From a13ca3133facf6c53e92da5de776530d888cfa99 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 06 2012 12:39:57 +0000 Subject: * Fri Apr 6 2012 Miroslav Grepl 3.10.0-82 - Add httpd_use_fusefs boolean - /etc/auto.* should be labeled bin_t - Allow sshd_t to signal processes that it transitions to - Rename rdate port to time port, and allow gnomeclock to connect to it - Make amavis as nsswitch domain to allow using NIS - Make procmail_t as home manager - Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file - Add port definition for l2tp ports - Make qemu-dm running in xend_t domain - Allow accountsd to read /proc data about gdm - Allow rtkit to schedule wine processes - label /var/lib/sss/mc same as pubconf - Allow NM to read system config file --- diff --git a/policy-F16.patch b/policy-F16.patch index de11716..eed2aaa 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4955,7 +4955,7 @@ index 0000000..a03aec4 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..689a667 +index 0000000..1957119 --- /dev/null +++ b/policy/modules/apps/chrome.te @@ -0,0 +1,188 @@ @@ -5141,7 +5141,7 @@ index 0000000..689a667 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t) ++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) + +optional_policy(` + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) @@ -12909,7 +12909,7 @@ index f9a73d0..e10101a 100644 xserver_role($1_r, $1_wine_t) ') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te -index be9246b..e3de8fa 100644 +index be9246b..90848c7 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -40,7 +40,7 @@ domain_mmap_low(wine_t) 
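Review bot: The chrome.te hunk widens chrome_sandbox_nacl_t from `userdom_read_inherited_user_tmp_files` to `userdom_rw_inherited_user_tmp_files`, but none of the changelog entries in the commit header mention the NaCl sandbox, so the permission change is undocumented. Turning read-only access into read/write on inherited user tmp files is a policy-relevant widening of a sandbox domain and belongs in the changelog, e.g. `- Allow chrome_sandbox_nacl_t to read/write inherited user tmp files`. A one-line `#` comment above the rule naming the denial it fixes would also help the next reviewer, since the surrounding rules give no hint why read was insufficient.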
@@ -12921,6 +12921,17 @@ index be9246b..e3de8fa 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; +@@ -55,6 +55,10 @@ optional_policy(` + ') + + optional_policy(` ++ rtkit_scheduled(wine_t) ++') ++ ++optional_policy(` + unconfined_domain(wine_t) + ') + diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index 8bfe97d..95a3d06 100644 --- a/policy/modules/apps/wireshark.te @@ -13028,10 +13039,18 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..b21e0b7 100644 +index 3fae11a..1334cc8 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc -@@ -71,6 +71,11 @@ ifdef(`distro_redhat',` +@@ -46,6 +46,7 @@ ifdef(`distro_redhat',` + /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) + /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) + + /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -71,6 +72,11 @@ ifdef(`distro_redhat',` /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -13043,7 +13062,7 @@ index 3fae11a..b21e0b7 100644 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -97,8 +102,6 @@ ifdef(`distro_redhat',` +@@ -97,8 +103,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) 
@@ -13052,7 +13071,7 @@ index 3fae11a..b21e0b7 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,18 +133,15 @@ ifdef(`distro_debian',` +@@ -130,18 +134,15 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -13073,7 +13092,7 @@ index 3fae11a..b21e0b7 100644 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +169,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -13081,7 +13100,7 @@ index 3fae11a..b21e0b7 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,6 +180,8 @@ ifdef(`distro_gentoo',` +@@ -179,6 +181,8 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -13090,7 +13109,7 @@ index 3fae11a..b21e0b7 100644 # # /usr # -@@ -198,48 +201,51 @@ ifdef(`distro_gentoo',` +@@ -198,48 +202,51 @@ ifdef(`distro_gentoo',` /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) @@ -13184,7 +13203,7 @@ index 3fae11a..b21e0b7 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -247,9 +253,13 @@ ifdef(`distro_gentoo',` +@@ -247,9 +254,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -13199,7 +13218,7 @@ index 3fae11a..b21e0b7 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -267,6 +277,10 @@ ifdef(`distro_gentoo',` +@@ -267,6 +278,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -13210,7 +13229,7 @@ index 3fae11a..b21e0b7 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,15 +300,19 @@ ifdef(`distro_gentoo',` +@@ -286,15 +301,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -13231,7 +13250,7 @@ index 3fae11a..b21e0b7 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +324,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +325,11 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -13245,7 +13264,7 @@ index 3fae11a..b21e0b7 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +338,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +339,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -13257,7 +13276,7 @@ index 3fae11a..b21e0b7 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +384,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +385,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -13266,7 +13285,7 @@ index 3fae11a..b21e0b7 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +396,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +397,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -13278,7 +13297,7 @@ index 3fae11a..b21e0b7 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +407,12 @@ ifdef(`distro_suse', ` +@@ -385,3 +408,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -14619,7 +14638,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..a96b835 100644 +index 99b71cb..43656b7 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14760,7 +14779,7 @@ index 99b71cb..a96b835 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -14775,6 +14794,7 @@ index 99b71cb..a96b835 100644 network_port(kismet, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) ++network_port(l2tp, tcp,1701,s0, udp,1701,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lirc, tcp,8765,s0) +network_port(luci, tcp,8084,s0) @@ -14790,7 +14810,7 @@ index 99b71cb..a96b835 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
@@ -14823,11 +14843,11 @@ index 99b71cb..a96b835 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,34 +238,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +239,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) -+network_port(rdate, tcp,37,s0, udp,37,s0) ++network_port(time, tcp,37,s0, udp,37,s0) +network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) @@ -14870,7 +14890,7 @@ index 99b71cb..a96b835 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +281,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +282,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14884,7 +14904,7 @@ index 99b71cb..a96b835 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +299,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) 
@@ -14892,7 +14912,7 @@ index 99b71cb..a96b835 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +309,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14905,7 +14925,7 @@ index 99b71cb..a96b835 100644 ######################################## # -@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +359,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -19060,7 +19080,7 @@ index 22821ff..20251b0 100644 ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..fdb4b09 100644 +index 97fcdac..7adc55b 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
@@ -19358,7 +19378,76 @@ index 97fcdac..fdb4b09 100644 ######################################## ## ## Do not audit attempts to create, -@@ -2080,6 +2260,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2025,6 +2205,68 @@ interface(`fs_read_fusefs_symlinks',` + + ######################################## + ## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## ++## Execute a file on a FUSE filesystem ++## in the specified domain. ++## ++## ++##

++## Execute a file on a FUSE filesystem ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. This is not suggested. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## home directories on FUSE filesystems, ++## in particular used by the ssh-agent policy. ++##

++##
++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`fs_fusefs_domtrans',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, fusefs_t, $2) ++') ++ ++######################################## ++## + ## Get the attributes of an hugetlbfs + ## filesystem. + ## +@@ -2080,6 +2322,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -19383,7 +19472,7 @@ index 97fcdac..fdb4b09 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,6 +2346,7 @@ interface(`fs_list_inotifyfs',` +@@ -2148,6 +2408,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -19391,7 +19480,7 @@ index 97fcdac..fdb4b09 100644 ') ######################################## -@@ -2480,6 +2679,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2741,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19399,7 +19488,7 @@ index 97fcdac..fdb4b09 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,6 +2718,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2780,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19407,7 +19496,7 @@ index 97fcdac..fdb4b09 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2544,6 +2745,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2807,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -19433,7 +19522,7 @@ index 97fcdac..fdb4b09 100644 ## Append files ## on a NFS filesystem. ## -@@ -2584,6 +2804,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2866,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## 
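Review bot: The description of the new `fs_fusefs_domtrans` interface says it "was added to handle home directories on FUSE filesystems, in particular used by the ssh-agent policy", which does not match this commit: the only caller visible in the patch is apache.te under `httpd_enable_cgi && httpd_use_fusefs`, so the paragraph appears copied from the NFS/CIFS domtrans templates. Replace that paragraph with the actual rationale, e.g. `## This interface was added so that CGI scripts on FUSE filesystems can be run in the httpd script domain when httpd_use_fusefs is enabled.` The remaining text ("allows the specified domain to execute any file on these filesystems ... This is not suggested") is accurate for the `domain_auto_transition_pattern($1, fusefs_t, $2)` it wraps and should stay. Same copy-paste check applies to the `fs_manage_fusefs_symlinks` summary earlier in this hunk, which is fine as written.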
@@ -19476,7 +19565,7 @@ index 97fcdac..fdb4b09 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2598,7 +2854,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2916,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19485,7 +19574,7 @@ index 97fcdac..fdb4b09 100644 ') ######################################## -@@ -2736,7 +2992,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +3054,7 @@ interface(`fs_search_removable',` ##
## ## @@ -19494,7 +19583,7 @@ index 97fcdac..fdb4b09 100644 ## ## # -@@ -2772,7 +3028,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +3090,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19503,7 +19592,7 @@ index 97fcdac..fdb4b09 100644 ## ## # -@@ -2965,6 +3221,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3283,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19511,7 +19600,7 @@ index 97fcdac..fdb4b09 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3005,6 +3262,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3324,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19519,7 +19608,7 @@ index 97fcdac..fdb4b09 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3045,6 +3303,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3365,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19527,7 +19616,7 @@ index 97fcdac..fdb4b09 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3258,6 +3517,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3258,6 +3579,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -19552,7 +19641,7 @@ index 97fcdac..fdb4b09 100644 ######################################## ## ## Read and write NFS server files. -@@ -3958,6 +4235,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3958,6 +4297,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -19595,7 +19684,7 @@ index 97fcdac..fdb4b09 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4488,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4550,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -19620,7 +19709,7 @@ index 97fcdac..fdb4b09 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4582,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4644,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## 
@@ -19646,7 +19735,7 @@ index 97fcdac..fdb4b09 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4807,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4869,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19655,7 +19744,7 @@ index 97fcdac..fdb4b09 100644 ') ######################################## -@@ -4503,7 +4855,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4917,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19664,7 +19753,7 @@ index 97fcdac..fdb4b09 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5218,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5280,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20651,7 +20740,7 @@ index 57c4a6a..6a19a94 100644 /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..3e38191 100644 +index 1700ef2..6499ecb 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
@@ -20671,7 +20760,38 @@ index 1700ef2..3e38191 100644 dev_add_entry_generic_dirs($1) ') -@@ -808,3 +811,369 @@ interface(`storage_unconfined',` +@@ -267,6 +270,30 @@ interface(`storage_dev_filetrans_fixed_disk',` + ') + + dev_filetrans($1, fixed_disk_device_t, blk_file) ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") + ') + + ######################################## +@@ -808,3 +835,369 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -24423,7 +24543,7 @@ index 0b827c5..b2d6129 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..2006219 100644 +index 30861ec..59f712e 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -24790,7 +24910,7 @@ index 30861ec..2006219 100644 +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + -+allow abrt_dump_oops_t abrt_etc_t:file read_file_perms; ++read_files_patter(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) + +kernel_read_kernel_sysctls(abrt_dump_oops_t) +kernel_read_ring_buffer(abrt_dump_oops_t) @@ -24848,7 +24968,7 @@ index c0f858d..d639ae0 100644 accountsd_manage_lib_files($1) diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..0359b30 100644 +index 1632f10..9663f02 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) @@ -24887,12 +25007,19 @@ index 1632f10..0359b30 100644 miscfiles_read_localization(accountsd_t) -@@ -55,3 +62,8 @@ optional_policy(` +@@ -50,8 +57,15 @@ usermanage_domtrans_passwd(accountsd_t) + + optional_policy(` + consolekit_read_log(accountsd_t) ++ consolekit_dbus_chat(accountsd_t) + ') + optional_policy(` policykit_dbus_chat(accountsd_t) ') + +optional_policy(` ++ xserver_read_state_xdm(accountsd_t) + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) +') @@ -25218,7 +25345,7 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..ae8c579 100644 +index deca9d3..ac92fce 100644 --- a/policy/modules/services/amavis.te 
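Review bot: In the abrt.te hunk (`@@ -24790,7 +24910,7 @@`), the replacement rule `read_files_patter(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)` misspells the macro name; m4 will leave the text unexpanded and the policy build will fail (or, at best, abrt_dump_oops_t silently loses the read access the removed `allow ... read_file_perms;` rule granted). The line should read `read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)`. Note that the pattern macro also grants search on abrt_etc_t directories, slightly more than the original allow rule; that looks intended, but worth confirming against the denial being fixed.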
+++ b/policy/modules/services/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; @@ -25238,7 +25365,15 @@ index deca9d3..ae8c579 100644 domain_use_interactive_fds(amavis_t) -@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t) +@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t) + + fs_getattr_xattr_fs(amavis_t) + ++auth_use_nsswitch(amavis_t) + auth_dontaudit_read_shadow(amavis_t) + + # uses uptime which reads utmp - redhat bug 561383 +@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -26072,10 +26207,10 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..4845736 100644 +index 3136c6a..ad1e64f 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,225 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,232 @@ policy_module(apache, 2.2.1) # Declarations # @@ -26198,7 +26333,10 @@ index 3136c6a..4845736 100644 gen_tunable(httpd_can_sendmail, false) + -+## + ## +-##

    +-## Allow Apache to communicate with avahi service via dbus +-##

    +##

    +## Allow http daemon to connect to zabbix +##

    @@ -26212,10 +26350,7 @@ index 3136c6a..4845736 100644 +##
    +gen_tunable(httpd_can_check_spam, false) + - ## --##

    --## Allow Apache to communicate with avahi service via dbus --##

    ++## +##

    +## Allow Apache to communicate with avahi service via dbus +##

    @@ -26332,6 +26467,13 @@ index 3136c6a..4845736 100644 -## Allow httpd to run gpg -##

    +##

    ++## Allow httpd to access cifs file systems ++##

    ++##
    ++gen_tunable(httpd_use_fusefs, false) ++ ++## ++##

    +## Allow httpd to run gpg in gpg-web domain +##

    ##
    @@ -26357,7 +26499,7 @@ index 3136c6a..4845736 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +261,7 @@ files_type(httpd_cache_t) +@@ -166,7 +268,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26366,7 +26508,7 @@ index 3136c6a..4845736 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +272,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +279,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26376,7 +26518,7 @@ index 3136c6a..4845736 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +314,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +321,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26395,7 +26537,7 @@ index 3136c6a..4845736 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +334,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +341,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26406,7 +26548,7 @@ index 3136c6a..4845736 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +345,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +352,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26414,7 +26556,7 @@ index 3136c6a..4845736 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +367,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +374,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26438,7 +26580,7 @@ index 3136c6a..4845736 100644 ######################################## # # Apache server local policy -@@ -281,11 +403,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +410,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26452,7 +26594,7 @@ index 3136c6a..4845736 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +453,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +460,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26463,7 +26605,7 @@ index 3136c6a..4845736 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +464,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +471,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -26474,7 +26616,7 @@ index 3136c6a..4845736 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +481,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +488,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -26484,7 +26626,7 @@ index 3136c6a..4845736 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +494,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +501,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26502,7 +26644,7 @@ index 3136c6a..4845736 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +512,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +519,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26518,7 +26660,7 @@ index 3136c6a..4845736 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +525,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +532,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26526,7 +26668,7 @@ index 3136c6a..4845736 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +537,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +544,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -26630,8 +26772,14 @@ index 3136c6a..4845736 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +644,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +649,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) + ') ++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` ++ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) ++') ++ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) @@ -26688,7 +26836,7 @@ index 3136c6a..4845736 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +702,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +713,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26702,10 +26850,16 @@ index 3136c6a..4845736 100644 + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ++') ++ ++tunable_policy(`httpd_use_fusefs',` ++ fs_manage_fusefs_dirs(httpd_t) ++ fs_manage_fusefs_files(httpd_t) ++ fs_manage_fusefs_symlinks(httpd_t) ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +726,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +743,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26726,7 +26880,7 @@ index 3136c6a..4845736 100644 ') optional_policy(` -@@ -513,7 +750,13 @@ optional_policy(` +@@ -513,7 +767,13 @@ optional_policy(` ') optional_policy(` 
@@ -26741,7 +26895,7 @@ index 3136c6a..4845736 100644 ') optional_policy(` -@@ -528,7 +771,19 @@ optional_policy(` +@@ -528,7 +788,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26762,7 +26916,7 @@ index 3136c6a..4845736 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +792,13 @@ optional_policy(` +@@ -537,8 +809,13 @@ optional_policy(` ') optional_policy(` @@ -26777,7 +26931,7 @@ index 3136c6a..4845736 100644 ') ') -@@ -556,7 +816,21 @@ optional_policy(` +@@ -556,7 +833,21 @@ optional_policy(` ') optional_policy(` @@ -26799,7 +26953,7 @@ index 3136c6a..4845736 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +841,7 @@ optional_policy(` +@@ -567,6 +858,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26807,7 +26961,7 @@ index 3136c6a..4845736 100644 ') optional_policy(` -@@ -577,6 +852,20 @@ optional_policy(` +@@ -577,6 +869,20 @@ optional_policy(` ') optional_policy(` @@ -26828,7 +26982,7 @@ index 3136c6a..4845736 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +880,11 @@ optional_policy(` +@@ -591,6 +897,11 @@ optional_policy(` ') optional_policy(` @@ -26840,7 +26994,7 @@ index 3136c6a..4845736 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +897,12 @@ optional_policy(` +@@ -603,6 +914,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26853,7 +27007,7 @@ index 3136c6a..4845736 100644 ######################################## # # Apache helper local policy -@@ -616,7 +916,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +933,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
@@ -26866,7 +27020,7 @@ index 3136c6a..4845736 100644 ######################################## # -@@ -654,28 +958,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +975,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26910,7 +27064,7 @@ index 3136c6a..4845736 100644 ') ######################################## -@@ -685,6 +991,8 @@ optional_policy(` +@@ -685,6 +1008,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -26919,7 +27073,7 @@ index 3136c6a..4845736 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1007,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1024,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -26945,7 +27099,7 @@ index 3136c6a..4845736 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1053,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1070,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -26978,7 +27132,7 @@ index 3136c6a..4845736 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1100,25 @@ optional_policy(` +@@ -769,6 +1117,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -27004,7 +27158,7 @@ index 3136c6a..4845736 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1139,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1156,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27022,7 +27176,7 @@ index 3136c6a..4845736 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1158,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1175,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27079,7 +27233,7 @@ index 3136c6a..4845736 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1209,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1226,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27107,10 +27261,20 @@ index 3136c6a..4845736 100644 + fs_exec_cifs_files(httpd_suexec_t) +') + ++tunable_policy(`httpd_use_fusefs',` ++ fs_manage_fusefs_dirs(httpd_sys_script_t) ++ fs_manage_fusefs_files(httpd_sys_script_t) ++ fs_manage_fusefs_symlinks(httpd_sys_script_t) ++ fs_manage_fusefs_dirs(httpd_suexec_t) ++ fs_manage_fusefs_files(httpd_suexec_t) ++ fs_manage_fusefs_symlinks(httpd_suexec_t) ++ fs_exec_fusefs_files(httpd_suexec_t) ++') ++ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1244,20 @@ optional_policy(` +@@ -842,10 +1271,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
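Review bot: The new `httpd_use_fusefs` block gives httpd_suexec_t both fs_manage_fusefs_files and fs_exec_fusefs_files, so a suexec-run CGI can write a file to any FUSE mount and then execute it from there, which is exactly the write-plus-exec combination confined web domains are normally denied. The CIFS block just above has the same shape, so this is consistent, but the trade-off should be recorded: either keep only fs_exec_fusefs_files for httpd_suexec_t if the need is running CGIs that already live on the mount, or add `# suexec needs exec for FUSE-hosted CGIs; manage is for script-created content` next to the rules. The httpd_sys_script_t rules in the same block mirror the nfs/cifs variants and raise nothing new.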
@@ -27131,7 +27295,7 @@ index 3136c6a..4845736 100644 ') ######################################## -@@ -891,11 +1303,49 @@ optional_policy(` +@@ -891,11 +1330,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -33689,7 +33853,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..50a94a4 100644 +index 0f28095..5dafe6a 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -33803,7 +33967,16 @@ index 0f28095..50a94a4 100644 mta_send_mail(cupsd_t) ') -@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -322,6 +336,8 @@ optional_policy(` + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) ++ # needed by smbspool ++ samba_stream_connect_nmbd(cupsd_t) + ') + + optional_policy(` +@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -33814,7 +33987,7 @@ index 0f28095..50a94a4 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -33825,7 +33998,7 @@ index 0f28095..50a94a4 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) 
@@ -33839,7 +34012,7 @@ index 0f28095..50a94a4 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +472,10 @@ optional_policy(` +@@ -453,6 +474,10 @@ optional_policy(` ') optional_policy(` @@ -33850,7 +34023,7 @@ index 0f28095..50a94a4 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +490,10 @@ optional_policy(` +@@ -467,6 +492,10 @@ optional_policy(` ') optional_policy(` @@ -33861,7 +34034,7 @@ index 0f28095..50a94a4 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,6 +564,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -33869,7 +34042,7 @@ index 0f28095..50a94a4 100644 dev_read_urand(cupsd_lpd_t) dev_read_rand(cupsd_lpd_t) -@@ -587,13 +615,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +617,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -33889,7 +34062,7 @@ index 0f28095..50a94a4 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +638,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +640,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -33900,7 +34073,7 @@ index 0f28095..50a94a4 100644 ######################################## # # HPLIP local policy -@@ -639,7 +675,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +677,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) 
@@ -33909,7 +34082,7 @@ index 0f28095..50a94a4 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +721,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +723,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -33917,7 +34090,7 @@ index 0f28095..50a94a4 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +735,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -35965,10 +36138,10 @@ index 0000000..c2ac646 + diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc new file mode 100644 -index 0000000..3aae725 +index 0000000..6fc4865 --- /dev/null +++ b/policy/modules/services/dirsrv.fc -@@ -0,0 +1,20 @@ +@@ -0,0 +1,23 @@ +/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) + +/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) @@ -35982,6 +36155,9 @@ index 0000000..3aae725 +/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) +/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) + ++# BZ: ++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++ +/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) + +/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) @@ -40232,10 +40408,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..9f468a5 100644 +index 4fde46b..6c3eaea 100644 --- a/policy/modules/services/gnomeclock.te 
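Review bot: The `# BZ:` comment above the new `/var/run/slapd.* -s` entry in dirsrv.fc is an empty placeholder; fill in the bug number or replace it with a sentence explaining why a socket in the dirsrv file-context file is labeled slapd_var_run_t, a type owned by the ldap module. If the intent is to let existing ldap_stream_connect callers reach the directory server's socket, say so: `# label the 389-ds unix socket like openldap's so ldap_stream_connect() clients can use it`. The same pattern is commented out in ldap.fc elsewhere in this patch, which suggests a duplicate-spec conflict was being avoided, and the comment should record that too so nobody re-adds it there.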
+++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,27 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,29 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -40251,6 +40427,8 @@ index 4fde46b..9f468a5 100644 +corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) + ++corenet_tcp_connect_time_port(gnomeclock_t) ++ +dev_read_sysfs(gnomeclock_t) -files_read_etc_files(gnomeclock_t) @@ -40266,7 +40444,7 @@ index 4fde46b..9f468a5 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +46,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -40293,6 +40471,7 @@ index 4fde46b..9f468a5 100644 + ntp_domtrans_ntpdate(gnomeclock_t) + ntp_initrc_domtrans(gnomeclock_t) + init_dontaudit_getattr_all_script_files(gnomeclock_t) ++ init_dontaudit_getattr_exec(gnomeclock_t) + ntp_systemctl(gnomeclock_t) +') + @@ -41060,19 +41239,21 @@ index df48e5e..878d9df 100644 type inetd_t; ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te -index c51a7b2..5547c35 100644 +index c51a7b2..b07694c 100644 --- a/policy/modules/services/inetd.te 
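Review bot: `corenet_tcp_connect_time_port(gnomeclock_t)` lets a domain that already holds CAP_SYS_TIME (the `allow gnomeclock_t self:capability { ... sys_time ... }` line above) set the clock from the RFC 868 time service, which carries no authentication, and nothing in the hunk says which helper makes that connection. A why-comment would keep the rule from looking like a leftover, e.g. `# rdate-style sync against the time port (tcp/37), requested over D-Bus`. If the connection is in fact made by ntpdate, the rule belongs inside the ntp optional block further down rather than unconditionally here.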
+++ b/policy/modules/services/inetd.te -@@ -89,6 +89,8 @@ corenet_tcp_bind_ftp_port(inetd_t) +@@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t) corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) -++corenet_tcp_bind_rdate_port(inetd_t) -++corenet_udp_bind_rdate_port(inetd_t) ++corenet_tcp_bind_echo_port(inetd_t) ++corenet_udp_bind_echo_port(inetd_t) ++corenet_tcp_bind_time_port(inetd_t) ++corenet_udp_bind_time_port(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) corenet_udp_bind_ktalkd_port(inetd_t) corenet_tcp_bind_printer_port(inetd_t) -@@ -149,7 +151,10 @@ miscfiles_read_localization(inetd_t) +@@ -149,7 +153,10 @@ miscfiles_read_localization(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) @@ -42327,29 +42508,35 @@ index ca5cfdf..554ad30 100644 diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc new file mode 100644 -index 0000000..76d879e +index 0000000..6b27066 --- /dev/null 
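Review bot: The two `corenet_*_bind_echo_port(inetd_t)` lines add a grant the changelog does not mention (it records only the rdate-to-time port rename), so the echo bind should get its own changelog entry or a comment such as `# echo and time are inetd-internal services` beside the rules. The replaced lines also carried a stray leading `+` (`++corenet_tcp_bind_rdate_port`), which would have injected a literal `+corenet…` line into inetd.te; the correction is right, but noting it in the commit message would make the earlier broken build traceable.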
+++ b/policy/modules/services/l2tpd.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,18 @@ ++/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0) + -+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) + -+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) -+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) -+ -+/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0) + -+/var/run/xl2tpd\.pid gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) + ++/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if new file mode 100644 -index 0000000..5783d58 +index 0000000..eb6ac8d --- /dev/null +++ b/policy/modules/services/l2tpd.if -@@ -0,0 +1,115 @@ -+ -+## policy for l2tpd +@@ -0,0 +1,156 @@ ++## Layer 2 Tunneling Protocol daemons. + +######################################## +## 
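Review bot: The new configuration type is spelled `l2tp_etc_t` (for `/etc/prol2tp(/.*)?` and `/etc/sysconfig/prol2tpd`) while every other type in the module is prefixed `l2tpd_` (l2tpd_exec_t, l2tpd_var_run_t, l2tpd_tmp_t, l2tpd_initrc_exec_t). Pick one prefix before the type ships — `l2tpd_etc_t` matches the rest — since renaming a type after release breaks every file-context database and every policy that has recorded it. The same spelling is declared in l2tpd.te in this patch, so both spots need the change together.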
@@ -42370,7 +42557,6 @@ index 0000000..5783d58 + domtrans_pattern($1, l2tpd_exec_t, l2tpd_t) +') + -+ +######################################## +## +## Execute l2tpd server in the l2tpd domain. @@ -42389,6 +42575,45 @@ index 0000000..5783d58 + init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) +') + ++<<<<<<< HEAD ++======= ++######################################## ++## ++## Send to l2tpd via a unix dgram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_dgram_send',` ++ gen_require(` ++ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; ++ ') ++ ++ files_search_tmp($1) ++ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) ++') ++ ++######################################## ++## ++## Read and write l2tpd sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_rw_socket',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:socket rw_socket_perms; ++') ++>>>>>>> 37639db... Add support for proL2TPd. + +######################################## +## @@ -42446,9 +42671,8 @@ index 0000000..5783d58 +# +interface(`l2tpd_admin',` + gen_require(` -+ type l2tpd_t; -+ type l2tpd_initrc_exec_t; -+ type l2tpd_var_run_t; ++ type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t; ++ type l2tp_etc_t, l2tpd_tmp_t; + ') + + allow $1 l2tpd_t:process { ptrace signal_perms }; @@ -42459,16 +42683,21 @@ index 0000000..5783d58 + role_transition $2 l2tpd_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_etc($1) ++ admin_pattern($1, l2tp_etc_t) ++ + files_search_pids($1) + admin_pattern($1, l2tpd_var_run_t) -+') + ++ files_search_tmp($1) ++ admin_pattern($1, l2tpd_tmp_t) ++') diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te new file mode 100644 -index 0000000..4aac893 +index 0000000..d3ce22f --- /dev/null 
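Review bot: The interface file still contains unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> 37639db... Add support for proL2TPd.` — between `l2tpd_initrc_domtrans` and the new dgram/socket interfaces; as committed these lines land inside l2tpd.if, where the m4 preprocessor will either abort or pass them through as garbage into the compiled policy. Resolve the conflict by deleting the three marker lines and keeping the `l2tpd_dgram_send` and `l2tpd_rw_socket` interfaces, since the HEAD side of the conflict is empty. A build of the module would have caught this, so the patch appears not to have been compiled before being committed.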
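Review bot: In `l2tpd_admin` the rewritten gen_require line `type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;` uses a period where a comma belongs, so the declaration does not parse and every policy that calls l2tpd_admin fails to build; it should read `type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;`. The form being replaced, one `type` statement per line, was harder to get wrong and is still common in this tree.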
+++ b/policy/modules/services/l2tpd.te -@@ -0,0 +1,56 @@ +@@ -0,0 +1,94 @@ +policy_module(l2tpd, 1.0.0) + +######################################## @@ -42483,6 +42712,9 @@ index 0000000..4aac893 +type l2tpd_initrc_exec_t; +init_script_file(l2tpd_initrc_exec_t) + ++type l2tp_etc_t; ++files_config_file(l2tp_etc_t) ++ +type l2tpd_tmp_t; +files_tmp_file(l2tpd_tmp_t) + @@ -42491,14 +42723,20 @@ index 0000000..4aac893 + +######################################## +# -+# l2tpd local policy ++# Local policy +# -+allow l2tpd_t self:capability net_bind_service; -+allow l2tpd_t self:process signal; + ++allow l2tpd_t self:capability { net_admin net_bind_service }; ++allow l2tpd_t self:process signal; +allow l2tpd_t self:fifo_file rw_fifo_file_perms; -+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms; ++allow l2tpd_t self:netlink_socket create_socket_perms; ++allow l2tpd_t self:rawip_socket create_socket_perms; ++allow l2tpd_t self:socket create_socket_perms; +allow l2tpd_t self:tcp_socket create_stream_socket_perms; ++allow l2tpd_t self:unix_dgram_socket sendto; ++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t) + +manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) +files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) 
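Review bot: The self rules added to l2tpd_t — `net_admin`, `netlink_socket`, `rawip_socket` and the generic `socket` class — are each broad and none says what it is for; `self:socket` in particular is the fallback class for address families without a dedicated one, so it covers any such family and not only the PPPoX/L2TP sockets the daemon presumably opens. Add a why-comment per rule, e.g. `# PF_PPPOX l2tp sockets fall into the generic socket class` and `# net_admin: bring up the tunnel/session interfaces`, and drop any of the four that an audit run shows unused. The enclosing "Local policy" section continues into the next hunk.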
@@ -42509,10 +42747,34 @@ index 0000000..4aac893 +manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) +files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) + ++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) ++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) ++ ++corenet_all_recvfrom_unlabeled(l2tpd_t) ++corenet_all_recvfrom_netlabel(l2tpd_t) ++corenet_raw_sendrecv_generic_if(l2tpd_t) ++corenet_tcp_sendrecv_generic_if(l2tpd_t) ++corenet_udp_sendrecv_generic_if(l2tpd_t) ++corenet_raw_bind_generic_node(l2tpd_t) +corenet_tcp_bind_generic_node(l2tpd_t) +corenet_udp_bind_generic_node(l2tpd_t) -+corenet_udp_bind_generic_port(l2tpd_t) ++corenet_raw_sendrecv_generic_node(l2tpd_t) ++corenet_tcp_sendrecv_generic_node(l2tpd_t) ++corenet_udp_sendrecv_generic_node(l2tpd_t) ++ +corenet_tcp_bind_all_rpc_ports(l2tpd_t) ++corenet_udp_bind_generic_port(l2tpd_t) ++ ++corenet_udp_bind_l2tp_port(l2tpd_t) ++corenet_udp_sendrecv_l2tp_port(l2tpd_t) ++corenet_sendrecv_l2tp_server_packets(l2tpd_t) ++ ++kernel_read_network_state(l2tpd_t) ++# net-pf-24 (pppox) ++kernel_request_load_module(l2tpd_t) ++ ++# prol2tpc ++corecmd_exec_bin(l2tpd_t) + +dev_read_urand(l2tpd_t) + @@ -42525,8 +42787,13 @@ index 0000000..4aac893 +miscfiles_read_localization(l2tpd_t) + +sysnet_dns_name_resolve(l2tpd_t) ++ ++optional_policy(` ++ ppp_domtrans(l2tpd_t) ++ ppp_signal(l2tpd_t) ++') diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc -index c62f23e..f8a4301 100644 +index c62f23e..8b7e71f 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc @@ -1,6 +1,10 @@ 
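Review bot: `manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)` and `files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)` are added a second time here although the identical pair already exists a few lines up (visible as context at the end of the previous hunk); delete the duplicate. Now that `corenet_udp_bind_l2tp_port` is defined, the surviving `corenet_udp_bind_generic_port(l2tpd_t)` and `corenet_tcp_bind_all_rpc_ports(l2tpd_t)` let the daemon bind far more than the l2tp port and should be re-checked against an AVC log before they stay; if one of the three daemons still needs them, a comment naming it would keep the rules from being cut later.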
@@ -42545,7 +42812,7 @@ index c62f23e..f8a4301 100644 /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index 3aa8fa7..40b10fa 100644 --- a/policy/modules/services/ldap.if @@ -47354,7 +47621,7 @@ index 2324d9e..4f46ff8 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..76e9108 100644 +index 0619395..293aaca 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -47432,7 +47699,7 @@ index 0619395..76e9108 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,10 +139,11 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) @@ -47441,7 +47708,11 @@ index 0619395..76e9108 100644 files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) -@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t) ++files_read_system_conf_files(NetworkManager_t) + files_read_usr_files(NetworkManager_t) + files_read_usr_src_files(NetworkManager_t) + +@@ -133,30 +160,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) 
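Review bot: The `#/var/run/slapd.* -s` line added to ldap.fc is commented-out policy left in place; a disabled file-context entry should be removed rather than kept as a comment, or the comment should state the decision, e.g. `# socket spec lives in dirsrv.fc to avoid a duplicate-spec conflict`, otherwise the next person will re-enable it and reintroduce the conflict. Commented-out fc patterns are also easy to mistake for active ones when auditing labels.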
@@ -47481,7 +47752,7 @@ index 0619395..76e9108 100644 ') optional_policy(` -@@ -172,14 +205,21 @@ optional_policy(` +@@ -172,14 +206,21 @@ optional_policy(` ') optional_policy(` @@ -47504,7 +47775,7 @@ index 0619395..76e9108 100644 ') ') -@@ -191,6 +231,7 @@ optional_policy(` +@@ -191,6 +232,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -47512,7 +47783,7 @@ index 0619395..76e9108 100644 ') optional_policy(` -@@ -202,23 +243,45 @@ optional_policy(` +@@ -202,23 +244,45 @@ optional_policy(` ') optional_policy(` @@ -47558,7 +47829,7 @@ index 0619395..76e9108 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -241,6 +304,7 @@ optional_policy(` +@@ -241,6 +305,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -47566,7 +47837,7 @@ index 0619395..76e9108 100644 ') optional_policy(` -@@ -263,6 +327,7 @@ optional_policy(` +@@ -263,6 +328,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -52908,7 +53179,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..52443cd 100644 +index 29b9295..ec68440 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; 
@@ -52951,7 +53222,7 @@ index 29b9295..52443cd 100644 # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t) +@@ -87,8 +100,10 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -52959,10 +53230,12 @@ index 29b9295..52443cd 100644 -userdom_dontaudit_search_user_home_dirs(procmail_t) +# Execute user executables +userdom_exec_user_bin_files(procmail_t) ++ ++userdom_home_manager(procmail_t) mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -112,6 +125,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -112,6 +127,12 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` clamav_domtrans_clamscan(procmail_t) clamav_search_lib(procmail_t) @@ -52975,7 +53248,7 @@ index 29b9295..52443cd 100644 ') optional_policy(` -@@ -125,6 +144,11 @@ optional_policy(` +@@ -125,6 +146,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -57726,10 +57999,36 @@ index 69a6074..596dbb3 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..0a29f68 100644 +index 82cb169..f9c229f 100644 --- a/policy/modules/services/samba.if 
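Review bot: `userdom_home_manager(procmail_t)` is added directly above the `tunable_policy(`use_samba_home_dirs',` ...` block that procmail.te already carries (the `@@ -112` context shows it); if the home_manager attribute in this policy is what drives the NFS/CIFS home-directory tunables, those explicit blocks are now redundant and should go so the rules have one source. The attribute's definition is not in this patch, so treat that as a check rather than a fact. A one-line comment saying what the attribute adds on top of the existing userdom_manage_user_home_content_* rules, e.g. `# home_manager: nfs/cifs/fuse home dirs under the use_*_home_dirs booleans`, would make the intent clear.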
+++ b/policy/modules/services/samba.if -@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',` +@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',` + + ######################################## + ## ++## Connect to nmbd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_stream_connect_nmbd',` ++ gen_require(` ++ type nmbd_t, nmbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++') ++ ++######################################## ++## + ## Execute samba server in the samba domain. + ## + ## +@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',` ######################################## ## @@ -57759,7 +58058,7 @@ index 82cb169..0a29f68 100644 ## Execute samba net in the samba_net domain. ## ## -@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',` +@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',` ######################################## ## @@ -57785,7 +58084,7 @@ index 82cb169..0a29f68 100644 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -103,6 +145,51 @@ interface(`samba_run_net',` +@@ -103,6 +164,51 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') @@ -57837,7 +58136,7 @@ index 82cb169..0a29f68 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -327,7 +414,6 @@ interface(`samba_search_var',` +@@ -327,7 +433,6 @@ interface(`samba_search_var',` type samba_var_t; ') @@ -57845,7 +58144,7 @@ index 82cb169..0a29f68 100644 files_search_var_lib($1) allow $1 samba_var_t:dir search_dir_perms; ') -@@ -348,7 +434,6 @@ interface(`samba_read_var_files',` +@@ -348,7 +453,6 @@ interface(`samba_read_var_files',` type samba_var_t; ') 
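Review bot: The new `samba_stream_connect_nmbd` interface documents itself only as `Connect to nmbd.`; the summary should say what is actually granted so callers pick the right interface, e.g. `## Connect to nmbd over its unix stream socket under /var/run.`. The body correctly limits the grant to nmbd_var_run_t sockets with nmbd_t as the peer via stream_connect_pattern, and files_search_pids is the only directory access it adds, so the rule itself raises nothing.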
@@ -57853,7 +58152,7 @@ index 82cb169..0a29f68 100644 files_search_var_lib($1) read_files_pattern($1, samba_var_t, samba_var_t) ') -@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',` +@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',` type samba_var_t; ') @@ -57861,7 +58160,7 @@ index 82cb169..0a29f68 100644 files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ') -@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',` +@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',` type samba_var_t; ') @@ -57872,7 +58171,7 @@ index 82cb169..0a29f68 100644 ') ######################################## -@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',` +@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',` ## Execute a domain transition to run smbcontrol. ## ## @@ -57891,7 +58190,7 @@ index 82cb169..0a29f68 100644 ') domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',` +@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) @@ -57899,7 +58198,7 @@ index 82cb169..0a29f68 100644 ') ######################################## -@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',` +@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -57937,7 +58236,7 @@ index 82cb169..0a29f68 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',` +@@ -661,21 +795,12 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -57965,7 +58264,7 @@ index 82cb169..0a29f68 100644 ') allow $1 smbd_t:process { ptrace signal_perms }; -@@ -684,6 +790,9 @@ interface(`samba_admin',` +@@ -684,6 +809,9 @@ interface(`samba_admin',` allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) 
@@ -57975,7 +58274,7 @@ index 82cb169..0a29f68 100644 samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -709,9 +818,6 @@ interface(`samba_admin',` +@@ -709,9 +837,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) @@ -57985,7 +58284,7 @@ index 82cb169..0a29f68 100644 admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +833,7 @@ interface(`samba_admin',` +@@ -727,4 +852,7 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -58525,10 +58824,10 @@ index 0000000..486d53d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..96adff5 +index 0000000..afa8d37 --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,102 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -58597,6 +58896,8 @@ index 0000000..96adff5 + +storage_raw_rw_fixed_disk(sanlock_t) + ++auth_use_nsswitch(sanlock_t) ++ +dev_read_urand(sanlock_t) + +logging_send_syslog_msg(sanlock_t) @@ -60440,7 +60741,7 @@ index d2496bd..1d0c078 100644 allow $1 squid_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te -index 4b2230e..7b3d2db 100644 +index 4b2230e..51dc8d8 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) 
@@ -60477,7 +60778,26 @@ index 4b2230e..7b3d2db 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file) +@@ -40,6 +40,9 @@ logging_log_file(squid_log_t) + type squid_tmpfs_t; + files_tmpfs_file(squid_tmpfs_t) + ++type squid_tmp_t; ++files_tmp_file(squid_tmp_t) ++ + type squid_var_run_t; + files_pid_file(squid_var_run_t) + +@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) + manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) + fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) + ++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) ++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) ++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) ++ + manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) + files_pid_filetrans(squid_t, squid_var_run_t, file) kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) @@ -60485,7 +60805,7 @@ index 4b2230e..7b3d2db 100644 files_dontaudit_getattr_boot_dirs(squid_t) -@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) @@ -60495,7 +60815,7 @@ index 4b2230e..7b3d2db 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +187,7 @@ optional_policy(` +@@ -185,6 +194,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -60503,7 +60823,7 @@ index 4b2230e..7b3d2db 100644 sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +209,7 @@ optional_policy(` +@@ -206,3 +216,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') 
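Review bot: The new `squid_tmp_t` type gets manage rules and a files_tmp_filetrans for squid_t, but nothing in this patch extends `squid_admin` in squid.if (its hunk here is context-only) with the type, so administrators confined through that interface cannot clean up squid's tmp files. Unless it is done in a hunk outside this view, add `files_search_tmp($1)` and `admin_pattern($1, squid_tmp_t)` to squid_admin alongside the module's other types.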
@@ -60536,7 +60856,7 @@ index 078bcd7..84d29ee 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..9001bca 100644 +index 22adaca..8cbaa9a 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -60971,7 +61291,7 @@ index 22adaca..9001bca 100644 ') ###################################### -@@ -735,3 +893,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +893,82 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -61011,6 +61331,7 @@ index 22adaca..9001bca 100644 + + allow sshd_t $1:process dyntransition; + allow $1 sshd_t:process sigchld; ++ allow sshd_t $1:process { getattr sigkill sigstop signull signal }; +') + +######################################## @@ -61054,7 +61375,7 @@ index 22adaca..9001bca 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..e411df0 100644 +index 2dad3c8..7ef3f55 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) @@ -61392,6 +61713,10 @@ index 2dad3c8..e411df0 100644 - - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) +- ') +-',` +- optional_policy(` +- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to 
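Review bot: The added `allow sshd_t $1:process { getattr sigkill sigstop signull signal };` lets sshd_t inspect, stop and kill the domain it dyntransitions to, but the interface's `##` description, which begins outside the hunk, still only covers the transition itself, so a caller reading the summary would not know the target domain is not isolated from sshd afterwards. The set spelled out is `signal_perms` without sigchld; if withholding sigchld is deliberate (the line above already sends it the other way), a short comment would keep the next reader from "fixing" it to `signal_perms`, e.g. `# sshd_t may signal/kill sessions it dyntransitions to; sigchld flows child -> sshd_t only`. The `## ` summary should gain a sentence along the lines of "sshd_t is also allowed to getattr and signal (including kill/stop) the target domain".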
@@ -61412,10 +61737,6 @@ index 2dad3c8..e411df0 100644 + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; ') --',` -- optional_policy(` -- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) -- ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. @@ -61467,7 +61788,7 @@ index 2dad3c8..e411df0 100644 ') optional_policy(` -@@ -363,3 +436,82 @@ optional_policy(` +@@ -363,3 +436,81 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -61502,7 +61823,6 @@ index 2dad3c8..e411df0 100644 +# chroot_user_t local policy +# + -+ +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) +userdom_read_user_home_content_symlinks(chroot_user_t) @@ -61550,6 +61870,19 @@ index 2dad3c8..e411df0 100644 +optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) +') +diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc +index 4271815..4bc00ea 100644 +--- a/policy/modules/services/sssd.fc ++++ b/policy/modules/services/sssd.fc +@@ -4,6 +4,8 @@ + + /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) + ++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) ++ + /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + + /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 941380a..ce8c972 100644 --- a/policy/modules/services/sssd.if @@ -67963,7 +68296,7 @@ index 28ad538..40f76db 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) 
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..2c6ee0e 100644 +index 73554ec..cd2c7cc 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -68096,7 +68429,7 @@ index 73554ec..2c6ee0e 100644 + + optional_policy(` + fprintd_dbus_chat($1) - ') ++ ') + + optional_policy(` + ssh_agent_exec($1) @@ -68136,7 +68469,7 @@ index 73554ec..2c6ee0e 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; -+ ') + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; ') @@ -68377,7 +68710,7 @@ index 73554ec..2c6ee0e 100644 ') ######################################## -@@ -1659,3 +1800,33 @@ interface(`auth_unconfined',` +@@ -1659,3 +1800,35 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -68396,6 +68729,7 @@ index 73554ec..2c6ee0e 100644 + gen_require(` + type shadow_t; + type faillog_t; ++ type lastlog_t; + type wtmp_t; + ') + @@ -68405,6 +68739,7 @@ index 73554ec..2c6ee0e 100644 + files_etc_filetrans($1, shadow_t, file, "gshadow") + files_var_filetrans($1, shadow_t, file, "shadow") + files_var_filetrans($1, shadow_t, file, "shadow-") ++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") + logging_log_named_filetrans($1, faillog_t, file, "tallylog") + logging_log_named_filetrans($1, faillog_t, file, "faillog") + logging_log_named_filetrans($1, faillog_t, file, "btmp") @@ -68965,7 +69300,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..f2689e3 100644 +index 94fd8dd..82d8769 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` 
@@ -69063,17 +69398,17 @@ index 94fd8dd..f2689e3 100644 typeattribute $2 direct_init_entry; - userdom_dontaudit_use_user_terminals($1) -+# userdom_dontaudit_use_user_terminals($1) - ') - +- ') +- - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -- ') -- ++# userdom_dontaudit_use_user_terminals($1) + ') + - optional_policy(` - nscd_socket_use($1) + tunable_policy(`init_upstart || init_systemd',` @@ -69177,7 +69512,15 @@ index 94fd8dd..f2689e3 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -451,6 +501,10 @@ interface(`init_exec',` +@@ -442,7 +492,6 @@ interface(`init_domtrans',` + ## Domain allowed access. + ## + ## +-## + # + interface(`init_exec',` + gen_require(` +@@ -451,6 +500,29 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -69185,10 +69528,29 @@ index 94fd8dd..f2689e3 100644 + tunable_policy(`init_systemd',` + systemd_exec_systemctl($1) + ') ++') ++ ++####################################### ++## ++## Dontaudit getattr on the init program. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`init_dontaudit_getattr_exec',` ++ gen_require(` ++ type init_exec_t; ++ ') ++ ++ dontaudit $1 init_exec_t:file getattr; ') ######################################## -@@ -509,6 +563,24 @@ interface(`init_sigchld',` +@@ -509,6 +581,24 @@ interface(`init_sigchld',` ######################################## ## @@ -69213,7 +69575,7 @@ index 94fd8dd..f2689e3 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +591,66 @@ interface(`init_sigchld',` +@@ -519,10 +609,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` 
@@ -69282,7 +69644,7 @@ index 94fd8dd..f2689e3 100644 ') ######################################## -@@ -688,19 +816,25 @@ interface(`init_telinit',` +@@ -688,19 +834,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -69309,7 +69671,7 @@ index 94fd8dd..f2689e3 100644 ') ') -@@ -730,7 +864,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +882,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -69318,7 +69680,7 @@ index 94fd8dd..f2689e3 100644 ## ## # -@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -69342,7 +69704,7 @@ index 94fd8dd..f2689e3 100644 ') ') -@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +953,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -69388,7 +69750,7 @@ index 94fd8dd..f2689e3 100644 ') ######################################## -@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -69403,7 +69765,7 @@ index 94fd8dd..f2689e3 100644 files_search_etc($1) ') -@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1259,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -69428,7 +69790,7 @@ index 94fd8dd..f2689e3 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1328,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -69442,7 +69804,7 @@ index 94fd8dd..f2689e3 100644 ') ######################################## -@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1568,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from 
@@ -69470,7 +69832,7 @@ index 94fd8dd..f2689e3 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1675,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -69496,7 +69858,7 @@ index 94fd8dd..f2689e3 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1752,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -69521,7 +69883,7 @@ index 94fd8dd..f2689e3 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',` +@@ -1586,6 +1837,24 @@ interface(`init_read_utmp',` ######################################## ## @@ -69546,7 +69908,7 @@ index 94fd8dd..f2689e3 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1943,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -69555,7 +69917,7 @@ index 94fd8dd..f2689e3 100644 ') ######################################## -@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1984,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -69684,7 +70046,7 @@ index 94fd8dd..f2689e3 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2140,194 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -75600,7 +75962,7 @@ index ff80d0a..be800df 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..dac04f8 100644 +index 34d0ec5..a9ce01d 100644 
--- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -75636,6 +75998,15 @@ index 34d0ec5..dac04f8 100644 ######################################## # +@@ -44,7 +54,7 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_s + dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; ++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate ptrace signal_perms }; + + allow dhcpc_t self:fifo_file rw_fifo_file_perms; + allow dhcpc_t self:tcp_socket create_stream_socket_perms; @@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) @@ -76421,10 +76792,10 @@ index 0000000..1688a39 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b8c56f1 +index 0000000..9106ba4 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,379 @@ +@@ -0,0 +1,381 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -76646,6 +77017,8 @@ index 0000000..b8c56f1 +files_manage_all_locks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_delete_all_non_security_files(systemd_tmpfiles_t) ++files_delete_all_pid_sockets(systemd_tmpfiles_t) ++files_delete_all_pid_pipes(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) +files_manage_generic_tmp_files(systemd_tmpfiles_t) +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) @@ -81811,7 +82184,7 @@ index 9b4a930..8525f8a 100644 + fs_manage_fusefs_symlinks(userdom_home_manager_type) +') diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc -index a865da7..a5ed06e 100644 +index a865da7..f22f770 100644 
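Review bot: `setsched` is added to the `allow dhcpc_t self:process` line without a why-comment, while the neighbouring dontaudit rules in the same hunk each carry one (`# for access("/etc/bashrc", X_OK) on Red Hat`). A one-line note naming the caller that tripped the denial would match the file's convention and make the grant easy to revisit, e.g. `# dhclient sets its own scheduling policy/priority` if that is the trigger — I cannot confirm the originating AVC from the hunk.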
--- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc @@ -1,12 +1,10 @@ @@ -81824,7 +82197,7 @@ index a865da7..a5ed06e 100644 /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) -/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) -+/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ++#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ifdef(`distro_debian',` /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) @@ -81915,7 +82288,7 @@ index 77d41b6..7ccb440 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..b82a902 100644 +index 4350ba0..c4c4bcb 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) @@ -81946,7 +82319,18 @@ index 4350ba0..b82a902 100644 ######################################## # # blktap local policy -@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',` +@@ -170,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + # + # qemu-dm local policy + # ++ ++# TODO: This part of policy should be removed ++# qemu-dm should run in xend_t domain ++ + # Do we need to allow execution of qemu-dm? + tunable_policy(`xend_run_qemu',` + allow qemu_dm_t self:capability sys_resource; +@@ -208,9 +209,14 @@ tunable_policy(`xend_run_qemu',` # xend local policy # 
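Review bot: The qemu-dm entry in the xen.fc hunk is commented out with `#` rather than removed, which leaves dead policy text and a second place to remember when the `# TODO: This part of policy should be removed` block in the following xen.te hunk is acted on. Either drop the line or keep a one-line rationale beside it, e.g. `# intentionally unlabeled: qemu-dm is executed inside xend_t, see xen.te`. With no specific entry the binary presumably picks up a generic label from the enclosing directory pattern, which is what makes it stay in xend_t; stating that here prevents a later "fix" that reinstates qemu_dm_exec_t and silently reintroduces the domain transition.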
@@ -81954,8 +82338,15 @@ index 4350ba0..b82a902 100644 +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { signal sigkill }; ++ ++# needed by qemu_dm ++allow xend_t self:capability sys_resource; ++allow xend_t self:process setrlimit; ++ dontaudit xend_t self:process ptrace; -@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t) + # internal communication is often done using fifo and unix sockets. + allow xend_t self:fifo_file rw_fifo_file_perms; +@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -81965,10 +82356,11 @@ index 4350ba0..b82a902 100644 miscfiles_read_hwdata(xend_t) -mount_domtrans(xend_t) - +- sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) -@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) + sysnet_domtrans_ifconfig(xend_t) +@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -81977,7 +82369,7 @@ index 4350ba0..b82a902 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +341,23 @@ optional_policy(` +@@ -349,6 +349,23 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -82001,7 +82393,7 @@ index 4350ba0..b82a902 100644 ######################################## # # Xen console local policy -@@ -413,9 +422,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +430,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -82013,7 +82405,7 @@ index 4350ba0..b82a902 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +452,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +460,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) 
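Review bot: The new `allow xend_t self:capability sys_resource;` and `allow xend_t self:process setrlimit;` are unconditional, whereas the qemu_dm_t grant they stand in for is, per the context of the earlier xen.te hunk, wrapped in `tunable_policy(`xend_run_qemu',`...`. Since the comment says these exist only because qemu-dm now runs in xend_t, wrapping the two lines in the same tunable keeps the extra capability off xend_t on hosts that do not run qemu-dm; as written, the tunable no longer gates anything on the xend side. The `# needed by qemu_dm` comment would also be more useful as `# qemu-dm runs in xend_t and raises its own resource limits`, so the reason for sys_resource rather than just setrlimit is recorded.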
@@ -82025,7 +82417,7 @@ index 4350ba0..b82a902 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +469,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +477,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -82122,7 +82514,7 @@ index 4350ba0..b82a902 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +484,4 @@ optional_policy(` +@@ -559,8 +492,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b9473eb..8c479a8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 81%{?dist} +Release: 82%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,21 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 6 2012 Miroslav Grepl 3.10.0-82 +- Add httpd_use_fusefs boolean +- /etc/auto.* should be labeled bin_t +- Allow sshd_t to signal processes that it transitions to +- Rename rdate port to time port, and allow gnomeclock to connect to it +- Make amavis as nsswitch domain to allow using NIS +- Make procmail_t as home manager +- Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file +- Add port definition for l2tp ports +- Make qemu-dm running in xend_t domain +- Allow accountsd to read /proc data about gdm +- Allow rtkit to schedule wine processes +- label /var/lib/sss/mc same as pubconf +- Allow NM to read system config file + * Wed Mar 13 2012 Miroslav Grepl 3.10.0-81 - boinc fixes - Allow vnstat to search through var_lib_t directories