) + # Read global fonts and font config + miscfiles_read_fonts(java_t) +@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',` + ') + + optional_policy(` +- nis_use_ypbind(java_t) +-') +- +-optional_policy(` +- nscd_socket_use(java_t) +-') +- +-optional_policy(` + xserver_user_x_domain_template(java, java_t, java_tmpfs_t) + ') + +@@ -143,14 +137,21 @@ optional_policy(` # execheap is needed for itanium/BEA jrocket allow unconfined_java_t self:process { execstack execmem execheap }; @@ -6261,6 +6558,21 @@ index a0be4ef..ae36a3f 100644 ') optional_policy(` +diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if +index b55edd0..7b8d952 100644 +--- a/policy/modules/apps/loadkeys.if ++++ b/policy/modules/apps/loadkeys.if +@@ -17,10 +17,6 @@ interface(`loadkeys_domtrans',` + + corecmd_search_bin($1) + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) +- +- ifdef(`hide_broken_symptoms',` +- dontaudit loadkeys_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index 2523758..50629a8 100644 --- a/policy/modules/apps/loadkeys.te @@ -6296,10 +6608,10 @@ index 0bac996..ca2388d 100644 +userdom_use_inherited_user_terminals(lockdev_t) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if -index 7b08e13..515a88a 100644 +index 7b08e13..1fa8573 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if -@@ -41,15 +41,22 @@ template(`mono_role_template',` +@@ -41,7 +41,6 @@ template(`mono_role_template',` application_type($1_mono_t) allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; @@ -6307,20 +6619,13 @@ index 7b08e13..515a88a 100644 allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) - +@@ -49,7 +48,8 @@ template(`mono_role_template',` fs_dontaudit_rw_tmpfs_files($1_mono_t) corecmd_bin_domtrans($1_mono_t, $1_t) -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_t $1_mono_t:socket_class_set { read write }; -+ ') - userdom_manage_user_tmpfs_files($1_mono_t) + userdom_unpriv_usertype($1, $1_mono_t) + userdom_manage_tmpfs_role($2, $1_mono_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_t $1_mono_t:socket_class_set { read write }; -+ ') optional_policy(` xserver_role($1_r, $1_mono_t) @@ -6497,7 +6802,7 @@ index fbb5c5a..170963f 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..456b38e 100644 +index 2e9318b..d4c78ac 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -6529,7 +6834,16 @@ index 2e9318b..456b38e 100644 corenet_tcp_sendrecv_ftp_port(mozilla_t) corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) -@@ -165,7 +169,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -156,6 +160,8 @@ fs_rw_tmpfs_files(mozilla_t) + + term_dontaudit_getattr_pty_dirs(mozilla_t) + ++auth_use_nsswitch(mozilla_t) ++ + logging_send_syslog_msg(mozilla_t) + + miscfiles_read_fonts(mozilla_t) +@@ -165,7 +171,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -6538,7 +6852,7 @@ index 2e9318b..456b38e 100644 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -262,6 +266,7 @@ optional_policy(` +@@ -262,6 +268,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -6546,19 +6860,17 @@ index 2e9318b..456b38e 100644 ') optional_policy(` -@@ -282,6 +287,11 @@ optional_policy(` +@@ -278,7 +285,8 @@ optional_policy(` ') optional_policy(` +- nscd_socket_use(mozilla_t) + nsplugin_manage_rw(mozilla_t) + nsplugin_manage_home_files(mozilla_t) -+') -+ -+optional_policy(` - pulseaudio_exec(mozilla_t) - pulseaudio_stream_connect(mozilla_t) - pulseaudio_manage_home_files(mozilla_t) -@@ -297,15 +307,18 @@ optional_policy(` + ') + + optional_policy(` +@@ -297,15 +305,18 @@ optional_policy(` # dontaudit mozilla_plugin_t self:capability { sys_ptrace }; @@ -6580,7 +6892,7 @@ index 2e9318b..456b38e 100644 can_exec(mozilla_plugin_t, mozilla_home_t) read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -@@ -313,8 +326,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +@@ -313,8 +324,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -6593,7 +6905,7 @@ index 2e9318b..456b38e 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -332,11 +347,9 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -332,11 +345,9 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -6607,7 +6919,7 @@ index 2e9318b..456b38e 100644 corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -@@ -344,6 +357,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) +@@ -344,6 +355,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) @@ -6617,7 +6929,7 @@ index 2e9318b..456b38e 100644 dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,13 +401,19 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -385,13 +399,19 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -6637,7 +6949,7 @@ index 2e9318b..456b38e 100644 tunable_policy(`allow_execmem',` allow mozilla_plugin_t self:process { execmem execstack }; -@@ -425,6 +447,11 @@ optional_policy(` +@@ -425,6 +445,11 @@ optional_policy(` ') optional_policy(` @@ -6649,7 +6961,7 @@ index 2e9318b..456b38e 100644 gnome_manage_config(mozilla_plugin_t) ') -@@ -438,7 +465,14 @@ optional_policy(` +@@ -438,7 +463,14 @@ optional_policy(` ') optional_policy(` @@ -6665,7 +6977,7 @@ index 2e9318b..456b38e 100644 ') optional_policy(` -@@ -446,10 +480,27 @@ optional_policy(` +@@ -446,10 +478,27 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -6738,7 +7050,7 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te -index 072a210..7986b0b 100644 +index 072a210..16ce654 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t) @@ -6766,10 +7078,12 @@ index 072a210..7986b0b 100644 manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -225,10 +227,12 @@ fs_dontaudit_getattr_all_fs(mplayer_t) +@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) ++auth_use_nsswitch(mplayer_t) ++ +logging_send_syslog_msg(mplayer_t) + miscfiles_read_localization(mplayer_t) @@ -6780,17 +7094,15 @@ index 072a210..7986b0b 100644 # Read media files userdom_list_user_tmp(mplayer_t) userdom_read_user_tmp_files(mplayer_t) -@@ -305,6 +309,10 @@ optional_policy(` +@@ -305,7 +311,7 @@ optional_policy(` ') optional_policy(` +- nscd_socket_use(mplayer_t) + gnome_setattr_config_dirs(mplayer_t) -+') -+ -+optional_policy(` - nscd_socket_use(mplayer_t) ') + optional_policy(` diff --git a/policy/modules/apps/namespace.fc b/policy/modules/apps/namespace.fc new file mode 100644 index 0000000..ce51c8d @@ -6917,10 +7229,10 @@ index 0000000..22e6c96 +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..044c613 +index 0000000..1925bd9 --- /dev/null +++ b/policy/modules/apps/nsplugin.if -@@ -0,0 +1,474 @@ +@@ -0,0 +1,472 @@ + +## policy for nsplugin + @@ -7006,9 +7318,7 @@ index 0000000..044c613 + + #Leaked File Descriptors +ifdef(`hide_broken_symptoms', ` -+ dontaudit nsplugin_t $2:socket_class_set { read write }; + dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit nsplugin_config_t $2:socket_class_set { read write }; + dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; +') + allow nsplugin_t $2:unix_stream_socket connectto; @@ -8320,10 +8630,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..6efdeca +index 0000000..809784d --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,362 @@ +@@ -0,0 +1,364 @@ + +## policy for sandbox + @@ -8446,6 +8756,8 @@ index 0000000..6efdeca + application_type($1_t) + mcs_untrusted_proc($1_t) + ++ auth_use_nsswitch($1_t) ++ + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; @@ -8688,10 +9000,10 @@ index 0000000..6efdeca +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..cb552f5 +index 0000000..31c02d2 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,486 @@ +@@ -0,0 +1,483 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8916,7 +9228,6 @@ index 0000000..cb552f5 + +auth_dontaudit_read_login_records(sandbox_x_domain) +auth_dontaudit_write_login_records(sandbox_x_domain) -+auth_use_nsswitch(sandbox_x_domain) +auth_search_pam_console_data(sandbox_x_domain) + +init_read_utmp(sandbox_x_domain) @@ -9101,8 +9412,6 @@ index 0000000..cb552f5 + +storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) + -+auth_use_nsswitch(sandbox_web_type) -+ +dbus_system_bus_client(sandbox_web_type) +dbus_read_config(sandbox_web_type) +selinux_get_fs_mount(sandbox_web_type) @@ -9242,10 +9551,20 @@ index a57e81e..57519a4 100644 files_search_tmp($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..9342572 100644 +index 1dc7a85..a01511f 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if -@@ -53,8 +53,14 @@ interface(`seunshare_run',` +@@ -43,18 +43,18 @@ interface(`seunshare_run',` + role $2 types seunshare_t; + + allow $1 seunshare_t:process signal_perms; +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit seunshare_t $1:tcp_socket rw_socket_perms; +- dontaudit seunshare_t $1:udp_socket rw_socket_perms; +- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; +- ') + ') ######################################## ## @@ -9261,7 +9580,7 @@ index 1dc7a85..9342572 100644 ## ## ## Role allowed access. -@@ -66,15 +72,32 @@ interface(`seunshare_run',` +@@ -66,15 +66,30 @@ interface(`seunshare_run',` ## ## # @@ -9279,10 +9598,10 @@ index 1dc7a85..9342572 100644 + role $2 types $1_seunshare_t; - seunshare_domtrans($1) ++ auth_use_nsswitch($1_seunshare_t) ++ + mls_process_set_level($1_seunshare_t) - -- ps_process_pattern($2, seunshare_t) -- allow $2 seunshare_t:process signal; ++ + domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) + sandbox_transition($1_seunshare_t, $2) + @@ -9292,19 +9611,17 @@ index 1dc7a85..9342572 100644 + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; -+ + +- ps_process_pattern($2, seunshare_t) +- allow $2 seunshare_t:process signal; + corecmd_bin_domtrans($1_seunshare_t, $1_t) + corecmd_shell_domtrans($1_seunshare_t, $1_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_seunshare_t $3:socket_class_set { read write }; -+ ') ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..9a7ebe5 100644 +index 7590165..7e6f53c 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -9351,13 +9668,11 @@ index 7590165..9a7ebe5 100644 +fs_manage_cgroup_files(seunshare_domain) -miscfiles_read_localization(seunshare_t) -+auth_use_nsswitch(seunshare_domain) - --userdom_use_user_terminals(seunshare_t) +logging_send_syslog_msg(seunshare_domain) +-userdom_use_user_terminals(seunshare_t) +miscfiles_read_localization(seunshare_domain) -+ + +userdom_use_inherited_user_terminals(seunshare_domain) +userdom_list_user_home_content(seunshare_domain) ifdef(`hide_broken_symptoms', ` @@ -9384,7 +9699,7 @@ index 7590165..9a7ebe5 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if -index 3cfb128..e9bfed0 100644 +index 3cfb128..609921d 100644 --- a/policy/modules/apps/telepathy.if +++ b/policy/modules/apps/telepathy.if @@ -11,7 +11,6 @@ @@ -9395,7 +9710,18 @@ index 3cfb128..e9bfed0 100644 template(`telepathy_domain_template',` gen_require(` -@@ -32,7 +31,7 @@ template(`telepathy_domain_template',` +@@ -23,16 +22,18 @@ template(`telepathy_domain_template',` + type telepathy_$1_exec_t, telepathy_executable; + application_domain(telepathy_$1_t, telepathy_$1_exec_t) + ubac_constrained(telepathy_$1_t) ++ auth_use_nsswitch(telepathy_$1_t) + + type telepathy_$1_tmp_t; + files_tmp_file(telepathy_$1_tmp_t) + ubac_constrained(telepathy_$1_tmp_t) ++ + ') + ####################################### ## ## Role access for telepathy domains @@ -9404,7 +9730,7 @@ index 3cfb128..e9bfed0 100644 ## ## ## -@@ -44,8 +43,13 @@ template(`telepathy_domain_template',` +@@ -44,8 +45,13 @@ template(`telepathy_domain_template',` ## The type of the user domain. ## ## @@ -9419,7 +9745,7 @@ index 3cfb128..e9bfed0 100644 gen_require(` attribute telepathy_domain; type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; -@@ -76,6 +80,8 @@ template(`telepathy_role', ` +@@ -76,6 +82,8 @@ template(`telepathy_role', ` dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) @@ -9428,7 +9754,7 @@ index 3cfb128..e9bfed0 100644 ') ######################################## -@@ -122,11 +128,6 @@ interface(`telepathy_gabble_dbus_chat', ` +@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', ` ## ## Read telepathy mission control state. ## @@ -9440,7 +9766,7 @@ index 3cfb128..e9bfed0 100644 ## ## ## Domain allowed access. -@@ -179,3 +180,75 @@ interface(`telepathy_salut_stream_connect', ` +@@ -179,3 +182,75 @@ interface(`telepathy_salut_stream_connect', ` stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) files_search_tmp($1) ') @@ -9517,7 +9843,7 @@ index 3cfb128..e9bfed0 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..9f6298c 100644 +index 2533ea0..e6e956f 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t) @@ -9627,15 +9953,19 @@ index 2533ea0..9f6298c 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -365,6 +404,7 @@ dev_read_urand(telepathy_domain) +@@ -365,10 +404,9 @@ dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) +fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) - auth_use_nsswitch(telepathy_domain) -@@ -376,5 +416,23 @@ optional_policy(` +-auth_use_nsswitch(telepathy_domain) +- + miscfiles_read_localization(telepathy_domain) + + optional_policy(` +@@ -376,5 +414,23 @@ optional_policy(` ') optional_policy(` @@ -9695,7 +10025,7 @@ index e70b0e8..cd83b89 100644 /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if -index ced285a..3d2073a 100644 +index ced285a..ff11b08 100644 --- a/policy/modules/apps/userhelper.if +++ b/policy/modules/apps/userhelper.if @@ -25,6 +25,7 @@ template(`userhelper_role_template',` @@ -9706,7 +10036,36 @@ index ced285a..3d2073a 100644 ') ######################################## -@@ -256,3 +257,65 @@ interface(`userhelper_exec',` +@@ -122,6 +123,9 @@ template(`userhelper_role_template',` + auth_manage_pam_pid($1_userhelper_t) + auth_manage_var_auth($1_userhelper_t) + auth_search_pam_console_data($1_userhelper_t) ++ auth_use_nsswitch($1_userhelper_t) ++ ++ logging_send_syslog_msg($1_userhelper_t) + + # Inherit descriptors from the current session. + init_use_fds($1_userhelper_t) +@@ -146,18 +150,6 @@ template(`userhelper_role_template',` + ') + + optional_policy(` +- logging_send_syslog_msg($1_userhelper_t) +- ') +- +- optional_policy(` +- nis_use_ypbind($1_userhelper_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_userhelper_t) +- ') +- +- optional_policy(` + tunable_policy(`! secure_mode',` + #if we are not in secure mode then we can transition to sysadm_t + sysadm_bin_spec_domtrans($1_userhelper_t) +@@ -256,3 +248,65 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) ') @@ -9946,10 +10305,18 @@ index 23066a1..6aff330 100644 # cjp: why? userdom_read_user_home_content_files(vmware_t) diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te -index b11941a..dc37e57 100644 +index b11941a..93ec570 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te -@@ -81,7 +81,7 @@ miscfiles_read_public_files(webalizer_t) +@@ -75,13 +75,15 @@ files_read_etc_runtime_files(webalizer_t) + logging_list_logs(webalizer_t) + logging_send_syslog_msg(webalizer_t) + ++auth_use_nsswitch(webalizer_t) ++ + miscfiles_read_localization(webalizer_t) + miscfiles_read_public_files(webalizer_t) + sysnet_dns_name_resolve(webalizer_t) sysnet_read_config(webalizer_t) @@ -9958,6 +10325,20 @@ index b11941a..dc37e57 100644 userdom_use_unpriv_users_fds(webalizer_t) userdom_dontaudit_search_user_home_content(webalizer_t) +@@ -97,13 +99,5 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(webalizer_t) +-') +- +-optional_policy(` +- nscd_socket_use(webalizer_t) +-') +- +-optional_policy(` + squid_read_log(webalizer_t) + ') diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc index 9d24449..2666317 100644 --- a/policy/modules/apps/wine.fc @@ -9979,7 +10360,7 @@ index 9d24449..2666317 100644 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if -index f9a73d0..4b055c1 100644 +index f9a73d0..e10101a 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -29,12 +29,16 @@ @@ -10017,13 +10398,8 @@ index f9a73d0..4b055c1 100644 type wine_exec_t; ') -@@ -99,9 +103,12 @@ template(`wine_role_template',` - allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; - domtrans_pattern($3, wine_exec_t, $1_wine_t) +@@ -101,7 +105,7 @@ template(`wine_role_template',` corecmd_bin_domtrans($1_wine_t, $1_t) -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_t $1_wine_t:socket_class_set { read write }; -+ ') userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) @@ -10031,7 +10407,7 @@ index f9a73d0..4b055c1 100644 domain_mmap_low($1_wine_t) -@@ -109,6 +116,10 @@ template(`wine_role_template',` +@@ -109,6 +113,10 @@ template(`wine_role_template',` dontaudit $1_wine_t self:memprotect mmap_zero; ') @@ -10056,7 +10432,7 @@ index be9246b..e3de8fa 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te -index 8bfe97d..6bba1a8 100644 +index 8bfe97d..9e4ad2c 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -15,6 +15,7 @@ ubac_constrained(wireshark_t) @@ -10067,6 +10443,26 @@ index 8bfe97d..6bba1a8 100644 userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; +@@ -85,6 +86,8 @@ fs_search_auto_mountpoints(wireshark_t) + + libs_read_lib_files(wireshark_t) + ++auth_use_nsswitch(wireshark_t) ++ + miscfiles_read_fonts(wireshark_t) + miscfiles_read_localization(wireshark_t) + +@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_symlinks(wireshark_t) + ') + +-optional_policy(` +- nscd_socket_use(wireshark_t) +-') +- + # Manual transition from userhelper + optional_policy(` + userhelper_use_fd(wireshark_t) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if index b3efef7..50c1a74 100644 --- a/policy/modules/apps/wm.if @@ -10097,10 +10493,19 @@ index 1bdeb16..775f788 100644 userdom_read_user_home_content_files(xscreensaver_t) diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te -index 223ad43..d400ef6 100644 +index 223ad43..d95e720 100644 --- a/policy/modules/apps/yam.te +++ b/policy/modules/apps/yam.te -@@ -92,7 +92,7 @@ seutil_read_config(yam_t) +@@ -83,6 +83,8 @@ fs_search_auto_mountpoints(yam_t) + # Content can also be on ISO image files. + fs_read_iso9660_files(yam_t) + ++auth_use_nsswitch(yam_t) ++ + logging_send_syslog_msg(yam_t) + + miscfiles_read_localization(yam_t) +@@ -92,7 +94,7 @@ seutil_read_config(yam_t) sysnet_dns_name_resolve(yam_t) sysnet_read_config(yam_t) @@ -10109,6 +10514,20 @@ index 223ad43..d400ef6 100644 userdom_use_unpriv_users_fds(yam_t) # Reading dotfiles... # cjp: ? +@@ -112,13 +114,5 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(yam_t) +-') +- +-optional_policy(` +- nscd_socket_use(yam_t) +-') +- +-optional_policy(` + rsync_exec(yam_t) + ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 3fae11a..c8607de 100644 --- a/policy/modules/kernel/corecommands.fc @@ -10368,7 +10787,7 @@ index 9e9263a..59c2125 100644 manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 4f3b542..4581434 100644 +index 4f3b542..5a41e58 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` @@ -10538,11 +10957,11 @@ index 4f3b542..4581434 100644 +interface(`corenet_dccp_bind_generic_port',` + gen_require(` + type port_t; -+ attribute port_type; ++ attribute defined_port_type; + ') + + allow $1 port_t:dccp_socket name_bind; -+ dontaudit $1 { port_type -port_t }:dccp_socket name_bind; ++ dontaudit $1 defined_port_type:dccp_socket name_bind; +') + +######################################## @@ -10550,10 +10969,21 @@ index 4f3b542..4581434 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1264,6 +1394,25 @@ interface(`corenet_tcp_bind_generic_port',` +@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',` + interface(`corenet_tcp_bind_generic_port',` + gen_require(` + type port_t; +- attribute port_type; ++ attribute defined_port_type; + ') - ######################################## - ## + allow $1 port_t:tcp_socket name_bind; +- dontaudit $1 { port_type -port_t }:tcp_socket name_bind; ++ dontaudit $1 defined_port_type:tcp_socket name_bind; ++') ++ ++######################################## ++## +## Do not audit attempts to bind DCCP +## sockets to generic ports. +## @@ -10569,17 +10999,24 @@ index 4f3b542..4581434 100644 + ') + + dontaudit $1 port_t:dccp_socket name_bind; + ') + + ######################################## +@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` + interface(`corenet_udp_bind_generic_port',` + gen_require(` + type port_t; +- attribute port_type; ++ attribute defined_port_type; + ') + + allow $1 port_t:udp_socket name_bind; +- dontaudit $1 { port_type -port_t }:udp_socket name_bind; ++ dontaudit $1 defined_port_type:udp_socket name_bind; +') + +######################################## +## - ## Do not audit bind TCP sockets to generic ports. - ## - ## -@@ -1302,6 +1451,24 @@ interface(`corenet_udp_bind_generic_port',` - - ######################################## - ## +## Connect DCCP sockets to generic ports. +## +## @@ -10594,13 +11031,9 @@ index 4f3b542..4581434 100644 + ') + + allow $1 port_t:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Connect TCP sockets to generic ports. - ## - ## + ') + + ######################################## @@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',` ######################################## @@ -10753,80 +11186,119 @@ index 4f3b542..4581434 100644 ## Send and receive TCP network traffic on generic reserved ports. ## ## -@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` +@@ -1647,7 +1924,7 @@ interface(`corenet_udp_sendrecv_reserved_port',` ######################################## ## +-## Bind TCP sockets to generic reserved ports. +## Bind DCCP sockets to generic reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1655,18 +1932,18 @@ interface(`corenet_udp_sendrecv_reserved_port',` + ## + ## + # +-interface(`corenet_tcp_bind_reserved_port',` +interface(`corenet_dccp_bind_reserved_port',` -+ gen_require(` -+ type reserved_port_t; -+ ') -+ + gen_require(` + type reserved_port_t; + ') + +- allow $1 reserved_port_t:tcp_socket name_bind; + allow $1 reserved_port_t:dccp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## - ## Bind TCP sockets to generic reserved ports. + allow $1 self:capability net_bind_service; + ') + + ######################################## + ## +-## Bind UDP sockets to generic reserved ports. ++## Bind TCP sockets to generic reserved ports. ## ## -@@ -1685,7 +1981,7 @@ interface(`corenet_udp_bind_reserved_port',` + ## +@@ -1674,18 +1951,18 @@ interface(`corenet_tcp_bind_reserved_port',` + ## + ## + # +-interface(`corenet_udp_bind_reserved_port',` ++interface(`corenet_tcp_bind_reserved_port',` + gen_require(` + type reserved_port_t; + ') + +- allow $1 reserved_port_t:udp_socket name_bind; ++ allow $1 reserved_port_t:tcp_socket name_bind; + allow $1 self:capability net_bind_service; + ') ######################################## ## -## Connect TCP sockets to generic reserved ports. -+## Connect DCCP sockets to generic reserved ports. ++## Bind UDP sockets to generic reserved ports. ## ## ## -@@ -1693,17 +1989,17 @@ interface(`corenet_udp_bind_reserved_port',` +@@ -1693,17 +1970,18 @@ interface(`corenet_udp_bind_reserved_port',` ## ## # -interface(`corenet_tcp_connect_reserved_port',` -+interface(`corenet_dccp_connect_reserved_port',` ++interface(`corenet_udp_bind_reserved_port',` gen_require(` type reserved_port_t; ') - allow $1 reserved_port_t:tcp_socket name_connect; -+ allow $1 reserved_port_t:dccp_socket name_connect; ++ allow $1 reserved_port_t:udp_socket name_bind; ++ allow $1 self:capability net_bind_service; ') ######################################## ## -## Send and receive TCP network traffic on all reserved ports. -+## Connect TCP sockets to generic reserved ports. ++## Connect DCCP sockets to generic reserved ports. ## ## ## -@@ -1711,17 +2007,53 @@ interface(`corenet_tcp_connect_reserved_port',` +@@ -1711,17 +1989,17 @@ interface(`corenet_tcp_connect_reserved_port',` ## ## # -interface(`corenet_tcp_sendrecv_all_reserved_ports',` -+interface(`corenet_tcp_connect_reserved_port',` ++interface(`corenet_dccp_connect_reserved_port',` gen_require(` - attribute reserved_port_type; + type reserved_port_t; ') - allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; -+ allow $1 reserved_port_t:tcp_socket name_connect; ++ allow $1 reserved_port_t:dccp_socket name_connect; ') ######################################## ## -## Send UDP network traffic on all reserved ports. ++## Connect TCP sockets to generic reserved ports. + ## + ## + ## +@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_send_all_reserved_ports',` ++interface(`corenet_tcp_connect_reserved_port',` + gen_require(` +- attribute reserved_port_type; ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:tcp_socket name_connect; ++') ++ ++######################################## ++## +## Send and receive DCCP network traffic on all reserved ports. +## +## @@ -10864,9 +11336,19 @@ index 4f3b542..4581434 100644 +######################################## +## +## Send UDP network traffic on all reserved ports. - ## - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_udp_send_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket send_msg; @@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ######################################## @@ -10932,10 +11414,10 @@ index 4f3b542..4581434 100644 +# +interface(`corenet_dccp_bind_all_unreserved_ports',` + gen_require(` -+ attribute port_type, reserved_port_type; ++ attribute unreserved_port_type; + ') + -+ allow $1 { port_type -reserved_port_type }:dccp_socket name_bind; ++ allow $1 unreserved_port_type:dccp_socket name_bind; +') + +######################################## @@ -10943,10 +11425,32 @@ index 4f3b542..4581434 100644 ## Bind TCP sockets to all ports > 1024. ## ## -@@ -1882,6 +2269,24 @@ interface(`corenet_udp_bind_all_unreserved_ports',` +@@ -1856,10 +2243,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute unreserved_port_type; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 unreserved_port_type:tcp_socket name_bind; + ') ######################################## - ## +@@ -1874,10 +2261,28 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute unreserved_port_type; ++ ') ++ ++ allow $1 unreserved_port_type:udp_socket name_bind; ++') ++ ++######################################## ++## +## Connect DCCP sockets to reserved ports. +## +## @@ -10958,16 +11462,13 @@ index 4f3b542..4581434 100644 +interface(`corenet_dccp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; -+ ') -+ + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; + allow $1 reserved_port_type:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Connect TCP sockets to reserved ports. - ## - ## + ') + + ######################################## @@ -1900,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ######################################## @@ -10982,10 +11483,10 @@ index 4f3b542..4581434 100644 +# +interface(`corenet_dccp_connect_all_unreserved_ports',` + gen_require(` -+ attribute port_type, reserved_port_type; ++ attribute unreserved_port_type; + ') + -+ allow $1 { port_type -reserved_port_type }:dccp_socket name_connect; ++ allow $1 unreserved_port_type:dccp_socket name_connect; +') + +######################################## @@ -10993,10 +11494,20 @@ index 4f3b542..4581434 100644 ## Connect TCP sockets to all ports > 1024. ## ## -@@ -1918,6 +2341,25 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` +@@ -1910,10 +2333,29 @@ interface(`corenet_tcp_connect_all_reserved_ports',` + # + interface(`corenet_tcp_connect_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute unreserved_port_type; + ') - ######################################## - ## +- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; ++ allow $1 unreserved_port_type:tcp_socket name_connect; ++') ++ ++######################################## ++## +## Do not audit attempts to connect DCCP sockets +## all reserved ports. +## @@ -11012,13 +11523,9 @@ index 4f3b542..4581434 100644 + ') + + dontaudit $1 reserved_port_type:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Do not audit attempts to connect TCP sockets - ## all reserved ports. - ## + ') + + ######################################## @@ -1937,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` ######################################## @@ -11369,10 +11876,17 @@ index 4f3b542..4581434 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..b49e084 100644 +index 99b71cb..7345e5f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in -@@ -16,6 +16,7 @@ attribute rpc_port_type; +@@ -11,11 +11,14 @@ attribute netif_type; + attribute node_type; + attribute packet_type; + attribute port_type; ++attribute defined_port_type; + attribute reserved_port_type; ++attribute unreserved_port_type; + attribute rpc_port_type; attribute server_packet_type; attribute corenet_unconfined_type; @@ -11380,7 +11894,7 @@ index 99b71cb..b49e084 100644 type ppp_device_t; dev_node(ppp_device_t) -@@ -25,6 +26,7 @@ dev_node(ppp_device_t) +@@ -25,6 +28,7 @@ dev_node(ppp_device_t) # type tun_tap_device_t; dev_node(tun_tap_device_t) @@ -11388,7 +11902,7 @@ index 99b71cb..b49e084 100644 ######################################## # -@@ -34,6 +36,18 @@ dev_node(tun_tap_device_t) +@@ -34,6 +38,18 @@ dev_node(tun_tap_device_t) # # client_packet_t is the default type of IPv4 and IPv6 client packets. # @@ -11407,7 +11921,7 @@ index 99b71cb..b49e084 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -65,22 +79,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -11435,7 +11949,7 @@ index 99b71cb..b49e084 100644 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -88,7 +106,9 @@ network_port(clamd, tcp,3310,s0) +@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -11445,7 +11959,7 @@ index 99b71cb..b49e084 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -99,9 +119,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -11460,7 +11974,7 @@ index 99b71cb..b49e084 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -129,20 +154,25 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -11489,7 +12003,7 @@ index 99b71cb..b49e084 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) @@ -11512,7 +12026,7 @@ index 99b71cb..b49e084 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -183,25 +221,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -11545,7 +12059,7 @@ index 99b71cb..b49e084 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -215,7 +257,7 @@ network_port(uucpd, tcp,540,s0) +@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -11554,7 +12068,7 @@ index 99b71cb..b49e084 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -@@ -229,6 +271,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -11562,7 +12076,7 @@ index 99b71cb..b49e084 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -282,9 +325,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -11575,6 +12089,28 @@ index 99b71cb..b49e084 100644 -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; +diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 +index 35fed4f..49f27ca 100644 +--- a/policy/modules/kernel/corenetwork.te.m4 ++++ b/policy/modules/kernel/corenetwork.te.m4 +@@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*)) + define(`declare_ports',`dnl + ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; + ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') +-',`dnl') ++',`typeattribute $1 unreserved_port_type;') + portcon $2 $3 gen_context(system_u:object_r:$1,$4) + ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl + ') +@@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl + # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) + # + define(`network_port',` +-type $1_port_t, port_type; ++type $1_port_t, port_type, defined_port_type; + type $1_client_packet_t, packet_type, client_packet_type; + type $1_server_packet_t, packet_type, server_packet_type; + declare_ports($1_port_t,shift($*))dnl diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 6cf8784..5b25039 100644 --- a/policy/modules/kernel/devices.fc @@ -12930,7 +13466,7 @@ index 6a1e4d1..cf3d50b 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..1f0b08f 100644 +index fae1ab1..da927bb 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -13023,7 +13559,7 @@ index fae1ab1..1f0b08f 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,88 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,90 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -13085,6 +13621,7 @@ index fae1ab1..1f0b08f 100644 +ifdef(`hide_broken_symptoms',` + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; ++ dontaudit domain domain:socket_class_set { read write }; +') + +optional_policy(` @@ -13112,6 +13649,7 @@ index fae1ab1..1f0b08f 100644 + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; ++ diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c19518a..ba08cfe 100644 --- a/policy/modules/kernel/files.fc @@ -13221,7 +13759,7 @@ index c19518a..ba08cfe 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..9097e58 100644 +index ff006ea..a049775 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -13232,7 +13770,71 @@ index ff006ea..9097e58 100644 ##
  • files_tmp_file()
    • ##
  • files_tmpfs_file()
    • ##
  • logging_log_file()
    • -@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',` +@@ -663,12 +664,63 @@ interface(`files_read_non_security_files',` + attribute non_security_file_type; + ') + ++ list_dirs_pattern($1, non_security_file_type, non_security_file_type) + read_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) + ') + + ######################################## + ## ++## Manage all non-security files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_manage_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ manage_files_pattern($1, non_security_file_type, non_security_file_type) ++ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ++') ++ ++######################################## ++## ++## Relabel all non-security files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ relabel_files_pattern($1, non_security_file_type, non_security_file_type) ++ allow $1 { non_security_file_type }:dir list_dir_perms; ++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ ++ # satisfy the assertions: ++ seutil_relabelto_bin_policy($1) ++') ++ ++######################################## ++## + ## Read all directories on the filesystem, except + ## the listed exceptions. + ## +@@ -1053,10 +1105,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -13245,7 +13847,7 @@ index ff006ea..9097e58 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1482,6 +1532,42 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -13288,7 +13890,7 @@ index ff006ea..9097e58 100644 ## List the contents of the root directory. ## ## -@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',` +@@ -1562,7 +1648,7 @@ interface(`files_root_filetrans',` type root_t; ') @@ -13297,7 +13899,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',` +@@ -1848,7 +1934,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -13306,7 +13908,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2458,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -13331,7 +13933,7 @@ index ff006ea..9097e58 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2555,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -13340,7 +13942,7 @@ index ff006ea..9097e58 100644 ## ## # -@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2629,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -13365,7 +13967,7 @@ index ff006ea..9097e58 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2746,7 @@ interface(`files_etc_filetrans',` type etc_t; ') @@ -13374,7 +13976,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2802,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -13399,7 +14001,7 @@ index ff006ea..9097e58 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2842,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -13424,7 +14026,7 @@ index ff006ea..9097e58 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2897,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -13432,7 +14034,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3487,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -13441,7 +14043,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3625,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -13485,7 +14087,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +4041,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13585,7 +14187,7 @@ index ff006ea..9097e58 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4179,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -13594,7 +14196,7 @@ index ff006ea..9097e58 100644 ## ## # -@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4251,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13603,7 +14205,7 @@ index ff006ea..9097e58 100644 ## ## # -@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4263,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13628,7 +14230,7 @@ index ff006ea..9097e58 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,6 +4337,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13661,7 +14263,7 @@ index ff006ea..9097e58 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4417,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13704,7 +14306,7 @@ index ff006ea..9097e58 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4516,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13713,7 +14315,7 @@ index ff006ea..9097e58 100644 ## ## # -@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4576,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13722,7 +14324,7 @@ index ff006ea..9097e58 100644 ## ## # -@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4632,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -13731,7 +14333,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4656,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -13748,7 +14350,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5005,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -13757,7 +14359,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5408,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -13766,7 +14368,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5543,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13775,10 +14377,11 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',` +@@ -5304,7 +5628,26 @@ interface(`files_manage_mounttab',` ######################################## ## +-## Search the locks directory (/var/lock). +## List generic lock directories. +## +## @@ -13798,10 +14401,11 @@ index ff006ea..9097e58 100644 + +######################################## +## - ## Search the locks directory (/var/lock). ++## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5609,8 @@ interface(`files_search_locks',` + ## +@@ -5317,6 +5660,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -13810,7 +14414,7 @@ index ff006ea..9097e58 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5681,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -13826,7 +14430,7 @@ index ff006ea..9097e58 100644 ## ## ## -@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5696,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13838,7 +14442,8 @@ index ff006ea..9097e58 100644 + files_search_locks($1) + allow $1 var_lock_t:dir create_dir_perms; +') -+ + +- list_dirs_pattern($1, var_t, var_lock_t) +######################################## +## +## Set the attributes of the /var/lock directory. @@ -13853,13 +14458,12 @@ index ff006ea..9097e58 100644 + gen_require(` + type var_lock_t; + ') - -- list_dirs_pattern($1, var_t, var_lock_t) ++ + allow $1 var_lock_t:dir setattr; ') ######################################## -@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5738,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -13867,7 +14471,7 @@ index ff006ea..9097e58 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5751,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -13875,7 +14479,7 @@ index ff006ea..9097e58 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5777,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -13884,7 +14488,7 @@ index ff006ea..9097e58 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5793,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -13901,7 +14505,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5817,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -13910,7 +14514,7 @@ index ff006ea..9097e58 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5858,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -13919,7 +14523,7 @@ index ff006ea..9097e58 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5880,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -13928,7 +14532,7 @@ index ff006ea..9097e58 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5912,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -13939,7 +14543,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5608,6 +5922,43 @@ interface(`files_search_pids',` +@@ -5608,6 +5973,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -13983,7 +14587,7 @@ index ff006ea..9097e58 100644 ######################################## ## ## Do not audit attempts to search -@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6138,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13992,7 +14596,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5815,6 +6166,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6217,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -14109,7 +14713,7 @@ index ff006ea..9097e58 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6293,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -14154,7 +14758,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -5900,6 +6399,90 @@ interface(`files_delete_all_pid_dirs',` +@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -14245,7 +14849,7 @@ index ff006ea..9097e58 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6042,7 +6625,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14254,7 +14858,7 @@ index ff006ea..9097e58 100644 ') ######################################## -@@ -6117,3 +6700,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6751,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15337,7 +15941,7 @@ index 6346378..edbe041 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..30d03e3 100644 +index d91c62f..2860a62 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -15438,7 +16042,27 @@ index d91c62f..30d03e3 100644 ') optional_policy(` -@@ -358,6 +399,15 @@ optional_policy(` +@@ -334,9 +375,7 @@ optional_policy(` + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + +- auth_read_all_dirs_except_shadow(kernel_t) +- auth_read_all_files_except_shadow(kernel_t) +- auth_read_all_symlinks_except_shadow(kernel_t) ++ files_read_non_security_files(kernel_t) + ') + + tunable_policy(`nfs_export_all_rw',` +@@ -345,7 +384,7 @@ optional_policy(` + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + +- auth_manage_all_files_except_shadow(kernel_t) ++ files_manage_non_security_files(kernel_t) + ') + ') + +@@ -358,6 +397,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -16873,7 +17497,7 @@ index 1cb7311..1de82b2 100644 + +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index be4de58..cce681a 100644 +index be4de58..7e8b6ec 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -9,6 +9,8 @@ role secadm_r; @@ -16885,6 +17509,16 @@ index be4de58..cce681a 100644 ######################################## # +@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t) + mls_file_downgrade(secadm_t) + + auth_role(secadm_r, secadm_t) +-auth_relabel_all_files_except_shadow(secadm_t) +-auth_relabel_shadow(secadm_t) ++files_relabel_all_files(secadm_t) + + init_exec(secadm_t) + diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 2be17d2..1a6d9d1 100644 --- a/policy/modules/roles/staff.te @@ -18260,10 +18894,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..99f35d5 +index 0000000..f35e36b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,545 @@ +@@ -0,0 +1,549 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18610,6 +19244,10 @@ index 0000000..99f35d5 +') + +optional_policy(` ++ dnsmasq_filetrans_named_content(unconfined_t) ++') ++ ++optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + @@ -19165,7 +19803,7 @@ index 1bd5812..b3631d6 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..7382308 100644 +index 0b827c5..e03a970 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -19176,18 +19814,7 @@ index 0b827c5..7382308 100644 ps_process_pattern($1, abrt_t) ') -@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',` - ') - - domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit abrt_helper_t $1:socket_class_set { read write }; -+ ') - ') - - ######################################## -@@ -160,8 +165,44 @@ interface(`abrt_run_helper',` +@@ -160,8 +161,44 @@ interface(`abrt_run_helper',` ######################################## ## @@ -19234,7 +19861,7 @@ index 0b827c5..7382308 100644 ## ## ## -@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',` +@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -19259,7 +19886,7 @@ index 0b827c5..7382308 100644 ##################################### ## ## All of the rules required to administrate -@@ -286,18 +345,98 @@ interface(`abrt_admin',` +@@ -286,18 +341,98 @@ interface(`abrt_admin',` role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; @@ -21952,7 +22579,7 @@ index 1ea99b2..9427dd5 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..64ed1bb 100644 +index 1c8c27e..4ae8a51 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -22037,16 +22664,17 @@ index 1c8c27e..64ed1bb 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -205,12 +217,18 @@ optional_policy(` +@@ -201,7 +213,8 @@ optional_policy(` ') optional_policy(` +- nscd_socket_use(apmd_t) + modutils_domtrans_insmod(apmd_t) + modutils_read_module_config(apmd_t) -+') -+ -+optional_policy(` - pcmcia_domtrans_cardmgr(apmd_t) + ') + + optional_policy(` +@@ -209,8 +222,9 @@ optional_policy(` pcmcia_domtrans_cardctl(apmd_t) ') @@ -22057,7 +22685,7 @@ index 1c8c27e..64ed1bb 100644 ') optional_policy(` -@@ -218,9 +236,9 @@ optional_policy(` +@@ -218,9 +232,9 @@ optional_policy(` udev_read_state(apmd_t) #necessary? ') @@ -22397,7 +23025,7 @@ index 44a1e3d..7e9d2fb 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..be16209 100644 +index 4deca04..991629d 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0) @@ -22461,8 +23089,11 @@ index 4deca04..be16209 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms; - allow ndc_t self:netlink_route_socket r_netlink_socket_perms; +@@ -198,15 +211,14 @@ allow ndc_t self:process { fork signal_perms }; + allow ndc_t self:fifo_file rw_fifo_file_perms; + allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; + allow ndc_t self:tcp_socket create_socket_perms; +-allow ndc_t self:netlink_route_socket r_netlink_socket_perms; allow ndc_t dnssec_t:file read_file_perms; -allow ndc_t dnssec_t:lnk_file { getattr read }; @@ -22476,10 +23107,22 @@ index 4deca04..be16209 100644 allow ndc_t named_zone_t:dir search_dir_perms; -@@ -238,13 +251,13 @@ miscfiles_read_localization(ndc_t) - sysnet_read_config(ndc_t) - sysnet_dns_name_resolve(ndc_t) +@@ -228,6 +240,8 @@ files_search_pids(ndc_t) + + fs_getattr_xattr_fs(ndc_t) + ++auth_use_nsswitch(ndc_t) ++ + init_use_fds(ndc_t) + init_use_script_ptys(ndc_t) + +@@ -235,24 +249,13 @@ logging_send_syslog_msg(ndc_t) + miscfiles_read_localization(ndc_t) + +-sysnet_read_config(ndc_t) +-sysnet_dns_name_resolve(ndc_t) +- -userdom_use_user_terminals(ndc_t) +userdom_use_inherited_user_terminals(ndc_t) @@ -22488,6 +23131,14 @@ index 4deca04..be16209 100644 # for /etc/rndc.key ifdef(`distro_redhat',` - allow ndc_t named_conf_t:dir search; +-') +- +-optional_policy(` +- nis_use_ypbind(ndc_t) +-') +- +-optional_policy(` +- nscd_socket_use(ndc_t) + allow ndc_t named_conf_t:dir search_dir_perms; ') @@ -22660,7 +23311,7 @@ index 3e45431..4aa8fb1 100644 admin_pattern($1, bluetooth_var_lib_t) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te -index 215b86b..4a3569f 100644 +index 215b86b..619518f 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0) @@ -22701,6 +23352,33 @@ index 215b86b..4a3569f 100644 dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) +@@ -190,7 +200,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; + allow bluetooth_helper_t self:shm create_shm_perms; + allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow bluetooth_helper_t self:tcp_socket create_socket_perms; +-allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; + + allow bluetooth_helper_t bluetooth_t:socket { read write }; + +@@ -220,6 +229,8 @@ files_read_etc_runtime_files(bluetooth_helper_t) + files_read_usr_files(bluetooth_helper_t) + files_dontaudit_list_default(bluetooth_helper_t) + ++auth_use_nsswitch(bluetooth_helper_t) ++ + locallogin_dontaudit_use_fds(bluetooth_helper_t) + + logging_send_syslog_msg(bluetooth_helper_t) +@@ -236,9 +247,5 @@ optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(bluetooth_helper_t) +-') +- +-optional_policy(` + xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) + ') diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc new file mode 100644 index 0000000..c095160 @@ -25902,7 +26580,7 @@ index 838dec7..59d0f96 100644 miscfiles_read_localization(courier_pop_t) diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te -index 13d2f63..a048c53 100644 +index 13d2f63..861fad7 100644 --- a/policy/modules/services/cpucontrol.te +++ b/policy/modules/services/cpucontrol.te @@ -10,7 +10,7 @@ type cpucontrol_exec_t; @@ -25914,6 +26592,28 @@ index 13d2f63..a048c53 100644 type cpuspeed_t; type cpuspeed_exec_t; +@@ -55,10 +55,6 @@ logging_send_syslog_msg(cpucontrol_t) + userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t) + + optional_policy(` +- nscd_socket_use(cpucontrol_t) +-') +- +-optional_policy(` + rhgb_use_ptys(cpucontrol_t) + ') + +@@ -110,10 +106,6 @@ miscfiles_read_localization(cpuspeed_t) + userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) + + optional_policy(` +- nscd_socket_use(cpuspeed_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(cpuspeed_t) + ') + diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index 2eefc08..34ab5ce 100644 --- a/policy/modules/services/cron.fc @@ -25937,7 +26637,7 @@ index 2eefc08..34ab5ce 100644 + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..2976df7 100644 +index 35241ed..074392b 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -12,6 +12,11 @@ @@ -25989,11 +26689,12 @@ index 35241ed..2976df7 100644 domain_use_interactive_fds($1_t) -@@ -59,12 +70,15 @@ template(`cron_common_crontab_template',` +@@ -59,12 +70,16 @@ template(`cron_common_crontab_template',` files_dontaudit_search_pids($1_t) auth_domtrans_chk_passwd($1_t) + auth_rw_var_auth($1_t) ++ auth_use_nsswitch($1_t) logging_send_syslog_msg($1_t) logging_send_audit_msgs($1_t) @@ -26005,7 +26706,7 @@ index 35241ed..2976df7 100644 miscfiles_read_localization($1_t) -@@ -73,9 +87,10 @@ template(`cron_common_crontab_template',` +@@ -73,9 +88,10 @@ template(`cron_common_crontab_template',` userdom_manage_user_tmp_dirs($1_t) userdom_manage_user_tmp_files($1_t) # Access terminals. @@ -26017,7 +26718,17 @@ index 35241ed..2976df7 100644 tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -102,10 +117,12 @@ template(`cron_common_crontab_template',` +@@ -83,9 +99,6 @@ template(`cron_common_crontab_template',` + dontaudit $1_t crond_t:process signal; + ') + +- optional_policy(` +- nscd_socket_use($1_t) +- ') + ') + + ######################################## +@@ -102,10 +115,12 @@ template(`cron_common_crontab_template',` ## User domain for the role ## ## @@ -26030,7 +26741,7 @@ index 35241ed..2976df7 100644 ') role $1 types { cronjob_t crontab_t }; -@@ -116,9 +133,16 @@ interface(`cron_role',` +@@ -116,9 +131,16 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -26048,7 +26759,7 @@ index 35241ed..2976df7 100644 # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) -@@ -132,9 +156,8 @@ interface(`cron_role',` +@@ -132,9 +154,8 @@ interface(`cron_role',` ') dbus_stub(cronjob_t) @@ -26059,7 +26770,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -151,29 +174,18 @@ interface(`cron_role',` +@@ -151,29 +172,18 @@ interface(`cron_role',` ## User domain for the role ## ## @@ -26093,7 +26804,7 @@ index 35241ed..2976df7 100644 optional_policy(` gen_require(` -@@ -181,9 +193,8 @@ interface(`cron_unconfined_role',` +@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',` ') dbus_stub(unconfined_cronjob_t) @@ -26104,7 +26815,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -200,6 +211,7 @@ interface(`cron_unconfined_role',` +@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',` ## User domain for the role ## ## @@ -26112,7 +26823,7 @@ index 35241ed..2976df7 100644 # interface(`cron_admin_role',` gen_require(` -@@ -220,7 +232,7 @@ interface(`cron_admin_role',` +@@ -220,7 +230,7 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) @@ -26121,7 +26832,7 @@ index 35241ed..2976df7 100644 # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) -@@ -234,9 +246,8 @@ interface(`cron_admin_role',` +@@ -234,9 +244,8 @@ interface(`cron_admin_role',` ') dbus_stub(admin_cronjob_t) @@ -26132,7 +26843,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -304,7 +315,7 @@ interface(`cron_exec',` +@@ -304,7 +313,7 @@ interface(`cron_exec',` ######################################## ## @@ -26141,7 +26852,7 @@ index 35241ed..2976df7 100644 ## ## ## -@@ -377,6 +388,47 @@ interface(`cron_read_pipes',` +@@ -377,6 +386,47 @@ interface(`cron_read_pipes',` ######################################## ## @@ -26189,7 +26900,7 @@ index 35241ed..2976df7 100644 ## Do not audit attempts to write cron daemon unnamed pipes. ## ## -@@ -390,6 +442,7 @@ interface(`cron_dontaudit_write_pipes',` +@@ -390,6 +440,7 @@ interface(`cron_dontaudit_write_pipes',` type crond_t; ') @@ -26197,7 +26908,7 @@ index 35241ed..2976df7 100644 dontaudit $1 crond_t:fifo_file write; ') -@@ -408,7 +461,43 @@ interface(`cron_rw_pipes',` +@@ -408,7 +459,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -26242,7 +26953,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -481,6 +570,7 @@ interface(`cron_manage_pid_files',` +@@ -481,6 +568,7 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') @@ -26250,7 +26961,7 @@ index 35241ed..2976df7 100644 manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') -@@ -536,7 +626,7 @@ interface(`cron_write_system_job_pipes',` +@@ -536,7 +624,7 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') @@ -26259,7 +26970,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -554,7 +644,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -554,7 +642,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -26268,7 +26979,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -587,11 +677,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -587,11 +675,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -26284,7 +26995,7 @@ index 35241ed..2976df7 100644 ') ######################################## -@@ -627,7 +720,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +718,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -27047,7 +27758,7 @@ index 0000000..9146ef1 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..09cb39f +index 0000000..5e2a4bd --- /dev/null +++ b/policy/modules/services/ctdbd.te @@ -0,0 +1,114 @@ @@ -27139,10 +27850,10 @@ index 0000000..09cb39f +logging_send_syslog_msg(ctdbd_t) + +miscfiles_read_localization(ctdbd_t) ++miscfiles_read_public_files(ctdbd_t) + -+ -+# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t) -+# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t) ++#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t) ++#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t) + +optional_policy(` + consoletype_exec(ctdbd_t) @@ -27644,7 +28355,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 1a1becd..7dbd8f6 100644 +index 1a1becd..d4357ec 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -27669,18 +28380,21 @@ index 1a1becd..7dbd8f6 100644 ubac_constrained($1_dbusd_t) role $2 types $1_dbusd_t; -@@ -62,8 +61,9 @@ template(`dbus_role_template',` +@@ -62,107 +61,26 @@ template(`dbus_role_template',` # Local policy # -+ dontaudit $1_dbusd_t self:capability sys_resource; - allow $1_dbusd_t self:process { getattr sigkill signal }; +- allow $1_dbusd_t self:process { getattr sigkill signal }; - dontaudit $1_dbusd_t self:process ptrace; -+ dontaudit $1_dbusd_t self:process { ptrace setrlimit }; - allow $1_dbusd_t self:file { getattr read write }; - allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; - allow $1_dbusd_t self:dbus { send_msg acquire_svc }; -@@ -76,7 +76,7 @@ template(`dbus_role_template',` +- allow $1_dbusd_t self:file { getattr read write }; +- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; +- allow $1_dbusd_t self:dbus { send_msg acquire_svc }; +- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; +- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; +- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; +- + # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions @@ -27688,10 +28402,14 @@ index 1a1becd..7dbd8f6 100644 + allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -88,14 +88,16 @@ template(`dbus_role_template',` - files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) - +- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; +- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) +- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) +- +- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) +- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) +- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) +- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - allow $3 $1_dbusd_t:process { signull sigkill signal }; + @@ -27706,50 +28424,78 @@ index 1a1becd..7dbd8f6 100644 allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - allow $3 $1_dbusd_t:process sigchld; - - kernel_read_system_state($1_dbusd_t) - kernel_read_kernel_sysctls($1_dbusd_t) -@@ -116,7 +118,7 @@ template(`dbus_role_template',` - - dev_read_urand($1_dbusd_t) - +- +- kernel_read_system_state($1_dbusd_t) +- kernel_read_kernel_sysctls($1_dbusd_t) +- +- corecmd_list_bin($1_dbusd_t) +- corecmd_read_bin_symlinks($1_dbusd_t) +- corecmd_read_bin_files($1_dbusd_t) +- corecmd_read_bin_pipes($1_dbusd_t) +- corecmd_read_bin_sockets($1_dbusd_t) +- +- corenet_all_recvfrom_unlabeled($1_dbusd_t) +- corenet_all_recvfrom_netlabel($1_dbusd_t) +- corenet_tcp_sendrecv_generic_if($1_dbusd_t) +- corenet_tcp_sendrecv_generic_node($1_dbusd_t) +- corenet_tcp_sendrecv_all_ports($1_dbusd_t) +- corenet_tcp_bind_generic_node($1_dbusd_t) +- corenet_tcp_bind_reserved_port($1_dbusd_t) +- +- dev_read_urand($1_dbusd_t) +- - domain_use_interactive_fds($1_dbusd_t) -+ domain_use_interactive_fds($1_dbusd_t) - domain_read_all_domains_state($1_dbusd_t) - - files_read_etc_files($1_dbusd_t) -@@ -147,19 +149,27 @@ template(`dbus_role_template',` - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - +- domain_read_all_domains_state($1_dbusd_t) +- +- files_read_etc_files($1_dbusd_t) +- files_list_home($1_dbusd_t) +- files_read_usr_files($1_dbusd_t) +- files_dontaudit_search_var($1_dbusd_t) +- +- fs_getattr_romfs($1_dbusd_t) +- fs_getattr_xattr_fs($1_dbusd_t) +- fs_list_inotifyfs($1_dbusd_t) +- fs_dontaudit_list_nfs($1_dbusd_t) +- +- selinux_get_fs_mount($1_dbusd_t) +- selinux_validate_context($1_dbusd_t) +- selinux_compute_access_vector($1_dbusd_t) +- selinux_compute_create_context($1_dbusd_t) +- selinux_compute_relabel_context($1_dbusd_t) +- selinux_compute_user_contexts($1_dbusd_t) +- +- auth_read_pam_console_data($1_dbusd_t) +- auth_use_nsswitch($1_dbusd_t) +- +- logging_send_audit_msgs($1_dbusd_t) +- logging_send_syslog_msg($1_dbusd_t) +- +- miscfiles_read_localization($1_dbusd_t) +- +- seutil_read_config($1_dbusd_t) +- seutil_read_default_contexts($1_dbusd_t) +- - term_use_all_terms($1_dbusd_t) -+ term_use_all_inherited_terms($1_dbusd_t) - +- - userdom_read_user_home_content_files($1_dbusd_t) -+ userdom_dontaudit_search_admin_dir($1_dbusd_t) -+ userdom_manage_user_home_content_dirs($1_dbusd_t) -+ userdom_manage_user_home_content_files($1_dbusd_t) -+ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file }) - +- - ifdef(`hide_broken_symptoms', ` -+ ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') +- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; +- ') +- +- optional_policy(` +- hal_dbus_chat($1_dbusd_t) +- ') - optional_policy(` -+ gnome_read_gconf_home_files($1_dbusd_t) -+ ') -+ -+ optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') +- optional_policy(` +- xserver_use_xdm_fds($1_dbusd_t) +- xserver_rw_xdm_pipes($1_dbusd_t) +- ') ++ auth_use_nsswitch($1_dbusd_t) + ') - optional_policy(` -+ xserver_search_xdm_lib($1_dbusd_t) - xserver_use_xdm_fds($1_dbusd_t) - xserver_rw_xdm_pipes($1_dbusd_t) - ') -@@ -181,11 +191,12 @@ interface(`dbus_system_bus_client',` + ####################################### +@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -27763,7 +28509,7 @@ index 1a1becd..7dbd8f6 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -198,6 +209,34 @@ interface(`dbus_system_bus_client',` +@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',` ####################################### ## @@ -27798,7 +28544,7 @@ index 1a1becd..7dbd8f6 100644 ## Template for creating connections to ## a user DBUS. ## -@@ -218,6 +257,8 @@ interface(`dbus_session_bus_client',` +@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',` # For connecting to the bus allow $1 session_bus_type:unix_stream_socket connectto; @@ -27807,7 +28553,7 @@ index 1a1becd..7dbd8f6 100644 ') ######################################## -@@ -322,6 +363,11 @@ interface(`dbus_connect_session_bus',` +@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',` ## Allow a application domain to be started ## by the session dbus. ## @@ -27819,7 +28565,7 @@ index 1a1becd..7dbd8f6 100644 ## ## ## Type to be used as a domain. -@@ -336,13 +382,13 @@ interface(`dbus_connect_session_bus',` +@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',` # interface(`dbus_session_domain',` gen_require(` @@ -27837,42 +28583,37 @@ index 1a1becd..7dbd8f6 100644 ') ######################################## -@@ -432,14 +478,33 @@ interface(`dbus_system_domain',` - - domtrans_pattern(system_dbusd_t, $2, $1) - -+ fs_search_all($1) -+ - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - -+ init_stream_connect($1) -+ init_dgram_send($1) -+ init_use_fds($1) -+ - ps_process_pattern(system_dbusd_t, $1) +@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',` + # + interface(`dbus_system_domain',` + gen_require(` ++ attribute system_bus_type; + type system_dbusd_t; + role system_r; + ') ++ typeattribute $1 system_bus_type; -+ userdom_dontaudit_search_admin_dir($1) - userdom_read_all_users_state($1) + domain_type($1) + domain_entry_file($1, $2) +- role system_r types $1; +- + domtrans_pattern(system_dbusd_t, $2, $1) +- +- dbus_system_bus_client($1) +- dbus_connect_system_bus($1) +- +- ps_process_pattern(system_dbusd_t, $1) +- +- userdom_read_all_users_state($1) +- - ifdef(`hide_broken_symptoms', ` -+ optional_policy(` -+ abrt_stream_connect($1) -+ ') -+ -+ optional_policy(` -+ rpm_script_dbus_chat($1) -+ ') -+ -+ optional_policy(` -+ unconfined_dbus_send($1) -+ ') -+ -+ ifdef(`hide_broken_symptoms',` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') +- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; +- ') ') -@@ -464,26 +529,25 @@ interface(`dbus_use_system_bus_fds',` + + ######################################## +@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -27905,7 +28646,7 @@ index 1a1becd..7dbd8f6 100644 ## ## ## -@@ -491,10 +555,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -491,10 +433,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -27922,10 +28663,18 @@ index 1a1becd..7dbd8f6 100644 ') + diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..0909589 100644 +index 1bff6ee..3136cb7 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te -@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t) +@@ -10,6 +10,7 @@ gen_require(` + # + + attribute dbusd_unconfined; ++attribute system_bus_type; + attribute session_bus_type; + + type dbusd_etc_t; +@@ -36,6 +37,7 @@ files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) @@ -27933,7 +28682,7 @@ index 1bff6ee..0909589 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -52,9 +53,9 @@ ifdef(`enable_mls',` +@@ -52,9 +54,9 @@ ifdef(`enable_mls',` # dac_override: /var/run/dbus is owned by messagebus on Debian # cjp: dac_override should probably go in a distro_debian @@ -27945,7 +28694,7 @@ index 1bff6ee..0909589 100644 allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) +@@ -74,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) @@ -27957,7 +28706,7 @@ index 1bff6ee..0909589 100644 kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) -@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t) +@@ -111,6 +114,8 @@ auth_read_pam_console_data(system_dbusd_t) corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -27966,7 +28715,7 @@ index 1bff6ee..0909589 100644 domain_use_interactive_fds(system_dbusd_t) domain_read_all_domains_state(system_dbusd_t) -@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t) +@@ -121,7 +126,9 @@ files_read_usr_files(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -27976,7 +28725,7 @@ index 1bff6ee..0909589 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,6 +147,19 @@ optional_policy(` +@@ -141,6 +148,19 @@ optional_policy(` ') optional_policy(` @@ -27996,7 +28745,7 @@ index 1bff6ee..0909589 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -151,12 +170,29 @@ optional_policy(` +@@ -151,12 +171,155 @@ optional_policy(` ') optional_policy(` @@ -28015,18 +28764,144 @@ index 1bff6ee..0909589 100644 + ######################################## # - # Unconfined access to this module +-# Unconfined access to this module ++# system_bus_type rules # -- - allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; -+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; -+allow session_bus_type dbusd_unconfined:dbus send_msg; ++role system_r types system_bus_type; ++ ++fs_search_all(system_bus_type) ++ ++dbus_system_bus_client(system_bus_type) ++dbus_connect_system_bus(system_bus_type) ++ ++init_stream_connect(system_bus_type) ++init_dgram_send(system_bus_type) ++init_use_fds(system_bus_type) + ++ps_process_pattern(system_dbusd_t, system_bus_type) ++ ++userdom_dontaudit_search_admin_dir(system_bus_type) ++userdom_read_all_users_state(system_bus_type) + +optional_policy(` ++ abrt_stream_connect(system_bus_type) ++') ++ ++optional_policy(` ++ rpm_script_dbus_chat(system_bus_type) ++') ++ ++optional_policy(` ++ unconfined_dbus_send(system_bus_type) ++') ++ ++ifdef(`hide_broken_symptoms',` ++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; ++') ++ ++######################################## ++# ++# session_bus_type rules ++# ++dontaudit session_bus_type self:capability sys_resource; ++allow session_bus_type self:process { getattr sigkill signal }; ++dontaudit session_bus_type self:process { ptrace setrlimit }; ++allow session_bus_type self:file { getattr read write }; ++allow session_bus_type self:fifo_file rw_fifo_file_perms; ++allow session_bus_type self:dbus { send_msg acquire_svc }; ++allow session_bus_type self:unix_stream_socket create_stream_socket_perms; ++allow session_bus_type self:unix_dgram_socket create_socket_perms; ++allow session_bus_type self:tcp_socket create_stream_socket_perms; ++allow session_bus_type self:netlink_selinux_socket create_socket_perms; ++ ++allow session_bus_type dbusd_etc_t:dir list_dir_perms; ++read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) ++read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) ++ ++manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) ++manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) ++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir }) ++ ++kernel_read_system_state(session_bus_type) ++kernel_read_kernel_sysctls(session_bus_type) ++ ++corecmd_list_bin(session_bus_type) ++corecmd_read_bin_symlinks(session_bus_type) ++corecmd_read_bin_files(session_bus_type) ++corecmd_read_bin_pipes(session_bus_type) ++corecmd_read_bin_sockets(session_bus_type) ++ ++corenet_all_recvfrom_unlabeled(session_bus_type) ++corenet_all_recvfrom_netlabel(session_bus_type) ++corenet_tcp_sendrecv_generic_if(session_bus_type) ++corenet_tcp_sendrecv_generic_node(session_bus_type) ++corenet_tcp_sendrecv_all_ports(session_bus_type) ++corenet_tcp_bind_generic_node(session_bus_type) ++corenet_tcp_bind_reserved_port(session_bus_type) ++ ++dev_read_urand(session_bus_type) ++ ++domain_use_interactive_fds(session_bus_type) ++domain_read_all_domains_state(session_bus_type) ++ ++files_read_etc_files(session_bus_type) ++files_list_home(session_bus_type) ++files_read_usr_files(session_bus_type) ++files_dontaudit_search_var(session_bus_type) ++ ++fs_getattr_romfs(session_bus_type) ++fs_getattr_xattr_fs(session_bus_type) ++fs_list_inotifyfs(session_bus_type) ++fs_dontaudit_list_nfs(session_bus_type) ++ ++selinux_get_fs_mount(session_bus_type) ++selinux_validate_context(session_bus_type) ++selinux_compute_access_vector(session_bus_type) ++selinux_compute_create_context(session_bus_type) ++selinux_compute_relabel_context(session_bus_type) ++selinux_compute_user_contexts(session_bus_type) ++ ++auth_read_pam_console_data(session_bus_type) ++ ++logging_send_audit_msgs(session_bus_type) ++logging_send_syslog_msg(session_bus_type) ++ ++miscfiles_read_localization(session_bus_type) ++ ++seutil_read_config(session_bus_type) ++seutil_read_default_contexts(session_bus_type) ++ ++term_use_all_inherited_terms(session_bus_type) ++ ++userdom_dontaudit_search_admin_dir(session_bus_type) ++userdom_manage_user_home_content_dirs(session_bus_type) ++userdom_manage_user_home_content_files(session_bus_type) ++userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) ++ ++optional_policy(` ++ gnome_read_gconf_home_files(session_bus_type) ++') ++ ++optional_policy(` ++ hal_dbus_chat(session_bus_type) ++') ++ ++optional_policy(` ++ xserver_search_xdm_lib(session_bus_type) ++ xserver_use_xdm_fds(session_bus_type) ++ xserver_rw_xdm_pipes(session_bus_type) + xserver_use_xdm_fds(session_bus_type) + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') ++ ++######################################## ++# ++# Unconfined access to this module ++# + allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; ++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; ++allow session_bus_type dbusd_unconfined:dbus send_msg; diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if index 784753e..bf65e7d 100644 --- a/policy/modules/services/dcc.if @@ -28780,6 +29655,36 @@ index d4424ad..a809e38 100644 dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') +diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te +index d2d9359..ee10625 100644 +--- a/policy/modules/services/dictd.te ++++ b/policy/modules/services/dictd.te +@@ -73,23 +73,15 @@ files_search_var_lib(dictd_t) + # for checking for nscd + files_dontaudit_search_pids(dictd_t) + ++auth_use_nsswitch(dictd_t) ++ + logging_send_syslog_msg(dictd_t) + + miscfiles_read_localization(dictd_t) + +-sysnet_read_config(dictd_t) +- + userdom_dontaudit_use_unpriv_user_fds(dictd_t) + + optional_policy(` +- nis_use_ypbind(dictd_t) +-') +- +-optional_policy(` +- nscd_socket_use(dictd_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(dictd_t) + ') + diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc new file mode 100644 index 0000000..642e548 @@ -29110,10 +30015,10 @@ index 0000000..3aae725 +/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if new file mode 100644 -index 0000000..9d8f5de +index 0000000..6fd8e9f --- /dev/null +++ b/policy/modules/services/dirsrv.if -@@ -0,0 +1,212 @@ +@@ -0,0 +1,208 @@ +## policy for dirsrv + +######################################## @@ -29132,10 +30037,6 @@ index 0000000..9d8f5de + ') + + domtrans_pattern($1, dirsrv_exec_t,dirsrv_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit dirsrv_t $1:socket_class_set { read write }; -+ ') +') + + @@ -29564,7 +30465,7 @@ index b886676..ad3210e 100644 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if -index 9bd812b..89a9426 100644 +index 9bd812b..c4abec3 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if @@ -101,9 +101,9 @@ interface(`dnsmasq_kill',` @@ -29605,7 +30506,7 @@ index 9bd812b..89a9426 100644 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -163,17 +163,59 @@ interface(`dnsmasq_delete_pid_files',` +@@ -163,17 +163,79 @@ interface(`dnsmasq_delete_pid_files',` ## ## # @@ -29647,18 +30548,38 @@ index 9bd812b..89a9426 100644 +## Domain allowed access. +##     +## -+## -+## -+## The type of the object to be created. -+## ++## ++## ++## The type of the directory for the object to be created. ++## +## +# -+interface(`dnsmasq_filetrans_named_content',` ++interface(`dnsmasq_filetrans_named_content_fromdir',` + gen_require(` + type dnsmasq_var_run_t; + ') + + filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network") ++ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid") ++') ++ ++######################################## ++## ++## Transition to dnsmasq named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_filetrans_named_content',` ++ gen_require(` ++ type dnsmasq_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network") ++ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid") +') + +######################################## @@ -31220,6 +32141,42 @@ index 6537214..7d64c0a 100644 ps_process_pattern($1, fetchmail_t) files_list_etc($1) +diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te +index 9b7036a..4770f61 100644 +--- a/policy/modules/services/finger.te ++++ b/policy/modules/services/finger.te +@@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t) + term_getattr_all_ptys(fingerd_t) + + auth_read_lastlog(fingerd_t) ++auth_use_nsswitch(fingerd_t) + + corecmd_exec_bin(fingerd_t) + corecmd_exec_shell(fingerd_t) +@@ -83,8 +84,6 @@ logging_send_syslog_msg(fingerd_t) + + mta_getattr_spool(fingerd_t) + +-sysnet_read_config(fingerd_t) +- + miscfiles_read_localization(fingerd_t) + + # stop it accessing sub-directories, prevents checking a Maildir for new mail, +@@ -101,14 +100,6 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(fingerd_t) +-') +- +-optional_policy(` +- nscd_socket_use(fingerd_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(fingerd_t) + ') + diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc new file mode 100644 index 0000000..ba9a7a9 @@ -31490,7 +32447,7 @@ index 9d3201b..748cac5 100644 ## ## Allow domain dyntransition to sftpd_anon domain. diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..4986fb9 100644 +index 8a74a83..3283e90 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -31582,6 +32539,15 @@ index 8a74a83..4986fb9 100644 init_rw_utmp(ftpd_t) +@@ -261,7 +281,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` + + tunable_policy(`allow_ftpd_full_access',` + allow ftpd_t self:capability { dac_override dac_read_search }; +- auth_manage_all_files_except_shadow(ftpd_t) ++ files_manage_non_security_files(ftpd_t) + ') + + tunable_policy(`ftp_home_dir',` @@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) @@ -31671,7 +32637,7 @@ index 8a74a83..4986fb9 100644 +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) -+ auth_manage_all_files_except_shadow(sftpd_t) ++ files_manage_non_security_files(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` @@ -31694,6 +32660,15 @@ index 8a74a83..4986fb9 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` +@@ -394,7 +456,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` + tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) +- auth_manage_all_files_except_shadow(sftpd_t) ++ files_manage_non_security_files(sftpd_t) + ') + + tunable_policy(`use_samba_home_dirs',` diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te index 99a94de..6dbc203 100644 --- a/policy/modules/services/gatekeeper.te @@ -32272,10 +33247,10 @@ index 458aac6..8e83609 100644 + userdom_search_user_home_dirs($1) +') diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te -index 7382f85..0b39a8b 100644 +index 7382f85..deb5bff 100644 --- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te -@@ -1,8 +1,192 @@ +@@ -1,8 +1,194 @@ -policy_module(git, 1.0) +policy_module(git, 1.0.3) + @@ -32374,8 +33349,6 @@ index 7382f85..0b39a8b 100644 + +kernel_read_system_state(git_domains) + -+auth_use_nsswitch(git_domains) -+ +logging_send_syslog_msg(git_domains) + +miscfiles_read_localization(git_domains) @@ -32399,6 +33372,8 @@ index 7382f85..0b39a8b 100644 +read_files_pattern(git_system_t, git_content, git_content) +files_search_var_lib(git_system_t) + ++auth_use_nsswitch(git_system_t) ++ +tunable_policy(`git_system_enable_homedirs',` + userdom_search_user_home_dirs(git_system_t) +') @@ -32430,6 +33405,8 @@ index 7382f85..0b39a8b 100644 + +allow git_session_t self:tcp_socket { accept listen }; + ++auth_use_nsswitch(git_session_t) ++ +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) +userdom_search_user_home_dirs(git_session_t) @@ -32693,7 +33670,7 @@ index 03742d8..c65263e 100644 ') diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if -index 2d0b4e1..e268ede 100644 +index 2d0b4e1..1e40c00 100644 --- a/policy/modules/services/hadoop.if +++ b/policy/modules/services/hadoop.if @@ -91,7 +91,7 @@ template(`hadoop_domain_template',` @@ -32705,7 +33682,26 @@ index 2d0b4e1..e268ede 100644 corenet_tcp_sendrecv_generic_if(hadoop_$1_t) corenet_udp_sendrecv_generic_if(hadoop_$1_t) corenet_tcp_sendrecv_generic_node(hadoop_$1_t) -@@ -175,8 +175,6 @@ template(`hadoop_domain_template',` +@@ -109,6 +109,7 @@ template(`hadoop_domain_template',` + files_read_etc_files(hadoop_$1_t) + + auth_domtrans_chkpwd(hadoop_$1_t) ++ auth_use_nsswitch(hadoop_$1_t) + + hadoop_match_lan_spd(hadoop_$1_t) + +@@ -132,10 +133,6 @@ template(`hadoop_domain_template',` + + su_exec(hadoop_$1_t) + +- optional_policy(` +- nscd_socket_use(hadoop_$1_t) +- ') +- + #################################### + # + # Shared hadoop_$1 initrc policy. +@@ -175,8 +172,6 @@ template(`hadoop_domain_template',` files_read_etc_files(hadoop_$1_initrc_t) files_read_usr_files(hadoop_$1_initrc_t) @@ -32714,31 +33710,65 @@ index 2d0b4e1..e268ede 100644 fs_getattr_xattr_fs(hadoop_$1_initrc_t) fs_search_cgroup_dirs(hadoop_$1_initrc_t) -@@ -196,6 +194,10 @@ template(`hadoop_domain_template',` +@@ -184,6 +179,8 @@ template(`hadoop_domain_template',` + + hadoop_exec_config(hadoop_$1_initrc_t) + ++ auth_domtrans_chkpwd(hadoop_$1_initrc_t) ++ + init_rw_utmp(hadoop_$1_initrc_t) + init_use_fds(hadoop_$1_initrc_t) + init_use_script_ptys(hadoop_$1_initrc_t) +@@ -196,8 +193,9 @@ template(`hadoop_domain_template',` userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t) optional_policy(` +- nscd_socket_use(hadoop_$1_initrc_t) + consoletype_exec(hadoop_$1_initrc_t) -+ ') -+ -+ optional_policy(` - nscd_socket_use(hadoop_$1_initrc_t) ') ++ ') + + ######################################## diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te -index 7d3a469..5b1ec32 100644 +index 7d3a469..3889dc9 100644 --- a/policy/modules/services/hadoop.te +++ b/policy/modules/services/hadoop.te -@@ -165,7 +165,7 @@ miscfiles_read_localization(hadoop_t) +@@ -161,24 +161,16 @@ files_read_usr_files(hadoop_t) - sysnet_read_config(hadoop_t) + fs_getattr_xattr_fs(hadoop_t) + +-miscfiles_read_localization(hadoop_t) ++auth_use_nsswitch(hadoop_t) + +-sysnet_read_config(hadoop_t) ++miscfiles_read_localization(hadoop_t) -userdom_use_user_terminals(hadoop_t) +userdom_use_inherited_user_terminals(hadoop_t) java_exec(hadoop_t) -@@ -345,7 +345,7 @@ miscfiles_read_localization(zookeeper_t) + kerberos_use(hadoop_t) + +-optional_policy(` +- nis_use_ypbind(hadoop_t) +-') +- +-optional_policy(` +- nscd_socket_use(hadoop_t) +-') +- + ######################################## + # + # Hadoop datanode policy. +@@ -341,19 +333,17 @@ domain_use_interactive_fds(zookeeper_t) + files_read_etc_files(zookeeper_t) + files_read_usr_files(zookeeper_t) + ++auth_use_nsswitch(zookeeper_t) ++ + miscfiles_read_localization(zookeeper_t) sysnet_read_config(zookeeper_t) @@ -32747,6 +33777,14 @@ index 7d3a469..5b1ec32 100644 userdom_dontaudit_search_user_home_dirs(zookeeper_t) java_exec(zookeeper_t) + +-optional_policy(` +- nscd_socket_use(zookeeper_t) +-') +- + ######################################## + # + # Hadoop zookeeper server policy. diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index c98b0df..3b1a051 100644 --- a/policy/modules/services/hal.fc @@ -33209,7 +34247,7 @@ index dfb4232..7665429 100644 allow $1 ifplugd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te -index 978c32f..3b96342 100644 +index 978c32f..81c5ca2 100644 --- a/policy/modules/services/ifplugd.te +++ b/policy/modules/services/ifplugd.te @@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t) @@ -33221,6 +34259,15 @@ index 978c32f..3b96342 100644 type ifplugd_initrc_exec_t; init_script_file(ifplugd_initrc_exec_t) +@@ -54,7 +54,7 @@ corecmd_exec_bin(ifplugd_t) + # reading of hardware information + dev_read_sysfs(ifplugd_t) + +-domain_read_confined_domains_state(ifplugd_t) ++domain_read_all_domains_state(ifplugd_t) + domain_dontaudit_read_all_domains_state(ifplugd_t) + + auth_use_nsswitch(ifplugd_t) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if index df48e5e..878d9df 100644 --- a/policy/modules/services/inetd.if @@ -36938,7 +37985,7 @@ index 256166a..6321a93 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..5e792cc 100644 +index 343cee3..f8c4fb6 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -37035,18 +38082,7 @@ index 343cee3..5e792cc 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -362,6 +375,10 @@ interface(`mta_send_mail',` - allow mta_user_agent $1:fd use; - allow mta_user_agent $1:process sigchld; - allow mta_user_agent $1:fifo_file rw_fifo_file_perms; -+ -+ ifdef(`hide_broken_symptoms',` -+ dontaudit system_mail_t $1:socket_class_set { read write }; -+ ') - ') - - ######################################## -@@ -391,12 +408,17 @@ interface(`mta_send_mail',` +@@ -391,12 +404,17 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -37066,7 +38102,7 @@ index 343cee3..5e792cc 100644 ') ######################################## -@@ -409,7 +431,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -37074,7 +38110,7 @@ index 343cee3..5e792cc 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +441,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -37099,7 +38135,7 @@ index 343cee3..5e792cc 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +477,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -37126,7 +38162,7 @@ index 343cee3..5e792cc 100644 ## Read mail server configuration. ## ## -@@ -474,7 +533,8 @@ interface(`mta_write_config',` +@@ -474,7 +529,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -37136,7 +38172,7 @@ index 343cee3..5e792cc 100644 ') ######################################## -@@ -494,6 +554,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +550,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -37144,7 +38180,7 @@ index 343cee3..5e792cc 100644 ') ######################################## -@@ -532,7 +593,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -37153,7 +38189,7 @@ index 343cee3..5e792cc 100644 ') ######################################## -@@ -552,7 +613,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -37162,7 +38198,7 @@ index 343cee3..5e792cc 100644 ') ####################################### -@@ -646,8 +707,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -37173,7 +38209,7 @@ index 343cee3..5e792cc 100644 ') ####################################### -@@ -697,8 +758,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +754,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -37184,7 +38220,7 @@ index 343cee3..5e792cc 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +899,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -37193,7 +38229,7 @@ index 343cee3..5e792cc 100644 ') ######################################## -@@ -899,3 +960,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -37307,7 +38343,7 @@ index 343cee3..5e792cc 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..3bd4ceb 100644 +index 64268e4..cdcf4c7 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -37369,7 +38405,7 @@ index 64268e4..3bd4ceb 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +89,28 @@ optional_policy(` +@@ -92,14 +89,21 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -37383,23 +38419,18 @@ index 64268e4..3bd4ceb 100644 optional_policy(` arpwatch_manage_tmp_files(system_mail_t) ++') - ifdef(`hide_broken_symptoms', ` -+ ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') - ') - - optional_policy(` +- arpwatch_dontaudit_rw_packet_sockets(system_mail_t) +- ') ++optional_policy(` + bugzilla_search_content(system_mail_t) + bugzilla_dontaudit_rw_stream_sockets(system_mail_t) -+') -+ -+optional_policy(` - clamav_stream_connect(system_mail_t) - clamav_append_log(system_mail_t) ') -@@ -111,6 +119,8 @@ optional_policy(` + + optional_policy(` +@@ -111,6 +115,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -37408,7 +38439,7 @@ index 64268e4..3bd4ceb 100644 ') optional_policy(` -@@ -124,12 +134,9 @@ optional_policy(` +@@ -124,12 +130,9 @@ optional_policy(` ') optional_policy(` @@ -37423,7 +38454,7 @@ index 64268e4..3bd4ceb 100644 ') optional_policy(` -@@ -146,6 +153,10 @@ optional_policy(` +@@ -146,6 +149,10 @@ optional_policy(` ') optional_policy(` @@ -37434,7 +38465,7 @@ index 64268e4..3bd4ceb 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +169,6 @@ optional_policy(` +@@ -158,18 +165,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -37453,7 +38484,7 @@ index 64268e4..3bd4ceb 100644 ') optional_policy(` -@@ -189,6 +188,10 @@ optional_policy(` +@@ -189,6 +184,10 @@ optional_policy(` ') optional_policy(` @@ -37464,16 +38495,28 @@ index 64268e4..3bd4ceb 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +202,7 @@ optional_policy(` +@@ -199,15 +198,16 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) - ifdef(`hide_broken_symptoms', ` -+ ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) +- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) +- ') +- + optional_policy(` + cron_read_system_job_tmp_files(mta_user_agent) ') + ') -@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) ++ifdef(`hide_broken_symptoms',` ++ domain_dontaudit_leaks(user_mail_domain) ++ domain_dontaudit_leaks(mta_user_agent) ++') ++ + ######################################## + # + # Mailserver delivery local policy +@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -37483,7 +38526,7 @@ index 64268e4..3bd4ceb 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +246,10 @@ optional_policy(` +@@ -242,6 +243,10 @@ optional_policy(` ') optional_policy(` @@ -37494,7 +38537,7 @@ index 64268e4..3bd4ceb 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +257,25 @@ optional_policy(` +@@ -249,16 +254,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -37522,7 +38565,7 @@ index 64268e4..3bd4ceb 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +309,44 @@ optional_policy(` +@@ -292,3 +306,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -38655,7 +39698,7 @@ index 2324d9e..eebf5a7 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..863ba2d 100644 +index 0619395..79140e4 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -38724,6 +39767,15 @@ index 0619395..863ba2d 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) +@@ -113,7 +136,7 @@ corecmd_exec_shell(NetworkManager_t) + corecmd_exec_bin(NetworkManager_t) + + domain_use_interactive_fds(NetworkManager_t) +-domain_read_confined_domains_state(NetworkManager_t) ++domain_read_all_domains_state(NetworkManager_t) + + files_read_etc_files(NetworkManager_t) + files_read_etc_runtime_files(NetworkManager_t) @@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) @@ -41232,7 +42284,7 @@ index 1e7169d..05409ab 100644 ') - diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te -index 333a1fe..dcca269 100644 +index 333a1fe..e599723 100644 --- a/policy/modules/services/portmap.te +++ b/policy/modules/services/portmap.te @@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t) @@ -41243,7 +42295,31 @@ index 333a1fe..dcca269 100644 type portmap_tmp_t; files_tmp_file(portmap_tmp_t) -@@ -142,7 +141,7 @@ logging_send_syslog_msg(portmap_helper_t) +@@ -75,6 +74,8 @@ domain_use_interactive_fds(portmap_t) + + files_read_etc_files(portmap_t) + ++auth_use_nsswitch(portmap_t) ++ + logging_send_syslog_msg(portmap_t) + + miscfiles_read_localization(portmap_t) +@@ -85,14 +86,6 @@ userdom_dontaudit_use_unpriv_user_fds(portmap_t) + userdom_dontaudit_search_user_home_dirs(portmap_t) + + optional_policy(` +- nis_use_ypbind(portmap_t) +-') +- +-optional_policy(` +- nscd_socket_use(portmap_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(portmap_t) + ') + +@@ -142,7 +135,7 @@ logging_send_syslog_msg(portmap_helper_t) sysnet_read_config(portmap_helper_t) @@ -41356,7 +42432,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..9e2714e 100644 +index 46bee12..c22af86 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -41592,7 +42668,7 @@ index 46bee12..9e2714e 100644 ') ######################################## -@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -41695,10 +42771,6 @@ index 46bee12..9e2714e 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write }; -+ ') +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index a32c4b3..d60a654 100644 @@ -43152,7 +44224,7 @@ index 2855a44..c71fa1e 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..cb7c5e2 100644 +index 64c5f95..313f77d 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) @@ -43203,6 +44275,15 @@ index 64c5f95..cb7c5e2 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) +@@ -132,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t) + sysnet_run_ifconfig(puppet_t, system_r) + + tunable_policy(`puppet_manage_all_files',` +- auth_manage_all_files_except_shadow(puppet_t) ++ files_manage_non_security_files(puppet_t) + ') + + optional_policy(` @@ -162,7 +177,60 @@ optional_policy(` ######################################## @@ -43265,7 +44346,7 @@ index 64c5f95..cb7c5e2 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +239,34 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +239,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; @@ -43284,6 +44365,7 @@ index 64c5f95..cb7c5e2 100644 manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; ++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) @@ -43303,7 +44385,7 @@ index 64c5f95..cb7c5e2 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -43353,7 +44435,7 @@ index 64c5f95..cb7c5e2 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +329,9 @@ optional_policy(` +@@ -231,3 +330,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -44201,10 +45283,10 @@ index f04a595..3203212 100644 + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te -index 852840b..4427b21 100644 +index 852840b..cc1775e 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te -@@ -5,118 +5,139 @@ policy_module(razor, 2.2.0) +@@ -5,118 +5,135 @@ policy_module(razor, 2.2.0) # Declarations # @@ -44291,7 +45373,7 @@ index 852840b..4427b21 100644 + corenet_tcp_connect_razor_port(system_razor_t) + corenet_sendrecv_razor_client_packets(system_razor_t) + -+ sysnet_read_config(system_razor_t) ++ auth_use_nsswitch(system_razor_t) + + # cjp: this shouldn't be needed + userdom_use_unpriv_users_fds(system_razor_t) @@ -44300,10 +45382,6 @@ index 852840b..4427b21 100644 + logging_send_syslog_msg(system_razor_t) + ') + -+ optional_policy(` -+ nscd_socket_use(system_razor_t) -+ ') -+ + ######################################## + # + # User razor local policy @@ -44326,30 +45404,32 @@ index 852840b..4427b21 100644 + auth_use_nsswitch(razor_t) + + logging_send_syslog_msg(razor_t) - --type razor_etc_t; --files_config_file(razor_etc_t) ++ + userdom_search_user_home_dirs(razor_t) + userdom_use_inherited_user_terminals(razor_t) - --type razor_home_t; --typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; --typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; --userdom_user_home_content(razor_home_t) ++ + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(razor_t) + fs_manage_nfs_files(razor_t) + fs_manage_nfs_symlinks(razor_t) + ') --type razor_log_t; --logging_log_file(razor_log_t) +-type razor_etc_t; +-files_config_file(razor_etc_t) + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(razor_t) + fs_manage_cifs_files(razor_t) + fs_manage_cifs_symlinks(razor_t) + ') +-type razor_home_t; +-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; +-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; +-userdom_user_home_content(razor_home_t) +- +-type razor_log_t; +-logging_log_file(razor_log_t) +- -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; @@ -44635,7 +45715,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..9e237a7 100644 +index 00fa514..d95e136 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -44719,7 +45799,8 @@ index 00fa514..9e237a7 100644 -#term_use_ptmx(rgmanager_t) # needed by resources scripts - auth_read_all_files_except_shadow(rgmanager_t) +-auth_read_all_files_except_shadow(rgmanager_t) ++files_read_non_security_files(rgmanager_t) auth_dontaudit_getattr_shadow(rgmanager_t) auth_use_nsswitch(rgmanager_t) @@ -46024,7 +47105,7 @@ index f7826f9..679d185 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..a61bb94 100644 +index 33e72e8..ffc0c12 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -46091,7 +47172,16 @@ index 33e72e8..a61bb94 100644 domain_read_all_domains_state(ricci_modcluster_t) -@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t) +@@ -202,6 +212,8 @@ files_read_etc_runtime_files(ricci_modcluster_t) + files_read_etc_files(ricci_modcluster_t) + files_search_usr(ricci_modcluster_t) + ++auth_use_nsswitch(ricci_modcluster_t) ++ + init_exec(ricci_modcluster_t) + init_domtrans_script(ricci_modcluster_t) + +@@ -209,13 +221,9 @@ logging_send_syslog_msg(ricci_modcluster_t) miscfiles_read_localization(ricci_modcluster_t) @@ -46108,10 +47198,11 @@ index 33e72e8..a61bb94 100644 optional_policy(` aisexec_stream_connect(ricci_modcluster_t) -@@ -233,6 +239,18 @@ optional_policy(` +@@ -233,7 +241,15 @@ optional_policy(` ') optional_policy(` +- nscd_socket_use(ricci_modcluster_t) + modutils_domtrans_insmod(ricci_modcluster_t) +') + @@ -46121,13 +47212,10 @@ index 33e72e8..a61bb94 100644 + +optional_policy(` + consoletype_exec(ricci_modcluster_t) -+') -+ -+optional_policy(` - nscd_socket_use(ricci_modcluster_t) ') -@@ -241,8 +259,7 @@ optional_policy(` + optional_policy(` +@@ -241,8 +257,7 @@ optional_policy(` ') optional_policy(` @@ -46137,7 +47225,7 @@ index 33e72e8..a61bb94 100644 ') ######################################## -@@ -261,6 +278,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; +@@ -261,6 +276,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; @@ -46148,7 +47236,7 @@ index 33e72e8..a61bb94 100644 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +293,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock +@@ -272,6 +291,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -46156,7 +47244,7 @@ index 33e72e8..a61bb94 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t) +@@ -394,8 +414,6 @@ files_search_usr(ricci_modservice_t) # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) @@ -46165,7 +47253,7 @@ index 33e72e8..a61bb94 100644 init_domtrans_script(ricci_modservice_t) miscfiles_read_localization(ricci_modservice_t) -@@ -405,6 +425,10 @@ optional_policy(` +@@ -405,6 +423,10 @@ optional_policy(` ') optional_policy(` @@ -46176,7 +47264,7 @@ index 33e72e8..a61bb94 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -444,22 +468,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,22 +466,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -46191,7 +47279,8 @@ index 33e72e8..a61bb94 100644 term_dontaudit_use_console(ricci_modstorage_t) -fstools_domtrans(ricci_modstorage_t) -- ++auth_use_nsswitch(ricci_modstorage_t) + logging_send_syslog_msg(ricci_modstorage_t) miscfiles_read_localization(ricci_modstorage_t) @@ -46205,7 +47294,7 @@ index 33e72e8..a61bb94 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,11 +493,27 @@ optional_policy(` +@@ -471,12 +493,24 @@ optional_policy(` ') optional_policy(` @@ -46222,17 +47311,15 @@ index 33e72e8..a61bb94 100644 ') optional_policy(` +- nscd_socket_use(ricci_modstorage_t) + modutils_read_module_deps(ricci_modstorage_t) +') + +optional_policy(` + mount_domtrans(ricci_modstorage_t) -+') -+ -+optional_policy(` - nscd_socket_use(ricci_modstorage_t) ') + optional_policy(` diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc index 2785337..d7f6b82 100644 --- a/policy/modules/services/rlogin.fc @@ -46448,7 +47535,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..06e637c 100644 +index b1468ed..fb0f852 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -46545,7 +47632,25 @@ index b1468ed..06e637c 100644 # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) -@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',` + dev_getattr_all_chr_files(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) +- auth_manage_all_files_except_shadow(nfsd_t) + ') + + tunable_policy(`nfs_export_all_ro',` +@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',` + + fs_read_noxattr_fs_files(nfsd_t) + +- auth_read_all_dirs_except_shadow(nfsd_t) +- auth_read_all_files_except_shadow(nfsd_t) ++ files_read_non_security_files(nfsd_t) + ') + + ######################################## +@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; @@ -46554,7 +47659,7 @@ index b1468ed..06e637c 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t) +@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -46562,7 +47667,7 @@ index b1468ed..06e637c 100644 fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t) +@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -46579,7 +47684,7 @@ index b1468ed..06e637c 100644 ') optional_policy(` -@@ -229,6 +248,10 @@ optional_policy(` +@@ -229,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -46791,7 +47896,7 @@ index 3386f29..b28cae5 100644 + files_etc_filetrans($1, rsync_etc_t, $2) +') diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te -index 39015ae..5e7b7cf 100644 +index 39015ae..967bebd 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -7,6 +7,13 @@ policy_module(rsync, 1.10.0) @@ -46825,7 +47930,7 @@ index 39015ae..5e7b7cf 100644 allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -@@ -122,6 +128,7 @@ optional_policy(` +@@ -122,12 +128,26 @@ optional_policy(` ') tunable_policy(`rsync_export_all_ro',` @@ -46833,8 +47938,10 @@ index 39015ae..5e7b7cf 100644 fs_read_noxattr_fs_files(rsync_t) fs_read_nfs_files(rsync_t) fs_read_cifs_files(rsync_t) -@@ -130,4 +137,19 @@ tunable_policy(`rsync_export_all_ro',` - auth_read_all_symlinks_except_shadow(rsync_t) +- auth_read_all_dirs_except_shadow(rsync_t) +- auth_read_all_files_except_shadow(rsync_t) +- auth_read_all_symlinks_except_shadow(rsync_t) ++ files_read_non_security_files(rsync_t) auth_tunable_read_shadow(rsync_t) ') + @@ -47207,7 +48314,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..fdfa9bf 100644 +index e30bb63..a23112b 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -47314,7 +48421,7 @@ index e30bb63..fdfa9bf 100644 optional_policy(` cups_read_rw_config(smbd_t) -@@ -445,8 +445,8 @@ optional_policy(` +@@ -445,26 +445,25 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -47324,17 +48431,31 @@ index e30bb63..fdfa9bf 100644 tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) -@@ -462,8 +462,8 @@ tunable_policy(`samba_export_all_rw',` - auth_manage_all_files_except_shadow(smbd_t) +- auth_read_all_dirs_except_shadow(smbd_t) +- auth_read_all_files_except_shadow(smbd_t) ++ files_read_non_security_files(smbd_t) fs_read_noxattr_fs_files(nmbd_t) - auth_manage_all_files_except_shadow(nmbd_t) +- auth_read_all_dirs_except_shadow(nmbd_t) +- auth_read_all_files_except_shadow(nmbd_t) ++ files_read_non_security_files(nmbd_t) + ') + + tunable_policy(`samba_export_all_rw',` + fs_read_noxattr_fs_files(smbd_t) +- auth_manage_all_files_except_shadow(smbd_t) ++ files_manage_non_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) +- auth_manage_all_files_except_shadow(nmbd_t) - userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ++ files_manage_non_security_files(nmbd_t) ') -+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ++ ######################################## # -@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms; + # nmbd Local policy +@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -47345,7 +48466,7 @@ index e30bb63..fdfa9bf 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -47363,7 +48484,7 @@ index e30bb63..fdfa9bf 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t) +@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) @@ -47372,7 +48493,7 @@ index e30bb63..fdfa9bf 100644 ######################################## # -@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -47397,7 +48518,7 @@ index e30bb63..fdfa9bf 100644 ######################################## # # SWAT Local policy -@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -47406,7 +48527,7 @@ index e30bb63..fdfa9bf 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -47421,7 +48542,7 @@ index e30bb63..fdfa9bf 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -47429,7 +48550,7 @@ index e30bb63..fdfa9bf 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +760,8 @@ logging_search_logs(swat_t) +@@ -754,6 +759,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -47438,7 +48559,7 @@ index e30bb63..fdfa9bf 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -47460,7 +48581,7 @@ index e30bb63..fdfa9bf 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -47468,7 +48589,7 @@ index e30bb63..fdfa9bf 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -47477,7 +48598,7 @@ index e30bb63..fdfa9bf 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +932,18 @@ optional_policy(` +@@ -922,6 +931,18 @@ optional_policy(` # optional_policy(` @@ -47496,7 +48617,7 @@ index e30bb63..fdfa9bf 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +954,12 @@ optional_policy(` +@@ -932,9 +953,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -48338,7 +49459,7 @@ index 275f9fb..4f4a192 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..5c0d25f 100644 +index 3d8d1b3..0c5769c 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -48379,14 +49500,18 @@ index 3d8d1b3..5c0d25f 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -97,6 +100,7 @@ fs_search_auto_mountpoints(snmpd_t) +@@ -97,9 +100,10 @@ fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) +storage_dontaudit_write_removable_device(snmpd_t) auth_use_nsswitch(snmpd_t) - auth_read_all_dirs_except_shadow(snmpd_t) +-auth_read_all_dirs_except_shadow(snmpd_t) ++files_list_all(snmpd_t) + + init_read_utmp(snmpd_t) + init_dontaudit_write_utmp(snmpd_t) @@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -49607,7 +50732,7 @@ index 22adaca..76e8829 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..fcfc95b 100644 +index 2dad3c8..a85027d 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -49793,7 +50918,7 @@ index 2dad3c8..fcfc95b 100644 ############################## # # ssh_keysign_t local policy -@@ -209,8 +230,9 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,19 +230,14 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -49804,7 +50929,18 @@ index 2dad3c8..fcfc95b 100644 dev_read_urand(ssh_keysign_t) files_read_etc_files(ssh_keysign_t) -@@ -232,33 +254,43 @@ optional_policy(` + ') + +-optional_policy(` +- tunable_policy(`allow_ssh_keysign',` +- nscd_socket_use(ssh_keysign_t) +- ') +-') +- + ################################# + # + # sshd local policy +@@ -232,33 +248,43 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -49857,7 +50993,7 @@ index 2dad3c8..fcfc95b 100644 ') optional_policy(` -@@ -266,11 +298,24 @@ optional_policy(` +@@ -266,11 +292,24 @@ optional_policy(` ') optional_policy(` @@ -49883,7 +51019,7 @@ index 2dad3c8..fcfc95b 100644 ') optional_policy(` -@@ -284,6 +329,15 @@ optional_policy(` +@@ -284,6 +323,15 @@ optional_policy(` ') optional_policy(` @@ -49899,7 +51035,7 @@ index 2dad3c8..fcfc95b 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +346,26 @@ optional_policy(` +@@ -292,26 +340,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -49945,7 +51081,7 @@ index 2dad3c8..fcfc95b 100644 ') dnl endif TODO ######################################## -@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +370,25 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -49972,18 +51108,18 @@ index 2dad3c8..fcfc95b 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,10 +405,7 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -+userdom_use_user_terminals(ssh_keygen_t) - - optional_policy(` +- +-optional_policy(` - nscd_socket_use(ssh_keygen_t) -+ nscd_socket_use(ssh_keygen_t) - ') +-') ++userdom_use_user_terminals(ssh_keygen_t) optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 941380a..6dbfc01 100644 --- a/policy/modules/services/sssd.if @@ -50216,7 +51352,7 @@ index 08d999c..bca4388 100644 /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te -index 52f0d6c..6bfbf45 100644 +index 52f0d6c..7ef2b18 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te @@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0) @@ -50237,7 +51373,7 @@ index 52f0d6c..6bfbf45 100644 allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) -@@ -51,7 +49,7 @@ fs_getattr_xattr_fs(sysstat_t) +@@ -51,12 +49,16 @@ fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) term_use_console(sysstat_t) @@ -50246,14 +51382,23 @@ index 52f0d6c..6bfbf45 100644 init_use_fds(sysstat_t) -@@ -68,3 +66,7 @@ optional_policy(` + locallogin_use_fds(sysstat_t) + ++auth_use_nsswitch(sysstat_t) ++ ++logging_send_syslog_msg(sysstat_t) ++ + miscfiles_read_localization(sysstat_t) + + userdom_dontaudit_list_user_home_dirs(sysstat_t) +@@ -64,7 +66,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t) optional_policy(` - logging_send_syslog_msg(sysstat_t) + cron_system_entry(sysstat_t, sysstat_exec_t) ') -+ -+optional_policy(` -+ nscd_socket_use(sysstat_t) -+') +- +-optional_policy(` +- logging_send_syslog_msg(sysstat_t) +-') diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te index 7038b55..4e84f23 100644 --- a/policy/modules/services/tcpd.te @@ -50815,7 +51960,7 @@ index 4440aa6..34ffbfd 100644 + virt_dontaudit_read_chr_dev(usbmuxd_t) +') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..5e7be4f 100644 +index d4349e9..f14d337 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; @@ -50836,14 +51981,13 @@ index d4349e9..5e7be4f 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) -@@ -147,3 +149,7 @@ optional_policy(` - optional_policy(` - nscd_socket_use(uux_t) +@@ -145,5 +147,5 @@ optional_policy(` ') -+ -+optional_policy(` + + optional_policy(` +- nscd_socket_use(uux_t) + postfix_rw_master_pipes(uux_t) -+') + ') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index f9310f3..064171e 100644 --- a/policy/modules/services/varnishd.te @@ -51187,10 +52331,10 @@ index 2124b6a..55b5012 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..59ba27c 100644 +index 7c5d8d8..4feaf88 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -13,39 +13,42 @@ +@@ -13,39 +13,44 @@ # template(`virt_domain_template',` gen_require(` @@ -51227,7 +52371,8 @@ index 7c5d8d8..59ba27c 100644 - type $1_var_run_t; - files_pid_file($1_var_run_t) -- ++ auth_use_nsswitch($1_t) + - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) @@ -51242,7 +52387,7 @@ index 7c5d8d8..59ba27c 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +60,6 @@ template(`virt_domain_template',` +@@ -57,18 +62,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -51261,7 +52406,7 @@ index 7c5d8d8..59ba27c 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -101,9 +92,9 @@ interface(`virt_image',` +@@ -101,9 +94,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## @@ -51273,7 +52418,7 @@ index 7c5d8d8..59ba27c 100644 ## # interface(`virt_domtrans',` -@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +157,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -51289,7 +52434,7 @@ index 7c5d8d8..59ba27c 100644 ') ######################################## -@@ -185,13 +176,13 @@ interface(`virt_read_config',` +@@ -185,13 +178,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -51305,7 +52450,7 @@ index 7c5d8d8..59ba27c 100644 ') ######################################## -@@ -231,6 +222,24 @@ interface(`virt_read_content',` +@@ -231,6 +224,24 @@ interface(`virt_read_content',` ######################################## ## @@ -51330,7 +52475,7 @@ index 7c5d8d8..59ba27c 100644 ## Read virt PID files. ## ## -@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',` +@@ -269,6 +280,36 @@ interface(`virt_manage_pid_files',` ######################################## ## @@ -51367,7 +52512,7 @@ index 7c5d8d8..59ba27c 100644 ## Search virt lib directories. ## ## -@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +349,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -51392,7 +52537,7 @@ index 7c5d8d8..59ba27c 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +409,9 @@ interface(`virt_read_log',` +@@ -352,9 +411,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -51404,7 +52549,7 @@ index 7c5d8d8..59ba27c 100644 ## # interface(`virt_append_log',` -@@ -424,6 +481,24 @@ interface(`virt_read_images',` +@@ -424,6 +483,24 @@ interface(`virt_read_images',` ######################################## ## @@ -51429,7 +52574,7 @@ index 7c5d8d8..59ba27c 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +508,15 @@ interface(`virt_read_images',` +@@ -433,15 +510,15 @@ interface(`virt_read_images',` ## ## # @@ -51450,7 +52595,7 @@ index 7c5d8d8..59ba27c 100644 ') ######################################## -@@ -500,11 +575,16 @@ interface(`virt_manage_images',` +@@ -500,11 +577,16 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -51467,7 +52612,7 @@ index 7c5d8d8..59ba27c 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 virtd_initrc_exec_t system_r; -@@ -515,4 +595,188 @@ interface(`virt_admin',` +@@ -515,4 +597,188 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -51657,7 +52802,7 @@ index 7c5d8d8..59ba27c 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..b2c36e4 100644 +index 3eca020..5a0c2ce 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -52062,7 +53207,7 @@ index 3eca020..b2c36e4 100644 dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) -+ dnsmasq_filetrans_named_content(virtd_t, virt_var_run_t); ++ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); ') optional_policy(` @@ -52148,7 +53293,7 @@ index 3eca020..b2c36e4 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,8 +588,16 @@ files_search_all(virt_domain) +@@ -440,14 +588,20 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -52166,7 +53311,13 @@ index 3eca020..b2c36e4 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +613,176 @@ optional_policy(` + +-auth_use_nsswitch(virt_domain) +- + logging_send_syslog_msg(virt_domain) + + miscfiles_read_localization(virt_domain) +@@ -457,8 +611,176 @@ optional_policy(` ') optional_policy(` @@ -52763,7 +53914,7 @@ index 4966c94..cb2e1a3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..10b57e0 100644 +index 130ced9..1772fa2 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -52848,17 +53999,13 @@ index 130ced9..10b57e0 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -106,12 +116,27 @@ interface(`xserver_restricted_role',` +@@ -106,12 +116,23 @@ interface(`xserver_restricted_role',` xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + xserver_read_xdm_etc_files($2) + + modutils_run_insmod(xserver_t, $1) -+ -+ ifdef(`hide_broken_symptoms',` -+ dontaudit iceauth_t $2:socket_class_set { read write }; -+ ') # Client write xserver shm tunable_policy(`allow_write_xshm',` @@ -52876,7 +54023,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -143,13 +168,15 @@ interface(`xserver_role',` +@@ -143,13 +164,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -52894,7 +54041,7 @@ index 130ced9..10b57e0 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +189,6 @@ interface(`xserver_role',` +@@ -162,7 +185,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -52902,7 +54049,7 @@ index 130ced9..10b57e0 100644 ') ####################################### -@@ -197,7 +223,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +219,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -52911,7 +54058,7 @@ index 130ced9..10b57e0 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +253,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +249,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') @@ -52920,7 +54067,7 @@ index 130ced9..10b57e0 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +281,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -52929,7 +54076,7 @@ index 130ced9..10b57e0 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +317,13 @@ interface(`xserver_user_client',` +@@ -291,13 +313,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -52947,7 +54094,7 @@ index 130ced9..10b57e0 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -342,19 +368,23 @@ interface(`xserver_user_client',` +@@ -342,19 +364,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -52974,7 +54121,7 @@ index 130ced9..10b57e0 100644 ') ############################## -@@ -386,6 +416,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -52990,7 +54137,7 @@ index 130ced9..10b57e0 100644 ') ####################################### -@@ -444,8 +483,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +479,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` @@ -53002,7 +54149,7 @@ index 130ced9..10b57e0 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +496,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +492,18 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; @@ -53023,7 +54170,7 @@ index 130ced9..10b57e0 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +519,25 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +515,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -53033,6 +54180,7 @@ index 130ced9..10b57e0 100644 xserver_read_xdm_tmp_files($2) + xserver_read_xdm_pid($2) ++ xserver_xdm_append_log($2) # X object manager xserver_object_types_template($1) @@ -53051,7 +54199,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +566,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -53059,18 +54207,10 @@ index 130ced9..10b57e0 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -545,6 +598,28 @@ interface(`xserver_domtrans_xauth',` - ') +@@ -549,6 +599,24 @@ interface(`xserver_domtrans_xauth',` - domtrans_pattern($1, xauth_exec_t, xauth_t) -+ -+ ifdef(`hide_broken_symptoms',` -+ dontaudit xauth_t $1:socket_class_set { read write }; -+ ') -+') -+ -+######################################## -+## + ######################################## + ## +## Dontaudit exec of Xauthority program. +## +## @@ -53085,10 +54225,14 @@ index 130ced9..10b57e0 100644 + ') + + dontaudit $1 xauth_exec_t:file execute; - ') - - ######################################## -@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',` ++') ++ ++######################################## ++## + ## Create a Xauthority file in the user home directory. + ## + ## +@@ -598,6 +666,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -53096,7 +54240,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +684,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -53105,7 +54249,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -638,6 +714,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +707,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -53131,7 +54275,7 @@ index 130ced9..10b57e0 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +746,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +739,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -53140,7 +54284,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -670,7 +765,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +758,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -53149,7 +54293,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -688,7 +783,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +776,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -53158,7 +54302,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -703,12 +798,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +791,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -53172,7 +54316,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -724,11 +818,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +811,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -53206,7 +54350,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -752,6 +866,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +859,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -53232,7 +54376,7 @@ index 130ced9..10b57e0 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +898,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +891,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -53241,7 +54385,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -805,7 +938,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +931,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -53269,7 +54413,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -828,6 +980,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +973,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -53294,7 +54438,7 @@ index 130ced9..10b57e0 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1067,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1060,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -53303,7 +54447,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -916,7 +1086,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1079,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -53312,7 +54456,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -963,6 +1133,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1126,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -53358,7 +54502,7 @@ index 130ced9..10b57e0 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1185,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1178,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -53367,7 +54511,7 @@ index 130ced9..10b57e0 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1247,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1240,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -53410,7 +54554,7 @@ index 130ced9..10b57e0 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1297,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1290,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -53419,7 +54563,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -1070,8 +1315,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1308,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -53431,7 +54575,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -1185,6 +1432,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1425,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -53458,7 +54602,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -1210,7 +1477,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1470,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -53467,7 +54611,7 @@ index 130ced9..10b57e0 100644 ## ## ## -@@ -1220,13 +1487,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1480,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -53492,7 +54636,7 @@ index 130ced9..10b57e0 100644 ') ######################################## -@@ -1243,10 +1520,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1513,458 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -53711,7 +54855,7 @@ index 130ced9..10b57e0 100644 + ') + + typeattribute $1 xdmhomewriter; -+ append_files_pattern($1, xdm_log_t, xdm_log_t) ++ allow $1 xdm_log_t:file append_inherited_file_perms; +') + +######################################## @@ -55204,10 +56348,19 @@ index 3defaa1..2ad2488 100644 /var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) /var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if -index 21ae664..fcc91a1 100644 +index 21ae664..3e448dd 100644 --- a/policy/modules/services/zarafa.if +++ b/policy/modules/services/zarafa.if -@@ -118,3 +118,24 @@ interface(`zarafa_stream_connect_server',` +@@ -42,6 +42,8 @@ template(`zarafa_domain_template',` + + manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) + logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) ++ ++ auth_use_nsswitch(zarafa_$1_t) + ') + + ###################################### +@@ -118,3 +120,24 @@ interface(`zarafa_stream_connect_server',` files_search_var_lib($1) stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ') @@ -55233,7 +56386,7 @@ index 21ae664..fcc91a1 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -index 9fb4747..54abc7a 100644 +index 9fb4747..42a6067 100644 --- a/policy/modules/services/zarafa.te +++ b/policy/modules/services/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) @@ -55309,6 +56462,13 @@ index 9fb4747..54abc7a 100644 # zarafa domains local policy # +@@ -156,6 +201,4 @@ kernel_read_system_state(zarafa_domain) + + files_read_etc_files(zarafa_domain) + +-auth_use_nsswitch(zarafa_domain) +- + miscfiles_read_localization(zarafa_domain) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index 6b87605..347f754 100644 --- a/policy/modules/services/zebra.if @@ -55462,8 +56622,18 @@ index c6fdab7..41198a4 100644 optional_policy(` cron_sigchld(application_domain_type) ') +diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc +index 28ad538..5cae905 100644 +--- a/policy/modules/system/authlogin.fc ++++ b/policy/modules/system/authlogin.fc +@@ -45,5 +45,4 @@ ifdef(`distro_gentoo', ` + /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..dedb917 100644 +index 73554ec..07e21e1 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -55805,64 +56975,69 @@ index 73554ec..dedb917 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',` +@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',` + ## # interface(`auth_use_nsswitch',` - +- - files_list_var_lib($1) - - # read /etc/nsswitch.conf - files_read_etc_files($1) - +- # read /etc/nsswitch.conf +- files_read_etc_files($1) +- - miscfiles_read_generic_certs($1) - - sysnet_dns_name_resolve($1) +- sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) -+ -+ tunable_policy(`authlogin_nsswitch_use_ldap',` -+ files_list_var_lib($1) -+ -+ miscfiles_read_generic_certs($1) -+ -+ sysnet_use_ldap($1) -+ ') - - optional_policy(` +- +- optional_policy(` - avahi_stream_connect($1) -+ tunable_policy(`authlogin_nsswitch_use_ldap',` -+ dirsrv_stream_connect($1) -+ ') - ') - - optional_policy(` +- ') +- +- optional_policy(` - ldap_stream_connect($1) -+ tunable_policy(`authlogin_nsswitch_use_ldap',` -+ ldap_stream_connect($1) -+ ') - ') - - optional_policy(` - likewise_stream_connect_lsassd($1) - ') - -+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. - optional_policy(` - kerberos_use($1) - ') -@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',` - ') - - optional_policy(` +- ') +- +- optional_policy(` +- likewise_stream_connect_lsassd($1) +- ') +- +- optional_policy(` +- kerberos_use($1) +- ') +- +- optional_policy(` +- nis_use_ypbind($1) +- ') +- +- optional_policy(` - nscd_socket_use($1) -+ nscd_use($1) +- ') +- +- optional_policy(` +- nslcd_stream_connect($1) +- ') +- +- optional_policy(` +- sssd_stream_connect($1) ++ gen_require(` ++ attribute nsswitch_domain; ') - optional_policy(` +- optional_policy(` +- samba_stream_connect_winbind($1) +- samba_read_var_files($1) +- samba_dontaudit_write_var_files($1) +- ') ++ typeattribute $1 nsswitch_domain; + ') + + ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..335900f 100644 +index b7a5f00..a53db2b 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1) +@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) # Declarations # @@ -55884,10 +57059,11 @@ index b7a5f00..335900f 100644 attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; +attribute polydomain; ++attribute nsswitch_domain; type auth_cache_t; logging_log_file(auth_cache_t) -@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t) +@@ -100,6 +116,8 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd files_dontaudit_search_var(chkpwd_t) @@ -55896,7 +57072,7 @@ index b7a5f00..335900f 100644 fs_dontaudit_getattr_xattr_fs(chkpwd_t) -@@ -118,7 +135,7 @@ miscfiles_read_localization(chkpwd_t) +@@ -118,7 +136,7 @@ miscfiles_read_localization(chkpwd_t) seutil_read_config(chkpwd_t) seutil_dontaudit_use_newrole_fds(chkpwd_t) @@ -55905,7 +57081,7 @@ index b7a5f00..335900f 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -343,7 +360,7 @@ logging_send_syslog_msg(updpwd_t) +@@ -343,7 +361,7 @@ logging_send_syslog_msg(updpwd_t) miscfiles_read_localization(updpwd_t) @@ -55914,7 +57090,15 @@ index b7a5f00..335900f 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -377,7 +394,7 @@ domain_use_interactive_fds(utempter_t) +@@ -371,13 +389,15 @@ term_dontaudit_use_all_ttys(utempter_t) + term_dontaudit_use_all_ptys(utempter_t) + term_dontaudit_use_ptmx(utempter_t) + ++auth_use_nsswitch(utempter_t) ++ + init_rw_utmp(utempter_t) + + domain_use_interactive_fds(utempter_t) logging_search_logs(utempter_t) @@ -55923,20 +57107,81 @@ index b7a5f00..335900f 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -395,3 +412,13 @@ optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) +@@ -388,10 +408,71 @@ ifdef(`distro_ubuntu',` ') + + optional_policy(` +- nscd_socket_use(utempter_t) ++ xserver_use_xdm_fds(utempter_t) ++ xserver_rw_xdm_pipes(utempter_t) ++') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(polydomain) + ') + + optional_policy(` +- xserver_use_xdm_fds(utempter_t) +- xserver_rw_xdm_pipes(utempter_t) ++ tunable_policy(`allow_polyinstantiation',` ++ namespace_init_domtrans(polydomain) ++ ') ++') ++ ++# read /etc/nsswitch.conf ++files_read_etc_files(nsswitch_domain) ++ ++sysnet_dns_name_resolve(nsswitch_domain) ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ files_list_var_lib(nsswitch_domain) ++ ++ miscfiles_read_generic_certs(nsswitch_domain) ++ sysnet_use_ldap(nsswitch_domain) +') + +optional_policy(` -+ tunable_policy(`allow_polyinstantiation',` -+ namespace_init_domtrans(polydomain) ++ tunable_policy(`authlogin_nsswitch_use_ldap',` ++ dirsrv_stream_connect(nsswitch_domain) + ') +') ++ ++optional_policy(` ++ tunable_policy(`authlogin_nsswitch_use_ldap',` ++ ldap_stream_connect(nsswitch_domain) ++ ') ++') ++ ++optional_policy(` ++ likewise_stream_connect_lsassd(nsswitch_domain) ++') ++ ++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. ++optional_policy(` ++ kerberos_use(nsswitch_domain) ++') ++ ++optional_policy(` ++ nis_use_ypbind(nsswitch_domain) ++') ++ ++optional_policy(` ++ nscd_use(nsswitch_domain) ++') ++ ++optional_policy(` ++ nslcd_stream_connect(nsswitch_domain) ++') ++ ++optional_policy(` ++ sssd_stream_connect(nsswitch_domain) ++') ++ ++optional_policy(` ++ samba_stream_connect_winbind(nsswitch_domain) ++ samba_read_var_files(nsswitch_domain) ++ samba_dontaudit_write_var_files(nsswitch_domain) + ') diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if index e2f6d93..c78ccc6 100644 --- a/policy/modules/system/clock.if @@ -55968,10 +57213,10 @@ index e2f6d93..c78ccc6 100644 ## ## diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index b9ed25b..de3738c 100644 +index b9ed25b..39e1dc1 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te -@@ -46,8 +46,8 @@ fs_search_auto_mountpoints(hwclock_t) +@@ -46,11 +46,13 @@ fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) term_use_unallocated_ttys(hwclock_t) @@ -55982,6 +57227,22 @@ index b9ed25b..de3738c 100644 domain_use_interactive_fds(hwclock_t) ++auth_use_nsswitch(hwclock_t) ++ + init_use_fds(hwclock_t) + init_use_script_ptys(hwclock_t) + +@@ -65,10 +67,6 @@ optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(hwclock_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(hwclock_t) + ') + diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if index ce3e676..0158314 100644 --- a/policy/modules/system/daemontools.if @@ -56150,16 +57411,30 @@ index c28da1c..73883c4 100644 xen_rw_image_files(fsadm_t) ') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index ede3231..6cdbda3 100644 +index ede3231..c8c15bd 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te -@@ -83,6 +83,7 @@ term_use_unallocated_ttys(getty_t) +@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t) term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) +term_use_console(getty_t) auth_rw_login_records(getty_t) ++auth_use_nsswitch(getty_t) + + init_rw_utmp(getty_t) + init_use_script_ptys(getty_t) +@@ -125,10 +127,6 @@ optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(getty_t) +-') +- +-optional_policy(` + ppp_domtrans(getty_t) + ') diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index c310775..ec32c5e 100644 @@ -56209,6 +57484,34 @@ index 40eb10c..2a0a32c 100644 ') corecmd_search_bin($1) +diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te +index 1a3d970..ba2f286 100644 +--- a/policy/modules/system/hotplug.te ++++ b/policy/modules/system/hotplug.te +@@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t) + # kernel threads inherit from shared descriptor table used by init + init_dontaudit_rw_initctl(hotplug_t) + ++auth_use_nsswitch(hotplug_t) ++ + logging_send_syslog_msg(hotplug_t) + logging_search_logs(hotplug_t) + +@@ -164,14 +166,6 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(hotplug_t) +-') +- +-optional_policy(` +- nscd_socket_use(hotplug_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(hotplug_t) + ') + diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 354ce93..b8b14b9 100644 --- a/policy/modules/system/init.fc @@ -56254,7 +57557,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..26dcf18 100644 +index 94fd8dd..354e39c 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,42 @@ interface(`init_script_domain',` @@ -56292,7 +57595,7 @@ index 94fd8dd..26dcf18 100644 + domtrans_pattern(init_t,$2,$1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $1:unix_dgram_socket create_socket_perms; -+ allow $1 init_t:unix_stream_socket ioctl; ++ allow $1 init_t:unix_stream_socket ioctl; + allow $1 init_t:unix_dgram_socket sendto; + ') +') @@ -56324,42 +57627,52 @@ index 94fd8dd..26dcf18 100644 ') typeattribute $1 daemon; -@@ -204,7 +246,24 @@ interface(`init_daemon_domain',` - - role system_r types $1; +@@ -202,39 +244,20 @@ interface(`init_daemon_domain',` + domain_type($1) + domain_entry_file($1, $2) +- role system_r types $1; +- - domtrans_pattern(initrc_t, $2, $1) +- +- # daemons started from init will +- # inherit fds from init for the console +- init_dontaudit_use_fds($1) +- term_dontaudit_use_console($1) +- +- # init script ptys are the stdin/out/err +- # when using run_init +- init_use_script_ptys($1) + domtrans_pattern(initrc_t,$2,$1) -+ allow initrc_t $1:process siginh; -+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; -+ allow $1 initrc_transition_domain:fd use; -+ -+ tunable_policy(`init_upstart || init_systemd',` -+ # Handle upstart direct transition to a executable -+ domtrans_pattern(init_t,$2,$1) -+ allow init_t $1:process siginh; -+ ') -+ -+ tunable_policy(`init_systemd',` -+ allow init_t $1:unix_stream_socket create_stream_socket_perms; -+ allow init_t $1:unix_dgram_socket create_socket_perms; -+ allow init_t $1:tcp_socket create_stream_socket_perms; -+ allow $1 init_t:unix_dgram_socket sendto; -+ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr }; -+ ') - # daemons started from init will - # inherit fds from init for the console -@@ -231,6 +290,8 @@ interface(`init_daemon_domain',` - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -+ -+ dontaudit $1 init_t:dir search_dir_perms; + ifdef(`direct_sysadm_daemon',` + domtrans_pattern(direct_run_init, $2, $1) +- allow direct_run_init $1:process { noatsecure siginh rlimitinh }; + + typeattribute $1 direct_init; + typeattribute $2 direct_init_entry; + +- userdom_dontaudit_use_user_terminals($1) ++# userdom_dontaudit_use_user_terminals($1) ') - optional_policy(` -@@ -283,17 +344,20 @@ interface(`init_daemon_domain',` +- ifdef(`hide_broken_symptoms',` +- # RHEL4 systems seem to have a stray +- # fds open from the initrd +- ifdef(`distro_rhel4',` +- kernel_dontaudit_use_fds($1) +- ') +- ') +- +- optional_policy(` +- nscd_socket_use($1) ++ tunable_policy(`init_upstart || init_systemd',` ++ # Handle upstart direct transition to a executable ++ domtrans_pattern(init_t,$2,$1) + ') + ') + +@@ -283,17 +306,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; @@ -56381,7 +57694,7 @@ index 94fd8dd..26dcf18 100644 ') ') -@@ -336,15 +400,32 @@ interface(`init_ranged_daemon_domain',` +@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -56389,75 +57702,30 @@ index 94fd8dd..26dcf18 100644 type initrc_t; role system_r; + attribute initrc_transition_domain; ++ attribute systemprocess; ') ++ typeattribute $1 systemprocess; application_domain($1, $2) role system_r types $1; - domtrans_pattern(initrc_t, $2, $1) + domtrans_pattern(initrc_t,$2,$1) -+ allow initrc_t $1:process siginh; -+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; -+ allow $1 initrc_transition_domain:fd use; -+ -+ dontaudit $1 init_t:unix_stream_socket getattr; -+ + +- ifdef(`hide_broken_symptoms',` +- # RHEL4 systems seem to have a stray +- # fds open from the initrd +- ifdef(`distro_rhel4',` +- kernel_dontaudit_use_fds($1) +- ') + tunable_policy(`init_systemd',` + # Handle upstart/systemd direct transition to a executable + domtrans_pattern(init_t,$2,$1) -+ allow init_t $1:process siginh; -+ allow init_t $1:unix_stream_socket create_stream_socket_perms; -+ allow init_t $1:unix_dgram_socket create_socket_perms; -+ allow $1 init_t:unix_dgram_socket sendto; -+ dontaudit $1 init_t:unix_stream_socket { read getattr ioctl }; -+ ') - - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray -@@ -353,6 +434,41 @@ interface(`init_system_domain',` - kernel_dontaudit_use_fds($1) - ') ') -+ -+ userdom_dontaudit_search_user_home_dirs($1) -+ userdom_dontaudit_rw_stream($1) -+ userdom_dontaudit_write_user_tmp_files($1) -+ -+ tunable_policy(`allow_daemons_use_tty',` -+ term_use_all_ttys($1) -+ term_use_all_ptys($1) -+ ',` -+ term_dontaudit_use_all_ttys($1) -+ term_dontaudit_use_all_ptys($1) -+ ') -+ -+ # these apps are often redirect output to random log files -+ logging_inherit_append_all_logs($1) -+ -+ optional_policy(` -+ abrt_stream_connect($1) -+ ') -+ -+ optional_policy(` -+ cron_rw_pipes($1) -+ ') -+ -+ optional_policy(` -+ xserver_dontaudit_append_xdm_home_files($1) -+ ') -+ -+ optional_policy(` -+ unconfined_dontaudit_rw_pipes($1) -+ unconfined_dontaudit_rw_stream($1) -+ userdom_dontaudit_read_user_tmp_files($1) -+ ') -+ -+ init_rw_script_stream_sockets($1) ') - ######################################## -@@ -401,16 +517,19 @@ interface(`init_system_domain',` +@@ -401,16 +428,19 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -56477,7 +57745,7 @@ index 94fd8dd..26dcf18 100644 mls_rangetrans_target($1) ') ') -@@ -451,6 +570,10 @@ interface(`init_exec',` +@@ -451,6 +481,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -56488,7 +57756,7 @@ index 94fd8dd..26dcf18 100644 ') ######################################## -@@ -509,6 +632,24 @@ interface(`init_sigchld',` +@@ -509,6 +543,24 @@ interface(`init_sigchld',` ######################################## ## @@ -56513,7 +57781,7 @@ index 94fd8dd..26dcf18 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +660,29 @@ interface(`init_sigchld',` +@@ -519,10 +571,29 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -56545,7 +57813,7 @@ index 94fd8dd..26dcf18 100644 ') ######################################## -@@ -688,19 +848,25 @@ interface(`init_telinit',` +@@ -688,19 +759,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -56572,7 +57840,7 @@ index 94fd8dd..26dcf18 100644 ') ') -@@ -730,7 +896,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +807,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -56581,7 +57849,7 @@ index 94fd8dd..26dcf18 100644 ## ## # -@@ -773,18 +939,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -56605,7 +57873,7 @@ index 94fd8dd..26dcf18 100644 ') ') -@@ -800,23 +967,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -56628,11 +57896,11 @@ index 94fd8dd..26dcf18 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -56645,17 +57913,13 @@ index 94fd8dd..26dcf18 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -868,9 +1057,14 @@ interface(`init_script_file_domtrans',` + ') + + ######################################## +@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -56670,7 +57934,7 @@ index 94fd8dd..26dcf18 100644 files_search_etc($1) ') -@@ -1079,6 +1273,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -56695,7 +57959,7 @@ index 94fd8dd..26dcf18 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1342,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -56709,7 +57973,7 @@ index 94fd8dd..26dcf18 100644 ') ######################################## -@@ -1375,6 +1582,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -56737,7 +58001,7 @@ index 94fd8dd..26dcf18 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1689,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -56763,7 +58027,7 @@ index 94fd8dd..26dcf18 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1766,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -56788,7 +58052,7 @@ index 94fd8dd..26dcf18 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1939,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -56797,7 +58061,7 @@ index 94fd8dd..26dcf18 100644 ') ######################################## -@@ -1715,6 +1980,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -56926,7 +58190,7 @@ index 94fd8dd..26dcf18 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2136,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -57084,7 +58348,7 @@ index 94fd8dd..26dcf18 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..70532cc 100644 +index 29a9565..837bc69 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -57122,7 +58386,7 @@ index 29a9565..70532cc 100644 # used for direct running of init scripts # by admin domains attribute direct_run_init; -@@ -25,6 +53,9 @@ attribute direct_init_entry; +@@ -25,14 +53,18 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -57132,7 +58396,8 @@ index 29a9565..70532cc 100644 # Mark process types as daemons attribute daemon; -@@ -32,7 +63,7 @@ attribute daemon; ++attribute systemprocess; + # # init_t is the domain of the init process. # @@ -57141,7 +58406,7 @@ index 29a9565..70532cc 100644 type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) -@@ -63,6 +94,8 @@ role system_r types initrc_t; +@@ -63,6 +95,8 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -57150,7 +58415,7 @@ index 29a9565..70532cc 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -87,7 +120,7 @@ ifdef(`enable_mls',` +@@ -87,7 +121,7 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -57159,7 +58424,7 @@ index 29a9565..70532cc 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -100,11 +133,15 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -100,11 +134,15 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -57179,7 +58444,7 @@ index 29a9565..70532cc 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,25 +152,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -57214,7 +58479,7 @@ index 29a9565..70532cc 100644 files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: files_exec_etc_files(init_t) -@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t) +@@ -151,10 +198,19 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -57235,7 +58500,7 @@ index 29a9565..70532cc 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +217,16 @@ init_domtrans_script(init_t) +@@ -162,12 +218,16 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -57252,7 +58517,7 @@ index 29a9565..70532cc 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +237,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +238,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -57261,7 +58526,7 @@ index 29a9565..70532cc 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',` +@@ -186,16 +246,136 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -57365,13 +58630,14 @@ index 29a9565..70532cc 100644 + + create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + -+# miscfiles_delete_man_pages(init_t) -+# miscfiles_relabel_man_pages(init_t) -+ +') + ++auth_use_nsswitch(init_t) ++auth_rw_login_records(init_t) ++ optional_policy(` - auth_rw_login_records(init_t) +- auth_rw_login_records(init_t) ++ lvm_rw_pipes(init_t) ') optional_policy(` @@ -57393,16 +58659,13 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -199,10 +377,26 @@ optional_policy(` +- nscd_socket_use(init_t) ++ plymouthd_stream_connect(init_t) ++ plymouthd_exec_plymouth(init_t) ') optional_policy(` -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) -+') -+ -+optional_policy(` - sssd_stream_connect(init_t) +@@ -203,6 +383,17 @@ optional_policy(` ') optional_policy(` @@ -57420,7 +58683,7 @@ index 29a9565..70532cc 100644 unconfined_domain(init_t) ') -@@ -212,7 +406,7 @@ optional_policy(` +@@ -212,7 +403,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -57429,7 +58692,7 @@ index 29a9565..70532cc 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -57445,7 +58708,7 @@ index 29a9565..70532cc 100644 init_write_initctl(initrc_t) -@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -57482,7 +58745,7 @@ index 29a9565..70532cc 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -57490,7 +58753,7 @@ index 29a9565..70532cc 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -57501,7 +58764,7 @@ index 29a9565..70532cc 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -57518,7 +58781,7 @@ index 29a9565..70532cc 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -57526,7 +58789,7 @@ index 29a9565..70532cc 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -57538,7 +58801,7 @@ index 29a9565..70532cc 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -57552,7 +58815,7 @@ index 29a9565..70532cc 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -57561,7 +58824,7 @@ index 29a9565..70532cc 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -57569,7 +58832,7 @@ index 29a9565..70532cc 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -57577,7 +58840,7 @@ index 29a9565..70532cc 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -57599,7 +58862,7 @@ index 29a9565..70532cc 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -57610,7 +58873,7 @@ index 29a9565..70532cc 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +702,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -57619,7 +58882,7 @@ index 29a9565..70532cc 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +717,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -57627,7 +58890,7 @@ index 29a9565..70532cc 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +747,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -57661,7 +58924,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -531,10 +784,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +781,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -57688,7 +58951,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -549,6 +818,39 @@ ifdef(`distro_suse',` +@@ -549,6 +815,39 @@ ifdef(`distro_suse',` ') ') @@ -57728,7 +58991,7 @@ index 29a9565..70532cc 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +863,8 @@ optional_policy(` +@@ -561,6 +860,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -57737,7 +59000,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -577,6 +881,7 @@ optional_policy(` +@@ -577,6 +878,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -57745,7 +59008,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -589,6 +894,11 @@ optional_policy(` +@@ -589,6 +891,11 @@ optional_policy(` ') optional_policy(` @@ -57757,7 +59020,7 @@ index 29a9565..70532cc 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +915,13 @@ optional_policy(` +@@ -605,9 +912,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -57771,7 +59034,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -649,6 +963,11 @@ optional_policy(` +@@ -649,6 +960,11 @@ optional_policy(` ') optional_policy(` @@ -57783,7 +59046,7 @@ index 29a9565..70532cc 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1008,7 @@ optional_policy(` +@@ -689,6 +1005,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -57791,7 +59054,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -706,7 +1026,13 @@ optional_policy(` +@@ -706,7 +1023,13 @@ optional_policy(` ') optional_policy(` @@ -57805,7 +59068,7 @@ index 29a9565..70532cc 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1055,10 @@ optional_policy(` +@@ -729,6 +1052,10 @@ optional_policy(` ') optional_policy(` @@ -57816,7 +59079,7 @@ index 29a9565..70532cc 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1068,20 @@ optional_policy(` +@@ -738,10 +1065,20 @@ optional_policy(` ') optional_policy(` @@ -57837,7 +59100,7 @@ index 29a9565..70532cc 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1090,10 @@ optional_policy(` +@@ -750,6 +1087,10 @@ optional_policy(` ') optional_policy(` @@ -57848,7 +59111,7 @@ index 29a9565..70532cc 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1115,6 @@ optional_policy(` +@@ -771,8 +1112,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -57857,7 +59120,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -790,10 +1132,12 @@ optional_policy(` +@@ -790,10 +1129,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -57870,7 +59133,7 @@ index 29a9565..70532cc 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1149,6 @@ optional_policy(` +@@ -805,7 +1146,6 @@ optional_policy(` ') optional_policy(` @@ -57878,7 +59141,7 @@ index 29a9565..70532cc 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1158,24 @@ optional_policy(` +@@ -815,11 +1155,24 @@ optional_policy(` ') optional_policy(` @@ -57904,7 +59167,7 @@ index 29a9565..70532cc 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1185,25 @@ optional_policy(` +@@ -829,6 +1182,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -57930,7 +59193,7 @@ index 29a9565..70532cc 100644 ') optional_policy(` -@@ -844,6 +1219,10 @@ optional_policy(` +@@ -844,6 +1216,10 @@ optional_policy(` ') optional_policy(` @@ -57941,7 +59204,7 @@ index 29a9565..70532cc 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1233,45 @@ optional_policy(` +@@ -854,3 +1230,149 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -57987,6 +59250,110 @@ index 29a9565..70532cc 100644 +allow init_t var_run_t:dir relabelto; + +init_stream_connect(initrc_t) ++ ++allow initrc_t daemon:process siginh; ++allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++allow daemon initrc_transition_domain:fd use; ++ ++tunable_policy(`init_systemd',` ++ allow init_t daemon:unix_stream_socket create_stream_socket_perms; ++ allow init_t daemon:unix_dgram_socket create_socket_perms; ++ allow init_t daemon:tcp_socket create_stream_socket_perms; ++ allow daemon init_t:unix_dgram_socket sendto; ++ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr }; ++') ++ ++# daemons started from init will ++# inherit fds from init for the console ++init_dontaudit_use_fds(daemon) ++term_dontaudit_use_console(daemon) ++# init script ptys are the stdin/out/err ++# when using run_init ++init_use_script_ptys(daemon) ++ ++allow init_t daemon:process siginh; ++ ++ifdef(`hide_broken_symptoms',` ++ # RHEL4 systems seem to have a stray ++ # fds open from the initrd ++ ifdef(`distro_rhel4',` ++ kernel_dontaudit_use_fds(daemon) ++ ') ++ ++ dontaudit daemon init_t:dir search_dir_perms; ++') ++ ++optional_policy(` ++ nscd_socket_use(daemon) ++') ++ ++allow direct_run_init daemon:process { noatsecure siginh rlimitinh }; ++ ++allow initrc_t systemprocess:process siginh; ++allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++allow systemprocess initrc_transition_domain:fd use; ++ ++dontaudit systemprocess init_t:unix_stream_socket getattr; ++ ++ ++tunable_policy(`init_systemd',` ++ # Handle upstart/systemd direct transition to a executable ++ allow init_t systemprocess:process { dyntransition siginh }; ++ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; ++ allow init_t systemprocess:unix_dgram_socket create_socket_perms; ++ allow systemprocess init_t:unix_dgram_socket sendto; ++ dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl }; ++') ++ ++ifdef(`hide_broken_symptoms',` ++ # RHEL4 systems seem to have a stray ++ # fds open from the initrd ++ ifdef(`distro_rhel4',` ++ kernel_dontaudit_use_fds(systemprocess) ++ ') ++') ++ ++userdom_dontaudit_search_user_home_dirs(systemprocess) ++userdom_dontaudit_rw_stream(systemprocess) ++userdom_dontaudit_write_user_tmp_files(systemprocess) ++ ++tunable_policy(`allow_daemons_use_tty',` ++ term_use_all_ttys(systemprocess) ++ term_use_all_ptys(systemprocess) ++',` ++ term_dontaudit_use_all_ttys(systemprocess) ++ term_dontaudit_use_all_ptys(systemprocess) ++') ++ ++# these apps are often redirect output to random log files ++logging_inherit_append_all_logs(systemprocess) ++ ++optional_policy(` ++ abrt_stream_connect(systemprocess) ++') ++ ++optional_policy(` ++ cron_rw_pipes(systemprocess) ++') ++ ++optional_policy(` ++ xserver_dontaudit_append_xdm_home_files(systemprocess) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(systemprocess) ++ unconfined_dontaudit_rw_stream(systemprocess) ++ userdom_dontaudit_read_user_tmp_files(systemprocess) ++') ++ ++init_rw_script_stream_sockets(systemprocess) ++ ++role system_r types systemprocess; ++role system_r types daemon; ++ ++#ifdef(`enable_mls',` ++# mls_rangetrans_target(systemprocess) ++#') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index fb09b9e..e25c6b6 100644 --- a/policy/modules/system/ipsec.fc @@ -58062,7 +59429,7 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 55a6cd8..bec6385 100644 +index 55a6cd8..4bc226b 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -128,13 +128,13 @@ corecmd_exec_bin(ipsec_t) @@ -58112,7 +59479,7 @@ index 55a6cd8..bec6385 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -277,7 +290,7 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +290,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -58120,8 +59487,11 @@ index 55a6cd8..bec6385 100644 +term_use_all_inherited_terms(ipsec_mgmt_t) auth_dontaudit_read_login_records(ipsec_mgmt_t) ++auth_use_nsswitch(ipsec_mgmt_t) -@@ -297,7 +310,7 @@ sysnet_manage_config(ipsec_mgmt_t) + init_read_utmp(ipsec_mgmt_t) + init_use_script_ptys(ipsec_mgmt_t) +@@ -297,7 +311,7 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) @@ -58130,7 +59500,18 @@ index 55a6cd8..bec6385 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t) +@@ -324,10 +338,6 @@ optional_policy(` + modutils_domtrans_insmod(ipsec_mgmt_t) + ') + +-optional_policy(` +- nscd_socket_use(ipsec_mgmt_t) +-') +- + ifdef(`TODO',` + # ideally it would not need this. It wants to write to /root/.rnd + file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) +@@ -377,12 +387,12 @@ corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -58149,7 +59530,7 @@ index 55a6cd8..bec6385 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t) +@@ -411,6 +421,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -58158,7 +59539,7 @@ index 55a6cd8..bec6385 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t) +@@ -448,5 +460,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -58189,6 +59570,21 @@ index 05fb364..6b895d1 100644 -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if +index 7ba53db..5c94dfe 100644 +--- a/policy/modules/system/iptables.if ++++ b/policy/modules/system/iptables.if +@@ -17,10 +17,6 @@ interface(`iptables_domtrans',` + + corecmd_search_bin($1) + domtrans_pattern($1, iptables_exec_t, iptables_t) +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit iptables_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index f3e1b57..d6a93ac 100644 --- a/policy/modules/system/iptables.te @@ -58912,7 +60308,7 @@ index e5836d3..b32b945 100644 +#') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a0b379d..77f0e09 100644 +index a0b379d..7d88511 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -32,9 +32,8 @@ role system_r types sulogin_t; @@ -58936,15 +60332,18 @@ index a0b379d..77f0e09 100644 dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -125,6 +126,7 @@ auth_manage_pam_console_data(local_login_t) +@@ -123,8 +124,10 @@ auth_rw_faillog(local_login_t) + auth_manage_pam_pid(local_login_t) + auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) ++auth_use_nsswitch(local_login_t) init_dontaudit_use_fds(local_login_t) +init_stream_connect(local_login_t) miscfiles_read_localization(local_login_t) -@@ -156,6 +158,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -156,6 +159,12 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(local_login_t) ') @@ -58957,7 +60356,22 @@ index a0b379d..77f0e09 100644 optional_policy(` alsa_domtrans(local_login_t) ') -@@ -225,6 +233,7 @@ files_read_etc_files(sulogin_t) +@@ -177,14 +186,6 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(local_login_t) +-') +- +-optional_policy(` +- nscd_socket_use(local_login_t) +-') +- +-optional_policy(` + unconfined_shell_domtrans(local_login_t) + ') + +@@ -225,6 +226,7 @@ files_read_etc_files(sulogin_t) files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -58965,7 +60379,7 @@ index a0b379d..77f0e09 100644 init_getpgid_script(sulogin_t) -@@ -238,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +240,23 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -58991,7 +60405,7 @@ index a0b379d..77f0e09 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +274,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +267,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -59408,10 +60822,10 @@ index 879bb1e..7b22111 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..bcc0758 100644 +index 58bc27f..51e9872 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -123,3 +123,77 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -59489,8 +60903,25 @@ index 58bc27f..bcc0758 100644 + allow $1 lvm_t:unix_dgram_socket sendto; +') + ++######################################## ++## ++## Read and write a lvm unnamed pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_rw_pipes',` ++ gen_require(` ++ type lvm_var_run_t; ++ ') ++ ++ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; ++') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..895cc10 100644 +index a0a0ebf..4513ab9 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -59566,16 +60997,18 @@ index a0a0ebf..895cc10 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -201,7 +215,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -200,8 +214,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) ++manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) -+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file }) ++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -213,11 +227,13 @@ files_search_mnt(lvm_t) +@@ -213,11 +228,13 @@ files_search_mnt(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) @@ -59589,7 +61022,7 @@ index a0a0ebf..895cc10 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -228,6 +244,7 @@ dev_delete_generic_dirs(lvm_t) +@@ -228,6 +245,7 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -59597,7 +61030,7 @@ index a0a0ebf..895cc10 100644 dev_manage_generic_symlinks(lvm_t) dev_relabel_generic_dev_dirs(lvm_t) dev_manage_generic_blk_files(lvm_t) -@@ -244,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -59605,7 +61038,7 @@ index a0a0ebf..895cc10 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,17 +271,21 @@ files_read_etc_files(lvm_t) +@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -59628,7 +61061,7 @@ index a0a0ebf..895cc10 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -283,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -59637,7 +61070,7 @@ index a0a0ebf..895cc10 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -292,6 +314,8 @@ init_read_script_state(lvm_t) +@@ -292,6 +315,8 @@ init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -59646,7 +61079,7 @@ index a0a0ebf..895cc10 100644 miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) -@@ -299,15 +323,23 @@ seutil_read_file_contexts(lvm_t) +@@ -299,15 +324,23 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -59673,7 +61106,7 @@ index a0a0ebf..895cc10 100644 ') optional_policy(` -@@ -331,14 +363,26 @@ optional_policy(` +@@ -331,14 +364,26 @@ optional_policy(` ') optional_policy(` @@ -59821,7 +61254,7 @@ index 9c0faab..dd6530e 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..7a8241b 100644 +index a0eef20..223af54 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,11 +18,12 @@ type insmod_t; @@ -59931,12 +61364,14 @@ index a0eef20..7a8241b 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -161,11 +175,15 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +175,17 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_mount_rpc_pipefs(insmod_t) +fs_search_rpc(insmod_t) ++ ++auth_use_nsswitch(insmod_t) init_rw_initctl(insmod_t) init_use_fds(insmod_t) @@ -59947,7 +61382,7 @@ index a0eef20..7a8241b 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,8 +192,7 @@ miscfiles_read_localization(insmod_t) +@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -59957,21 +61392,41 @@ index a0eef20..7a8241b 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -187,8 +204,11 @@ optional_policy(` +@@ -187,28 +206,23 @@ optional_policy(` ') optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) + firstboot_dontaudit_leaks(insmod_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- hal_write_log(insmod_t) + firewallgui_dontaudit_rw_pipes(insmod_t) ') optional_policy(` -@@ -231,11 +251,15 @@ optional_policy(` +- hotplug_search_config(insmod_t) +-') +- +-optional_policy(` +- mount_domtrans(insmod_t) ++ hal_write_log(insmod_t) + ') + + optional_policy(` +- nis_use_ypbind(insmod_t) ++ hotplug_search_config(insmod_t) + ') + + optional_policy(` +- nscd_socket_use(insmod_t) ++ mount_domtrans(insmod_t) + ') + + optional_policy(` +@@ -231,11 +245,15 @@ optional_policy(` ') optional_policy(` @@ -59988,7 +61443,7 @@ index a0eef20..7a8241b 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +320,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +314,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -60020,10 +61475,10 @@ index 72c746e..704d2d7 100644 +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 8b5c196..1ac1567 100644 +index 8b5c196..1be2768 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if -@@ -16,6 +16,18 @@ interface(`mount_domtrans',` +@@ -16,6 +16,12 @@ interface(`mount_domtrans',` ') domtrans_pattern($1, mount_exec_t, mount_t) @@ -60033,16 +61488,10 @@ index 8b5c196..1ac1567 100644 + ps_process_pattern(mount_t, $1) + + allow mount_t $1:unix_stream_socket { read write }; -+ -+ifdef(`hide_broken_symptoms', ` -+ dontaudit mount_t $1:tcp_socket { read write }; -+ dontaudit mount_t $1:udp_socket { read write }; -+') -+ ') ######################################## -@@ -45,12 +57,77 @@ interface(`mount_run',` +@@ -45,8 +51,73 @@ interface(`mount_run',` role $2 types mount_t; optional_policy(` @@ -60065,11 +61514,11 @@ index 8b5c196..1ac1567 100644 + + optional_policy(` + samba_run_smbmount(mount_t, $2) - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. @@ -60089,7 +61538,7 @@ index 8b5c196..1ac1567 100644 +interface(`mount_run_fusermount',` + gen_require(` + type mount_t; -+ ') + ') + + mount_domtrans_fusermount($1) + role $2 types mount_t; @@ -60114,14 +61563,10 @@ index 8b5c196..1ac1567 100644 + + allow $1 mount_var_run_t:file read_file_perms; + files_search_pids($1) -+') -+ -+######################################## -+## - ## Execute mount in the caller domain. - ## - ## -@@ -84,9 +161,11 @@ interface(`mount_exec',` + ') + + ######################################## +@@ -84,9 +155,11 @@ interface(`mount_exec',` interface(`mount_signal',` gen_require(` type mount_t; @@ -60133,7 +61578,7 @@ index 8b5c196..1ac1567 100644 ') ######################################## -@@ -95,7 +174,7 @@ interface(`mount_signal',` +@@ -95,7 +168,7 @@ interface(`mount_signal',` ## ## ## @@ -60142,7 +61587,7 @@ index 8b5c196..1ac1567 100644 ## ## # -@@ -135,6 +214,24 @@ interface(`mount_send_nfs_client_request',` +@@ -135,6 +208,24 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -60167,7 +61612,7 @@ index 8b5c196..1ac1567 100644 ## Execute mount in the unconfined mount domain. ## ## -@@ -176,4 +273,113 @@ interface(`mount_run_unconfined',` +@@ -176,4 +267,113 @@ interface(`mount_run_unconfined',` mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; @@ -60282,7 +61727,7 @@ index 8b5c196..1ac1567 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..ed497ff 100644 +index 15832c7..79bc8f4 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -60475,15 +61920,16 @@ index 15832c7..ed497ff 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +213,28 @@ ifdef(`distro_ubuntu',` ') ') +corecmd_exec_shell(mount_t) + tunable_policy(`allow_mount_anyfile',` - auth_read_all_dirs_except_shadow(mount_t) - auth_read_all_files_except_shadow(mount_t) +- auth_read_all_dirs_except_shadow(mount_t) +- auth_read_all_files_except_shadow(mount_t) ++ files_read_non_security_files(mount_t) files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) ') @@ -60513,7 +61959,7 @@ index 15832c7..ed497ff 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +249,8 @@ optional_policy(` +@@ -174,6 +248,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -60522,7 +61968,7 @@ index 15832c7..ed497ff 100644 ') optional_policy(` -@@ -181,6 +258,28 @@ optional_policy(` +@@ -181,6 +257,28 @@ optional_policy(` ') optional_policy(` @@ -60551,7 +61997,7 @@ index 15832c7..ed497ff 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +287,52 @@ optional_policy(` +@@ -188,13 +286,52 @@ optional_policy(` ') ') @@ -60604,7 +62050,7 @@ index 15832c7..ed497ff 100644 ') ######################################## -@@ -203,6 +341,43 @@ optional_policy(` +@@ -203,6 +340,43 @@ optional_policy(` # optional_policy(` @@ -60667,10 +62113,22 @@ index cbbda4a..8dcc346 100644 +userdom_use_inherited_user_terminals(netlabel_mgmt_t) + diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te -index 4d06ae3..ebd5ed4 100644 +index 4d06ae3..e81b7ac 100644 --- a/policy/modules/system/pcmcia.te +++ b/policy/modules/system/pcmcia.te -@@ -98,18 +98,20 @@ logging_send_syslog_msg(cardmgr_t) +@@ -62,9 +62,8 @@ dev_read_urand(cardmgr_t) + + domain_use_interactive_fds(cardmgr_t) + # Read /proc/PID directories for all domains (for fuser). +-domain_read_confined_domains_state(cardmgr_t) +-domain_getattr_confined_domains(cardmgr_t) +-domain_dontaudit_ptrace_confined_domains(cardmgr_t) ++domain_read_all_domains_state(cardmgr_t) ++domain_dontaudit_ptrace_all_domains(cardmgr_t) + # cjp: these look excessive: + domain_dontaudit_getattr_all_pipes(cardmgr_t) + domain_dontaudit_getattr_all_sockets(cardmgr_t) +@@ -98,18 +97,20 @@ logging_send_syslog_msg(cardmgr_t) miscfiles_read_localization(cardmgr_t) @@ -60863,21 +62321,10 @@ index 2cc4bda..167c358 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 170e2c7..beb818f 100644 +index 170e2c7..7b10445 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if -@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',` - - corecmd_search_bin($1) - domtrans_pattern($1, load_policy_exec_t, load_policy_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit load_policy_t $1:socket_class_set { read write }; -+ ') - ') - - ######################################## -@@ -199,6 +203,10 @@ interface(`seutil_run_newrole',` +@@ -199,6 +199,10 @@ interface(`seutil_run_newrole',` role $2 types newrole_t; auth_run_upd_passwd(newrole_t, $2) @@ -60888,7 +62335,7 @@ index 170e2c7..beb818f 100644 ') ######################################## -@@ -361,6 +369,27 @@ interface(`seutil_exec_restorecon',` +@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## @@ -60916,18 +62363,7 @@ index 170e2c7..beb818f 100644 ## Execute run_init in the run_init domain. ## ## -@@ -514,6 +543,10 @@ interface(`seutil_domtrans_setfiles',` - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, setfiles_exec_t, setfiles_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit setfiles_t $1:socket_class_set { read write }; -+ ') - ') - - ######################################## -@@ -545,6 +578,53 @@ interface(`seutil_run_setfiles',` +@@ -545,6 +570,53 @@ interface(`seutil_run_setfiles',` ######################################## ## @@ -60981,7 +62417,7 @@ index 170e2c7..beb818f 100644 ## Execute setfiles in the caller domain. ## ## -@@ -690,6 +770,7 @@ interface(`seutil_manage_config',` +@@ -690,6 +762,7 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -60989,7 +62425,7 @@ index 170e2c7..beb818f 100644 manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -756,6 +837,29 @@ interface(`seutil_read_default_contexts',` +@@ -756,6 +829,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -61019,18 +62455,10 @@ index 170e2c7..beb818f 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -1005,6 +1109,30 @@ interface(`seutil_domtrans_semanage',` - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, semanage_exec_t, semanage_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit semanage_t $1:socket_class_set { read write }; -+ ') -+') -+ -+######################################## -+## +@@ -1009,6 +1105,26 @@ interface(`seutil_domtrans_semanage',` + + ######################################## + ## +## Execute a domain transition to run setsebool. +## +## @@ -61047,10 +62475,14 @@ index 170e2c7..beb818f 100644 + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setsebool_exec_t, setsebool_t) - ') - - ######################################## -@@ -1038,6 +1166,54 @@ interface(`seutil_run_semanage',` ++') ++ ++######################################## ++## + ## Execute semanage in the semanage domain, and + ## allow the specified role the semanage domain, + ## and use the caller's terminal. +@@ -1038,6 +1154,54 @@ interface(`seutil_run_semanage',` ######################################## ## @@ -61105,7 +62537,7 @@ index 170e2c7..beb818f 100644 ## Full management of the semanage ## module store. ## -@@ -1149,3 +1325,199 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1149,3 +1313,199 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -61306,7 +62738,7 @@ index 170e2c7..beb818f 100644 + ') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..96406b1 100644 +index 7ed9819..d74087e 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -61480,6 +62912,17 @@ index 7ed9819..96406b1 100644 fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) +@@ -323,8 +350,8 @@ selinux_compute_create_context(restorecond_t) + selinux_compute_relabel_context(restorecond_t) + selinux_compute_user_contexts(restorecond_t) + +-auth_relabel_all_files_except_shadow(restorecond_t ) +-auth_read_all_files_except_shadow(restorecond_t) ++files_relabel_all_files(restorecond_t ) ++files_read_non_security_files(restorecond_t) + auth_use_nsswitch(restorecond_t) + + locallogin_dontaudit_use_fds(restorecond_t) @@ -335,6 +362,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -61606,7 +63049,7 @@ index 7ed9819..96406b1 100644 - -locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) ++files_read_non_security_files(semanage_t) -logging_send_syslog_msg(semanage_t) - @@ -61825,7 +63268,7 @@ index 694fd94..334e80e 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..95e705c 100644 +index ff80d0a..752e031 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` @@ -61967,17 +63410,7 @@ index ff80d0a..95e705c 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -484,6 +579,9 @@ interface(`sysnet_domtrans_ifconfig',` - - corecmd_search_bin($1) - domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit ifconfig_t $1:socket_class_set { read write }; -+ ') - ') - - ######################################## -@@ -554,6 +652,25 @@ interface(`sysnet_signal_ifconfig',` +@@ -554,6 +649,25 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## @@ -62003,7 +63436,7 @@ index ff80d0a..95e705c 100644 ## Read the DHCP configuration files. ## ## -@@ -661,6 +778,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -661,6 +775,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -62012,7 +63445,7 @@ index ff80d0a..95e705c 100644 sysnet_read_config($1) optional_policy(` -@@ -698,6 +817,9 @@ interface(`sysnet_use_ldap',` +@@ -698,6 +814,9 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) sysnet_read_config($1) @@ -62022,7 +63455,7 @@ index ff80d0a..95e705c 100644 ') ######################################## -@@ -731,3 +853,49 @@ interface(`sysnet_use_portmap',` +@@ -731,3 +850,49 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -62724,10 +64157,10 @@ index 0000000..11fbd0f + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a0b79d5 +index 0000000..038db18 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,314 @@ +@@ -0,0 +1,317 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -62752,11 +64185,11 @@ index 0000000..a0b79d5 + +# /run/systemd/sessions +type systemd_logind_sessions_t; -+files_type(systemd_logind_sessions_t) ++files_pid_file(systemd_logind_sessions_t) + +# /run/systemd/{seats, users} +type systemd_logind_var_run_t; -+files_type(systemd_logind_var_run_t) ++files_pid_file(systemd_logind_var_run_t) + +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components @@ -62849,6 +64282,9 @@ index 0000000..a0b79d5 + +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) ++userdom_manage_user_tmp_dirs(systemd_logind_t) ++userdom_manage_user_tmp_files(systemd_logind_t) ++userdom_manage_user_tmp_symlinks(systemd_logind_t) + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) @@ -63264,7 +64700,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..d26f45a 100644 +index d88f7c3..4485816 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -63346,7 +64782,7 @@ index d88f7c3..d26f45a 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +112,27 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +112,28 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -63358,6 +64794,7 @@ index d88f7c3..d26f45a 100644 files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) -files_read_etc_files(udev_t) ++files_read_system_conf_files(udev_t) + +# console_init manages files in /etc/sysconfig +files_manage_etc_files(udev_t) @@ -63375,7 +64812,7 @@ index d88f7c3..d26f45a 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -63383,7 +64820,7 @@ index d88f7c3..d26f45a 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -63392,7 +64829,7 @@ index d88f7c3..d26f45a 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,15 +202,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +203,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -63413,7 +64850,7 @@ index d88f7c3..d26f45a 100644 ') optional_policy(` -@@ -216,11 +233,16 @@ optional_policy(` +@@ -216,11 +234,16 @@ optional_policy(` ') optional_policy(` @@ -63431,7 +64868,7 @@ index d88f7c3..d26f45a 100644 ') optional_policy(` -@@ -230,10 +252,20 @@ optional_policy(` +@@ -230,10 +253,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -63452,7 +64889,7 @@ index d88f7c3..d26f45a 100644 ') optional_policy(` -@@ -259,6 +291,10 @@ optional_policy(` +@@ -259,6 +292,10 @@ optional_policy(` ') optional_policy(` @@ -63463,7 +64900,7 @@ index d88f7c3..d26f45a 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +309,11 @@ optional_policy(` +@@ -273,6 +310,11 @@ optional_policy(` ') optional_policy(` @@ -64225,10 +65662,10 @@ index eae5001..71e46b2 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..392d1ee 100644 +index db75976..cca4cd1 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,17 @@ +@@ -1,4 +1,19 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -64240,15 +65677,17 @@ index db75976..392d1ee 100644 +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) -+HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) ++HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> ++ ++/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..fd5c0a5 100644 +index 4b2878a..31290e1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -64393,16 +65832,16 @@ index 4b2878a..fd5c0a5 100644 + + storage_rw_fuse($1_usertype) + -+ auth_use_nsswitch($1_usertype) - -- libs_exec_ld_so($1_t) ++ auth_use_nsswitch($1_t) ++ + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_usertype) + + libs_exec_ld_so($1_usertype) -+ + +- libs_exec_ld_so($1_t) + logging_send_audit_msgs($1_t) miscfiles_read_localization($1_t) @@ -64772,27 +66211,27 @@ index 4b2878a..fd5c0a5 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -64816,10 +66255,10 @@ index 4b2878a..fd5c0a5 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) -+ -+ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) ++ application_getattr_socket($1_usertype) ++ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -64912,89 +66351,89 @@ index 4b2878a..fd5c0a5 100644 + optional_policy(` + avahi_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ policykit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ policykit_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) ++ ') ++ ++ optional_policy(` ++ modemmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` ++ git_session_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ git_session_role($1_r, $1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ lircd_stream_connect($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` -+ lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -65002,16 +66441,16 @@ index 4b2878a..fd5c0a5 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ mta_filetrans_home_content($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ mta_filetrans_home_content($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') @@ -65048,32 +66487,32 @@ index 4b2878a..fd5c0a5 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ seunshare_role_template($1, $1_r, $1_t) - ') -+ -+ optional_policy(` + slrnpull_search_spool($1_usertype) -+ ') + ') + ') @@ -65084,17 +66523,15 @@ index 4b2878a..fd5c0a5 100644 - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -65102,7 +66539,9 @@ index 4b2878a..fd5c0a5 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -65309,27 +66748,26 @@ index 4b2878a..fd5c0a5 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` + + optional_policy(` +- consolekit_dbus_chat($1_t) + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) -+ ') + ') optional_policy(` -- consolekit_dbus_chat($1_t) +- cups_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ') - - optional_policy(` -- cups_dbus_chat($1_t) ++ ++ optional_policy(` + fprintd_dbus_chat($1_t) - ') - ') - - optional_policy(` -- java_role($1_r, $1_t) ++ ') ++ ') ++ ++ optional_policy(` + openoffice_role_template($1, $1_r, $1_usertype) + ') + @@ -65341,9 +66779,10 @@ index 4b2878a..fd5c0a5 100644 + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) + pulseaudio_filetrans_home_content($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- java_role($1_r, $1_t) + rtkit_scheduled($1_usertype) ') @@ -65454,19 +66893,19 @@ index 4b2878a..fd5c0a5 100644 + + optional_policy(` + mono_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) + ') + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + ') + @@ -65525,7 +66964,7 @@ index 4b2878a..fd5c0a5 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1429,22 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1429,37 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -65549,7 +66988,13 @@ index 4b2878a..fd5c0a5 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1456,10 @@ template(`userdom_admin_user_template',` +- auth_manage_all_files_except_shadow($1_t) ++ files_manage_non_security_files($1_t) + # Relabel almost all files +- auth_relabel_all_files_except_shadow($1_t) ++ files_relabel_non_security_files($1_t) + + init_telinit($1_t) logging_send_syslog_msg($1_t) @@ -65579,14 +67024,17 @@ index 4b2878a..fd5c0a5 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1544,7 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1544,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) + selinux_read_policy($1) - auth_relabel_all_files_except_shadow($1) +- auth_relabel_all_files_except_shadow($1) ++ files_relabel_all_files($1) auth_relabel_shadow($1) + + init_exec($1) @@ -1234,13 +1557,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) @@ -65714,14 +67162,13 @@ index 4b2878a..fd5c0a5 100644 ## ## ## -@@ -1334,9 +1680,46 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,7 +1680,44 @@ interface(`userdom_setattr_user_ptys',` ## ## # -interface(`userdom_create_user_pty',` +interface(`userdom_attach_admin_tun_iface',` - gen_require(` -- type user_devpts_t; ++ gen_require(` + attribute admindomain; + ') + @@ -65758,11 +67205,9 @@ index 4b2878a..fd5c0a5 100644 +## +# +interface(`userdom_create_user_pty',` -+ gen_require(` -+ type user_devpts_t; + gen_require(` + type user_devpts_t; ') - - term_create_pty($1, user_devpts_t) @@ -1395,6 +1778,7 @@ interface(`userdom_search_user_home_dirs',` ') @@ -66528,7 +67973,7 @@ index 4b2878a..fd5c0a5 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3825,1075 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3825,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -66580,7 +68025,8 @@ index 4b2878a..fd5c0a5 100644 + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; -+ ++ ++ auth_use_nsswitch($2) + ubac_constrained($2) +') + @@ -68034,7 +69480,7 @@ index bdd500c..4719351 100644 define(`admin_pattern',` diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt -index 22ca011..df6b5de 100644 +index 22ca011..823794e 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt @@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',` @@ -68046,20 +69492,15 @@ index 22ca011..df6b5de 100644 allow $3 $1:process sigchld; ') -@@ -34,8 +34,12 @@ define(`domtrans_pattern',` +@@ -34,7 +34,7 @@ define(`domtrans_pattern',` domain_auto_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $3 $1:socket_class_set { read write }; -+ ') ') - # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index f7380b3..fb62555 100644 --- a/policy/support/obj_perm_sets.spt diff --git a/selinux-policy.spec b/selinux-policy.spec index cbff720..2d6973c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -452,6 +452,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 29 2011 Miroslav Grepl 3.10.0-11 +- init_t need setexec +- More fixes of rules which cause an explosion in rules by Dan Walsh + * Tue Jul 26 2011 Miroslav Grepl 3.10.0-10 - Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts