From a1a98aaf5330e53ee415f2e8419e03f159e19aff Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 07 2017 15:07:40 +0000 Subject: * Mon Aug 07 2017 Lukas Vrabec - 3.13.1-225.20 - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 6551eec..adf3610 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index 42d53ff..577a1ff 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -2319,10 +2319,18 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..1ed2cd4 100644 +index 03ec5ca..1e3ace4 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if -@@ -48,6 +48,7 @@ template(`su_restricted_domain_template', ` +@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', ` + + allow $2 $1_su_t:process signal; + +- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:key { search write }; + allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:unix_stream_socket create_stream_socket_perms; @@ -2507,7 +2515,7 @@ index 03ec5ca..1ed2cd4 100644 ####################################### 
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te -index 85bb77e..5f38282 100644 +index 85bb77e..a430233 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -9,3 +9,82 @@ attribute su_domain_type; @@ -2515,7 +2523,7 @@ index 85bb77e..5f38282 100644 type su_exec_t; corecmd_executable_file(su_exec_t) + -+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; +dontaudit su_domain_type self:capability sys_tty_config; +allow su_domain_type self:process { setexec setsched setrlimit }; +allow su_domain_type self:fifo_file rw_fifo_file_perms; @@ -2788,7 +2796,7 @@ index 0960199..2e75ec7 100644 + manage_files_pattern($1, sudo_db_t, sudo_db_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..8a18a54 100644 +index d9fce57..174f893 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,111 @@ attribute sudodomain; @@ -2809,7 +2817,7 @@ index d9fce57..8a18a54 100644 +# + +# Use capabilities. -+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource }; ++allow sudodomain self:capability { chown fowner setuid setgid dac_read_search dac_override sys_nice sys_resource }; +dontaudit sudodomain self:capability net_admin; +allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow sudodomain self:process { setexec setrlimit }; @@ -3081,7 +3089,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..09a9fb3 100644 +index 1d732f1..d66e3d5 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te 
@@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3104,7 +3112,7 @@ index 1d732f1..09a9fb3 100644 application_domain(passwd_t, passwd_exec_t) role passwd_roles types passwd_t; -@@ -61,9 +64,13 @@ files_tmp_file(sysadm_passwd_tmp_t) +@@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) @@ -3118,6 +3126,13 @@ index 1d732f1..09a9fb3 100644 ######################################## # # Chfn local policy + # + +-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; ++allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; + allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; + allow chfn_t self:process { setrlimit setfscreate }; + allow chfn_t self:fd use; @@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) @@ -3196,6 +3211,15 @@ index 1d732f1..09a9fb3 100644 ######################################## # # Crack local policy +@@ -186,7 +210,7 @@ optional_policy(` + # Groupadd local policy + # + +-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; ++allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write }; + dontaudit groupadd_t self:capability { fsetid sys_tty_config }; + allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; + allow groupadd_t self:process { setrlimit setfscreate }; @@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) 
@@ -3250,7 +3274,7 @@ index 1d732f1..09a9fb3 100644 # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; ++allow passwd_t self:capability { chown dac_read_search ac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; @@ -3342,6 +3366,15 @@ index 1d732f1..09a9fb3 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) +@@ -362,7 +411,7 @@ optional_policy(` + # Password admin local policy + # + +-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; ++allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; + allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow sysadm_passwd_t self:process { setrlimit setfscreate }; + allow sysadm_passwd_t self:fd use; @@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3381,7 +3414,7 @@ index 1d732f1..09a9fb3 100644 # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; ++allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 
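Review bot: The passwd_t capability line in the `@@ -3250,7 +3274,7 @@` hunk (usermanage.te) carries a stray token `ac_read_search` right after `dac_read_search`; `ac_read_search` is not a permission of the `capability` class, so the policy build should reject this line as written. The new line should read `+allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };`. The same `dac_read_search` insertion in the sibling hunks for chfn_t, groupadd_t, sysadm_passwd_t and useradd_t in this file is spelled correctly, which suggests a paste slip rather than an intended name.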
@@ -3621,7 +3654,7 @@ index 1dc7a85..e4f6fc2 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..d81185e 100644 +index 7590165..f50f799 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) @@ -3638,7 +3671,7 @@ index 7590165..d81185e 100644 # # seunshare local policy # -+allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice }; ++allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; @@ -11054,7 +11087,7 @@ index b876c48..d7cfba9 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..1ac470a 100644 +index f962f76..8c91d26 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -11933,7 +11966,7 @@ index f962f76..1ac470a 100644 - type root_t; + attribute mountpoint; ') -+ dontaudit $1 self:capability dac_override; ++ dontaudit $1 self:capability { dac_read_search dac_override }; - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; @@ -24234,7 +24267,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..47b6d44 100644 +index 2522ca6..24d8439 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1) 
@@ -24645,7 +24678,7 @@ index 2522ca6..47b6d44 100644 optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) -+ allow sysadm_screen_t self:capability dac_override; ++ allow sysadm_screen_t self:capability { dac_read_search dac_override }; ') optional_policy(` @@ -26903,7 +26936,7 @@ index 76d9f66..7528851 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..d55811f 100644 +index fe0c682..92e8e48 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -27030,7 +27063,7 @@ index fe0c682..d55811f 100644 files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec }; @@ -27631,7 +27664,7 @@ index fe0c682..d55811f 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..92de2d7 100644 +index cc877c7..3038b08 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) 
@@ -28112,7 +28145,7 @@ index cc877c7..92de2d7 100644 # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t -+allow ssh_keygen_t self:capability dac_override; ++allow ssh_keygen_t self:capability { dac_read_search dac_override }; dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - @@ -30234,7 +30267,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..00a15e8 100644 +index 8b40377..3b99ed3 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -30494,7 +30527,7 @@ index 8b40377..00a15e8 100644 # Xauth local policy # -+allow xauth_t self:capability dac_override; ++allow xauth_t self:capability { dac_read_search dac_override }; allow xauth_t self:process signal; +allow xauth_t self:shm create_shm_perms; allow xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -30582,13 +30615,13 @@ index 8b40377..00a15e8 100644 +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) -+') -+ -+optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ') optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ++') ++ ++optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) 
@@ -30624,12 +30657,12 @@ index 8b40377..00a15e8 100644 +allow xdm_t self:dbus { send_msg acquire_svc }; + +allow xdm_t xauth_home_t:file manage_file_perms; - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+ + +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) @@ -30886,7 +30919,7 @@ index 8b40377..00a15e8 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +698,167 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -30942,6 +30975,10 @@ index 8b40377..00a15e8 100644 +') + +optional_policy(` ++ dbus_read_lib_files(xdm_t) ++') ++ ++optional_policy(` + gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates") +') + @@ -31056,7 +31093,7 @@ index 8b40377..00a15e8 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +871,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -31088,7 +31125,7 @@ index 8b40377..00a15e8 100644 ') optional_policy(` -@@ -518,8 +902,36 @@ optional_policy(` +@@ -518,8 +906,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) 
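Review bot: The `@@ -30942,6 +30975,10 @@` hunk (xserver.te) adds a new `optional_policy(` block granting `dbus_read_lib_files(xdm_t)`, which has nothing to do with the dac_read_search/dac_override fix the commit message describes; the same applies to `+allow init_t init_var_lib_t:dir mounton;` added in the `@@ -36116,6 +36188,7 @@` hunk (init.te). Both widen a domain's access under a changelog entry that only mentions the capability fix, so they should either go into their own commit or at least be named in the description so the access grant is reviewable on its own. The neighbouring xauth_t/xdm_t hunks in this file (`@@ -30582`, `@@ -30624`, `@@ -31107`) only reorder `optional_policy` blocks and leave the resulting policy text unchanged, which looks like regenerated-patch churn rather than an intended edit.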
@@ -31107,13 +31144,13 @@ index 8b40377..00a15e8 100644 + cpufreqselector_dbus_chat(xdm_t) + ') + - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + hal_dbus_chat(xdm_t) + ') + @@ -31126,7 +31163,7 @@ index 8b40377..00a15e8 100644 ') ') -@@ -530,6 +942,20 @@ optional_policy(` +@@ -530,6 +946,20 @@ optional_policy(` ') optional_policy(` @@ -31147,7 +31184,7 @@ index 8b40377..00a15e8 100644 hostname_exec(xdm_t) ') -@@ -547,28 +973,78 @@ optional_policy(` +@@ -547,28 +977,78 @@ optional_policy(` ') optional_policy(` @@ -31235,7 +31272,7 @@ index 8b40377..00a15e8 100644 ') optional_policy(` -@@ -580,6 +1056,14 @@ optional_policy(` +@@ -580,6 +1060,14 @@ optional_policy(` ') optional_policy(` @@ -31250,7 +31287,7 @@ index 8b40377..00a15e8 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1082,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
@@ -31259,12 +31296,12 @@ index 8b40377..00a15e8 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1092,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; ++allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + dontaudit xserver_t self:capability chown; +#allow xserver_t self:capability2 compromise_kernel; @@ -31272,7 +31309,7 @@ index 8b40377..00a15e8 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1109,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -31288,7 +31325,7 @@ index 8b40377..00a15e8 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1125,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -31299,7 +31336,7 @@ index 8b40377..00a15e8 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1140,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -31341,7 +31378,7 @@ index 8b40377..00a15e8 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1191,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -31373,7 +31410,7 @@ index 8b40377..00a15e8 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1224,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -31388,7 +31425,7 @@ index 8b40377..00a15e8 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1241,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1245,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -31412,7 +31449,7 @@ index 8b40377..00a15e8 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1264,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -31421,7 +31458,7 @@ index 8b40377..00a15e8 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1304,54 @@ optional_policy(` +@@ -785,17 +1308,54 @@ optional_policy(` ') optional_policy(` @@ -31478,7 +31515,7 @@ index 8b40377..00a15e8 100644 ') optional_policy(` -@@ -803,6 +1359,10 @@ optional_policy(` +@@ -803,6 +1363,10 @@ optional_policy(` ') optional_policy(` @@ -31489,7 +31526,7 @@ index 8b40377..00a15e8 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1382,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -31514,7 +31551,7 @@ index 8b40377..00a15e8 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1401,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1405,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -31549,7 +31586,7 @@ index 8b40377..00a15e8 100644 ') optional_policy(` -@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1470,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -31558,7 +31595,7 @@ index 8b40377..00a15e8 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1524,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -31590,7 +31627,7 @@ index 8b40377..00a15e8 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1570,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -32925,7 +32962,7 @@ index 3efd5b6..3db526f 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..fde4518 100644 +index 09b791d..2d255df 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) 
@@ -33009,6 +33046,15 @@ index 09b791d..fde4518 100644 type updpwd_t; type updpwd_exec_t; domain_type(updpwd_t) +@@ -90,7 +112,7 @@ logging_log_file(wtmp_t) + # Check password local policy + # + +-allow chkpwd_t self:capability { dac_override setuid }; ++allow chkpwd_t self:capability { dac_read_search dac_override setuid }; + dontaudit chkpwd_t self:capability sys_tty_config; + allow chkpwd_t self:process { getattr signal }; + @@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd @@ -33122,6 +33168,15 @@ index 09b791d..fde4518 100644 miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) +@@ -330,7 +351,7 @@ optional_policy(` + # updpwd local policy + # + +-allow updpwd_t self:capability { chown dac_override }; ++allow updpwd_t self:capability { chown dac_read_search dac_override }; + allow updpwd_t self:process setfscreate; + allow updpwd_t self:fifo_file rw_fifo_file_perms; + allow updpwd_t self:unix_stream_socket create_stream_socket_perms; @@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) @@ -33465,9 +33520,18 @@ index d475c2d..55305d5 100644 + files_etc_filetrans($1, adjtime_t, file, "adjtime" ) +') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index edece47..cb014fd 100644 +index edece47..2e7b811 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te +@@ -20,7 +20,7 @@ role system_r types hwclock_t; + + # Give hwclock the capabilities it requires. dac_override is a surprise, + # but hwclock does require it. +-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; ++allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config }; + dontaudit hwclock_t self:capability sys_tty_config; + allow hwclock_t self:process signal_perms; + allow hwclock_t self:fifo_file rw_fifo_file_perms; 
@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) @@ -33845,10 +33909,10 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea..22425f5 100644 +index f6743ea..ef08ff3 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te -@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t) +@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) type getty_var_run_t; files_pid_file(getty_var_run_t) @@ -33866,6 +33930,14 @@ index f6743ea..22425f5 100644 ######################################## # # Getty local policy + # + + # Use capabilities. +-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; ++allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; + dontaudit getty_t self:capability sys_tty_config; + allow getty_t self:process { getpgid setpgid getsession signal_perms }; + allow getty_t self:fifo_file rw_fifo_file_perms; @@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) files_pid_filetrans(getty_t, getty_var_run_t, file) @@ -35958,7 +36030,7 @@ index 79a45f6..4181811 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..9c87847 100644 +index 17eda24..a11f1ad 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36083,7 +36155,7 @@ index 17eda24..9c87847 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +161,48 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +161,49 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; 
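Review bot: The `+@@ -20,7 +20,7 @@` hunk added for clock.te (the outer hunk begins on the previous line) changes the hwclock_t capability set to `{ dac_read_search dac_override sys_rawio sys_time sys_tty_config }` but keeps the two comment lines directly above it, which still explain only `dac_override`. The comment should be brought in line with the rule, e.g. `# Give hwclock the capabilities it requires. dac_read_search and dac_override are a surprise, but hwclock does require them.` If the kernel change behind this commit means read/search checks are now satisfied by dac_read_search before dac_override is consulted, this comment is also the place to record whether dac_override is still required for hwclock at all, since it is the stronger of the two.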
@@ -36116,6 +36188,7 @@ index 17eda24..9c87847 100644 +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +files_var_lib_filetrans(init_t, init_var_lib_t, { dir file }) ++allow init_t init_var_lib_t:dir mounton; + +manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) +manage_files_pattern(init_t, init_var_run_t, init_var_run_t) @@ -36138,7 +36211,7 @@ index 17eda24..9c87847 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +212,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +213,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -36163,7 +36236,7 @@ index 17eda24..9c87847 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +236,26 @@ domain_signal_all_domains(init_t) +@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -36192,7 +36265,7 @@ index 17eda24..9c87847 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +264,73 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -36271,7 +36344,7 @@ index 17eda24..9c87847 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +339,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +340,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -36564,7 +36637,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -216,7 +623,30 @@ optional_policy(` +@@ -216,7 +624,30 @@ optional_policy(` ') optional_policy(` 
@@ -36596,7 +36669,7 @@ index 17eda24..9c87847 100644 ') ######################################## -@@ -225,9 +655,9 @@ optional_policy(` +@@ -225,9 +656,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -36608,7 +36681,7 @@ index 17eda24..9c87847 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +688,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +689,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -36625,7 +36698,7 @@ index 17eda24..9c87847 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +713,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +714,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -36668,7 +36741,7 @@ index 17eda24..9c87847 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +750,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +751,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -36680,7 +36753,7 @@ index 17eda24..9c87847 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +762,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +763,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -36691,7 +36764,7 @@ index 17eda24..9c87847 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +773,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +774,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -36701,7 +36774,7 @@ index 17eda24..9c87847 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +782,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +783,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -36709,7 +36782,7 @@ index 17eda24..9c87847 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +789,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +790,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -36717,7 +36790,7 @@ index 17eda24..9c87847 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +797,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +798,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -36735,7 +36808,7 @@ index 17eda24..9c87847 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +815,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +816,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -36749,7 +36822,7 @@ index 17eda24..9c87847 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +830,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +831,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -36763,7 +36836,7 @@ index 17eda24..9c87847 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +843,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +844,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -36774,7 +36847,7 @@ index 17eda24..9c87847 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +856,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +857,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -36782,7 +36855,7 @@ index 17eda24..9c87847 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +875,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +876,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -36806,7 +36879,7 @@ index 17eda24..9c87847 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +908,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +909,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -36814,7 +36887,7 @@ index 17eda24..9c87847 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +942,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +943,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -36825,7 +36898,7 @@ index 17eda24..9c87847 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +966,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +967,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -36834,7 +36907,7 @@ index 17eda24..9c87847 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +981,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +982,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -36842,7 +36915,7 @@ index 17eda24..9c87847 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1002,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1003,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -36850,7 +36923,7 @@ index 17eda24..9c87847 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1012,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1013,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -36895,7 +36968,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -559,14 +1057,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1058,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -36927,7 +37000,7 @@ index 17eda24..9c87847 100644 ') ') -@@ -577,6 +1092,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1093,39 @@ ifdef(`distro_suse',` ') ') @@ -36967,7 +37040,7 @@ index 17eda24..9c87847 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1137,8 @@ optional_policy(` +@@ -589,6 +1138,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -36976,7 +37049,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -610,6 +1160,7 @@ optional_policy(` +@@ -610,6 +1161,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -36984,7 +37057,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -626,6 +1177,17 @@ optional_policy(` +@@ -626,6 +1178,17 @@ optional_policy(` ') optional_policy(` @@ -37002,7 +37075,7 @@ index 17eda24..9c87847 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1204,13 @@ optional_policy(` +@@ -642,9 +1205,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37016,7 +37089,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -657,15 +1223,11 @@ optional_policy(` +@@ -657,15 +1224,11 @@ optional_policy(` ') optional_policy(` @@ -37034,7 +37107,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -686,6 +1248,15 @@ optional_policy(` +@@ -686,6 +1249,15 @@ optional_policy(` ') optional_policy(` @@ -37050,7 +37123,7 @@ index 17eda24..9c87847 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1297,7 @@ optional_policy(` +@@ -726,6 +1298,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37058,7 +37131,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -743,7 +1315,13 @@ optional_policy(` +@@ -743,7 +1316,13 @@ optional_policy(` ') optional_policy(` @@ -37073,7 +37146,7 @@ index 17eda24..9c87847 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1344,10 @@ optional_policy(` +@@ -766,6 +1345,10 @@ optional_policy(` ') optional_policy(` @@ -37084,7 +37157,7 @@ index 17eda24..9c87847 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1357,20 @@ optional_policy(` +@@ -775,10 +1358,20 @@ optional_policy(` ') optional_policy(` 
@@ -37105,7 +37178,7 @@ index 17eda24..9c87847 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1379,10 @@ optional_policy(` +@@ -787,6 +1380,10 @@ optional_policy(` ') optional_policy(` @@ -37116,7 +37189,7 @@ index 17eda24..9c87847 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1404,6 @@ optional_policy(` +@@ -808,8 +1405,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37125,7 +37198,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -818,6 +1412,10 @@ optional_policy(` +@@ -818,6 +1413,10 @@ optional_policy(` ') optional_policy(` @@ -37136,7 +37209,7 @@ index 17eda24..9c87847 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1425,12 @@ optional_policy(` +@@ -827,10 +1426,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37149,7 +37222,7 @@ index 17eda24..9c87847 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1457,62 @@ optional_policy(` +@@ -857,21 +1458,62 @@ optional_policy(` ') optional_policy(` @@ -37213,7 +37286,7 @@ index 17eda24..9c87847 100644 ') optional_policy(` -@@ -887,6 +1528,10 @@ optional_policy(` +@@ -887,6 +1529,10 @@ optional_policy(` ') optional_policy(` @@ -37224,7 +37297,7 @@ index 17eda24..9c87847 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1542,218 @@ optional_policy(` +@@ -897,3 +1543,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -38992,7 +39065,7 @@ index 808ba93..baca326 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5..544b8e3 100644 +index 54f8fa5..b9dbbe0 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) 
@@ -39012,9 +39085,12 @@ index 54f8fa5..544b8e3 100644 ifdef(`distro_gentoo',` # openrc unfortunately mounts a tmpfs -@@ -59,9 +59,11 @@ optional_policy(` +@@ -57,11 +57,13 @@ optional_policy(` + # ldconfig local policy + # - allow ldconfig_t self:capability { dac_override sys_chroot }; +-allow ldconfig_t self:capability { dac_override sys_chroot }; ++allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot }; +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) @@ -39190,7 +39266,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..d66491c 100644 +index 446fa99..fcf08ac 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -39225,7 +39301,7 @@ index 446fa99..d66491c 100644 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; -+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; ++allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; 
@@ -39327,7 +39403,7 @@ index 446fa99..d66491c 100644 # -allow sulogin_t self:capability dac_override; -+allow sulogin_t self:capability { dac_override sys_admin }; ++allow sulogin_t self:capability { dac_read_search dac_override sys_admin }; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; @@ -40084,7 +40160,7 @@ index 4e94884..0690edf 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..2be561d 100644 +index 59b04c1..2ce4886 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -40239,6 +40315,15 @@ index 59b04c1..2be561d 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) +@@ -219,7 +258,7 @@ optional_policy(` + # audit dispatcher local policy + # + +-allow audisp_t self:capability { dac_override setpcap sys_nice }; ++allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice }; + allow audisp_t self:process { getcap signal_perms setcap setsched }; + allow audisp_t self:fifo_file rw_fifo_file_perms; + allow audisp_t self:unix_stream_socket create_stream_socket_perms; @@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
@@ -40324,7 +40409,7 @@ index 59b04c1..2be561d 100644 # sys_nice for rsyslog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; ++allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +dontaudit syslogd_t self:cap_userns sys_ptrace; +allow syslogd_t self:capability2 { syslog block_suspend }; @@ -40996,7 +41081,7 @@ index 58bc27f..9e86fce 100644 + + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..262c9ec 100644 +index 79048c4..b0cb1e5 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -41080,7 +41165,13 @@ index 79048c4..262c9ec 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -165,20 +176,27 @@ optional_policy(` + # DAC overrides and mknod for modifying /dev entries (vgmknodes) + # rawio needed for dmraid + # net_admin for multipath +-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; ++allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; + dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; 
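Review bot: The new `allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override ... setgid setuid ... setuid setgid net_raw }` line in the `@@ -40324,7 +40409,7 @@` hunk lists setuid and setgid twice; the duplicates are harmless to the compiler but make the set hard to audit, which matters for a domain that is also being handed sys_ptrace, sys_admin and net_admin. Since the line is being rewritten anyway, a sorted, de-duplicated set reads as `allow syslogd_t self:capability { chown dac_read_search dac_override fsetid ipc_lock net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };`. The `# cjp: why net_admin!` comment kept in context above the line is still unanswered, and the `dontaudit syslogd_t self:capability sys_tty_config;` on the next context line is dead because sys_tty_config is already in the allow set.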
@@ -41856,7 +41947,7 @@ index 7449974..b792900 100644 + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8..3f02a36 100644 +index 7a363b8..3788291 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -41962,7 +42053,7 @@ index 7a363b8..3f02a36 100644 # -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; -+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; ++allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; @@ -43888,7 +43979,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..ab282cf 100644 +index dc46420..f9c5d20 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -43977,7 +44068,7 @@ index dc46420..ab282cf 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,34 +105,43 @@ type run_init_t; +@@ -92,40 +105,49 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) @@ -44030,6 +44121,13 @@ index dc46420..ab282cf 100644 ######################################## # # Checkpolicy local policy + # + +-allow checkpolicy_t self:capability dac_override; ++allow checkpolicy_t self:capability { dac_read_search dac_override }; + + # able to create and modify binary policy files + manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) 
@@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) @@ -44047,6 +44145,15 @@ index dc46420..ab282cf 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` +@@ -165,7 +188,7 @@ ifdef(`distro_ubuntu',` + # Load_policy local policy + # + +-allow load_policy_t self:capability dac_override; ++allow load_policy_t self:capability { dac_read_search dac_override }; + + # only allow read of policy config files + read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) @@ -188,13 +211,13 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) @@ -44091,7 +44198,7 @@ index dc46420..ab282cf 100644 # -allow newrole_t self:capability { fowner setuid setgid dac_override }; -+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override }; ++allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; @@ -44652,7 +44759,7 @@ index dc46420..ab282cf 100644 + dbus_read_pid_files(setfiles_domain) ') -+allow policy_manager_domain self:capability { dac_override sys_nice sys_resource }; ++allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource }; +dontaudit policy_manager_domain self:capability sys_tty_config; +allow policy_manager_domain self:process { signal setsched }; +allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; @@ -45428,7 +45535,7 @@ index 2cea692..e3cb4f2 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..b7497fc 100644 +index a392fc4..41a5b08 100644 
--- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -45470,11 +45577,13 @@ index a392fc4..b7497fc 100644 ifdef(`distro_debian',` init_daemon_run_dir(net_conf_t, "network") -@@ -48,10 +61,11 @@ ifdef(`distro_debian',` +@@ -47,11 +60,12 @@ ifdef(`distro_debian',` + # # DHCP client local policy # - allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; -dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; ++allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; @@ -47779,10 +47888,10 @@ index 0000000..d1356af +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..5146f85 +index 0000000..9318a15 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,980 @@ +@@ -0,0 +1,982 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -47931,7 +48040,7 @@ index 0000000..5146f85 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config sys_admin }; ++allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin }; +allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; 
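Review bot: The new `allow dhcpc_t self:capability { dac_read_search dac_override fsetid ... }` line in the `@@ -45470,11 +45577,13 @@` hunk leaves the context line `dontaudit dhcpc_t self:capability { dac_read_search sys_module };` two lines below it untouched, so dac_read_search is now both allowed and dontaudited for the same domain, and the dontaudit can never fire. The comment above that dontaudit, `# for access("/etc/bashrc", X_OK) on Red Hat`, records a deliberate decision to silence rather than grant the capability, so it is worth confirming that dhcpc_t really needs the grant before trimming the line to `dontaudit dhcpc_t self:capability sys_module;`. The same allow/dontaudit overlap already exists for sys_tty_config on the line in between. The sysnetwork.te context continues outside this hunk.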
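Review bot: The comment `# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)` kept in context directly above the changed `allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };` line in the `@@ -47931,7 +48040,7 @@` hunk now explains only one of the two DAC capabilities granted. Since the changelog ties the addition to the kernel's swapped capability hooks rather than to a new access, the comment should say so, e.g. `# dac_read_search/dac_override are for /run/user/$USER ($USER ownership is $USER:$USER)`, otherwise the next reader will assume dac_read_search was added for some other path. The enclosing systemd.te file section continues past this hunk.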
@@ -48093,7 +48202,7 @@ index 0000000..5146f85 +# systemd_machined local policy +# + -+allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace kill }; ++allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill }; +allow systemd_machined_t systemd_unit_file_t:service { status start }; +allow systemd_machined_t self:unix_dgram_socket create_socket_perms; + @@ -48148,7 +48257,7 @@ index 0000000..5146f85 +# systemd-networkd local policy +# + -+allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap }; ++allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap }; +allow systemd_networkd_t self:process { getcap setcap }; + +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -48211,7 +48320,7 @@ index 0000000..5146f85 +# Local policy +# + -+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; ++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override }; +allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + @@ -48255,7 +48364,7 @@ index 0000000..5146f85 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin }; ++allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; 
@@ -48526,7 +48635,7 @@ index 0000000..5146f85 +# Timedated policy +# + -+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override }; ++allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override }; +allow systemd_timedated_t self:process { getattr getsched setfscreate }; +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms; +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms; @@ -48755,6 +48864,8 @@ index 0000000..5146f85 +# systemd_modules_load domain +# + ++allow systemd_modules_load_t self:system module_load; ++ +kernel_dgram_send(systemd_modules_load_t) +kernel_load_module(systemd_modules_load_t) + diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 93708cc..5749a1a 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..963ccdc 100644 +index eb50f07..53512e8 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1080,7 +1080,7 @@ index eb50f07..963ccdc 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; ++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid }; +allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:process {setfscreate setcap}; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; 
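Review bot: The added `allow systemd_modules_load_t self:system module_load;` in the `@@ -48755,6 +48864,8 @@` hunk is the only change in this commit that is not a dac_read_search addition, and neither the subject line nor the changelog entry mentions it. A rule that lets a domain load kernel modules deserves its own changelog line (or its own commit) so the grant can be found when the policy is audited, plus a short rationale comment above it such as `# module_load: systemd-modules-load inserts kernel modules at boot`. The context shows the domain already gets kernel_load_module(), so the new system-class permission presumably covers a module-loading path the kernel checks separately; confirming that against the AVC denial that prompted it would make the note precise.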
@@ -1175,7 +1175,7 @@ index eb50f07..963ccdc 100644 # Upload watch local policy # -+allow abrt_upload_watch_t self:capability { dac_override chown fsetid }; ++allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid }; + +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) @@ -1291,7 +1291,7 @@ index bd5ec9a..554177c 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 3593510..9617b13 100644 +index 3593510..7c13845 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1305,7 +1305,7 @@ index 3593510..9617b13 100644 ######################################## # # Declarations -@@ -11,11 +15,15 @@ gen_require(` +@@ -11,17 +15,21 @@ gen_require(` type accountsd_t; type accountsd_exec_t; @@ -1322,6 +1322,13 @@ index 3593510..9617b13 100644 ######################################## # # Local policy + # + +-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; ++allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace }; + allow accountsd_t self:process signal; + allow accountsd_t self:fifo_file rw_fifo_file_perms; + allow accountsd_t self:passwd { rootok passwd chfn chsh }; @@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t) dev_read_sysfs(accountsd_t) @@ -1526,9 +1533,18 @@ index 3b41be6..97d99f9 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 90ce637..07db31b 100644 +index 90ce637..8cf712d 100644 --- a/afs.te 
+++ b/afs.te +@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t; + # afs client local policy + # + +-allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config }; ++allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config }; + allow afs_t self:process { setsched signal }; + allow afs_t self:fifo_file rw_file_perms; + allow afs_t self:unix_stream_socket { accept listen }; @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) @@ -1581,7 +1597,7 @@ index 90ce637..07db31b 100644 corenet_all_recvfrom_netlabel(afs_bosserver_t) corenet_udp_sendrecv_generic_if(afs_bosserver_t) corenet_udp_sendrecv_generic_node(afs_bosserver_t) -@@ -136,10 +152,13 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) +@@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) files_list_home(afs_bosserver_t) @@ -1596,7 +1612,12 @@ index 90ce637..07db31b 100644 ######################################## # # fileserver local policy -@@ -151,9 +170,6 @@ allow afs_fsserver_t self:process { setsched signal_perms }; + # + +-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; ++allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice }; + dontaudit afs_fsserver_t self:capability fsetid; + allow afs_fsserver_t self:process { setsched signal_perms }; allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; @@ -1780,7 +1801,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 03831e6..94a723f 100644 +index 03831e6..3d35fff 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; 
@@ -1796,7 +1817,7 @@ index 03831e6..94a723f 100644 # -allow aide_t self:capability { dac_override fowner }; -+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin }; ++allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin }; +allow aide_t self:process signal; manage_files_pattern(aide_t, aide_db_t, aide_db_t) @@ -2291,7 +2312,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..c3a718a 100644 +index 519051c..6f75843 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2322,11 +2343,13 @@ index 519051c..c3a718a 100644 type amanda_amandates_t; files_type(amanda_amandates_t) -@@ -60,7 +66,7 @@ optional_policy(` +@@ -59,8 +65,8 @@ optional_policy(` + # Local policy # - allow amanda_t self:capability { chown dac_override setuid kill }; +-allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; ++allow amanda_t self:capability { chown dac_read_search dac_override setuid kill }; +allow amanda_t self:process { getsched setsched setpgid signal }; allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; @@ -2391,6 +2414,15 @@ index 519051c..c3a718a 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) +@@ -141,7 +157,7 @@ logging_send_syslog_msg(amanda_t) + # Recover local policy + # + +-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; ++allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override }; + allow amanda_recover_t self:process { sigkill sigstop signal }; + allow amanda_recover_t self:fifo_file rw_fifo_file_perms; + allow amanda_recover_t self:unix_stream_socket create_socket_perms; 
@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2490,10 +2522,10 @@ index 60d4f8c..18ef077 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 91fa72a..0b1afd6 100644 +index 91fa72a..1736250 100644 --- a/amavis.te +++ b/amavis.te -@@ -39,7 +39,7 @@ type amavis_quarantine_t; +@@ -39,14 +39,14 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) type amavis_spool_t; @@ -2502,6 +2534,14 @@ index 91fa72a..0b1afd6 100644 ######################################## # + # Local policy + # + +-allow amavis_t self:capability { kill chown dac_override setgid setuid }; ++allow amavis_t self:capability { kill chown dac_read_search dac_override setgid setuid }; + dontaudit amavis_t self:capability sys_tty_config; + allow amavis_t self:process signal_perms; + allow amavis_t self:fifo_file rw_fifo_file_perms; @@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) @@ -3235,7 +3275,7 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..c679dd3 +index 0000000..d202f69 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,274 @@ @@ -3305,7 +3345,7 @@ index 0000000..c679dd3 +# antivirus domain local policy +# + -+allow antivirus_domain self:capability { dac_override chown kill fsetid setgid setuid sys_admin }; ++allow antivirus_domain self:capability { dac_read_search dac_override chown kill fsetid setgid setuid sys_admin }; +dontaudit antivirus_domain self:capability sys_tty_config; +allow antivirus_domain self:process signal_perms; + @@ -5530,7 +5570,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') 
diff --git a/apache.te b/apache.te -index 6649962..721a639 100644 +index 6649962..4e15480 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6168,7 +6208,7 @@ index 6649962..721a639 100644 -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability net_admin; -+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; ++allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; @@ -7668,7 +7708,8 @@ index 6649962..721a639 100644 +# httpd_rotatelogs local policy # - allow httpd_rotatelogs_t self:capability dac_override; +-allow httpd_rotatelogs_t self:capability dac_override; ++allow httpd_rotatelogs_t self:capability { dac_read_search dac_override }; manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) @@ -8041,10 +8082,10 @@ index f3c0aba..f6e25ed 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..f46078f 100644 +index 080bc4d..a78dbce 100644 --- a/apcupsd.te +++ b/apcupsd.te -@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) +@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t) type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) 
@@ -8057,6 +8098,13 @@ index 080bc4d..f46078f 100644 ######################################## # # Local policy + # + +-allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; ++allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config }; + allow apcupsd_t self:process signal; + allow apcupsd_t self:fifo_file rw_file_perms; + allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; @@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; allow apcupsd_t apcupsd_lock_t:file manage_file_perms; files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) @@ -8249,7 +8297,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..a1b6c41 100644 +index 7fd431b..f944ecc 100644 --- a/apm.te +++ b/apm.te @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) @@ -8265,7 +8313,7 @@ index 7fd431b..a1b6c41 100644 # -allow apm_t self:capability { dac_override sys_admin }; -+allow apm_t self:capability { dac_override sys_admin sys_resource }; ++allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource }; kernel_read_system_state(apm_t) @@ -8378,9 +8426,18 @@ index cde81d2..2fe0201 100644 ') diff --git a/apt.te b/apt.te -index efa8530..f928b63 100644 +index efa8530..ae5d0c9 100644 --- a/apt.te +++ b/apt.te +@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) + # Local policy + # + +-allow apt_t self:capability { chown dac_override fowner fsetid }; ++allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid }; + allow apt_t self:process { signal setpgid fork }; + allow apt_t self:fd use; + allow apt_t self:fifo_file rw_fifo_file_perms; @@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t) corecmd_exec_bin(apt_t) corecmd_exec_shell(apt_t) @@ -8577,7 +8634,7 @@ index 2077053..198a02a 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; 
diff --git a/asterisk.te b/asterisk.te -index 7e41350..e8e1672 100644 +index 7e41350..1e0f4c4 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; @@ -8589,6 +8646,15 @@ index 7e41350..e8e1672 100644 type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) +@@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk") + # Local policy + # + +-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; ++allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin }; + dontaudit asterisk_t self:capability { sys_module sys_tty_config }; + allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; + allow asterisk_t self:fifo_file rw_fifo_file_perms; @@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) @@ -8928,7 +8994,7 @@ index f24e369..4484a98 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f40..daed3ef 100644 +index 27d2f40..1297f5b 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -8946,7 +9012,7 @@ index 27d2f40..daed3ef 100644 # -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; ++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin }; +allow automount_t self:capability2 block_suspend; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; @@ -9091,10 +9157,10 @@ index 9078c3d..2f6b250 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') 
diff --git a/avahi.te b/avahi.te -index b8355b3..ad2aa45 100644 +index b8355b3..51ce1b6 100644 --- a/avahi.te +++ b/avahi.te -@@ -13,10 +13,14 @@ type avahi_initrc_exec_t; +@@ -13,17 +13,21 @@ type avahi_initrc_exec_t; init_script_file(avahi_initrc_exec_t) type avahi_var_lib_t; @@ -9110,6 +9176,14 @@ index b8355b3..ad2aa45 100644 ######################################## # + # Local policy + # + +-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; ++allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; + dontaudit avahi_t self:capability sys_tty_config; + allow avahi_t self:process { setrlimit signal_perms getcap setcap }; + allow avahi_t self:fifo_file rw_fifo_file_perms; @@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t) corecmd_exec_bin(avahi_t) corecmd_exec_shell(avahi_t) @@ -9218,9 +9292,18 @@ index c1b16c3..ffbf2cb 100644 +read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) +files_search_var_lib(awstats_script_t) diff --git a/backup.te b/backup.te -index 7811450..d8a8bd6 100644 +index 7811450..e787033 100644 --- a/backup.te +++ b/backup.te +@@ -21,7 +21,7 @@ files_type(backup_store_t) + # Local policy + # + +-allow backup_t self:capability dac_override; ++allow backup_t self:capability { dac_read_search dac_override }; + allow backup_t self:process signal; + allow backup_t self:fifo_file rw_fifo_file_perms; + allow backup_t self:tcp_socket create_socket_perms; @@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t) corecmd_exec_bin(backup_t) corecmd_exec_shell(backup_t) @@ -9814,7 +9897,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..bec431b 100644 +index 1241123..5d5bb14 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; 
@@ -9841,7 +9924,7 @@ index 1241123..bec431b 100644 # -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -+allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_read_search dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -9937,11 +10020,13 @@ index 1241123..bec431b 100644 kerberos_use(named_t) ') -@@ -215,7 +245,8 @@ optional_policy(` +@@ -214,8 +244,9 @@ optional_policy(` + # NDC local policy # - allow ndc_t self:capability { dac_override net_admin }; +-allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t self:process signal_perms; ++allow ndc_t self:capability { dac_read_search dac_override net_admin }; +allow ndc_t self:capability2 block_suspend; +allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file rw_fifo_file_perms; @@ -10023,12 +10108,15 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48..d8e7d55 100644 +index f5c1a48..102fa8e 100644 --- a/bitlbee.te +++ b/bitlbee.te -@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) +@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t) + # Local policy + # - allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; +-allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; ++allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice }; allow bitlbee_t self:process { setsched signal }; + allow bitlbee_t self:fifo_file rw_fifo_file_perms; 
@@ -10556,10 +10644,10 @@ index c723a0a..1c29d21 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e..3dc3f36 100644 +index 851769e..4b11e96 100644 --- a/bluetooth.te +++ b/bluetooth.te -@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) +@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t) type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -10569,6 +10657,13 @@ index 851769e..3dc3f36 100644 ######################################## # # Local policy + # + +-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; + dontaudit bluetooth_t self:capability sys_tty_config; + allow bluetooth_t self:process { getcap setcap getsched signal_perms }; + allow bluetooth_t self:fifo_file rw_fifo_file_perms; @@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) @@ -11897,7 +11992,7 @@ index 8de2ab9..3b41945 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') diff --git a/cachefilesd.te b/cachefilesd.te -index a3760bc..660e5d3 100644 +index a3760bc..22ed920 100644 --- a/cachefilesd.te +++ b/cachefilesd.te @@ -1,52 +1,125 @@ @@ -11960,6 +12055,7 @@ index a3760bc..660e5d3 100644 + rpm_use_script_fds(cachefilesd_t) +') +-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; +############################################################################### +# +# cachefilesd local policy 
@@ -11972,7 +12068,7 @@ index a3760bc..660e5d3 100644 +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# - allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; ++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override }; +allow cachefilesd_t self:process signal_perms; +# Allow manipulation of pid file @@ -12061,9 +12157,18 @@ index cd9c528..ba793b7 100644 ') diff --git a/calamaris.te b/calamaris.te -index 7e57460..b0cf254 100644 +index 7e57460..8d8cd78 100644 --- a/calamaris.te +++ b/calamaris.te +@@ -23,7 +23,7 @@ files_type(calamaris_www_t) + # Local policy + # + +-allow calamaris_t self:capability dac_override; ++allow calamaris_t self:capability { dac_read_search dac_override }; + allow calamaris_t self:process { signal_perms setsched }; + allow calamaris_t self:fifo_file rw_fifo_file_perms; + allow calamaris_t self:unix_stream_socket { accept listen }; @@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t) corecmd_exec_bin(calamaris_t) @@ -12247,9 +12352,18 @@ index fbc20f6..4de4a00 100644 ps_process_pattern($2, cdrecord_t) ') diff --git a/cdrecord.te b/cdrecord.te -index 16883c9..0f4ccb0 100644 +index 16883c9..97e9a42 100644 --- a/cdrecord.te +++ b/cdrecord.te +@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t; + # Local policy + # + +-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; ++allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio }; + allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; + allow cdrecord_t self:unix_stream_socket { accept listen }; + @@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) domain_interactive_fd(cdrecord_t) domain_use_interactive_fds(cdrecord_t) @@ -12925,7 +13039,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) 
diff --git a/cgroup.te b/cgroup.te -index 80a88a2..71c25c3 100644 +index 80a88a2..514eb47 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -12953,7 +13067,15 @@ index 80a88a2..71c25c3 100644 domain_setpriority_all_domains(cgclear_t) fs_manage_cgroup_dirs(cgclear_t) -@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t) + # cgconfig local policy + # + +-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; ++allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config }; + + allow cgconfig_t cgconfig_etc_t:file read_file_perms; + kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) @@ -12971,7 +13093,7 @@ index 80a88a2..71c25c3 100644 # # cgred local policy # -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace }; +allow cgred_t self:process signal_perms; -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; @@ -13161,7 +13283,7 @@ index 0000000..aa308eb +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..5955ff0 +index 0000000..435a5cd --- /dev/null +++ b/chrome.te @@ -0,0 +1,256 @@ 
@@ -13199,7 +13321,7 @@ index 0000000..5955ff0 +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability2 block_suspend; -+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; ++allow chrome_sandbox_t self:capability { chown dac_read_search dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +dontaudit chrome_sandbox_t self:capability sys_nice; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; @@ -13630,7 +13752,7 @@ index 32e8265..ac74503 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..eba4e6d 100644 +index e5b621c..c028dfd 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13649,7 +13771,7 @@ index e5b621c..eba4e6d 100644 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; -+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown }; ++allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown }; +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; @@ -14268,7 +14390,7 @@ index 4cc4a5c..a6c6322 100644 + ') diff --git a/clamav.te b/clamav.te -index ce3836a..8dc2b45 100644 +index ce3836a..10595e6 100644 --- a/clamav.te +++ b/clamav.te @@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false) 
@@ -14290,8 +14412,12 @@ index ce3836a..8dc2b45 100644 type clamd_tmp_t; files_tmp_file(clamd_tmp_t) -@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t) - allow clamd_t self:capability { kill setgid setuid dac_override }; +@@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t) + # Clamd local policy + # + +-allow clamd_t self:capability { kill setgid setuid dac_override }; ++allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override }; dontaudit clamd_t self:capability sys_tty_config; allow clamd_t self:process signal; + @@ -14334,7 +14460,7 @@ index ce3836a..8dc2b45 100644 amavis_create_pid_files(clamd_t) ') -@@ -165,6 +161,31 @@ optional_policy(` +@@ -165,12 +161,37 @@ optional_policy(` mta_send_mail(clamd_t) ') @@ -14366,6 +14492,13 @@ index ce3836a..8dc2b45 100644 ######################################## # # Freshclam local policy + # + +-allow freshclam_t self:capability { setgid setuid dac_override }; ++allow freshclam_t self:capability { setgid setuid dac_read_search dac_override }; + allow freshclam_t self:fifo_file rw_fifo_file_perms; + allow freshclam_t self:unix_stream_socket { accept listen }; + allow freshclam_t self:tcp_socket { accept listen }; @@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t) logging_send_syslog_msg(freshclam_t) @@ -14385,6 +14518,15 @@ index ce3836a..8dc2b45 100644 cron_system_entry(freshclam_t, freshclam_exec_t) ') +@@ -249,7 +273,7 @@ optional_policy(` + # Clamscam local policy + # + +-allow clamscan_t self:capability { setgid setuid dac_override }; ++allow clamscan_t self:capability { setgid setuid dac_read_search dac_override }; + allow clamscan_t self:fifo_file rw_fifo_file_perms; + allow clamscan_t self:unix_stream_socket create_stream_socket_perms; + allow clamscan_t self:unix_dgram_socket create_socket_perms; @@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) kernel_read_system_state(clamscan_t) @@ -14628,7 +14770,7 @@ index 0000000..55fe0d6 +') 
diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..27c0ed9 +index 0000000..21e6ae7 --- /dev/null +++ b/cloudform.te @@ -0,0 +1,249 @@ @@ -14698,7 +14840,7 @@ index 0000000..27c0ed9 +# cloud-init local policy +# + -+allow cloud_init_t self:capability { fowner chown fsetid dac_override }; ++allow cloud_init_t self:capability { fowner chown fsetid dac_read_search dac_override }; + +allow cloud_init_t self:udp_socket create_socket_perms; + @@ -14806,7 +14948,7 @@ index 0000000..27c0ed9 +# deltacloudd local policy +# + -+allow deltacloudd_t self:capability { dac_override setuid setgid }; ++allow deltacloudd_t self:capability { dac_read_search dac_override setuid setgid }; + +allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; +allow deltacloudd_t self:udp_socket create_socket_perms; @@ -15046,10 +15188,16 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..cf347c6 100644 +index 5f306dd..36fb0e4 100644 --- a/cobbler.te +++ b/cobbler.te -@@ -67,6 +67,7 @@ dontaudit cobblerd_t self:capability sys_tty_config; +@@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t) + # Local policy + # + +-allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; ++allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice }; + dontaudit cobblerd_t self:capability sys_tty_config; allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket { accept listen }; @@ -15371,7 +15519,7 @@ index 0000000..d5920c0 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..0167d62 +index 0000000..3b59470 --- /dev/null +++ b/cockpit.te @@ -0,0 +1,120 @@ 
@@ -15465,7 +15613,7 @@ index 0000000..0167d62 +# + +# cockpit-session changes to the actual logged in user -+allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid sys_resource}; ++allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource}; +allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit }; + +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) @@ -15698,7 +15846,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..228b603 100644 +index 6471fa8..90a9319 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) @@ -15720,7 +15868,7 @@ index 6471fa8..228b603 100644 # -allow collectd_t self:capability { ipc_lock sys_nice }; -+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid }; ++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid }; allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; @@ -16522,7 +16670,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..08c8e6a 100644 +index ce9f040..99189b5 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16548,7 +16696,7 @@ index ce9f040..08c8e6a 100644 # Global local policy # -+allow condor_domain self:capability dac_override; ++allow condor_domain self:capability { dac_read_search dac_override }; +allow condor_domain self:capability2 block_suspend; + allow condor_domain self:process signal_perms; 
@@ -16647,12 +16795,21 @@ index ce9f040..08c8e6a 100644 # Procd local policy # - allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; +-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; ++allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace }; +allow condor_procd_t self:cap_userns { sys_ptrace }; allow condor_procd_t condor_domain:process sigkill; -@@ -206,6 +228,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -199,13 +221,15 @@ domain_read_all_domains_state(condor_procd_t) + # Schedd local policy + # + +-allow condor_schedd_t self:capability { setuid chown setgid dac_override }; ++allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override }; + + allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; + allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -16661,7 +16818,7 @@ index ce9f040..08c8e6a 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +238,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,12 +238,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -16675,6 +16832,13 @@ index ce9f040..08c8e6a 100644 ##################################### # # Startd local policy + # + +-allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; ++allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override }; + allow condor_startd_t self:process execmem; + + manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) 
@@ -238,11 +269,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) @@ -17098,7 +17262,7 @@ index 5b830ec..78025c5 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index bd18063..47c8fd0 100644 +index bd18063..94407f8 100644 --- a/consolekit.te +++ b/consolekit.te @@ -19,21 +19,23 @@ type consolekit_var_run_t; @@ -17113,7 +17277,8 @@ index bd18063..47c8fd0 100644 # Local policy # - allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; ++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace }; + allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; @@ -17333,10 +17498,10 @@ index 694a037..d859681 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index d5aa1e4..837e0a8 100644 +index d5aa1e4..9a25701 100644 --- a/corosync.te +++ b/corosync.te -@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) +@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t) type corosync_var_run_t; files_pid_file(corosync_var_run_t) @@ -17346,6 +17511,13 @@ index d5aa1e4..837e0a8 100644 ######################################## # # Local policy + # + +-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; ++allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; + # for hearbeat + allow corosync_t self:capability { net_raw chown }; + allow corosync_t self:process { setpgid setrlimit setsched signal signull }; @@ -93,7 +96,6 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) 
@@ -17937,7 +18109,7 @@ index 10f820f..acdb179 100644 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/courier.te b/courier.te -index ae3bc70..9090d75 100644 +index ae3bc70..d64452f 100644 --- a/courier.te +++ b/courier.te @@ -18,7 +18,7 @@ type courier_etc_t; @@ -17949,6 +18121,15 @@ index ae3bc70..9090d75 100644 type courier_var_lib_t; files_type(courier_var_lib_t) +@@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t) + # Common local policy + # + +-allow courier_domain self:capability dac_override; ++allow courier_domain self:capability { dac_read_search dac_override }; + dontaudit courier_domain self:capability sys_tty_config; + allow courier_domain self:process { setpgid signal_perms }; + allow courier_domain self:fifo_file rw_fifo_file_perms; @@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) files_pid_filetrans(courier_domain, courier_var_run_t, dir) @@ -19330,7 +19511,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..65e947c 100644 +index 7de3859..fd5dafc 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -20242,7 +20423,7 @@ index 7de3859..65e947c 100644 +# + +# dac_override is to create the file in the directory under /tmp -+allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; ++allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search dac_override }; +allow crontab_domain self:process { getcap setsched signal_perms }; +allow crontab_domain self:fifo_file rw_fifo_file_perms; + @@ -21050,7 +21231,7 @@ index 3023be7..5afde80 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..6f66ea4 100644 +index c91813c..1585454 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) 
@@ -21190,7 +21371,7 @@ index c91813c..6f66ea4 100644 # -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; @@ -21444,7 +21625,7 @@ index c91813c..6f66ea4 100644 # -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; -+allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; -allow cupsd_config_t self:process { getsched signal_perms }; -allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -21580,11 +21761,13 @@ index c91813c..6f66ea4 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +602,6 @@ optional_policy(` +@@ -549,8 +601,7 @@ optional_policy(` + # Pdf local policy # - allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_fifo_file_perms; ++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override }; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) @@ -21880,7 +22063,7 @@ index 64775fd..91a6056 100644 + admin_pattern($1, cvs_home_t) ') 
diff --git a/cvs.te b/cvs.te -index 0f77550..cd608bc 100644 +index 0f77550..36e4a38 100644 --- a/cvs.te +++ b/cvs.te @@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2) @@ -21933,7 +22116,7 @@ index 0f77550..cd608bc 100644 dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -86,18 +101,16 @@ auth_use_nsswitch(cvs_t) +@@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -21951,10 +22134,12 @@ index 0f77550..cd608bc 100644 # cjp: typeattribute doesnt work in conditionals yet auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` +- allow cvs_t self:capability dac_override; +tunable_policy(`cvs_read_shadow',` - allow cvs_t self:capability dac_override; ++ allow cvs_t self:capability { dac_read_search dac_override }; auth_tunable_read_shadow(cvs_t) ') + @@ -116,8 +129,10 @@ optional_policy(` optional_policy(` @@ -22041,7 +22226,7 @@ index 83bfda6..92d9fb2 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 4283f2d..30b684c 100644 +index 4283f2d..41de1bd 100644 --- a/cyrus.te +++ b/cyrus.te @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) @@ -22049,7 +22234,7 @@ index 4283f2d..30b684c 100644 # -allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; -+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; ++allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource }; dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; @@ -23218,7 +23403,7 @@ index 62d22cb..1287d08 100644 + ') diff --git a/dbus.te b/dbus.te -index c9998c8..8b447a3 100644 +index c9998c8..d91f2c0 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` 
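Review bot: The capability grant inside `tunable_policy(`cvs_read_shadow',` now reads `allow cvs_t self:capability { dac_read_search dac_override };`, but the only thing this boolean enables is reading the shadow file (`auth_tunable_read_shadow(cvs_t)`), and a read of a root-owned, otherwise inaccessible file is exactly what dac_read_search covers on its own. Keeping dac_override here lets cvs_t bypass DAC write checks everywhere whenever the boolean is on, which the tunable's name does not suggest; unless an older kernel without the reordered check still has to be supported, `allow cvs_t self:capability dac_read_search;` is the tighter grant. The tunable_policy block is visible in full in this hunk, so the change is local to it.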
@@ -23273,10 +23458,11 @@ index c9998c8..8b447a3 100644 +# System bus local policy # +-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; +# dac_override: /var/run/dbus is owned by messagebus on Debian +# cjp: dac_override should probably go in a distro_debian +allow system_dbusd_t self:capability2 block_suspend; - allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; ++allow system_dbusd_t self:capability { sys_resource dac_read_search dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; allow system_dbusd_t self:fifo_file rw_fifo_file_perms; @@ -24413,7 +24599,7 @@ index 8ce99ff..1bc5d3a 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..86a7ed2 100644 +index 77a5003..cb628f9 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) @@ -24466,7 +24652,7 @@ index 77a5003..86a7ed2 100644 # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; + allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; 
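Review bot: `dac_read_search` is listed twice in the devicekit_disk_t line, `++allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };`. A repeated name in a permission set is most likely tolerated by the policy compiler, since the set is a bitmap, but it is the only doubled token visible here and suggests the edit was applied to this file twice; it should read `allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };`. A grep for the same doubled token across the rest of the patch before the build would be cheap insurance.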
@@ -24569,7 +24755,7 @@ index 77a5003..86a7ed2 100644 # -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; ++allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice }; +#allow devicekit_power_t self:capability2 compromise_kernel; allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; @@ -24751,7 +24937,7 @@ index c697edb..954c090 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..02c58ea 100644 +index 98a24b9..d6cb9e7 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -24769,7 +24955,7 @@ index 98a24b9..02c58ea 100644 # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; -+allow dhcpd_t self:capability { chown dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; ++allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; @@ -24821,7 +25007,7 @@ index 98a24b9..02c58ea 100644 +') + +ifdef(`distro_gentoo',` -+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; ++ allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot }; +') + +optional_policy(` @@ -25522,7 +25708,7 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..fa74f85 +index 0000000..383bb96 --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,204 @@ 
@@ -25579,7 +25765,7 @@ index 0000000..fa74f85 +# dirsrv local policy +# +allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; -+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; ++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner }; +allow dirsrv_t self:fifo_file manage_fifo_file_perms; +allow dirsrv_t self:sem create_sem_perms; +allow dirsrv_t self:tcp_socket create_stream_socket_perms; @@ -26173,10 +26359,10 @@ index 19aa0b8..a79982c 100644 + + diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b..9af09cc 100644 +index 37a3b7b..78c681c 100644 --- a/dnsmasq.te +++ b/dnsmasq.te -@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) +@@ -24,12 +24,15 @@ logging_log_file(dnsmasq_var_log_t) type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -26186,6 +26372,13 @@ index 37a3b7b..9af09cc 100644 ######################################## # # Local policy + # + +-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw }; ++allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw }; + dontaudit dnsmasq_t self:capability sys_tty_config; + allow dnsmasq_t self:process { getcap setcap signal_perms }; + allow dnsmasq_t self:fifo_file rw_fifo_file_perms; @@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; @@ -26812,7 +27005,7 @@ index d5badb7..c2431fc 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..3d8233b 100644 +index 0aabc7e..994752c 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) 
@@ -27076,7 +27269,8 @@ index 0aabc7e..3d8233b 100644 +# dovecot auth local policy # - allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; +-allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; ++allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice }; allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; -allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -27253,6 +27447,19 @@ index 0aabc7e..3d8233b 100644 + # Handle sieve scripts sendmail_domtrans(dovecot_deliver_t) ') +diff --git a/dpkg.te b/dpkg.te +index 50af48c..5ab4901 100644 +--- a/dpkg.te ++++ b/dpkg.te +@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) + # Local policy + # + +-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; ++allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; + allow dpkg_t self:process { setpgid fork getsched setfscreate }; + allow dpkg_t self:fd use; + allow dpkg_t self:fifo_file rw_fifo_file_perms; diff --git a/drbd.fc b/drbd.fc index 671a3fb..47b4958 100644 --- a/drbd.fc @@ -27874,7 +28081,7 @@ index ef62363..0841716 100644 + procmail_domtrans(dspam_t) +') diff --git a/entropyd.te b/entropyd.te -index b8b8328..111084c 100644 +index b8b8328..e3dc7c7 100644 --- a/entropyd.te +++ b/entropyd.te @@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0) 
@@ -27886,6 +28093,15 @@ index b8b8328..111084c 100644 type entropyd_t; type entropyd_exec_t; +@@ -29,7 +29,7 @@ files_pid_file(entropyd_var_run_t) + # Local policy + # + +-allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; ++allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin }; + dontaudit entropyd_t self:capability sys_tty_config; + allow entropyd_t self:process signal_perms; + @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -28850,7 +29066,7 @@ index cf0e567..7bebd26 100644 + apache_read_log(fail2ban_client_t) +') diff --git a/fcoe.te b/fcoe.te -index ce358fb..8cc3ca2 100644 +index ce358fb..cdc11a7 100644 --- a/fcoe.te +++ b/fcoe.te @@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t) @@ -28858,7 +29074,7 @@ index ce358fb..8cc3ca2 100644 # -allow fcoemon_t self:capability { dac_override kill net_admin }; -+allow fcoemon_t self:capability { net_admin net_raw dac_override }; ++allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override }; allow fcoemon_t self:fifo_file rw_fifo_file_perms; allow fcoemon_t self:unix_stream_socket { accept listen }; allow fcoemon_t self:netlink_socket create_socket_perms; @@ -29208,10 +29424,10 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..e6904e2 100644 +index 98072a3..42ee4d3 100644 --- a/firewalld.te +++ b/firewalld.te -@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) +@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t) type firewalld_tmp_t; files_tmp_file(firewalld_tmp_t) 
@@ -29227,6 +29443,13 @@ index 98072a3..e6904e2 100644 ######################################## # # Local policy + # + +-allow firewalld_t self:capability { dac_override net_admin }; ++allow firewalld_t self:capability { dac_read_search dac_override net_admin }; + dontaudit firewalld_t self:capability sys_tty_config; + allow firewalld_t self:fifo_file rw_fifo_file_perms; + allow firewalld_t self:unix_stream_socket { accept listen }; @@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms; manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) @@ -29492,7 +29715,7 @@ index 280f875..f3a67c9 100644 ## ## diff --git a/firstboot.te b/firstboot.te -index 5010f04..3b73741 100644 +index 5010f04..0341ae1 100644 --- a/firstboot.te +++ b/firstboot.te @@ -1,7 +1,7 @@ @@ -29523,8 +29746,12 @@ index 5010f04..3b73741 100644 type firstboot_etc_t; files_config_file(firstboot_etc_t) -@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t) - allow firstboot_t self:capability { dac_override setgid }; +@@ -29,31 +24,28 @@ files_config_file(firstboot_etc_t) + # Local policy + # + +-allow firstboot_t self:capability { dac_override setgid }; ++allow firstboot_t self:capability { dac_read_search dac_override setgid }; allow firstboot_t self:process setfscreate; allow firstboot_t self:fifo_file rw_fifo_file_perms; -allow firstboot_t self:tcp_socket { accept listen }; @@ -31302,7 +31529,7 @@ index 0000000..d745c67 +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..0685927 +index 0000000..33dbdf7 --- /dev/null +++ b/gear.te @@ -0,0 +1,136 @@ @@ -31333,7 +31560,7 @@ index 0000000..0685927 +# +# gear local policy +# -+allow gear_t self:capability { chown net_admin fowner dac_override }; ++allow gear_t self:capability { chown net_admin fowner dac_read_search dac_override }; +dontaudit gear_t self:capability sys_ptrace; +allow gear_t self:capability2 block_suspend; +allow gear_t self:process { getattr signal_perms }; 
@@ -35249,7 +35476,7 @@ index ab09d61..72d67c2 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..3508b98 100644 +index 63893eb..5664744 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -35383,7 +35610,7 @@ index 63893eb..3508b98 100644 -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) -+allow gconfdefaultsm_t self:capability { dac_override sys_nice }; ++allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; @@ -35641,7 +35868,7 @@ index 3f55702..25c7ab8 100644 ## ## diff --git a/gnomeclock.te b/gnomeclock.te -index 7cd7435..79bff0d 100644 +index 7cd7435..8f26e98 100644 --- a/gnomeclock.te +++ b/gnomeclock.te @@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0) @@ -35666,7 +35893,7 @@ index 7cd7435..79bff0d 100644 # -allow gnomeclock_t self:capability { sys_nice sys_time }; -+allow gnomeclock_t self:capability { sys_nice sys_time dac_override }; ++allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override }; allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -allow gnomeclock_t self:unix_stream_socket { accept listen }; @@ -36549,7 +36776,7 @@ index 0e97e82..2569781 100644 + miscfiles_manage_public_files(gpg_web_t) ') diff --git a/gpm.te b/gpm.te -index 69734fd..d99009a 100644 +index 69734fd..a659808 100644 --- a/gpm.te +++ b/gpm.te @@ -13,7 +13,7 @@ type gpm_initrc_exec_t; 
@@ -36561,6 +36788,15 @@ index 69734fd..d99009a 100644 type gpm_tmp_t; files_tmp_file(gpm_tmp_t) +@@ -29,7 +29,7 @@ files_type(gpmctl_t) + # Local policy + # + +-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; ++allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config }; + allow gpm_t self:process { signal signull getcap setcap }; + allow gpm_t self:unix_stream_socket { accept listen }; + @@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t) dev_rw_input_dev(gpm_t) dev_rw_mouse(gpm_t) @@ -36855,7 +37091,7 @@ index 0000000..8a2013a +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..27abcbb +index 0000000..79e22c5 --- /dev/null +++ b/gssproxy.te @@ -0,0 +1,74 @@ @@ -36883,7 +37119,7 @@ index 0000000..27abcbb +# +# gssproxy local policy +# -+allow gssproxy_t self:capability { setuid setgid dac_override }; ++allow gssproxy_t self:capability { setuid setgid dac_read_search dac_override }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -36981,7 +37217,7 @@ index e151378..04d173d 100644 fs_getattr_xattr_fs(zookeeper_server_t) diff --git a/hal.te b/hal.te -index bbccc79..435ac42 100644 +index bbccc79..b027202 100644 --- a/hal.te +++ b/hal.te @@ -61,7 +61,6 @@ files_type(hald_var_lib_t) @@ -37001,6 +37237,15 @@ index bbccc79..435ac42 100644 kernel_request_load_module(hald_t) corecmd_exec_all_executables(hald_t) +@@ -339,7 +338,7 @@ optional_policy(` + # ACL local policy + # + +-allow hald_acl_t self:capability { dac_override fowner sys_resource }; ++allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource }; + allow hald_acl_t self:process { getattr signal }; + allow hald_acl_t self:fifo_file rw_fifo_file_perms; + @@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) dev_rw_input_dev(hald_keymap_t) 
@@ -38189,9 +38434,18 @@ index 580b533..c267cea 100644 domain_system_change_exemption($1) role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te -index a9e573a..6420131 100644 +index a9e573a..9a9245f 100644 --- a/icecast.te +++ b/icecast.te +@@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t) + # Local policy + # + +-allow icecast_t self:capability { dac_override setgid setuid sys_nice }; ++allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice }; + allow icecast_t self:process { getsched setsched signal }; + allow icecast_t self:fifo_file rw_fifo_file_perms; + allow icecast_t self:unix_stream_socket create_stream_socket_perms; @@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t) dev_read_urand(icecast_t) dev_read_rand(icecast_t) @@ -38564,7 +38818,7 @@ index eb87f23..d3d32c3 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index d39f0cc..d141652 100644 +index d39f0cc..2422996 100644 --- a/inn.te +++ b/inn.te @@ -15,6 +15,9 @@ files_config_file(innd_etc_t) @@ -38577,7 +38831,7 @@ index d39f0cc..d141652 100644 type innd_log_t; logging_log_file(innd_log_t) -@@ -26,6 +29,7 @@ files_pid_file(innd_var_run_t) +@@ -26,13 +29,14 @@ files_pid_file(innd_var_run_t) type news_spool_t; files_mountpoint(news_spool_t) @@ -38585,6 +38839,14 @@ index d39f0cc..d141652 100644 ######################################## # + # Local policy + # + +-allow innd_t self:capability { dac_override kill setgid setuid }; ++allow innd_t self:capability { dac_read_search dac_override kill setgid setuid }; + dontaudit innd_t self:capability sys_tty_config; + allow innd_t self:process { setsched signal_perms }; + allow innd_t self:fifo_file rw_fifo_file_perms; @@ -43,10 +47,9 @@ allow innd_t self:tcp_socket { accept listen }; read_files_pattern(innd_t, innd_etc_t, innd_etc_t) read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) @@ -39143,7 +39405,7 @@ index 0000000..a25fe88 + 
diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..55e151e +index 0000000..ffb6e4f --- /dev/null +++ b/ipa.te @@ -0,0 +1,264 @@ @@ -39234,7 +39496,7 @@ index 0000000..55e151e +# + + -+allow ipa_helper_t self:capability { net_admin dac_override chown }; ++allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown }; + +#kernel bug +dontaudit ipa_helper_t self:capability2 block_suspend; @@ -40088,7 +40350,7 @@ index 1a35420..8101022 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020fa..d546e07 100644 +index ca020fa..9c628b2 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -40115,7 +40377,7 @@ index ca020fa..d546e07 100644 -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; -+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; ++allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; @@ -42009,7 +42271,7 @@ index 3a00b3a..92f125f 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc21..14a5a0f 100644 +index 715fc21..667947d 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -42044,7 +42306,7 @@ index 715fc21..14a5a0f 100644 # -allow kdump_t self:capability { sys_boot dac_override }; -+allow kdump_t self:capability { sys_admin sys_boot dac_override }; ++allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override }; +#allow kdump_t self:capability2 compromise_kernel; + +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) 
@@ -42085,11 +42347,12 @@ index 715fc21..14a5a0f 100644 +# kdumpctl local policy # +-allow kdumpctl_t self:capability { dac_override sys_chroot }; +#cjp:almost all rules are needed by dracut + +kdump_domtrans(kdumpctl_t) + - allow kdumpctl_t self:capability { dac_override sys_chroot }; ++allow kdumpctl_t self:capability { dac_read_search dac_override sys_chroot }; allow kdumpctl_t self:process setfscreate; + allow kdumpctl_t self:fifo_file rw_fifo_file_perms; @@ -43367,7 +43630,7 @@ index f6c00d8..214369f 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..3fde8ee 100644 +index 8833d59..655bdf4 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -43424,9 +43687,10 @@ index 8833d59..3fde8ee 100644 # kadmind local policy # -+# Use capabilities. Surplus capabilities may be allowed. - allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; +-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -dontaudit kadmind_t self:capability sys_tty_config; ++# Use capabilities. Surplus capabilities may be allowed. ++allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search dac_override sys_nice }; allow kadmind_t self:capability2 block_suspend; +dontaudit kadmind_t self:capability sys_tty_config; allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; 
@@ -43548,9 +43812,10 @@ index 8833d59..3fde8ee 100644 # Krb5kdc local policy # -+# Use capabilities. Surplus capabilities may be allowed. - allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; +-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -dontaudit krb5kdc_t self:capability sys_tty_config; ++# Use capabilities. Surplus capabilities may be allowed. ++allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search dac_override sys_nice }; allow krb5kdc_t self:capability2 block_suspend; +dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; @@ -44216,9 +44481,18 @@ index aa2a337..7ff229f 100644 files_search_var_lib($1) admin_pattern($1, kismet_var_lib_t) diff --git a/kismet.te b/kismet.te -index 8ad0d4d..4e66536 100644 +index 8ad0d4d..01e5037 100644 --- a/kismet.te +++ b/kismet.te +@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t) + # Local policy + # + +-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; ++allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid }; + allow kismet_t self:process signal_perms; + allow kismet_t self:fifo_file rw_fifo_file_perms; + allow kismet_t self:packet_socket create_socket_perms; @@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t) corecmd_exec_bin(kismet_t) @@ -44865,9 +45139,18 @@ index 5297064..6ba8108 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 1664036..51dd14f 100644 +index 1664036..ee7a9a1 100644 --- a/kudzu.te 
+++ b/kudzu.te +@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t) + # Local policy + # + +-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; ++allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; + dontaudit kudzu_t self:capability sys_tty_config; + allow kudzu_t self:process { signal_perms execmem }; + allow kudzu_t self:fifo_file rw_fifo_file_perms; @@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t) kernel_read_kernel_sysctls(kudzu_t) kernel_read_network_state(kudzu_t) @@ -45810,7 +46093,7 @@ index bd20e8c..3393a01 100644 - admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) -') diff --git a/likewise.te b/likewise.te -index d8c2442..ef30d42 100644 +index d8c2442..f5dff31 100644 --- a/likewise.te +++ b/likewise.te @@ -26,7 +26,7 @@ type likewise_var_lib_t; @@ -45843,6 +46126,15 @@ index d8c2442..ef30d42 100644 ################################# # # dcerpcd local policy +@@ -102,7 +95,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t) + # lsassd local policy + # + +-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; ++allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time }; + allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; + @@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t) corecmd_exec_shell(lsassd_t) 
@@ -45851,6 +46143,24 @@ index d8c2442..ef30d42 100644 corenet_tcp_sendrecv_generic_if(lsassd_t) corenet_tcp_sendrecv_generic_node(lsassd_t) +@@ -165,7 +157,7 @@ optional_policy(` + # lwiod local policy + # + +-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; ++allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource }; + allow lwiod_t self:process setrlimit; + allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; + +@@ -221,7 +213,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ + # netlogond local policy + # + +-allow netlogond_t self:capability dac_override; ++allow netlogond_t self:capability { dac_read_search dac_override }; + + manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) + @@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) @@ -46207,7 +46517,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..df73ba0 100644 +index 483c87b..eecd4c1 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -46224,7 +46534,7 @@ index 483c87b..df73ba0 100644 # -allow lircd_t self:capability { chown kill sys_admin }; -+allow lircd_t self:capability { setuid setgid dac_override chown kill sys_admin }; ++allow lircd_t self:capability { setuid setgid dac_read_search dac_override chown kill sys_admin }; allow lircd_t self:process signal; allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket { accept listen }; @@ -46417,7 +46727,7 @@ index d18c960..b7bd752 100644 + allow $1 lldpad_tmpfs_t:file relabelto; +') diff --git a/lldpad.te b/lldpad.te -index 2a491d9..42e5578 100644 +index 2a491d9..3399d59 100644 --- a/lldpad.te +++ b/lldpad.te 
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) @@ -46429,7 +46739,7 @@ index 2a491d9..42e5578 100644 allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,12 +51,16 @@ kernel_request_load_module(lldpad_t) +@@ -51,12 +51,20 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) @@ -46448,6 +46758,10 @@ index 2a491d9..42e5578 100644 +optional_policy(` + networkmanager_dgram_send(lldpad_t) +') ++ ++optional_policy(` ++ virt_dgram_send(lldpad_t) ++') diff --git a/loadkeys.te b/loadkeys.te index d2f4643..c8e6b37 100644 --- a/loadkeys.te @@ -47220,7 +47534,7 @@ index 6256371..ce2acb8 100644 can_exec($1, lpr_exec_t) ') diff --git a/lpd.te b/lpd.te -index 39d3164..4b1b70c 100644 +index 39d3164..1ec2cd2 100644 --- a/lpd.te +++ b/lpd.te @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -47232,6 +47546,15 @@ index 39d3164..4b1b70c 100644 ubac_constrained(print_spool_t) type printer_t; +@@ -62,7 +62,7 @@ files_config_file(printconf_t) + # Checkpc local policy + # + +-allow checkpc_t self:capability { setgid setuid dac_override }; ++allow checkpc_t self:capability { setgid setuid dac_read_search dac_override }; + allow checkpc_t self:process signal_perms; + allow checkpc_t self:unix_stream_socket create_socket_perms; + allow checkpc_t self:tcp_socket create_socket_perms; @@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms; kernel_read_system_state(checkpc_t) @@ -47288,6 +47611,15 @@ index 39d3164..4b1b70c 100644 sysnet_read_config(lpd_t) +@@ -214,7 +208,7 @@ optional_policy(` + # Lpr local policy + # + +-allow lpr_t self:capability { setuid dac_override net_bind_service chown }; ++allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown }; + allow lpr_t self:unix_stream_socket { accept listen }; + + allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; 
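Review bot: The new `optional_policy(` block granting `virt_dgram_send(lldpad_t)` in the `@@ -46448,6 +46758,10 @@` hunk is unrelated to the dac_read_search rewrite that every other hunk in this chunk performs. Bundling a fresh cross-domain socket grant into a mechanical capability update makes it easy to miss in review and impossible to revert on its own. It belongs in a separate change with its own justification (which lldpad path needs to send to virt domains), or at minimum a comment on the line stating the observed denial it resolves.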
@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t) kernel_read_crypto_sysctls(lpr_t) kernel_read_kernel_sysctls(lpr_t) @@ -48141,7 +48473,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index ac81c7f..f24f0ef 100644 +index ac81c7f..a9faca9 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0) @@ -48201,7 +48533,7 @@ index ac81c7f..f24f0ef 100644 -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; -+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config }; ++allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config }; +allow mailman_mail_t self:process { setsched signal signull }; +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; @@ -48325,10 +48657,16 @@ index 214cb44..bd1d48e 100644 + files_list_pids($1) ') diff --git a/mailscanner.te b/mailscanner.te -index 6b6e2e1..9889cef 100644 +index 6b6e2e1..3fb3393 100644 --- a/mailscanner.te +++ b/mailscanner.te -@@ -34,6 +34,7 @@ allow mscan_t self:process signal; +@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t) + # Local policy + # + +-allow mscan_t self:capability { setuid chown setgid dac_override }; ++allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override }; + allow mscan_t self:process signal; allow mscan_t self:fifo_file rw_fifo_file_perms; read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) @@ -49551,7 +49889,7 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 4dc99f4..c11bec2 100644 +index 4dc99f4..48e3f38 100644 --- a/milter.te +++ b/milter.te @@ -5,73 +5,117 @@ policy_module(milter, 1.5.0) 
@@ -49653,10 +49991,11 @@ index 4dc99f4..c11bec2 100644 +# http://hcpnet.free.fr/milter-greylist/ # +-allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; +# It removes any existing socket (not owned by root) whilst running as root, +# fixes permissions, renices itself and then calls setgid() and setuid() to +# drop privileges - allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; ++allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; +allow greylist_milter_t self:tcp_socket create_stream_socket_perms; @@ -49709,9 +50048,10 @@ index 4dc99f4..c11bec2 100644 +# http://www.benzedrine.cx/milter-regex.html # +-allow regex_milter_t self:capability { setuid setgid dac_override }; +# It removes any existing socket (not owned by root) whilst running as root +# and then calls setgid() and setuid() to drop privileges - allow regex_milter_t self:capability { setuid setgid dac_override }; ++allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override }; +# The milter's socket directory lives under /var/spool files_search_spool(regex_milter_t) @@ -50559,7 +50899,7 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..c3fda0f +index 0000000..f647022 --- /dev/null +++ b/mock.te @@ -0,0 +1,288 @@ 
@@ -50609,7 +50949,7 @@ index 0000000..c3fda0f +# mock local policy +# + -+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:capability2 block_suspend; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment @@ -50767,7 +51107,7 @@ index 0000000..c3fda0f +# +# mock_build local policy +# -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace }; ++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search dac_override sys_nice mknod fsetid setgid fowner sys_ptrace }; +dontaudit mock_build_t self:capability audit_write; +allow mock_build_t self:process { fork setsched setpgid signal_perms }; +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; @@ -53750,10 +54090,10 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index fe72523..953e3bf 100644 +index fe72523..062ad64 100644 --- a/mpd.te +++ b/mpd.te -@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t) +@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable 
@@ -53766,7 +54106,13 @@ index fe72523..953e3bf 100644 ######################################## # # Local policy -@@ -74,6 +80,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; + # + +-allow mpd_t self:capability { dac_override kill setgid setuid }; ++allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid }; + allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; + allow mpd_t self:fifo_file rw_fifo_file_perms; + allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -55279,7 +55625,7 @@ index ed81cac..ad452db 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..86d8c9b 100644 +index ff1d68c..94b1dfc 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -55391,12 +55737,13 @@ index ff1d68c..86d8c9b 100644 # System local policy # -+# newalias required this, not sure if it is needed in 'if' file - allow system_mail_t self:capability { dac_override fowner }; +-allow system_mail_t self:capability { dac_override fowner }; - -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) ++# newalias required this, not sure if it is needed in 'if' file ++allow system_mail_t self:capability { dac_read_search dac_override fowner }; +dontaudit system_mail_t self:capability net_admin; allow system_mail_t mail_home_t:file manage_file_perms; @@ -55730,7 +56077,8 @@ index ff1d68c..86d8c9b 100644 +') optional_policy(` - allow user_mail_t self:capability dac_override; +- allow user_mail_t self:capability dac_override; ++ allow user_mail_t self:capability {dac_read_search dac_override }; + # Read user temporary files. + # postfix seems to need write access if the file handle is opened read/write 
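Review bot: The user_mail_t rule added in the `@@ -55730,7 +56077,8 @@` hunk is written `{dac_read_search dac_override }` with no space after the opening brace, while every other rewritten rule in this chunk uses `{ dac_read_search dac_override }`. checkpolicy tokenises either form, so this is style only, but the line should be `+	allow user_mail_t self:capability { dac_read_search dac_override };` to match the rest of the policy. The enclosing optional_policy block starts and ends outside the hunk.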
@@ -56084,7 +56432,7 @@ index b744fe3..cb0e2af 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b708708..f4c0e61 100644 +index b708708..1ea095c 100644 --- a/munin.te +++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) @@ -56136,6 +56484,15 @@ index b708708..f4c0e61 100644 optional_policy(` nscd_use(munin_plugin_domain) +@@ -89,7 +88,7 @@ optional_policy(` + # Local policy + # + +-allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; ++allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio }; + dontaudit munin_t self:capability sys_tty_config; + allow munin_t self:process { getsched setsched signal_perms }; + allow munin_t self:unix_stream_socket { accept connectto listen }; @@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) @@ -56221,7 +56578,7 @@ index b708708..f4c0e61 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -272,6 +264,10 @@ optional_policy(` +@@ -272,34 +264,50 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') @@ -56232,14 +56589,15 @@ index b708708..f4c0e61 100644 #################################### # # Mail local policy -@@ -279,27 +275,39 @@ optional_policy(` - - allow mail_munin_plugin_t self:capability dac_override; + # +-allow mail_munin_plugin_t self:capability dac_override; ++allow mail_munin_plugin_t self:capability { dac_read_search dac_override }; ++ +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mail_munin_plugin_t self:udp_socket create_socket_perms; -+ + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +kernel_read_net_sysctls(mail_munin_plugin_t) 
@@ -56972,7 +57330,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..1443a3a 100644 +index 7584bbe..8174c48 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -57028,7 +57386,7 @@ index 7584bbe..1443a3a 100644 # -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; -+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; ++allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; @@ -57165,7 +57523,7 @@ index 7584bbe..1443a3a 100644 # -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource }; ++allow mysqld_safe_t self:capability { chown dac_read_search dac_override fowner kill sys_nice sys_resource }; +dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -57231,7 +57589,7 @@ index 7584bbe..1443a3a 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +239,7 @@ optional_policy(` +@@ -209,20 +239,21 @@ optional_policy(` ######################################## # 
@@ -57239,8 +57597,10 @@ index 7584bbe..1443a3a 100644 +# MySQL Manager Policy # - allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +248,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +-allow mysqlmanagerd_t self:capability { dac_override kill }; ++allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill }; + allow mysqlmanagerd_t self:process signal; + allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -58422,7 +58782,7 @@ index 0641e97..f3b1111 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..69e6bf8 100644 +index 7b3e682..e3a1bc5 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) @@ -58478,7 +58838,7 @@ index 7b3e682..69e6bf8 100644 type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -63,19 +86,21 @@ files_pid_file(nrpe_var_run_t) +@@ -63,30 +86,33 @@ files_pid_file(nrpe_var_run_t) allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; @@ -58507,7 +58867,12 @@ index 7b3e682..69e6bf8 100644 ######################################## # -@@ -87,6 +112,7 @@ dontaudit nagios_t self:capability sys_tty_config; + # Nagios local policy + # + +-allow nagios_t self:capability { dac_override setgid setuid }; ++allow nagios_t self:capability { dac_read_search dac_override setgid setuid }; + dontaudit nagios_t self:capability sys_tty_config; allow nagios_t self:process { setpgid signal_perms }; allow nagios_t self:fifo_file rw_fifo_file_perms; allow nagios_t self:tcp_socket { accept listen }; 
@@ -58739,11 +59104,13 @@ index 7b3e682..69e6bf8 100644 optional_policy(` inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') -@@ -310,15 +396,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -309,16 +395,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) + # Mail local policy # - allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; -allow nagios_mail_plugin_t self:tcp_socket { accept listen }; ++allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override }; +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_mail_plugin_t self:udp_socket create_socket_perms; @@ -58799,7 +59166,12 @@ index 7b3e682..69e6bf8 100644 ') optional_policy(` -@@ -406,28 +504,36 @@ allow nagios_system_plugin_t self:capability dac_override; +@@ -402,32 +500,40 @@ optional_policy(` + # System local policy + # + +-allow nagios_system_plugin_t self:capability dac_override; ++allow nagios_system_plugin_t self:capability { dac_read_search dac_override }; dontaudit nagios_system_plugin_t self:capability { setuid setgid }; read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) @@ -58944,7 +59316,7 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..e289f2d +index 0000000..814e62e --- /dev/null +++ b/namespace.te @@ -0,0 +1,41 @@ @@ -58965,7 +59337,7 @@ index 0000000..e289f2d +# namespace_init local policy +# + -+allow namespace_init_t self:capability dac_override; ++allow namespace_init_t self:capability { dac_read_search dac_override}; + +allow namespace_init_t self:fifo_file manage_fifo_file_perms; +allow namespace_init_t self:unix_stream_socket create_stream_socket_perms; 
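Review bot: In the namespace.te hunk `@@ -58965,7 +59337,7 @@` the rewritten rule `allow namespace_init_t self:capability { dac_read_search dac_override};` is missing the space before the closing brace, unlike every other permission set this patch writes as `{ a b }`. checkpolicy should still tokenise it, but the inconsistent form is easy to miss in a later grep or diff of the policy; please make it `allow namespace_init_t self:capability { dac_read_search dac_override };`. The rest of the namespace_init_t local policy is outside this hunk, so whether the domain actually needs the write/exec half of dac_override or only read/search cannot be judged from here.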
@@ -59709,7 +60081,7 @@ index 86dc29d..c7d9376 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..b073836 100644 +index 55f2009..4419e35 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -59743,7 +60115,7 @@ index 55f2009..b073836 100644 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) -+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; +dontaudit NetworkManager_t self:capability sys_tty_config; + +ifdef(`hide_broken_symptoms',` @@ -60136,7 +60508,7 @@ index 55f2009..b073836 100644 ') optional_policy(` -@@ -338,6 +431,13 @@ optional_policy(` +@@ -338,12 +431,19 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -60150,6 +60522,13 @@ index 55f2009..b073836 100644 ######################################## # # wpa_cli local policy + # + +-allow wpa_cli_t self:capability dac_override; ++allow wpa_cli_t self:capability { dac_read_search dac_override }; + allow wpa_cli_t self:unix_dgram_socket create_socket_perms; + + allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; @@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -60603,7 +60982,7 @@ index 46e55c3..afe399a 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') 
diff --git a/nis.te b/nis.te -index 3a6b035..ff6d218 100644 +index 3a6b035..5145db5 100644 --- a/nis.te +++ b/nis.te @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) @@ -60717,7 +61096,12 @@ index 3a6b035..ff6d218 100644 init_dbus_chat_script(ypbind_t) optional_policy(` -@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override; +@@ -145,11 +144,12 @@ optional_policy(` + # yppasswdd local policy + # + +-allow yppasswdd_t self:capability dac_override; ++allow yppasswdd_t self:capability { dac_read_search dac_override }; dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { getsched setfscreate signal_perms }; @@ -60994,7 +61378,7 @@ index 0000000..e328327 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..a10559b +index 0000000..2259a51 --- /dev/null +++ b/nova.te @@ -0,0 +1,203 @@ @@ -61065,7 +61449,7 @@ index 0000000..a10559b +# nova general domain local policy +# + -+allow nova_domain self:capability { dac_override net_admin net_bind_service }; ++allow nova_domain self:capability { dac_read_search dac_override net_admin net_bind_service }; +allow nova_domain self:process { getcap setcap signal_perms setfscreate }; +allow nova_domain self:fifo_file rw_fifo_file_perms; +allow nova_domain self:tcp_socket create_stream_socket_perms; @@ -61857,7 +62241,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..45ea5b7 100644 +index 47bb1d2..1e55673 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; 
@@ -61898,7 +62282,7 @@ index 47bb1d2..45ea5b7 100644 # -allow nsd_t self:capability { chown dac_override kill setgid setuid }; -+allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin }; ++allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; +allow nsd_t self:tcp_socket create_stream_socket_perms; @@ -61982,8 +62366,9 @@ index 47bb1d2..45ea5b7 100644 +# Zone update cron job local policy # +-allow nsd_crond_t self:capability { dac_override kill }; +# kill capability for root cron job and non-root daemon - allow nsd_crond_t self:capability { dac_override kill }; ++allow nsd_crond_t self:capability { dac_read_search dac_override kill }; dontaudit nsd_crond_t self:capability sys_nice; allow nsd_crond_t self:process { setsched signal_perms }; allow nsd_crond_t self:fifo_file rw_fifo_file_perms; @@ -62182,7 +62567,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 421bf1a..fd870fc 100644 +index 421bf1a..1be3b6b 100644 --- a/nslcd.te +++ b/nslcd.te @@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) @@ -62196,7 +62581,7 @@ index 421bf1a..fd870fc 100644 -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; -+allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice }; ++allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; @@ -63063,7 +63448,7 @@ index 0000000..7d839fe + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index 8ec7859..6c23623 100644 +index 8ec7859..c696f67 100644 --- a/ntop.te +++ b/ntop.te 
@@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t) @@ -63071,7 +63456,7 @@ index 8ec7859..6c23623 100644 # -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; -+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_override }; ++allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override }; dontaudit ntop_t self:capability sys_tty_config; allow ntop_t self:process signal_perms; allow ntop_t self:fifo_file rw_fifo_file_perms; @@ -63372,7 +63757,7 @@ index e96a309..4245308 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113..6d039fb 100644 +index f81b113..fec2028 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -63385,7 +63770,14 @@ index f81b113..6d039fb 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -50,9 +53,12 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; +@@ -44,15 +47,18 @@ init_system_domain(ntpd_t, ntpdate_exec_t) + # Local policy + # + +-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; ++allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; + dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; + allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:tcp_socket { accept listen }; 
@@ -63409,7 +63801,14 @@ index f81b113..6d039fb 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +87,16 @@ kernel_read_system_state(ntpd_t) +@@ -77,27 +81,23 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) + files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) + + can_exec(ntpd_t, ntpd_exec_t) ++can_exec(ntpd_t, ntpupdate_exec_t) + + kernel_read_kernel_sysctls(ntpd_t) + kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -63433,7 +63832,7 @@ index f81b113..6d039fb 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +110,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -63450,7 +63849,7 @@ index f81b113..6d039fb 100644 auth_use_nsswitch(ntpd_t) -@@ -124,12 +125,14 @@ init_exec_script_files(ntpd_t) +@@ -124,12 +126,14 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -63467,7 +63866,7 @@ index f81b113..6d039fb 100644 cron_system_entry(ntpd_t, ntpdate_exec_t) ') -@@ -152,9 +155,18 @@ optional_policy(` +@@ -152,9 +156,18 @@ optional_policy(` ') optional_policy(` @@ -63806,7 +64205,7 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..ccaa0d4 100644 +index 5b2cb0d..605b54b 100644 --- a/nut.te +++ b/nut.te @@ -7,154 +7,155 @@ policy_module(nut, 1.3.0) @@ -63850,7 +64249,7 @@ index 5b2cb0d..ccaa0d4 100644 # -allow nut_domain self:capability { setgid setuid dac_override kill }; -+allow nut_domain self:capability { setgid setuid dac_override }; ++allow nut_domain self:capability { setgid setuid dac_read_search dac_override }; + allow nut_domain self:process signal_perms; -allow nut_domain self:fifo_file rw_fifo_file_perms; 
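Review bot: The ntp.te hunk `@@ -77,27 +81,23 @@` also introduces `can_exec(ntpd_t, ntpupdate_exec_t)`, an unrelated privilege addition that the changelog (which only describes the dac_read_search fix) does not mention, and the type `ntpupdate_exec_t` is not declared anywhere visible — the context around it only declares and uses `ntpdate_exec_t` (`init_system_domain(ntpd_t, ntpdate_exec_t)`, `cron_system_entry(ntpd_t, ntpdate_exec_t)`). If this is a typo for `ntpdate_exec_t` the module will fail to compile on an undeclared type; if `ntpupdate_exec_t` is declared in the part of ntp.te outside the hunk, the line is fine but still belongs in the changelog or in its own commit so the new executable-in-domain permission is auditable. Either confirm the declaration or change the line to `can_exec(ntpd_t, ntpdate_exec_t)` and note it in the changelog. The ntpd_t local policy section continues beyond both ends of this hunk.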
@@ -64597,7 +64996,7 @@ index c87bd2a..6180fba 100644 + allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te -index e403097..9080b3f 100644 +index e403097..c60887d 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) @@ -64668,7 +65067,8 @@ index e403097..9080b3f 100644 +# oddjob_mkhomedir local policy # - allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; ++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override }; allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; -allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; @@ -65207,7 +65607,7 @@ index 0000000..7581b52 +') diff --git a/openfortivpn.te b/openfortivpn.te new file mode 100644 -index 0000000..3142896 +index 0000000..5a3c62b --- /dev/null +++ b/openfortivpn.te @@ -0,0 +1,67 @@ @@ -65235,7 +65635,7 @@ index 0000000..3142896 +# + +# User certificates are typically not world-readable and are owned by the user -+allow openfortivpn_t self:capability dac_override; ++allow openfortivpn_t self:capability { dac_read_search dac_override }; + +# Talking to pppd via the PTY +allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; @@ -66332,7 +66732,7 @@ index 0000000..c20cac3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..c8e810c +index 0000000..a98990f --- /dev/null +++ b/openshift.te @@ -0,0 +1,634 @@ 
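Review bot: The openfortivpn.te hunk `@@ -65235,7 +65635,7 @@` is the one place in this series where the policy itself documents a purely read-side need (`# User certificates are typically not world-readable and are owned by the user`), yet it keeps dac_override and only adds dac_read_search beside it. If, as the changelog says, the kernel now consults CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for read and search, then dac_read_search alone satisfies reading a user-owned certificate, and dac_override — which additionally bypasses write and execute DAC checks on every file the domain can label-wise reach — is no longer justified by the stated reason. Suggest `allow openfortivpn_t self:capability dac_read_search;` with the existing comment kept, and a run under enforcing to confirm nothing else in the connection path needed the stronger capability. The same swap-rather-than-add question applies to the other domains in this patch whose only capability was dac_override, but their file-access rules are not visible in these hunks, so that is a per-domain follow-up rather than a blanket change.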
@@ -66888,7 +67288,7 @@ index 0000000..c8e810c +# +# openshift_cron local policy +# -+allow openshift_cron_t self:capability { dac_override net_admin sys_admin }; ++allow openshift_cron_t self:capability { dac_read_search dac_override net_admin sys_admin }; +allow openshift_cron_t self:process signal_perms; +allow openshift_cron_t self:tcp_socket create_stream_socket_perms; +allow openshift_cron_t self:udp_socket create_socket_perms; @@ -68277,7 +68677,7 @@ index 0000000..6ae382c + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 0000000..c4b5ddb +index 0000000..41f3e07 --- /dev/null +++ b/oracleasm.te @@ -0,0 +1,66 @@ @@ -68306,7 +68706,7 @@ index 0000000..c4b5ddb +# oracleasm local policy +# + -+allow oracleasm_t self:capability { dac_override fsetid fowner chown }; ++allow oracleasm_t self:capability { dac_read_search dac_override fsetid fowner chown }; +allow oracleasm_t self:fifo_file rw_fifo_file_perms; +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms; + @@ -68815,7 +69215,7 @@ index 9682d9a..f1f421f 100644 + ') ') diff --git a/pacemaker.te b/pacemaker.te -index 6e6efb6..3dc917d 100644 +index 6e6efb6..d56c049 100644 --- a/pacemaker.te +++ b/pacemaker.te @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0) @@ -68832,7 +69232,7 @@ index 6e6efb6..3dc917d 100644 type pacemaker_t; type pacemaker_exec_t; init_daemon_domain(pacemaker_t, pacemaker_exec_t) -@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) +@@ -12,31 +19,36 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) type pacemaker_initrc_exec_t; init_script_file(pacemaker_initrc_exec_t) 
@@ -68858,10 +69258,11 @@ index 6e6efb6..3dc917d 100644 ######################################## # -@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t) + # Local policy # - allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; +-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; ++allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid }; +allow pacemaker_t self:capability2 block_suspend; allow pacemaker_t self:process { setrlimit signal setpgid }; allow pacemaker_t self:fifo_file rw_fifo_file_perms; @@ -68941,13 +69342,15 @@ index 6e097c9..503c97a 100644 domain_system_change_exemption($1) role_transition $2 pads_initrc_exec_t system_r; diff --git a/pads.te b/pads.te -index 078adc4..77513a4 100644 +index 078adc4..f0c65e5 100644 --- a/pads.te +++ b/pads.te -@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t) +@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t) + # Declarations # - allow pads_t self:capability { dac_override net_raw }; +-allow pads_t self:capability { dac_override net_raw }; ++allow pads_t self:capability { dac_read_search dac_override net_raw }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; allow pads_t self:packet_socket create_socket_perms; allow pads_t self:socket create_socket_perms; @@ -69173,7 +69576,7 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..3ad995c 100644 +index 08ec33b..e73b8a6 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ 
@@ -69200,8 +69603,9 @@ index 08ec33b..3ad995c 100644 +# passanger local policy # - allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; +-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; -allow passenger_t self:process { setpgid setsched sigkill signal }; ++allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; +allow passenger_t self:capability2 block_suspend; +allow passenger_t self:process { setpgid setsched getsession signal_perms }; allow passenger_t self:fifo_file rw_fifo_file_perms; @@ -69519,7 +69923,7 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..d19e18f +index 0000000..d859d4c --- /dev/null +++ b/pcp.te @@ -0,0 +1,312 @@ @@ -69574,7 +69978,7 @@ index 0000000..d19e18f +# pcp domain local policy +# + -+allow pcp_domain self:capability { setuid setgid dac_override }; ++allow pcp_domain self:capability { setuid setgid dac_read_search dac_override }; +allow pcp_domain self:process signal_perms; +allow pcp_domain self:tcp_socket create_stream_socket_perms; +allow pcp_domain self:udp_socket create_socket_perms; @@ -70273,7 +70677,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..270648d 100644 +index 608f454..8cccfd7 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -70353,7 +70757,7 @@ index 608f454..270648d 100644 +# pegasus openlmi account local policy +# + -+allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid }; ++allow pegasus_openlmi_account_t self:capability { chown dac_read_search dac_override fowner fsetid }; +allow pegasus_openlmi_account_t self:process setfscreate; + +auth_manage_passwd(pegasus_openlmi_account_t) 
@@ -70390,7 +70794,7 @@ index 608f454..270648d 100644 +# pegasus openlmi logicalfile local policy +# + -+allow pegasus_openlmi_logicalfile_t self:capability { dac_override }; ++allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search dac_override }; +files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t) +files_manage_non_security_files(pegasus_openlmi_logicalfile_t) + @@ -70617,7 +71021,7 @@ index 608f454..270648d 100644 # -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; -+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service sys_ptrace }; ++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search dac_override net_admin net_bind_service sys_ptrace }; dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; +allow pegasus_t self:process { setsched signal }; @@ -72254,7 +72658,7 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..555b44a +index 0000000..afa1ba1 --- /dev/null +++ b/pki.te @@ -0,0 +1,283 @@ @@ -72332,7 +72736,7 @@ index 0000000..555b44a +# pki-tomcat local policy +# + -+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid }; ++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search dac_override sys_nice fsetid }; +dontaudit pki_tomcat_t self:capability net_admin; +allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate }; + 
@@ -72465,7 +72869,7 @@ index 0000000..555b44a +# + + -+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown}; ++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search dac_override fowner fsetid kill chown}; +allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill}; + +allow pki_apache_domain self:sem all_sem_perms; @@ -72883,7 +73287,7 @@ index 30e751f..61feb3a 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..c57d1cf 100644 +index 3078ce9..ac0b7a5 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -72906,7 +73310,7 @@ index 3078ce9..c57d1cf 100644 allow plymouthd_t self:capability { sys_admin sys_tty_config }; -dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:capability2 block_suspend; -+dontaudit plymouthd_t self:capability dac_override; ++dontaudit plymouthd_t self:capability{ dac_read_search dac_override }; allow plymouthd_t self:process { signal getsched }; +allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms; allow plymouthd_t self:fifo_file rw_fifo_file_perms; @@ -73004,14 +73408,16 @@ index 3078ce9..c57d1cf 100644 hal_dontaudit_write_log(plymouth_t) hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te -index 9123f71..c06ace5 100644 +index 9123f71..232e28a 100644 --- a/podsleuth.te 
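Review bot: In the plymouthd.te hunk `@@ -72906,7 +73310,7 @@` the rewritten line `dontaudit plymouthd_t self:capability{ dac_read_search dac_override };` drops the space between the class and the permission set; checkpolicy should still split `capability{` into two tokens, but the line no longer matches the `class { perms }` form used two lines above (`allow plymouthd_t self:capability { sys_admin sys_tty_config };`) and everywhere else in this patch, and a maintainer searching for `self:capability ` will not find it. Change it to `dontaudit plymouthd_t self:capability { dac_read_search dac_override };`. On substance the hunk is right: plymouthd_t is only dontaudit'ed, not allowed, dac_override, so silencing dac_read_search alongside it grants nothing and simply keeps the newly-ordered kernel check from spamming the audit log.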
+++ b/podsleuth.te -@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) +@@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) + # Local policy # - allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; ++allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio }; +allow podsleuth_t self:process { signal signull getsched execheap execmem execstack }; + allow podsleuth_t self:fifo_file rw_fifo_file_perms; @@ -74182,19 +74588,23 @@ index 9764bfe..8870de7 100644 -miscfiles_read_localization(polipo_daemon) diff --git a/portage.if b/portage.if -index 67e8c12..18b89d7 100644 +index 67e8c12..058c994 100644 --- a/portage.if +++ b/portage.if -@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` +@@ -67,9 +67,10 @@ interface(`portage_compile_domain',` class dbus send_msg; type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; type portage_tmpfs_t; + type portage_sandbox_t; ') - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; +- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; ++ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw }; + dontaudit $1 self:capability sys_chroot; + allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; + allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/portage.te b/portage.te -index b410c67..2713b26 100644 +index b410c67..f1ec41d 100644 --- a/portage.te +++ b/portage.te @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) 
@@ -74205,6 +74615,15 @@ index b410c67..2713b26 100644 files_search_var_lib(gcc_config_t) files_search_pids(gcc_config_t) # complains loudly about not being able to list +@@ -239,7 +238,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms; + # + + allow portage_fetch_t self:process signal; +-allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; ++allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown }; + allow portage_fetch_t self:fifo_file rw_fifo_file_perms; + allow portage_fetch_t self:tcp_socket { accept listen }; + allow portage_fetch_t self:unix_stream_socket create_socket_perms; @@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t) domain_use_interactive_fds(portage_fetch_t) @@ -74440,7 +74859,7 @@ index c0e8785..3070aa0 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) diff --git a/postfix.if b/postfix.if -index ded95ec..3cf7146 100644 +index ded95ec..db49c57 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -74534,7 +74953,7 @@ index ded95ec..3cf7146 100644 - # - # Declarations - # -+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; ++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search dac_override }; + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; @@ -74591,7 +75010,8 @@ index ded95ec..3cf7146 100644 - # Policy - # - - allow postfix_$1_t self:capability dac_override; +- allow postfix_$1_t self:capability dac_override; ++ allow postfix_$1_t self:capability { dac_read_search dac_override }; domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) 
@@ -75324,7 +75744,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..b140dcb 100644 +index 5cfb83e..b5e3e1f 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -75516,7 +75936,7 @@ index 5cfb83e..b140dcb 100644 - -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs -+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; ++allow postfix_master_t self:capability { chown dac_read_search dac_override kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; + allow postfix_master_t self:process setrlimit; @@ -75841,14 +76261,15 @@ index 5cfb83e..b140dcb 100644 -# Map local policy +# Postfix map local policy # -- - allow postfix_map_t self:capability { dac_override setgid setuid }; --allow postfix_map_t self:tcp_socket { accept listen }; ++allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid }; +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +allow postfix_map_t self:tcp_socket create_stream_socket_perms; +allow postfix_map_t self:udp_socket create_socket_perms; +-allow postfix_map_t self:capability { dac_override setgid setuid }; +-allow postfix_map_t self:tcp_socket { accept listen }; +- -allow postfix_map_t postfix_etc_t:dir manage_dir_perms; -allow postfix_map_t postfix_etc_t:file manage_file_perms; -allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; @@ -76364,7 +76785,7 @@ index b9e71b5..a7502cd 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; 
diff --git a/postgrey.te b/postgrey.te -index fd58805..3b2474d 100644 +index fd58805..2ff8a1e 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -76376,6 +76797,15 @@ index fd58805..3b2474d 100644 type postgrey_var_lib_t; files_type(postgrey_var_lib_t) +@@ -29,7 +29,7 @@ files_pid_file(postgrey_var_run_t) + # Local policy + # + +-allow postgrey_t self:capability { chown dac_override setgid setuid }; ++allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid }; + dontaudit postgrey_t self:capability sys_tty_config; + allow postgrey_t self:process signal_perms; + allow postgrey_t self:fifo_file create_fifo_file_perms; @@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t) corecmd_search_bin(postgrey_t) @@ -76968,7 +77398,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..001dc51 100644 +index d616ca3..c87b87a 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -77052,7 +77482,7 @@ index d616ca3..001dc51 100644 # -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; -+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice sys_chroot }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; +dontaudit pppd_t self:capability2 block_suspend; @@ -77490,7 +77920,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index 8e26216..98068fc 100644 +index 8e26216..c1d33ac 100644 --- a/prelink.te +++ b/prelink.te @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0) 
@@ -77507,7 +77937,15 @@ index 8e26216..98068fc 100644 type prelink_cache_t; files_type(prelink_cache_t) -@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms; +@@ -40,31 +37,34 @@ files_type(prelink_var_lib_t) + # Local policy + # + +-allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; ++allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource }; + allow prelink_t self:process { execheap execmem execstack signal }; + allow prelink_t self:fifo_file rw_fifo_file_perms; + allow prelink_t prelink_cache_t:file manage_file_perms; files_etc_filetrans(prelink_t, prelink_cache_t, file) @@ -77872,7 +78310,7 @@ index c83a838..f41a4f7 100644 admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index 8f44609..e1f4f70 100644 +index 8f44609..dd70653 100644 --- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -77884,6 +78322,15 @@ index 8f44609..e1f4f70 100644 type prelude_log_t; logging_log_file(prelude_log_t) +@@ -54,7 +54,7 @@ files_pid_file(prelude_lml_var_run_t) + # Prelude local policy + # + +-allow prelude_t self:capability { dac_override sys_tty_config }; ++allow prelude_t self:capability { dac_read_search dac_override sys_tty_config }; + allow prelude_t self:fifo_file rw_fifo_file_perms; + allow prelude_t self:unix_stream_socket { accept listen }; + allow prelude_t self:tcp_socket { accept listen }; @@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t) corecmd_search_bin(prelude_t) 
@@ -77909,6 +78356,15 @@ index 8f44609..e1f4f70 100644 optional_policy(` mysql_stream_connect(prelude_t) mysql_tcp_connect(prelude_t) +@@ -125,7 +121,7 @@ optional_policy(` + # Audisp local policy + # + +-allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; ++allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap }; + allow prelude_audisp_t self:process { getcap setcap }; + allow prelude_audisp_t self:fifo_file rw_fifo_file_perms; + allow prelude_audisp_t self:unix_stream_socket { accept listen }; @@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t) corecmd_search_bin(prelude_audisp_t) @@ -77933,6 +78389,15 @@ index 8f44609..e1f4f70 100644 sysnet_dns_name_resolve(prelude_audisp_t) ######################################## +@@ -171,7 +163,7 @@ sysnet_dns_name_resolve(prelude_audisp_t) + # Correlator local policy + # + +-allow prelude_correlator_t self:capability dac_override; ++allow prelude_correlator_t self:capability { dac_read_search dac_override }; + allow prelude_correlator_t self:tcp_socket { accept listen }; + + manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t) @@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t) corecmd_search_bin(prelude_correlator_t) @@ -77956,10 +78421,12 @@ index 8f44609..e1f4f70 100644 sysnet_dns_name_resolve(prelude_correlator_t) ######################################## -@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t) +@@ -211,7 +198,9 @@ sysnet_dns_name_resolve(prelude_correlator_t) + # Lml local declarations # - allow prelude_lml_t self:capability dac_override; +-allow prelude_lml_t self:capability dac_override; ++allow prelude_lml_t self:capability { dac_read_search dac_override }; +allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; +allow prelude_lml_t self:unix_dgram_socket create_socket_perms; allow prelude_lml_t self:fifo_file rw_fifo_file_perms; 
@@ -78233,7 +78700,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index cc426e6..fe5d842 100644 +index cc426e6..91a1f53 100644 --- a/procmail.te +++ b/procmail.te @@ -14,7 +14,7 @@ type procmail_home_t; @@ -78245,8 +78712,12 @@ index cc426e6..fe5d842 100644 type procmail_tmp_t; files_tmp_file(procmail_tmp_t) -@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t) - allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; +@@ -24,13 +24,17 @@ files_tmp_file(procmail_tmp_t) + # Local policy + # + +-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; ++allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override }; allow procmail_t self:process { setsched signal signull }; allow procmail_t self:fifo_file rw_fifo_file_perms; -allow procmail_t self:tcp_socket { accept listen }; @@ -78967,9 +79438,18 @@ index d4dcf78..3cce82e 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te -index b5d717b..0de086e 100644 +index b5d717b..9fd153b 100644 --- a/psad.te +++ b/psad.te +@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t) + # Local policy + # + +-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; ++allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override }; + dontaudit psad_t self:capability sys_tty_config; + allow psad_t self:process signal_perms; + allow psad_t self:fifo_file rw_fifo_file_perms; @@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t) corecmd_exec_bin(psad_t) corecmd_exec_shell(psad_t) 
@@ -79013,6 +79493,19 @@ index 28d2abc..c2cfb5e 100644 -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) +diff --git a/publicfile.te b/publicfile.te +index 3246bef..dd66a21 100644 +--- a/publicfile.te ++++ b/publicfile.te +@@ -17,7 +17,7 @@ files_type(publicfile_content_t) + # Local policy + # + +-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; ++allow publicfile_t self:capability { dac_read_search dac_override setgid setuid sys_chroot }; + + allow publicfile_t publicfile_content_t:dir list_dir_perms; + allow publicfile_t publicfile_content_t:file read_file_perms; diff --git a/pulseaudio.fc b/pulseaudio.fc index 6864479..0e7d875 100644 --- a/pulseaudio.fc @@ -80123,7 +80616,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..bba4a3e 100644 +index 618dcfe..d5d0cfc 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -80289,7 +80782,7 @@ index 618dcfe..bba4a3e 100644 - -tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) -+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; ++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search dac_override sys_nice sys_tty_config }; +allow puppetagent_t self:process { signal signull getsched setsched }; +allow puppetagent_t self:fifo_file rw_fifo_file_perms; +allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms; @@ -80465,7 +80958,8 @@ index 618dcfe..bba4a3e 100644 +# PuppetCA personal policy # - allow puppetca_t self:capability { dac_override setgid setuid }; +-allow puppetca_t self:capability { dac_override setgid setuid }; ++allow puppetca_t self:capability { dac_read_search dac_override setgid setuid }; allow puppetca_t self:fifo_file rw_fifo_file_perms; -allow puppetca_t puppet_etc_t:dir list_dir_perms; 
@@ -83219,7 +83713,7 @@ index afc0068..589a7fd 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..e39f835 100644 +index 8644d8b..97a9b7e 100644 --- a/quantum.te +++ b/quantum.te @@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0) @@ -83309,7 +83803,7 @@ index 8644d8b..e39f835 100644 - -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+allow neutron_t self:capability { chown dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; ++allow neutron_t self:capability { chown dac_read_search dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + @@ -83752,7 +84246,7 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e8..af09c76 100644 +index f47c8e8..ba74734 100644 --- a/quota.te +++ b/quota.te @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -83780,7 +84274,12 @@ index f47c8e8..af09c76 100644 type quota_nld_var_run_t; files_pid_file(quota_nld_var_run_t) -@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override }; +@@ -33,10 +28,11 @@ files_pid_file(quota_nld_var_run_t) + # Local policy + # + +-allow quota_t self:capability { sys_admin dac_override }; ++allow quota_t self:capability { sys_admin dac_read_search dac_override }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; @@ -84221,7 +84720,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..07b9baf 100644 +index 403a4fe..482046a 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) 
@@ -84238,7 +84737,7 @@ index 403a4fe..07b9baf 100644 type radiusd_t; type radiusd_exec_t; init_daemon_domain(radiusd_t, radiusd_exec_t) -@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t) +@@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -84248,9 +84747,10 @@ index 403a4fe..07b9baf 100644 ######################################## # # Local policy -@@ -34,7 +44,7 @@ files_pid_file(radiusd_var_run_t) + # - allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; +-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; ++allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config}; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; @@ -84409,7 +84909,7 @@ index ac7058d..48739ac 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te -index 6d162e4..9027807 100644 +index 6d162e4..502ca16 100644 --- a/radvd.te +++ b/radvd.te @@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t) @@ -84417,7 +84917,7 @@ index 6d162e4..9027807 100644 # -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; -+allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_override }; ++allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search dac_override }; dontaudit radvd_t self:capability sys_tty_config; allow radvd_t self:process signal_perms; allow radvd_t self:fifo_file rw_fifo_file_perms; @@ -84675,7 +85175,7 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') 
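Review bot: The new radiusd_t capability line in the second hunk drops the space before the closing brace, `sys_tty_config}`, where the line it replaces and the other rules in this file write `sys_tty_config }`; the same slip appears the other way round in the ricci_modservice_t rule a few hunks down (`{dac_read_search dac_override sys_nice }`). The policy compiler tokenizes braces separately, so this is style only, but the inconsistency makes later greps and diffs of capability sets noisier. Suggested line: `allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config };`, and `allow ricci_modservice_t self:capability { dac_read_search dac_override sys_nice };` for the ricci rule.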
diff --git a/raid.te b/raid.te -index c99753f..6d4d0e9 100644 +index c99753f..55294ac 100644 --- a/raid.te +++ b/raid.te @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; @@ -84706,9 +85206,10 @@ index c99753f..6d4d0e9 100644 # Local policy # - allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; +-allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; -dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { getsched setsched signal_perms }; ++allow mdadm_t self:capability { dac_read_search dac_override sys_admin ipc_lock }; +dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace }; +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -86572,10 +87073,10 @@ index a9ce68e..92520aa 100644 + allow $1 remote_login_t:process signull; ') diff --git a/remotelogin.te b/remotelogin.te -index ae30871..43fd6e8 100644 +index ae30871..15a669c 100644 --- a/remotelogin.te +++ b/remotelogin.te -@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t) +@@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t) auth_login_pgm_domain(remote_login_t) auth_login_entry_type(remote_login_t) 
@@ -86588,8 +87089,9 @@ index ae30871..43fd6e8 100644 +# Remote login remote policy # - allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl +-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; ++allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; + allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; allow remote_login_t self:fifo_file rw_fifo_file_perms; @@ -86687,9 +87189,18 @@ index ae30871..43fd6e8 100644 ') diff --git a/resmgr.te b/resmgr.te -index f6eb358..e4fc73d 100644 +index f6eb358..b631919 100644 --- a/resmgr.te +++ b/resmgr.te +@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t) + # Local policy + # + +-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; ++allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio }; + dontaudit resmgrd_t self:capability sys_tty_config; + allow resmgrd_t self:process signal_perms; + @@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t) domain_use_interactive_fds(resmgrd_t) @@ -86934,7 +87445,7 @@ index 1c2f9aa..a4133dc 100644 + allow $1 rgmanager_var_lib_t:dir search_dir_perms; +') diff --git a/rgmanager.te b/rgmanager.te -index c8a1e16..2d409bf 100644 +index c8a1e16..f9d6fb3 100644 --- a/rgmanager.te +++ b/rgmanager.te @@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0) 
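Review bot: The new remote_login_t capability rule lists `dac_read_search` twice, `{ dac_read_search dac_read_search dac_override chown ... }`; every other hunk in this commit adds it once, so this reads as a paste error. The duplicate is most likely collapsed by the compiler into the same permission bit, but it misleads anyone auditing the set and should not be carried into the patch. Suggested line: `allow remote_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };`. The remotelogin.te local-policy block this rule sits in continues beyond this hunk.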
@@ -86969,7 +87480,8 @@ index c8a1e16..2d409bf 100644 +# rgmanager local policy # - allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; ++allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; allow rgmanager_t self:process { setsched signal }; + allow rgmanager_t self:fifo_file rw_fifo_file_perms; @@ -88169,7 +88681,7 @@ index c8bdea2..beb2872 100644 + allow $1 haproxy_unit_file_t:service {status start}; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..5279416 100644 +index 6cf79c4..519e676 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -88289,7 +88801,7 @@ index 6cf79c4..5279416 100644 +# cluster domain local policy +# + -+allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner }; ++allow cluster_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner }; +# for hearbeat +allow cluster_t self:capability { net_raw chown }; +allow cluster_t self:capability2 block_suspend; @@ -88506,7 +89018,7 @@ index 6cf79c4..5279416 100644 # -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; -+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource }; ++allow dlm_controld_t self:capability { dac_read_search dac_override net_admin sys_admin sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; +files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) 
@@ -88708,7 +89220,7 @@ index 6cf79c4..5279416 100644 +# + +# bug in haproxy and process vs pid owner -+allow haproxy_t self:capability { dac_override kill }; ++allow haproxy_t self:capability { dac_read_search dac_override kill }; + +allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw }; +allow haproxy_t self:capability2 block_suspend; @@ -89982,7 +90494,7 @@ index 2ab3ed1..23d579c 100644 role_transition $2 ricci_initrc_exec_t system_r; allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 0ba2569..64a0237 100644 +index 0ba2569..161850d 100644 --- a/ricci.te +++ b/ricci.te @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) @@ -90083,6 +90595,15 @@ index 0ba2569..64a0237 100644 optional_policy(` oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) +@@ -418,7 +401,7 @@ optional_policy(` + # Modservice local policy + # + +-allow ricci_modservice_t self:capability { dac_override sys_nice }; ++allow ricci_modservice_t self:capability {dac_read_search dac_override sys_nice }; + allow ricci_modservice_t self:process setsched; + allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; + @@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t) corecmd_exec_bin(ricci_modservice_t) corecmd_exec_shell(ricci_modservice_t) @@ -90471,11 +90992,15 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index ee27948..c2826a1 100644 +index ee27948..34d2ee9 100644 --- a/rlogin.te 
+++ b/rlogin.te -@@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t) - allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +@@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t) + # Local policy + # + +-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; ++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; -allow rlogind_t self:tcp_socket { accept listen }; @@ -91448,7 +91973,7 @@ index 0bf13c2..9572351 100644 + allow $1 gssd_t:process { noatsecure rlimitinh }; +') diff --git a/rpc.te b/rpc.te -index 2da9fca..f97a61a 100644 +index 2da9fca..49c37e8 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91571,7 +92096,8 @@ index 2da9fca..f97a61a 100644 +# RPC local policy # - allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; +-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; ++allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search dac_override setgid setuid }; allow rpcd_t self:capability2 block_suspend; + allow rpcd_t self:process { getcap setcap }; @@ -91987,7 +92513,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..8891c9d 100644 +index 54de77c..db13fcf 100644 --- a/rpcbind.te +++ b/rpcbind.te @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) 
@@ -92013,7 +92539,7 @@ index 54de77c..8891c9d 100644 # -allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -+allow rpcbind_t self:capability { chown dac_override setgid setuid sys_tty_config }; ++allow rpcbind_t self:capability { chown dac_read_search dac_override setgid setuid sys_tty_config }; allow rpcbind_t self:fifo_file rw_fifo_file_perms; allow rpcbind_t self:unix_stream_socket { accept listen }; allow rpcbind_t self:tcp_socket { accept listen }; @@ -92819,7 +93345,7 @@ index ef3b225..b15d901 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e..77ca468 100644 +index 6fc360e..2f24b1e 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -92880,8 +93406,9 @@ index 6fc360e..77ca468 100644 # rpm Local policy # +-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:capability2 block_suspend; - allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; ++allow rpm_t self:capability { chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; @@ -93351,7 +93878,7 @@ index 7ad29c0..2e87d76 100644 domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te -index 864e089..925203c 100644 +index 864e089..a28dccd 100644 --- a/rshd.te +++ b/rshd.te @@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1) 
@@ -93374,8 +93901,9 @@ index 864e089..925203c 100644 # Local policy # - - allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; +-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; -allow rshd_t self:process { signal_perms setsched setpgid setexec }; ++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search dac_override }; +allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; @@ -95429,7 +95957,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..0aaed65 100644 +index 2b7c441..d79c136 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -96294,7 +96822,7 @@ index 2b7c441..0aaed65 100644 -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; -allow smbmount_t self:process signal_perms; -allow smbmount_t self:tcp_socket { accept listen }; -+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? ++allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search dac_override chown }; # FIXME: is all of this really necessary? +allow smbmount_t self:process { fork signal_perms }; +allow smbmount_t self:tcp_socket create_stream_socket_perms; +allow smbmount_t self:udp_socket connect; 
@@ -96390,7 +96918,8 @@ index 2b7c441..0aaed65 100644 +# SWAT Local policy # - allow swat_t self:capability { dac_override setuid setgid sys_resource }; +-allow swat_t self:capability { dac_override setuid setgid sys_resource }; ++allow swat_t self:capability { dac_read_search dac_override setuid setgid sys_resource }; +allow swat_t self:capability2 block_suspend; allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; @@ -96530,7 +97059,7 @@ index 2b7c441..0aaed65 100644 -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; -dontaudit winbind_t self:capability sys_tty_config; -+allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability { kill dac_read_search dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; +dontaudit winbind_t self:capability { net_admin sys_tty_config }; allow winbind_t self:process { signal_perms getsched setsched }; @@ -96772,9 +97301,18 @@ index 2b7c441..0aaed65 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index e18b0a2..dc2a745 100644 +index e18b0a2..1b1db01 100644 --- a/sambagui.te +++ b/sambagui.te +@@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t; + # Local policy + # + +-allow sambagui_t self:capability dac_override; ++allow sambagui_t self:capability { dac_read_search dac_override }; + allow sambagui_t self:fifo_file rw_fifo_file_perms; + + kernel_read_system_state(sambagui_t) @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) dev_dontaudit_read_urand(sambagui_t) @@ -98213,7 +98751,7 @@ index cd6c213..6d3cdc4 100644 + ') ') diff --git a/sanlock.te b/sanlock.te -index 0045465..5be86bf 100644 +index 0045465..ee3b993 100644 --- a/sanlock.te +++ b/sanlock.te @@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0) 
@@ -98289,7 +98827,8 @@ index 0045465..5be86bf 100644 +# sanlock local policy # - - allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; +-allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; ++allow sanlock_t self:capability { chown dac_read_search dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; @@ -98392,7 +98931,7 @@ index 0045465..5be86bf 100644 +# sanlk_resetd local policy +# + -+allow sanlk_resetd_t self:capability dac_override; ++allow sanlk_resetd_t self:capability { dac_read_search dac_override }; +allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms; +allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto; + @@ -98466,7 +99005,7 @@ index 8c3c151..93b7227 100644 domain_system_change_exemption($1) role_transition $2 saslauthd_initrc_exec_t system_r; diff --git a/sasl.te b/sasl.te -index 6c3bc20..14e8575 100644 +index 6c3bc20..eb05a49 100644 --- a/sasl.te +++ b/sasl.te @@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1) @@ -98533,7 +99072,7 @@ index 6c3bc20..14e8575 100644 fs_getattr_all_fs(saslauthd_t) fs_search_auto_mountpoints(saslauthd_t) -@@ -78,20 +70,25 @@ selinux_compute_access_vector(saslauthd_t) +@@ -78,34 +70,39 @@ selinux_compute_access_vector(saslauthd_t) auth_use_pam(saslauthd_t) 
@@ -98559,11 +99098,12 @@ index 6c3bc20..14e8575 100644 +# cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` +- allow saslauthd_t self:capability dac_override; +tunable_policy(`saslauthd_read_shadow',` - allow saslauthd_t self:capability dac_override; ++ allow saslauthd_t self:capability { dac_read_search dac_override }; auth_tunable_read_shadow(saslauthd_t) ') -@@ -99,13 +96,13 @@ tunable_policy(`allow_saslauthd_read_shadow',` + optional_policy(` kerberos_read_keytab(saslauthd_t) kerberos_manage_host_rcache(saslauthd_t) @@ -98726,7 +99266,7 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..9c44c87 +index 0000000..b86f200 --- /dev/null +++ b/sbd.te @@ -0,0 +1,54 @@ @@ -98751,7 +99291,7 @@ index 0000000..9c44c87 +# +# sbd local policy +# -+allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin}; ++allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_nice sys_admin}; +allow sbd_t self:process { fork setsched signal_perms }; +allow sbd_t self:fifo_file rw_fifo_file_perms; +allow sbd_t self:unix_stream_socket create_stream_socket_perms; @@ -98994,7 +99534,7 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..a256f80 100644 +index 299756b..5719ae9 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) 
@@ -99076,7 +99616,7 @@ index 299756b..a256f80 100644 -allow sblim_gatherd_t self:capability dac_override; -allow sblim_gatherd_t self:process signal; -+allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace }; ++allow sblim_gatherd_t self:capability { dac_read_search dac_override sys_nice sys_ptrace }; +allow sblim_gatherd_t self:process { setsched signal }; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; @@ -99328,7 +99868,7 @@ index be5cce2..b81f5df 100644 +') + diff --git a/screen.te b/screen.te -index 5466a73..ba26a6a 100644 +index 5466a73..33598f3 100644 --- a/screen.te +++ b/screen.te @@ -5,9 +5,7 @@ policy_module(screen, 2.6.0) @@ -99364,7 +99904,7 @@ index 5466a73..ba26a6a 100644 -allow screen_domain self:capability { setuid setgid fsetid }; +allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; -+dontaudit screen_domain self:capability dac_override; ++dontaudit screen_domain self:capability { dac_read_search dac_override }; allow screen_domain self:process signal_perms; -allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; @@ -99512,7 +100052,7 @@ index c78a569..9007451 100644 - allow sectoolm_t $2:unix_dgram_socket sendto; -') diff --git a/sectoolm.te b/sectoolm.te -index 4bc8c13..726ef2c 100644 +index 4bc8c13..e05d74d 100644 --- a/sectoolm.te +++ b/sectoolm.te @@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0) @@ -99533,7 +100073,7 @@ index 4bc8c13..726ef2c 100644 # -allow sectoolm_t self:capability { dac_override net_admin sys_nice }; -+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; ++allow sectoolm_t self:capability { dac_read_search dac_override net_admin sys_nice sys_ptrace }; allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; 
@@ -99916,7 +100456,7 @@ index 35ad2a7..afdc7da 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..b520092 100644 +index 12700b4..86f608e 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -99928,7 +100468,7 @@ index 12700b4..b520092 100644 # -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; -+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +dontaudit sendmail_t self:capability net_admin; +dontaudit sendmail_t self:capability2 block_suspend; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; @@ -100694,7 +101234,7 @@ index 0000000..c9d2d9c + diff --git a/sge.te b/sge.te new file mode 100644 -index 0000000..b2096dd +index 0000000..1c1ec06 --- /dev/null +++ b/sge.te @@ -0,0 +1,196 @@ @@ -100744,7 +101284,7 @@ index 0000000..b2096dd +# sge_execd local policy +# + -+allow sge_execd_t self:capability { dac_override kill setuid chown setgid }; ++allow sge_execd_t self:capability { dac_read_search dac_override kill setuid chown setgid }; +allow sge_execd_t self:process { setsched signal setpgid }; + +allow sge_execd_t sge_shepherd_t:process signal; @@ -100777,7 +101317,7 @@ index 0000000..b2096dd +# sge_shepherd local policy +# + -+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override }; ++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search dac_override }; +allow sge_shepherd_t self:process { setsched setrlimit setpgid }; +allow sge_shepherd_t self:process signal_perms; + @@ -101078,12 +101618,15 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) 
diff --git a/shorewall.te b/shorewall.te -index 7710b9f..b33b936 100644 +index 7710b9f..04af4ec 100644 --- a/shorewall.te +++ b/shorewall.te -@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t) +@@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t) + # Local policy + # - allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; +-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; ++allow shorewall_t self:capability { dac_read_search dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:process signal_perms; allow shorewall_t self:fifo_file rw_fifo_file_perms; @@ -101311,9 +101854,18 @@ index d1706bf..3aa7c9f 100644 ## ## diff --git a/shutdown.te b/shutdown.te -index e2544e1..d3fbd78 100644 +index e2544e1..2196974 100644 --- a/shutdown.te +++ b/shutdown.te +@@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t) + # Local policy + # + +-allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; ++allow shutdown_t self:capability { dac_read_search dac_override kill setuid sys_nice sys_tty_config }; + allow shutdown_t self:process { setsched signal signull }; + allow shutdown_t self:fifo_file manage_fifo_file_perms; + allow shutdown_t self:unix_stream_socket create_stream_socket_perms; @@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t) mls_file_write_to_clearance(shutdown_t) @@ -101539,9 +102091,18 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9cf6582..db6cc30 100644 +index 9cf6582..052179c 100644 --- a/smartmon.te 
+++ b/smartmon.te +@@ -38,7 +38,7 @@ ifdef(`enable_mls',` + # Local policy + # + +-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; ++allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin }; + dontaudit fsdaemon_t self:capability sys_tty_config; + allow fsdaemon_t self:process { getcap setcap signal_perms }; + allow fsdaemon_t self:fifo_file rw_fifo_file_perms; @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) corecmd_exec_all_executables(fsdaemon_t) @@ -102306,7 +102867,7 @@ index 0000000..88490d5 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..939b8be +index 0000000..5c2cbe0 --- /dev/null +++ b/snapper.te @@ -0,0 +1,83 @@ @@ -102335,7 +102896,7 @@ index 0000000..939b8be +# snapperd local policy +# + -+allow snapperd_t self:capability { dac_override sys_admin }; ++allow snapperd_t self:capability { dac_read_search dac_override sys_admin }; +allow snapperd_t self:process setsched; + +allow snapperd_t self:fifo_file rw_fifo_file_perms; @@ -102558,13 +103119,15 @@ index 7a9cc9d..23cb658 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 9dcaeb8..490a046 100644 +index 9dcaeb8..e8446db 100644 --- a/snmp.te +++ b/snmp.te -@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) +@@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t) + # Local policy # - allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; +-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; ++allow snmpd_t self:capability { chown dac_read_search dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; 
@@ -102689,11 +103252,15 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df..ffccc41 100644 +index 1af72df..d545f2a 100644 --- a/snort.te +++ b/snort.te -@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) - allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; +@@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t) + # Local policy + # + +-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; ++allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search dac_override }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; +allow snort_t self:netlink_route_socket create_netlink_socket_perms; @@ -102786,7 +103353,7 @@ index 634c6b4..f6db7a7 100644 +') + diff --git a/sosreport.te b/sosreport.te -index f2f507d..7db383e 100644 +index f2f507d..0ac6752 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -102808,9 +103375,12 @@ index f2f507d..7db383e 100644 optional_policy(` pulseaudio_tmpfs_content(sosreport_tmpfs_t) ') -@@ -33,10 +33,12 @@ optional_policy(` +@@ -31,12 +31,14 @@ optional_policy(` + # Local policy + # - allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; +-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search dac_override }; dontaudit sosreport_t self:capability sys_ptrace; -allow sosreport_t self:process { setsched signull }; +allow sosreport_t self:process { setpgid setsched signal_perms }; @@ -103021,9 +103591,18 @@ index a5abc5a..b9eff74 100644 domain_system_change_exemption($1) role_transition $2 soundd_initrc_exec_t system_r; diff --git a/soundserver.te b/soundserver.te -index 0919e0c..56a984b 100644 +index 0919e0c..df28aad 100644 --- a/soundserver.te 
+++ b/soundserver.te +@@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t) + # Declarations + # + +-allow soundd_t self:capability dac_override; ++allow soundd_t self:capability { dac_read_search dac_override }; + dontaudit soundd_t self:capability sys_tty_config; + allow soundd_t self:process { setpgid signal_perms }; + allow soundd_t self:shm create_shm_perms; @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) kernel_read_proc_symlinks(soundd_t) @@ -103570,7 +104149,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..1e34535 100644 +index cc58e35..85e9f59 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -103922,7 +104501,7 @@ index cc58e35..1e34535 100644 +spamassassin_filetrans_home_content(spamc_t) +spamassassin_filetrans_admin_home_content(spamc_t) +# for /root/.pyzor -+allow spamc_t self:capability dac_override; ++allow spamc_t self:capability { dac_read_search dac_override }; list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) @@ -104042,11 +104621,12 @@ index cc58e35..1e34535 100644 +# Server local policy # +-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not +# using this ability. + - allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; ++allow spamd_t self:capability { kill setuid setgid dac_read_search dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; 
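Review bot: The section header directly above the changed soundserver.te capability rule reads `# Declarations`, while the rule is an access-vector statement that every other module in this sweep files under `# Local policy`; the hunk's own context lines show the mismatch. Since the header is now inside the hunk this is a cheap moment to correct it to `# Local policy`. The soundd_t local policy block continues outside the hunk.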
@@ -104702,7 +105282,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..e03b69a 100644 +index 03472ed..9148ef5 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -104714,7 +105294,7 @@ index 03472ed..e03b69a 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -37,15 +37,22 @@ init_script_file(squid_initrc_exec_t) +@@ -37,21 +37,28 @@ init_script_file(squid_initrc_exec_t) type squid_log_t; logging_log_file(squid_log_t) @@ -104739,6 +105319,13 @@ index 03472ed..e03b69a 100644 ######################################## # # Local policy + # + +-allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; ++allow squid_t self:capability { setgid kill setuid dac_read_search dac_override sys_resource }; + dontaudit squid_t self:capability sys_tty_config; + allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; + allow squid_t self:fifo_file rw_fifo_file_perms; @@ -68,6 +75,7 @@ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) @@ -105991,7 +106578,7 @@ diff --git a/systemtap.te b/stapserver.te similarity index 64% rename from systemtap.te rename to stapserver.te -index ffde368..e847ea3 100644 +index ffde368..20b924b 100644 --- a/systemtap.te +++ b/stapserver.te @@ -1,4 +1,4 @@ @@ -106032,7 +106619,7 @@ index ffde368..e847ea3 100644 +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; + -+allow stapserver_t self:capability { dac_override kill sys_ptrace}; ++allow stapserver_t self:capability { dac_read_search dac_override kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + allow stapserver_t self:fifo_file rw_fifo_file_perms; 
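Review bot: The new stapserver.te rule keeps the pre-existing missing space before the closing brace, `sys_ptrace}`, and stapserver_t now has two separate self:capability allow statements a few lines apart (`{ setuid setgid }` and `{ dac_read_search dac_override kill sys_ptrace}`), which makes the domain's full capability set harder to review at a glance. Suggest merging them into one sorted statement: `allow stapserver_t self:capability { dac_read_search dac_override kill setgid setuid sys_ptrace };`. The stapserver_t local policy block continues outside the hunk.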
@@ -106813,10 +107400,15 @@ index 01a9d0a..154872e 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index b92f677..6dc2de3 100644 +index b92f677..a2690e3 100644 --- a/sysstat.te +++ b/sysstat.te -@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co +@@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t) + # Local policy + # + +-allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; ++allow sysstat_t self:capability { dac_read_search dac_override sys_admin sys_resource sys_tty_config }; allow sysstat_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) @@ -107249,9 +107841,18 @@ index b42ec1d..91b8f71 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index b26d44a..5ab05dc 100644 +index b26d44a..5a79afd 100644 --- a/tcsd.te +++ b/tcsd.te +@@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t) + # Local policy + # + +-allow tcsd_t self:capability { dac_override setuid }; ++allow tcsd_t self:capability { dac_read_search dac_override setuid }; + allow tcsd_t self:process { signal sigkill }; + allow tcsd_t self:tcp_socket { accept listen }; + @@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) dev_read_urand(tcsd_t) dev_rw_tpm(tcsd_t) @@ -108313,11 +108914,15 @@ index 9afcbc9..7b8ddb4 100644 xserver_rw_xdm_pipes(telepathy_domain) ') diff --git a/telnet.te b/telnet.te -index d7c8633..a91c027 100644 +index d7c8633..0d3d439 100644 --- a/telnet.te 
+++ b/telnet.te -@@ -30,16 +30,19 @@ files_pid_file(telnetd_var_run_t) - allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +@@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t) + # Local policy + # + +-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; ++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override }; allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; -allow telnetd_t self:tcp_socket { accept listen }; @@ -108879,7 +109484,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d010963..e7e55c7 100644 +index d010963..7308fa9 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) @@ -108888,7 +109493,7 @@ index d010963..e7e55c7 100644 -allow tgtd_t self:capability sys_resource; -allow tgtd_t self:capability2 block_suspend; -+allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin }; ++allow tgtd_t self:capability { dac_read_search dac_override ipc_lock sys_resource sys_rawio sys_admin }; +allow tgtd_t self:capability2 { block_suspend wake_alarm }; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; @@ -109021,7 +109626,7 @@ index 0000000..5e3637e +') diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..39d17b7 +index 0000000..e66fc8c --- /dev/null +++ b/thin.te @@ -0,0 +1,115 @@ @@ -109100,7 +109705,7 @@ index 0000000..39d17b7 +# thin local policy +# + -+allow thin_t self:capability { setuid kill setgid dac_override }; ++allow thin_t self:capability { setuid kill setgid dac_read_search dac_override }; +allow thin_t self:capability2 block_suspend; + +allow thin_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -110692,9 +111297,18 @@ index 34973ee..1c9a4c6 100644 userdom_dontaudit_use_unpriv_user_fds(transproxy_t) diff --git a/tripwire.te b/tripwire.te -index 03aa6b7..a9ff883 100644 +index 03aa6b7..53c0c73 100644 --- a/tripwire.te +++ b/tripwire.te +@@ -47,7 +47,7 @@ role twprint_roles types twprint_t; + # Local policy + # + +-allow tripwire_t self:capability { setgid setuid dac_override }; ++allow tripwire_t self:capability { setgid setuid dac_read_search dac_override }; + + allow tripwire_t tripwire_etc_t:dir list_dir_perms; + allow tripwire_t tripwire_etc_t:file read_file_perms; @@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t) logging_send_syslog_msg(tripwire_t) @@ -110754,7 +111368,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..0691d4a 100644 +index 393a330..76390e2 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -110772,9 +111386,10 @@ index 393a330..0691d4a 100644 # -allow tuned_t self:capability { sys_admin sys_nice }; -+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; - dontaudit tuned_t self:capability { dac_override sys_tty_config }; +-dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; ++allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; ++dontaudit tuned_t self:capability { dac_read_search dac_override sys_tty_config }; +allow tuned_t self:process { setsched signal }; allow tuned_t self:fifo_file rw_fifo_file_perms; +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -111403,9 +112018,18 @@ index b68bd49..da0c691 100644 userdom_dontaudit_search_user_home_dirs(uml_switch_t) diff --git a/updfstab.te b/updfstab.te -index 5ceb912..dfec9ac 100644 +index 5ceb912..232e9ac 100644 --- a/updfstab.te 
+++ b/updfstab.te +@@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t) + # Local policy + # + +-allow updfstab_t self:capability dac_override; ++allow updfstab_t self:capability { dac_read_search dac_override }; + dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; + allow updfstab_t self:process signal_perms; + allow updfstab_t self:fifo_file rw_fifo_file_perms; @@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t) logging_search_logs(updfstab_t) logging_send_syslog_msg(updfstab_t) @@ -111663,7 +112287,7 @@ index c416a83..cd83b89 100644 +/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index 98b51fd..2a003a5 100644 +index 98b51fd..c7e44ca 100644 --- a/userhelper.if +++ b/userhelper.if @@ -1,4 +1,4 @@ @@ -111712,7 +112336,7 @@ index 98b51fd..2a003a5 100644 - # Consolehelper local policy + # Local policy # -+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; ++ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search dac_override chown sys_tty_config }; + allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_userhelper_t self:process setexec; + allow $1_userhelper_t self:fd use; @@ -111989,7 +112613,7 @@ index 98b51fd..2a003a5 100644 ## ## Execute the consolehelper program diff --git a/userhelper.te b/userhelper.te -index 42cfce0..1733490 100644 +index 42cfce0..b7e3e25 100644 --- a/userhelper.te +++ b/userhelper.te @@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1) 
@@ -112022,7 +112646,7 @@ index 42cfce0..1733490 100644 -dontaudit consolehelper_type userhelper_conf_t:file audit_access; -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) +allow consolehelper_domain self:shm create_shm_perms; -+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; ++allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice }; +allow consolehelper_domain self:process { signal_perms getsched setsched }; -domain_use_interactive_fds(consolehelper_type) @@ -112208,10 +112832,10 @@ index 7deec55..c542887 100644 ') diff --git a/usernetctl.te b/usernetctl.te -index f973af8..de458c2 100644 +index f973af8..8606439 100644 --- a/usernetctl.te +++ b/usernetctl.te -@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0) +@@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0) # attribute_role usernetctl_roles; @@ -112225,6 +112849,14 @@ index f973af8..de458c2 100644 ######################################## # + # Local policy + # + +-allow usernetctl_t self:capability { setuid setgid dac_override }; ++allow usernetctl_t self:capability { setuid setgid dac_read_search dac_override }; + allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow usernetctl_t self:fd use; + allow usernetctl_t self:fifo_file rw_fifo_file_perms; @@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t) files_read_etc_runtime_files(usernetctl_t) files_list_pids(usernetctl_t) @@ -112414,9 +113046,18 @@ index f8e52fc..b283c25 100644 -miscfiles_read_localization(uuidd_t) diff --git a/uwimap.te b/uwimap.te -index acdc78a..7a18090 100644 +index acdc78a..9e5ee47 100644 --- a/uwimap.te 
+++ b/uwimap.te +@@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t) + # Local policy + # + +-allow imapd_t self:capability { dac_override setgid setuid sys_resource }; ++allow imapd_t self:capability { dac_read_search dac_override setgid setuid sys_resource }; + dontaudit imapd_t self:capability sys_tty_config; + allow imapd_t self:process signal_perms; + allow imapd_t self:fifo_file rw_fifo_file_perms; @@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t) kernel_list_proc(imapd_t) kernel_read_proc_symlinks(imapd_t) @@ -112481,7 +113122,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..1189323 100644 +index 9d4d8cb..e73bd98 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; @@ -112506,7 +113147,7 @@ index 9d4d8cb..1189323 100644 # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner fsetid }; ++allow varnishd_t self:capability { kill dac_read_search dac_override ipc_lock setuid setgid chown fowner fsetid }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; @@ -112531,13 +113172,15 @@ index 9d4d8cb..1189323 100644 tunable_policy(`varnishd_connect_any',` corenet_sendrecv_all_client_packets(varnishd_t) diff --git a/vbetool.te b/vbetool.te -index 2a61f75..b026ab7 100644 +index 2a61f75..fa84e40 100644 --- a/vbetool.te 
+++ b/vbetool.te -@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t; +@@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t; + # Local policy # - allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; +-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; ++allow vbetool_t self:capability { dac_read_search dac_override sys_tty_config sys_admin }; +#allow vbetool_t self:capability2 compromise_kernel; allow vbetool_t self:process execmem; @@ -112712,9 +113355,18 @@ index 22edd58..c3a5364 100644 domain_system_change_exemption($1) role_transition $2 vhostmd_initrc_exec_t system_r; diff --git a/vhostmd.te b/vhostmd.te -index 3d11c6a..b19a117 100644 +index 3d11c6a..c5d8428 100644 --- a/vhostmd.te +++ b/vhostmd.te +@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t) + # Local policy + # + +-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; ++allow vhostmd_t self:capability { dac_read_search dac_override ipc_lock setuid setgid }; + allow vhostmd_t self:process { setsched getsched signal }; + allow vhostmd_t self:fifo_file rw_fifo_file_perms; + @@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t) dev_read_sysfs(vhostmd_t) @@ -112891,7 +113543,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..487857a 100644 +index facdee8..43a3fb0 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ @@ -113744,7 +114396,7 @@ index facdee8..487857a 100644 ## ## ## -@@ -673,54 +565,571 @@ interface(`virt_home_filetrans',` +@@ -673,54 +565,607 @@ interface(`virt_home_filetrans',` ## ## # 
@@ -114322,6 +114974,43 @@ index facdee8..487857a 100644 +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; ++ ') ++ ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send a sigkill to virtual machines ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_kill_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process sigkill; ++') ++ ++######################################## ++## ++## Send a sigkill to virtd daemon. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_kill',` ++ gen_require(` ++ type virtd_t; ') - tunable_policy(`virt_use_samba',` @@ -114329,26 +115018,25 @@ index facdee8..487857a 100644 - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Relabel virt home content. -+## Send a sigkill to virtual machines ++## Send a signal to virtd daemon. ## ## ## -@@ -728,52 +1137,53 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +1173,35 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_kill_svirt',` ++interface(`virt_signal',` gen_require(` - type virt_home_t; -+ attribute virt_domain; ++ type virtd_t; ') - userdom_search_user_home_dirs($1) @@ -114357,7 +115045,7 @@ index facdee8..487857a 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process signal; ') ######################################## 
@@ -114365,7 +115053,7 @@ index facdee8..487857a 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Send a sigkill to virtd daemon. ++## Send null signal to virtd daemon. ## ## ## 
@@ -114378,137 +115066,124 @@ index facdee8..487857a 100644 -## -## -## -+# -+interface(`virt_kill',` -+ gen_require(` -+ type virtd_t; -+ ') -+ -+ allow $1 virtd_t:process sigkill; -+') -+ -+######################################## -+## -+## Send a signal to virtd daemon. -+## -+## - ## +-## -## The name of the object being created. -+## Domain allowed access. - ## - ## +-## +-## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_signal',` ++interface(`virt_signull',` gen_require(` - type virt_home_t; + type virtd_t; ') - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -+ allow $1 virtd_t:process signal; ++ allow $1 virtd_t:process signull; ') ######################################## ## -## Read virt pid files. -+## Send null signal to virtd daemon. ++## Send a signal to virtual machines ## ## ## -@@ -781,19 +1191,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1209,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_signull',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_run_t; -+ type virtd_t; ++ attribute virt_domain; ') - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virtd_t:process signull; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Create, read, write, and delete -## virt pid files. 
-+## Send a signal to virtual machines ++## Send a signal to sandbox domains ## ## ## -@@ -801,18 +1209,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1227,17 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_signal_svirt',` ++interface(`virt_signal_sandbox',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ attribute svirt_sandbox_domain; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virt_domain:process signal; ++ allow $1 svirt_sandbox_domain:process signal; ') ######################################## ## -## Search virt lib directories. -+## Send a signal to sandbox domains ++## Manage virt home files. ## ## ## -@@ -820,18 +1227,17 @@ interface(`virt_manage_pid_files',` +@@ -820,211 +1245,247 @@ interface(`virt_manage_pid_files',` ## ## # -interface(`virt_search_lib',` -+interface(`virt_signal_sandbox',` ++interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; -+ attribute svirt_sandbox_domain; ++ type virt_home_t; ') - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -+ allow $1 svirt_sandbox_domain:process signal; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## -## Read virt lib files. -+## Manage virt home files. ++## allow domain to read ++## virt tmpfs files ## ## ## -@@ -839,192 +1245,247 @@ interface(`virt_search_lib',` +-## Domain allowed access. 
++## Domain allowed access ## ## # -interface(`virt_read_lib_files',` -+interface(`virt_manage_home_files',` ++interface(`virt_read_tmpfs_files',` gen_require(` - type virt_var_lib_t; -+ type virt_home_t; ++ attribute virt_tmpfs_type; ') - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## -## Create, read, write, and delete -## virt lib files. -+## allow domain to read ++## allow domain to manage +## virt tmpfs files ## ## @@ -114519,7 +115194,7 @@ index facdee8..487857a 100644 ## # -interface(`virt_manage_lib_files',` -+interface(`virt_read_tmpfs_files',` ++interface(`virt_manage_tmpfs_files',` gen_require(` - type virt_var_lib_t; + attribute virt_tmpfs_type; @@ -114527,43 +115202,26 @@ index facdee8..487857a 100644 - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## -## Create objects in virt pid -## directories with a private type. -+## allow domain to manage -+## virt tmpfs files ++## Create .virt directory in the user home directory ++## with an correct label. ## ## ## --## Domain allowed access. -+## Domain allowed access + ## Domain allowed access. ## ## -## -+# -+interface(`virt_manage_tmpfs_files',` -+ gen_require(` -+ attribute virt_tmpfs_type; -+ ') -+ -+ allow $1 virt_tmpfs_type:file manage_file_perms; -+') -+ -+######################################## -+## -+## Create .virt directory in the user home directory -+## with an correct label. -+## -+## - ## +-## -## The type of the object to be created. -+## Domain allowed access. - ## - ## +-## +-## -## +# +interface(`virt_filetrans_home_content',` 
@@ -114930,7 +115588,7 @@ index facdee8..487857a 100644 ## ## ## -@@ -1136,50 +1574,129 @@ interface(`virt_manage_images',` +@@ -1136,50 +1574,148 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -115066,9 +115724,7 @@ index facdee8..487857a 100644 + + domtrans_pattern($1,container_file_t, $2) +') - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) ++ +######################################## +## +## Dontaudit read the process state (/proc/pid) of libvirt @@ -115083,15 +115739,36 @@ index facdee8..487857a 100644 + gen_require(` + type virtd_t; + ') - -- dev_list_all_dev_nodes($1) -- allow $1 virt_ptynode:chr_file rw_term_perms; ++ + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++####################################### ++## ++## Send to libvirt with a unix dgram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dgram_send',` ++ gen_require(` ++ type virtd_t, virt_var_run_t; ++ ') + +- dev_list_all_dev_nodes($1) +- allow $1 virt_ptynode:chr_file rw_term_perms; ++ files_search_pids($1) ++ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf5..39524ae 100644 +index f03dcf5..bb06f38 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,414 @@ 
@@ -115756,7 +116433,7 @@ index f03dcf5..39524ae 100644 # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; ++allow virtd_t self:capability { chown dac_read_search dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` @@ -116446,7 +117123,7 @@ index f03dcf5..39524ae 100644 +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + -+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; ++allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -116590,7 +117267,7 @@ index f03dcf5..39524ae 100644 -# Lxc local policy +# virt_lxc local policy # -+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; ++allow virtd_lxc_t self:capability { dac_read_search dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms }; +#allow virtd_lxc_t self:capability2 compromise_kernel; 
@@ -117485,8 +118162,8 @@ index f03dcf5..39524ae 100644 + systemd_dbus_chat_logind(sandbox_net_domain) +') + -+allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; -+allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++allow sandbox_caps_domain self:capability { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++allow sandbox_caps_domain self:cap_userns { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) @@ -117771,7 +118448,7 @@ index 20a1fb2..470ea95 100644 allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; diff --git a/vmware.te b/vmware.te -index 4ad1894..840409e 100644 +index 4ad1894..b589158 100644 --- a/vmware.te +++ b/vmware.te @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` 
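Review bot: The sandbox_caps_domain capability and cap_userns permission lists are maintained as two verbatim copies, and this commit had to edit both; the next change to one of them can silently drift from the other. If the build accepts a class set here (checkpolicy allows `self:{ capability cap_userns }`), a single statement keeps them in lockstep: `allow sandbox_caps_domain self:{ capability cap_userns } { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };`. For these sandbox domains the addition deserves a second look, because dac_read_search is also the permission the kernel consults for open_by_handle_at(2), so unlike a plain path lookup it is not fully shadowed by dac_override. The sandbox_caps_domain block starts outside the hunk.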
@@ -117780,7 +118457,7 @@ index 4ad1894..840409e 100644 -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +allow vmware_host_t self:capability { net_admin sys_module }; -+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; ++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search dac_override }; dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; @@ -117846,6 +118523,15 @@ index 4ad1894..840409e 100644 optional_policy(` samba_read_config(vmware_host_t) +@@ -182,7 +187,7 @@ optional_policy(` + # Guest local policy + # + +-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; ++allow vmware_t self:capability { dac_read_search dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; + dontaudit vmware_t self:capability sys_tty_config; + allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow vmware_t self:process { execmem execstack }; @@ -244,9 +249,7 @@ dev_search_sysfs(vmware_t) domain_use_interactive_fds(vmware_t) @@ -118637,9 +119323,18 @@ index 64baf67..76c753b 100644 -/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) +/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0) diff --git a/webalizer.te b/webalizer.te -index ae919b9..32cbf8c 100644 +index ae919b9..cdd9359 100644 --- a/webalizer.te 
+++ b/webalizer.te +@@ -33,7 +33,7 @@ files_type(webalizer_write_t) + # Local policy + # + +-allow webalizer_t self:capability dac_override; ++allow webalizer_t self:capability { dac_read_search dac_override }; + allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow webalizer_t self:fd use; + allow webalizer_t self:fifo_file rw_fifo_file_perms; @@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) @@ -119605,7 +120300,7 @@ index f93558c..16e29c1 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 6f736a9..0fa964c 100644 +index 6f736a9..c1ba3ba 100644 --- a/xen.te +++ b/xen.te @@ -4,39 +4,31 @@ policy_module(xen, 1.13.0) @@ -119848,7 +120543,7 @@ index 6f736a9..0fa964c 100644 -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { setrlimit signal sigkill }; -dontaudit xend_t self:process ptrace; -+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; ++allow xend_t self:capability { dac_read_search dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; +allow xend_t self:process { signal sigkill }; + +# needed by qemu_dm @@ -120044,7 +120739,13 @@ index 6f736a9..0fa964c 100644 virt_search_images(xend_t) virt_read_config(xend_t) ') -@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit; +@@ -360,18 +376,14 @@ optional_policy(` + # Xen console local policy + # + +-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; ++allow xenconsoled_t self:capability { dac_read_search dac_override fsetid ipc_lock }; + allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; 
@@ -120089,11 +120790,13 @@ index 6f736a9..0fa964c 100644 xen_stream_connect_xenstore(xenconsoled_t) optional_policy(` -@@ -416,24 +422,26 @@ optional_policy(` +@@ -415,25 +421,27 @@ optional_policy(` + # Xen store local policy # - allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; +-allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; -allow xenstored_t self:unix_stream_socket { accept listen }; ++allow xenstored_t self:capability { dac_read_search dac_override ipc_lock sys_resource }; +allow xenstored_t self:unix_stream_socket create_stream_socket_perms; +allow xenstored_t self:unix_dgram_socket create_socket_perms; @@ -120297,9 +121000,18 @@ index 6f736a9..0fa964c 100644 - fs_manage_xenfs_files(xm_ssh_t) -') diff --git a/xfs.te b/xfs.te -index 0928c5d..d270a72 100644 +index 0928c5d..b9bcf88 100644 --- a/xfs.te +++ b/xfs.te +@@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t) + # Local policy + # + +-allow xfs_t self:capability { dac_override setgid setuid }; ++allow xfs_t self:capability { dac_read_search dac_override setgid setuid }; + dontaudit xfs_t self:capability sys_tty_config; + allow xfs_t self:process { signal_perms setpgid }; + allow xfs_t self:unix_stream_socket { accept listen }; @@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) kernel_read_kernel_sysctls(xfs_t) kernel_read_system_state(xfs_t) @@ -120638,9 +121350,18 @@ index 04096a0..98a8205 100644 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/yam.te b/yam.te -index 2695db2..123c042 100644 +index 2695db2..c1ec893 100644 --- a/yam.te 
+++ b/yam.te +@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t) + # Local policy + # + +-allow yam_t self:capability { chown fowner fsetid dac_override }; ++allow yam_t self:capability { chown fowner fsetid dac_read_search dac_override }; + allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; + allow yam_t self:fd use; + allow yam_t self:fifo_file rw_fifo_file_perms; @@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t) logging_send_syslog_msg(yam_t) @@ -121396,7 +122117,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index 3fded1c..91ce270 100644 +index 3fded1c..8bea5e8 100644 --- a/zarafa.te +++ b/zarafa.te @@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0) @@ -121586,6 +122307,8 @@ index 3fded1c..91ce270 100644 # +corenet_tcp_bind_pop_port(zarafa_gateway_t) +-allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; +-allow zarafa_domain self:process { setrlimit signal }; +####################################### +# +# zarafa-ical local policy @@ -121605,8 +122328,7 @@ index 3fded1c..91ce270 100644 +# + +# bad permission on /etc/zarafa - allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; --allow zarafa_domain self:process { setrlimit signal }; ++allow zarafa_domain self:capability { kill dac_read_search dac_override chown setgid setuid }; +allow zarafa_domain self:process { signal_perms }; allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket { accept listen }; @@ -122346,7 +123068,7 @@ index 0000000..fb0519e + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..184e3d5 +index 0000000..c9ad1b3 --- /dev/null +++ b/zoneminder.te @@ -0,0 +1,187 @@ 
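Review bot: In the second zarafa.te hunk the re-added rule `allow zarafa_domain self:capability { kill dac_read_search dac_override chown setgid setuid };` now sits directly under the pre-existing `# bad permission on /etc/zarafa` comment, so that comment becomes the stated justification for a full DAC bypass on every domain carrying the zarafa_domain attribute, presumably including the gateway that binds the POP port in the previous hunk. A capability grant is a workaround for a packaging or labeling defect rather than a fix: if /etc/zarafa were shipped readable by the service account, the DAC bits could go and the rule would shrink to what kill/chown/setgid/setuid require. I would make that explicit so it is not mistaken for a permanent requirement, e.g. `# dac_read_search/dac_override: workaround for unreadable /etc/zarafa (packaging bug) -- drop once file modes are fixed`. The zarafa_domain block starts before this hunk, and the first zarafa hunk only relocates the two inner `-` lines, so the net rule change is the added dac_read_search.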
@@ -122407,7 +123129,7 @@ index 0000000..184e3d5 +# +# zoneminder local policy +# -+allow zoneminder_t self:capability { chown dac_override }; ++allow zoneminder_t self:capability { chown dac_read_search dac_override }; +allow zoneminder_t self:process { signal_perms setpgid }; +allow zoneminder_t self:shm create_shm_perms; +allow zoneminder_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index e369745..c8b07a6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.19%{?dist} +Release: 225.20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -683,6 +683,9 @@ exit 0 %endif %changelog +* Mon Aug 07 2017 Lukas Vrabec - 3.13.1-225.20 +- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy + * Fri Jun 23 2017 Lukas Vrabec - 3.13.1-225.19 - Allow boinc_t nsswitch - Dontaudit firewalld to write to lib_t dirs
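Review bot: zoneminder.te is added as a new file by the contrib patch (`new file mode 100644` in the preceding hunk), and its rule becomes `allow zoneminder_t self:capability { chown dac_read_search dac_override };` with no comment on why a camera daemon needs to bypass DAC at all; for a module written from scratch this is the place to justify it. If the need is only to read or traverse root-owned directories (not visible here), then after the kernel's reordering of the checks `dac_read_search` alone suffices and dac_override should be dropped; if it writes into DAC-protected paths, record which, e.g. `# dac_override: writes to root-owned event/log dirs (verify path)`. The zoneminder_t local-policy block continues past the end of this hunk.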