From a4a46743eb9f12e41ccfddbb4a650d3f84ccbfba Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 29 2014 09:45:04 +0000
Subject: - Allow domains to append rkhunter lib files - Allow snapperd to getattr on all fs - Allow xdm to create /var/gdm with correct labeling - Add label for snapper.log - Allow fail2ban-client to read apache log files - Allow thumb_t to execute dbus-daemon in thumb_t
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 69cca27..504052b 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -8888,7 +8888,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c58f23f 100644
+index cf04cb5..4b49713 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -9026,7 +9026,7 @@ index cf04cb5..c58f23f 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,322 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +232,326 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9329,6 +9329,10 @@ index cf04cb5..c58f23f 100644
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+
+optional_policy(`
++ rkhunter_append_lib_files(domain)
++')
++
++optional_policy(`
+ rpm_rw_script_inherited_pipes(domain)
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
@@ -9600,7 +9604,7 @@ index c2c6e05..2282452 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..49a7b11 100644
+index 64ff4d7..8eb459b 100644
--- a/policy/modules/kernel/files.if
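Review bot: `rkhunter_append_lib_files(domain)` in the new optional_policy block grants append on rkhunter's lib files to every type carrying the `domain` attribute, i.e. to essentially every process on the system, which is far broader than a fix for whichever single domain was being denied. If those files include the baseline rkhunter later compares the system against, letting any confined domain append to them undercuts what the tool is meant to detect, so the grant should be scoped to the specific requesting domain, or at least carry a comment stating why a system-wide rule is required, e.g. `# every domain appends to rkhunter lib files via <mechanism — TODO name it>; a scoped rule was not practical`. The surrounding domain.te block continues past this hunk.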
+++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10647,10 +10651,29 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -3132,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3686,44 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## ++## Getattr all file opbjects on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_isid_type',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir_file_class_set getattr; ++') ++ ++######################################## ++## +## Setattr of directories on new filesystems +## that have not yet been labeled. +## @@ -10673,7 +10696,7 @@ index 64ff4d7..49a7b11 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3205,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,6 +3797,62 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') @@ -10736,7 +10759,7 @@ index 64ff4d7..49a7b11 100644 ######################################## ## -@@ -3246,6 +3875,25 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3246,6 +3894,25 @@ interface(`files_mounton_isid_type_dirs',` ######################################## ## @@ -10762,7 +10785,7 @@ index 64ff4d7..49a7b11 100644 ## Read files on new filesystems ## that have not yet been labeled. ## -@@ -3455,6 +4103,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +4122,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -10788,7 +10811,7 @@ index 64ff4d7..49a7b11 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4463,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4482,38 @@ interface(`files_list_mnt',` ###################################### ## 
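Review bot: The new `files_getattr_isid_type` requires and grants on `unlabeled_t`, but its summary ("on new filesystems that have not yet been labeled") and the `_isid_type_` siblings visible in this hunk (e.g. `delete_dirs_pattern($1, file_t, file_t)` in `files_delete_isid_type_dirs`) all refer to `file_t`; those are distinct types in refpolicy, so either the body should read `type file_t;` / `allow $1 file_t:dir_file_class_set getattr;`, or the name and summary should say unlabeled objects. Whichever is intended, the difference deserves a comment, because a caller choosing this interface by name will expect file_t semantics. The summary line also has a typo: `opbjects` should be `objects`.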
@@ -10832,7 +10855,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -4199,6 +4884,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4903,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11005,7 +11028,7 @@ index 64ff4d7..49a7b11 100644 ######################################## ## ## Allow the specified type to associate -@@ -4221,6 +5072,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +5091,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -11032,7 +11055,7 @@ index 64ff4d7..49a7b11 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -11071,7 +11094,7 @@ index 64ff4d7..49a7b11 100644 ## ## # -@@ -4271,6 +5162,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +5181,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -11079,7 +11102,7 @@ index 64ff4d7..49a7b11 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +5199,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5218,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -11087,7 +11110,7 @@ index 64ff4d7..49a7b11 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +5209,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5228,7 @@ interface(`files_list_tmp',` ## ## ## @@ -11096,10 +11119,11 @@ index 64ff4d7..49a7b11 100644 ## ## # -@@ -4328,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,7 +5240,26 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') +-######################################## +####################################### +## +## Allow read and write to the tmp directory (/tmp). 
@@ -11119,10 +11143,11 @@ index 64ff4d7..49a7b11 100644 + allow $1 tmp_t:dir rw_dir_perms; +') + - ######################################## ++######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',` + ## +@@ -4343,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -11130,11 +11155,10 @@ index 64ff4d7..49a7b11 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,7 +5297,33 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +5316,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## --## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. +## +## @@ -11161,11 +11185,10 @@ index 64ff4d7..49a7b11 100644 + +######################################## +## -+## Manage temporary files and directories in /tmp. + ## Manage temporary files and directories in /tmp. ## ## - ## -@@ -4438,6 +5377,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -11208,7 +11231,7 @@ index 64ff4d7..49a7b11 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4456,6 +5431,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4456,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -11269,7 +11292,7 @@ index 64ff4d7..49a7b11 100644 ## List all tmp directories. ## ## -@@ -4501,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4501,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -11278,7 +11301,7 @@ index 64ff4d7..49a7b11 100644 ## ## # -@@ -4561,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## 
@@ -11287,7 +11310,7 @@ index 64ff4d7..49a7b11 100644 ## ## # -@@ -4593,6 +5622,44 @@ interface(`files_read_all_tmp_files',` +@@ -4593,6 +5641,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11332,7 +11355,7 @@ index 64ff4d7..49a7b11 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4646,6 +5713,16 @@ interface(`files_purge_tmp',` +@@ -4646,6 +5732,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11349,7 +11372,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -5223,6 +6300,24 @@ interface(`files_list_var',` +@@ -5223,6 +6319,24 @@ interface(`files_list_var',` ######################################## ## @@ -11374,7 +11397,7 @@ index 64ff4d7..49a7b11 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5507,6 +6602,23 @@ interface(`files_rw_var_lib_dirs',` +@@ -5507,6 +6621,23 @@ interface(`files_rw_var_lib_dirs',` rw_dirs_pattern($1, var_lib_t, var_lib_t) ') @@ -11398,7 +11421,7 @@ index 64ff4d7..49a7b11 100644 ######################################## ## ## Create objects in the /var/lib directory -@@ -5578,6 +6690,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6709,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11424,7 +11447,7 @@ index 64ff4d7..49a7b11 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6754,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6773,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -11433,7 +11456,7 @@ index 64ff4d7..49a7b11 100644 ## ## ## -@@ -5631,12 +6762,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6781,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11449,7 +11472,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -5654,6 +6786,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6805,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11457,7 +11480,7 @@ index 64ff4d7..49a7b11 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6813,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6832,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11485,7 +11508,7 @@ index 64ff4d7..49a7b11 100644 ## ## ## -@@ -5688,13 +6840,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6859,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11502,7 +11525,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -5713,7 +6864,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6883,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11511,7 +11534,7 @@ index 64ff4d7..49a7b11 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6897,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6916,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11519,7 +11542,7 @@ index 64ff4d7..49a7b11 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5761,7 +6911,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +6930,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11528,7 +11551,7 @@ index 64ff4d7..49a7b11 100644 ## ## ## -@@ -5769,13 +6919,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +6938,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -11563,7 +11586,7 @@ index 64ff4d7..49a7b11 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6961,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6980,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11581,7 +11604,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -5816,9 +6985,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +7004,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11592,7 +11615,7 @@ index 64ff4d7..49a7b11 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +7027,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +7046,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11602,7 +11625,7 @@ index 64ff4d7..49a7b11 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +7049,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +7068,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11612,7 +11635,7 @@ index 64ff4d7..49a7b11 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +7086,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +7105,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11622,7 +11645,7 @@ index 64ff4d7..49a7b11 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +7125,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +7144,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11631,7 +11654,7 @@ index 64ff4d7..49a7b11 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +7145,48 @@ interface(`files_search_pids',` +@@ -5981,10 +7164,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11680,77 +11703,51 @@ index 64ff4d7..49a7b11 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,27 +7209,27 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +7228,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## --## List the contents of the runtime process --## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_pids',` ++## ++## ++# +interface(`files_dontaudit_search_all_pids',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6021,7 +7261,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -+ dontaudit $1 pidfile:dir search_dir_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) ') - ######################################## - ## --## Read generic process ID files. -+## List the contents of the runtime process -+## ID directories (/var/run). - ## - ## - ## -@@ -6035,12 +7237,31 @@ interface(`files_list_pids',` - ## - ## - # --interface(`files_read_generic_pids',` -+interface(`files_list_pids',` - gen_require(` +@@ -6040,7 +7280,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7281,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7300,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11759,7 +11756,7 @@ index 64ff4d7..49a7b11 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7343,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7362,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11767,7 +11764,7 @@ index 64ff4d7..49a7b11 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6151,6 +7371,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7390,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11792,7 +11789,7 @@ index 64ff4d7..49a7b11 100644 ## Read and write generic process ID files. ## ## -@@ -6164,7 +7402,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7421,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -11801,7 +11798,7 @@ index 64ff4d7..49a7b11 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,6 +7469,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,6 +7488,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11918,7 +11915,7 @@ index 64ff4d7..49a7b11 100644 ## Read all process ID files. ## ## -@@ -6243,12 +7591,86 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6243,12 +7610,86 @@ interface(`files_dontaudit_ioctl_all_pids',` interface(`files_read_all_pids',` gen_require(` attribute pidfile; 
@@ -12007,7 +12004,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -6268,8 +7690,8 @@ interface(`files_delete_all_pids',` +@@ -6268,8 +7709,8 @@ interface(`files_delete_all_pids',` type var_t, var_run_t; ') @@ -12017,7 +12014,7 @@ index 64ff4d7..49a7b11 100644 allow $1 var_run_t:dir rmdir; allow $1 var_run_t:lnk_file delete_lnk_file_perms; delete_files_pattern($1, pidfile, pidfile) -@@ -6293,36 +7715,80 @@ interface(`files_delete_all_pid_dirs',` +@@ -6293,36 +7734,80 @@ interface(`files_delete_all_pid_dirs',` type var_t, var_run_t; ') @@ -12109,7 +12106,7 @@ index 64ff4d7..49a7b11 100644 ## ## ## -@@ -6330,12 +7796,33 @@ interface(`files_manage_all_pids',` +@@ -6330,12 +7815,33 @@ interface(`files_manage_all_pids',` ## ## # @@ -12146,7 +12143,7 @@ index 64ff4d7..49a7b11 100644 ') ######################################## -@@ -6562,3 +8049,514 @@ interface(`files_unconfined',` +@@ -6562,3 +8068,514 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -23337,7 +23334,7 @@ index 6bf0ecc..115c533 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..adbe339 100644 +index 2696452..38c1435 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -23809,7 +23806,7 @@ index 2696452..adbe339 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -23824,6 +23821,7 @@ index 2696452..adbe339 100644 +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) ++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm") kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) @@ -23841,7 +23839,7 @@ index 2696452..adbe339 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23895,7 +23893,7 @@ index 2696452..adbe339 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +610,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +611,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23924,7 +23922,7 @@ index 2696452..adbe339 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23973,7 +23971,7 @@ index 2696452..adbe339 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
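Review bot: `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")` makes an xdm_t-created `/var/gdm` come out as xserver_log_t, but nothing in this hunk shows the matching file-context entry, and without a `/var/gdm(/.*)?` entry of the same type a relabel would move the directory to whatever the fc file says and disagree with the transition. If the entry already exists in xserver.fc, a short comment citing it here, `# /var/gdm is xserver_log_t in xserver.fc; keeps a dir created at runtime consistent`, would make the pairing explicit. The xdm_t rules continue before and after this hunk.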
@@ -24124,7 +24122,7 @@ index 2696452..adbe339 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -24151,7 +24149,7 @@ index 2696452..adbe339 100644 ') optional_policy(` -@@ -514,12 +865,57 @@ optional_policy(` +@@ -514,12 +866,57 @@ optional_policy(` ') optional_policy(` @@ -24209,7 +24207,7 @@ index 2696452..adbe339 100644 hostname_exec(xdm_t) ') -@@ -537,28 +933,78 @@ optional_policy(` +@@ -537,28 +934,78 @@ optional_policy(` ') optional_policy(` @@ -24297,7 +24295,7 @@ index 2696452..adbe339 100644 ') optional_policy(` -@@ -570,6 +1016,14 @@ optional_policy(` +@@ -570,6 +1017,14 @@ optional_policy(` ') optional_policy(` @@ -24312,7 +24310,7 @@ index 2696452..adbe339 100644 xfs_stream_connect(xdm_t) ') -@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -584,7 +1039,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -24321,7 +24319,7 @@ index 2696452..adbe339 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -24334,7 +24332,7 @@ index 2696452..adbe339 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24350,7 +24348,7 @@ index 2696452..adbe339 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -24361,7 +24359,7 @@ index 2696452..adbe339 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -24383,7 +24381,7 @@ index 2696452..adbe339 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -24397,7 +24395,7 @@ index 2696452..adbe339 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -24429,7 +24427,7 @@ index 2696452..adbe339 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24447,7 +24445,7 @@ index 2696452..adbe339 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1198,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -24471,7 +24469,7 @@ index 2696452..adbe339 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -24480,7 +24478,7 @@ index 2696452..adbe339 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1260,44 @@ optional_policy(` +@@ -775,16 +1261,44 @@ optional_policy(` ') optional_policy(` 
@@ -24526,7 +24524,7 @@ index 2696452..adbe339 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1306,10 @@ optional_policy(` +@@ -793,6 +1307,10 @@ optional_policy(` ') optional_policy(` @@ -24537,7 +24535,7 @@ index 2696452..adbe339 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24551,7 +24549,7 @@ index 2696452..adbe339 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -24560,7 +24558,7 @@ index 2696452..adbe339 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1350,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24595,7 +24593,7 @@ index 2696452..adbe339 100644 ') optional_policy(` -@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -24604,7 +24602,7 @@ index 2696452..adbe339 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -24636,7 +24634,7 @@ index 2696452..adbe339 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -28408,7 +28406,7 @@ index 24e7804..45d0b37 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..fb85065 100644 +index dd3be8d..3f4f878 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28933,7 +28931,7 @@ index dd3be8d..fb85065 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +585,37 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28954,7 +28952,6 @@ index dd3be8d..fb85065 100644 +files_exec_etc_files(initrc_t) +files_manage_etc_symlinks(initrc_t) +files_manage_system_conf_files(initrc_t) -+files_filetrans_named_content(initrc_t) + +fs_manage_tmpfs_dirs(initrc_t) +fs_manage_tmpfs_symlinks(initrc_t) 
@@ -28977,7 +28974,7 @@ index dd3be8d..fb85065 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +623,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28989,7 +28986,7 @@ index dd3be8d..fb85065 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +635,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +634,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -29000,7 +28997,7 @@ index dd3be8d..fb85065 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +646,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +645,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29010,7 +29007,7 @@ index dd3be8d..fb85065 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +655,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +654,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29018,7 +29015,7 @@ index dd3be8d..fb85065 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +662,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -29026,7 +29023,7 @@ index dd3be8d..fb85065 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +670,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +669,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29044,7 +29041,7 @@ index dd3be8d..fb85065 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +688,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +687,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -29058,7 +29055,7 @@ index dd3be8d..fb85065 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +703,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +702,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29072,7 +29069,7 @@ index dd3be8d..fb85065 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +716,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +715,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29080,7 +29077,7 @@ index dd3be8d..fb85065 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +728,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +727,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29088,7 +29085,7 @@ index dd3be8d..fb85065 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +747,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +746,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) 
@@ -29112,7 +29109,7 @@ index dd3be8d..fb85065 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +780,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +779,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29120,7 +29117,7 @@ index dd3be8d..fb85065 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +814,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +813,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -29131,7 +29128,7 @@ index dd3be8d..fb85065 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +838,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +837,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -29140,7 +29137,7 @@ index dd3be8d..fb85065 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +853,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +852,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29148,7 +29145,7 @@ index dd3be8d..fb85065 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +874,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +873,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29156,7 +29153,7 @@ index dd3be8d..fb85065 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +884,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +883,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29201,7 +29198,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -558,14 +929,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +928,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -29233,7 +29230,7 @@ index dd3be8d..fb85065 100644 ') ') -@@ -576,6 +964,39 @@ ifdef(`distro_suse',` +@@ -576,6 +963,39 @@ ifdef(`distro_suse',` ') ') @@ -29273,7 +29270,7 @@ index dd3be8d..fb85065 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1009,8 @@ optional_policy(` +@@ -588,6 +1008,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29282,7 +29279,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -609,6 +1032,7 @@ optional_policy(` +@@ -609,6 +1031,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29290,7 +29287,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -625,6 +1049,17 @@ optional_policy(` +@@ -625,6 +1048,17 @@ optional_policy(` ') optional_policy(` @@ -29308,7 +29305,7 @@ index dd3be8d..fb85065 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1076,13 @@ optional_policy(` +@@ -641,9 +1075,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29322,7 +29319,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -656,15 +1095,11 @@ optional_policy(` +@@ -656,15 +1094,11 @@ optional_policy(` ') optional_policy(` @@ -29340,7 +29337,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -685,6 +1120,15 @@ optional_policy(` +@@ -685,6 +1119,15 @@ optional_policy(` ') optional_policy(` @@ -29356,7 +29353,7 @@ index dd3be8d..fb85065 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1169,7 @@ optional_policy(` +@@ -725,6 +1168,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29364,7 +29361,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -742,7 +1187,13 @@ optional_policy(` +@@ -742,7 +1186,13 @@ optional_policy(` ') optional_policy(` 
@@ -29379,7 +29376,7 @@ index dd3be8d..fb85065 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1216,10 @@ optional_policy(` +@@ -765,6 +1215,10 @@ optional_policy(` ') optional_policy(` @@ -29390,7 +29387,7 @@ index dd3be8d..fb85065 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1229,20 @@ optional_policy(` +@@ -774,10 +1228,20 @@ optional_policy(` ') optional_policy(` @@ -29411,7 +29408,7 @@ index dd3be8d..fb85065 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1251,10 @@ optional_policy(` +@@ -786,6 +1250,10 @@ optional_policy(` ') optional_policy(` @@ -29422,7 +29419,7 @@ index dd3be8d..fb85065 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1276,6 @@ optional_policy(` +@@ -807,8 +1275,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29431,7 +29428,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -817,6 +1284,10 @@ optional_policy(` +@@ -817,6 +1283,10 @@ optional_policy(` ') optional_policy(` @@ -29442,7 +29439,7 @@ index dd3be8d..fb85065 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1297,12 @@ optional_policy(` +@@ -826,10 +1296,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29455,7 +29452,7 @@ index dd3be8d..fb85065 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1329,35 @@ optional_policy(` +@@ -856,12 +1328,35 @@ optional_policy(` ') optional_policy(` @@ -29492,7 +29489,7 @@ index dd3be8d..fb85065 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1367,18 @@ optional_policy(` +@@ -871,6 +1366,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29511,7 +29508,7 @@ index dd3be8d..fb85065 100644 ') optional_policy(` -@@ -886,6 +1394,10 @@ optional_policy(` +@@ -886,6 +1393,10 @@ optional_policy(` ') optional_policy(` 
@@ -29522,7 +29519,7 @@ index dd3be8d..fb85065 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1408,218 @@ optional_policy(` +@@ -896,3 +1407,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -30820,7 +30817,7 @@ index 73bb3c0..5b9420f 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..9d8f729 100644 +index 808ba93..57a68da 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -30956,7 +30953,7 @@ index 808ba93..9d8f729 100644 ') ######################################## -@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -30973,10 +30970,12 @@ index 808ba93..9d8f729 100644 +# +interface(`libs_filetrans_named_content',` + gen_require(` ++ type lib_t; + type ld_so_cache_t; + type ldconfig_cache_t; + ') + ++ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug") + files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") @@ -38253,7 +38252,7 @@ index 0000000..1d9bdfd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0ad142f +index 0000000..ca12f04 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,657 @@ 
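Review bot: In the `libs_filetrans_named_content` hunk (`@@ -30956`), the newly required `type lib_t;` is not referenced by any statement visible in the hunk, so it reads as a stray `gen_require` entry unless a later line of the interface uses it; the interface body continues outside the hunk. The added `files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` also drops the space after `$1,` that the sibling `files_var_filetrans`/`files_etc_filetrans` calls keep; `files_var_lib_filetrans($1, ldconfig_cache_t, dir, "debug")` matches them. Neither the commit description nor the changelog says which program creates `/var/lib/debug` as an ldconfig cache, so a one-line why-comment above that call would help the next maintainer, e.g. `# /var/lib/debug is created by the ldconfig caller as cache — TODO confirm which one`.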
@@ -38518,7 +38517,7 @@ index 0000000..0ad142f +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; ++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 8e61db7..6fa48c8 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -19128,7 +19128,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..e6ecc4d 100644 +index afcf3a2..49bb04b 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -19137,16 +19137,33 @@ index afcf3a2..e6ecc4d 100644 ######################################## ## -@@ -19,7 +19,7 @@ interface(`dbus_stub',` +@@ -19,7 +19,24 @@ interface(`dbus_stub',` ######################################## ## -## Role access for dbus. ++## Execute dbus-daemon in the caller domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`dbus_exec_dbusd',` ++ gen_require(` ++ type dbusd_exec_t; ++ ') ++ can_exec($1, dbusd_exec_t) ++') ++ ++######################################## ++## +## Role access for dbus ## ## ## -@@ -41,59 +41,68 @@ interface(`dbus_stub',` +@@ -41,59 +58,68 @@ interface(`dbus_stub',` template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; @@ -19236,7 +19253,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -103,65 +112,29 @@ template(`dbus_role_template',` +@@ -103,65 +129,29 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -19311,7 +19328,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',` +@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',` ## ## # 
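Review bot: The `self:capability` set for `systemd_tmpfiles_t` in the `@@ -38518` hunk gains `net_admin`, and nothing in the commit description or the changelog entries added in this commit mentions it, so the reason for the grant is lost. `net_admin` is a broad capability for a file-creation helper; if it comes from a probe that tmpfiles survives without, `dontaudit systemd_tmpfiles_t self:capability net_admin;` is the narrower form, and otherwise the line deserves a why-comment such as `# net_admin: needed for <operation seen in the AVC — TODO confirm>`. The enclosing systemd_tmpfiles_t local policy continues outside the hunk.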
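Review bot: The new `dbus_exec_dbusd` interface in the `@@ -19137` hunk has no blank line between the closing `')` of `gen_require` and `can_exec($1, dbusd_exec_t)`, which departs from the usual refpolicy interface layout. Its summary could also make the security-relevant property explicit, since the caller keeps its own domain while running dbus-daemon: `## Execute dbus-daemon in the caller domain (no domain transition).` The `## Domain allowed access` parameter text lacks the trailing period the other parameter blocks use.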
@@ -19338,7 +19355,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',` +@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',` ## # interface(`dbus_session_bus_client',` @@ -19418,7 +19435,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',` +@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',` ## # interface(`dbus_send_session_bus',` @@ -19480,21 +19497,23 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',` +@@ -380,69 +281,32 @@ interface(`dbus_manage_lib_files',` ######################################## ## -## Allow a application domain to be -## started by the specified session bus. --## ++## Connect to the system DBUS ++## for service (acquire_svc). + ## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## --## --## + ## + ## -## Type to be used as a domain. -## -## @@ -19514,11 +19533,9 @@ index afcf3a2..e6ecc4d 100644 -## -## Allow a application domain to be -## started by the specified session bus. -+## Connect to the system DBUS -+## for service (acquire_svc). - ## - ## - ## +-## +-## +-## -## Type to be used as a domain. -## -## @@ -19561,7 +19578,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',` +@@ -457,20 +321,21 @@ interface(`dbus_all_session_domain',` ## ## # @@ -19587,7 +19604,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',` +@@ -489,7 +354,7 @@ interface(`dbus_connect_system_bus',` ######################################## ## @@ -19596,7 +19613,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',` +@@ -508,7 +373,7 @@ interface(`dbus_send_system_bus',` ######################################## ## 
@@ -19605,7 +19622,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',` +@@ -527,8 +392,8 @@ interface(`dbus_system_bus_unconfined',` ######################################## ## @@ -19616,7 +19633,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',` +@@ -543,33 +408,24 @@ interface(`dbus_system_bus_unconfined',` # interface(`dbus_system_domain',` gen_require(` @@ -19654,7 +19671,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -587,26 +443,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -19687,7 +19704,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -614,10 +469,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -25087,7 +25104,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..95bb886 100644 +index 0872e50..cdea6d0 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -25164,7 +25181,7 @@ index 0872e50..95bb886 100644 shorewall_domtrans(fail2ban_t) ') -@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -25194,6 +25211,10 @@ index 0872e50..95bb886 100644 - userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) ++ ++optional_policy(` ++ apache_read_log(fail2ban_client_t) ++') diff --git a/fcoe.te b/fcoe.te index 79b9273..6bf3534 100644 --- a/fcoe.te @@ -81047,10 +81068,10 @@ index 9927d29..6746952 100644 +userdom_getattr_user_terminals(rwho_t) + 
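Review bot: `apache_read_log(fail2ban_client_t)` in the `@@ -25194` hunk gives the user-invoked client domain read access to Apache logs, which is the kind of access one would expect in the server domain that scans logs; the client presumably needs it only when a filter is tested against a local log file, which the commit does not say. If the access originates from a probe, a dontaudit is the narrower form; if it is needed, keep the intent with the rule: `# fail2ban-client reads apache logs when testing filters locally — TODO confirm against the AVC`. The new block is appended after `userdom_use_user_terminals(fail2ban_client_t)`, so it sits after the userdom calls rather than with any other optional_policy blocks for the client domain; whether such blocks exist is outside this hunk.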
diff --git a/samba.fc b/samba.fc -index b8b66ff..2ccac49 100644 +index b8b66ff..d1fa967 100644 --- a/samba.fc +++ b/samba.fc -@@ -1,42 +1,54 @@ +@@ -1,42 +1,55 @@ -/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) + @@ -81076,6 +81097,7 @@ index b8b66ff..2ccac49 100644 +# +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) ++/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) @@ -81131,7 +81153,7 @@ index b8b66ff..2ccac49 100644 /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -@@ -45,7 +57,11 @@ +@@ -45,7 +58,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) @@ -87938,11 +87960,13 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..3f412d5 +index 0000000..48c0623 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1 @@ +@@ -0,0 +1,3 @@ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) ++ ++/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 index 0000000..94105ee @@ -94023,10 +94047,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ed78f6f +index 0000000..81e8be9 --- /dev/null 
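Review bot: The new label `/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)` in the `@@ -87938` hunk relies on `snapperd_log_t` being declared as a log file type in snapper.te (`type snapperd_log_t;` plus `logging_log_file(snapperd_log_t)`), and no hunk in this diff shows that declaration; an `.fc` entry naming an undeclared type fails at module build time. The changelog entry "Add label for snapper.log" suggests the declaration belongs to the "Update snapper policy" change, so it is worth confirming it is already in the contrib patch. The trailing `.*` matches any suffix after `snapper.log`, which is the usual refpolicy form for rotated logs.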
+++ b/thumb.te -@@ -0,0 +1,154 @@ +@@ -0,0 +1,155 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -94146,6 +94170,7 @@ index 0000000..ed78f6f +') + +optional_policy(` ++ dbus_exec_dbusd(thumb_t) + dbus_dontaudit_stream_connect_session_bus(thumb_t) + dbus_dontaudit_chat_session_bus(thumb_t) +') @@ -100833,10 +100858,10 @@ index 0000000..044be2f +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..b4d2dac +index 0000000..1398ead --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,44 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -100876,6 +100901,8 @@ index 0000000..b4d2dac +dev_read_urand(vmtools_t) +dev_getattr_all_blk_files(vmtools_t) + ++fs_getattr_all_fs(vmtools_t) ++ +auth_use_nsswitch(vmtools_t) + +logging_send_syslog_msg(vmtools_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6246a43..13d6c68 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -581,6 +581,12 @@ SELinux Reference policy mls base module. %changelog * Tue Jan 28 2014 Miroslav Grepl 3.12.1-122 - Update snapper policy +- Allow domains to append rkhunter lib files +- Allow snapperd to getattr on all fs +- Allow xdm to create /var/gdm with correct labeling +- Add label for snapper.log +- Allow fail2ban-client to read apache log files +- Allow thumb_t to execute dbus-daemon in thumb_t * Mon Jan 27 2014 Miroslav Grepl 3.12.1-121 - Allow gdm to create /var/gdm with correct labeling
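Review bot: `dbus_exec_dbusd(thumb_t)` in the `@@ -94146` hunk lets a thumbnailer run dbus-daemon inside `thumb_t` with no transition, while the two lines that follow only dontaudit `thumb_t`'s connection to the session bus; read together, the launched daemon is confined exactly like the thumbnailer and thumb_t is still denied the user's session bus, which looks like a private-bus setup rather than session-bus access, but that is inferred and worth confirming. A why-comment would stop a later reader from "fixing" it into a domain transition: `# thumbnailers spawn their own dbus-daemon; it stays in thumb_t, no transition — TODO confirm`. The enclosing optional_policy block is fully within the hunk.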
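Review bot: `fs_getattr_all_fs(vmtools_t)` in the `@@ -100876` hunk is not listed in the commit description or in the changelog entries added to `selinux-policy.spec` in the same commit, so the change is undocumented; the entry "Allow snapperd to getattr on all fs" names snapperd, not vmtools, and no snapperd hunk containing this call is visible here. Either add a matching entry (`- Allow vmtools to getattr on all fs`) or, if the snapperd line was meant to describe this hunk, correct it. The enclosing vmtools_t local policy continues outside the hunk.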