From c589d467ba296f9c35d46dadb18a4d4b40340bb7 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 04 2014 08:27:17 +0000 Subject: * Thu Sep 04 2014 Lukas Vrabec 3.12.1-183 - Allow init to read all config files - Add new interface to allow creation of file with lib_t type - Add init_dontaudit_read_state() interface. - Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource (#1136128) - Allow docker to read all of /proc - Label /usr/sbin/unbound-control as named_exec_t (#1130510) - Dontaudit read init state for svirt_t. - Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687) - ALlow passeneger to read/write apache stream socket. - Allow geoclue to stream connect to smart card service - Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide - Allow jockey_t to use tmpfs files - Allow pppd to create sock_files in /var/run - Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface. - Allow usbmuxd connect to itself by stream socket. (#1135945) - Allow nswrapper_32_64.nppdf.so to be created with the proper label - Allow avahi_t communicate with pcp_pmproxy_t over dbus. - Allwo pki_tomcat to create link files in /var/lib/pki-ca. --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index a03f04d..dd7ff70 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -9757,7 +9757,7 @@ index c2c6e05..7996499 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..ac39d88 100644 +index 64ff4d7..989ca8b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
@@ -13511,7 +13511,7 @@ index 64ff4d7..ac39d88 100644 ## ## ## -@@ -6035,19 +6814,1112 @@ interface(`files_list_pids',` +@@ -6035,19 +6814,1150 @@ interface(`files_list_pids',` ## ## # @@ -14610,32 +14610,70 @@ index 64ff4d7..ac39d88 100644 +## +# +interface(`files_relabel_all_spool_dirs',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute spoolfile; + type var_t; ++ ') ++ ++ relabel_dirs_pattern($1, spoolfile, spoolfile) ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_spool',` + gen_require(` +- type var_t, var_run_t; ++ type var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) -+ relabel_dirs_pattern($1, spoolfile, spoolfile) ++ dontaudit $1 var_spool_t:dir search_dir_perms; ') ######################################## ## -## Write named generic process ID pipes -+## Search the contents of generic spool -+## directories (/var/spool). ++## List the contents of generic spool ++## (/var/spool) directories. ## ## ## -@@ -6055,58 +7927,130 @@ interface(`files_read_generic_pids',` +@@ -6055,43 +7965,189 @@ interface(`files_read_generic_pids',` ## ## # -interface(`files_write_generic_pid_pipes',` -+interface(`files_search_spool',` ++interface(`files_list_spool',` gen_require(` - type var_run_t; + type var_t, var_spool_t; 
@@ -14643,87 +14681,20 @@ index 64ff4d7..ac39d88 100644 - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; -+ search_dirs_pattern($1, var_t, var_spool_t) ++ list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## -## Create an object in the process ID directory, with a private type. -+## Do not audit attempts to search generic -+## spool directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. - ## --## --##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
  • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

--## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) --##

--##
- ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## +## Create, read, write, and delete generic +## spool directories (/var/spool). +## +## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`files_manage_generic_spool_dirs',` + gen_require(` @@ -14739,8 +14710,7 @@ index 64ff4d7..ac39d88 100644 +## Read generic spool files. +## +## - ## --## The object class of the object being created. ++## +## Domain allowed access. +## +## @@ -14793,19 +14763,14 @@ index 64ff4d7..ac39d88 100644 +## +## Object class(es) (single or set including {}) for which this +## the transition will occur. - ## - ## - ## -@@ -6114,44 +8058,165 @@ interface(`files_write_generic_pid_pipes',` - ## The name of the object being created. - ## - ## --## - # --interface(`files_pid_filetrans',` -- gen_require(` -- type var_t, var_run_t; -- ') ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; @@ -14891,17 +14856,40 @@ index 64ff4d7..ac39d88 100644 +######################################## +## +## Create a core files in / -+## -+## -+##

+ ## + ## + ##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-##
    +-##
  • files_pid_file()
  • +-##
+-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

+-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +## Create a core file in /, -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## + ##

+ ## + ## +@@ -6099,14 +8155,82 @@ interface(`files_write_generic_pid_pipes',` + ## Domain allowed access. + ## + ## +-## +## +# +interface(`files_manage_root_files',` 
@@ -14932,173 +14920,208 @@ index 64ff4d7..ac39d88 100644 + gen_require(` + type default_t; + ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ + allow $1 default_t:dir create; - ') - - ######################################## - ## --## Create a generic lock directory within the run directories ++') ++ ++######################################## ++## +## Create, default_t objects with an automatic +## type transition. - ## - ## --## --## Domain allowed access ++## ++## +## +## Domain allowed access. ++## ++## ++## ++## ++## The class of the object being created. ++## ++## ++# ++interface(`files_root_filetrans_default',` ++ gen_require(` ++ type root_t, default_t; ++ ') ++ ++ filetrans_pattern($1, root_t, default_t, $2) ++') ++ ++######################################## ++## ++## Create, lib_t objects with an automatic ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## + ## +-## The type of the object to be created. ++## Type of the directory to be transitioned from ## ## --## -+## + ## ## --## The name of the object being created. +-## The object class of the object being created. +## The class of the object being created. ## ## + ## +@@ -6114,65 +8238,56 @@ interface(`files_write_generic_pid_pipes',` + ## The name of the object being created. 
+ ## + ## +-## # --interface(`files_pid_filetrans_lock_dir',` +-interface(`files_pid_filetrans',` - gen_require(` -- type var_lock_t; +- type var_t, var_run_t; - ') -+interface(`files_root_filetrans_default',` ++interface(`files_filetrans_lib',` + gen_require(` -+ type root_t, default_t; ++ type lib_t, lib_t; + ') -- files_pid_filetrans($1, var_lock_t, dir, $2) -+ filetrans_pattern($1, root_t, default_t, $2) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ filetrans_pattern($1, $2, lib_t, $3, $4) ') ######################################## ## --## Read and write generic process ID files. +-## Create a generic lock directory within the run directories +## manage generic symbolic links +## in the /var/run directory. ## ## +-## +-## Domain allowed access +-## +-## +-## ## -@@ -6159,20 +8224,18 @@ interface(`files_pid_filetrans_lock_dir',` +-## The name of the object being created. ++## Domain allowed access. ## ## # --interface(`files_rw_generic_pids',` +-interface(`files_pid_filetrans_lock_dir',` +interface(`files_manage_generic_pids_symlinks',` gen_require(` -- type var_t, var_run_t; +- type var_lock_t; + type var_run_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) +- files_pid_filetrans($1, var_lock_t, dir, $2) + manage_lnk_files_pattern($1,var_run_t,var_run_t) ') ######################################## ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. +-## Read and write generic process ID files. +## Do not audit attempts to getattr +## all tmpfs files. ## ## ## -@@ -6180,19 +8243,17 @@ interface(`files_rw_generic_pids',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # --interface(`files_dontaudit_getattr_all_pids',` +-interface(`files_rw_generic_pids',` +interface(`files_dontaudit_getattr_tmpfs_files',` gen_require(` -- attribute pidfile; -- type var_run_t; +- type var_t, var_run_t; + attribute tmpfsfile; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) + allow $1 tmpfsfile:file getattr; ') ######################################## ## --## Do not audit attempts to write to daemon runtime data files. +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. +## Allow read write all tmpfs files ## ## ## -@@ -6200,18 +8261,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6180,19 +8295,17 @@ interface(`files_rw_generic_pids',` ## ## # --interface(`files_dontaudit_write_all_pids',` +-interface(`files_dontaudit_getattr_all_pids',` +interface(`files_rw_tmpfs_files',` gen_require(` - attribute pidfile; +- type var_run_t; + attribute tmpfsfile; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file write; +- dontaudit $1 pidfile:file getattr; + allow $1 tmpfsfile:file { read write }; ') ######################################## ## --## Do not audit attempts to ioctl daemon runtime data files. +-## Do not audit attempts to write to daemon runtime data files. 
+## Do not audit attempts to read security files ## ## ## -@@ -6219,41 +8279,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6200,38 +8313,43 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # --interface(`files_dontaudit_ioctl_all_pids',` +-interface(`files_dontaudit_write_all_pids',` +interface(`files_dontaudit_read_security_files',` gen_require(` - attribute pidfile; -- type var_run_t; + attribute security_file_type; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file ioctl; +- dontaudit $1 pidfile:file write; + dontaudit $1 security_file_type:file read_file_perms; ') ######################################## ## --## Read all process ID files. +-## Do not audit attempts to ioctl daemon runtime data files. +## rw any files inherited from another process ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. ## ## --## +## +## +## Object type. +## +## # --interface(`files_read_all_pids',` +-interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_rw_all_inherited_files',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_run_t; + attribute file_type; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file ioctl; + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; 
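Review bot: `files_dontaudit_getattr_tmpfs_files` in files.if is summarised as "Do not audit attempts to getattr all tmpfs files", but its body is `allow $1 tmpfsfile:file getattr;`, so every caller is granted getattr on all `tmpfsfile` types instead of having the denial silenced. This commit carries that line through unchanged. If the name reflects the intent, the rule should read `dontaudit $1 tmpfsfile:file getattr;`; if the grant is intended, the interface should be renamed so callers do not widen access unknowingly. In the newly added `files_filetrans_lib`, `gen_require` lists the same type twice (`type lib_t, lib_t;`) and should be `type lib_t;`. Because `$2` is passed to `filetrans_pattern` as the parent directory type without being declared in `gen_require`, I would add a comment there saying the caller must supply an already-declared directory type.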
@@ -15107,16 +15130,16 @@ index 64ff4d7..ac39d88 100644 ######################################## ## --## Delete all process IDs. +-## Read all process ID files. +## Allow any file point to be the entrypoint of this domain ## ## ## -@@ -6262,67 +8324,55 @@ interface(`files_read_all_pids',` +@@ -6240,127 +8358,111 @@ interface(`files_dontaudit_ioctl_all_pids',` ## ## # --interface(`files_delete_all_pids',` +-interface(`files_read_all_pids',` +interface(`files_entrypoint_all_files',` gen_require(` - attribute pidfile; @@ -15124,19 +15147,15 @@ index 64ff4d7..ac39d88 100644 + attribute file_type; ') - -- allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + allow $1 file_type:file entrypoint; ') ######################################## ## --## Delete all process ID directories. +-## Delete all process IDs. +## Do not audit attempts to rw inherited file perms +## of non security files. ## @@ -15146,8 +15165,9 @@ index 64ff4d7..ac39d88 100644 +## Domain to not audit. ## ## +-## # --interface(`files_delete_all_pid_dirs',` +-interface(`files_delete_all_pids',` +interface(`files_dontaudit_all_non_security_leaks',` gen_require(` - attribute pidfile; 
@@ -15157,66 +15177,73 @@ index 64ff4d7..ac39d88 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content +-## Delete all process ID directories. +## Do not audit attempts to read or write +## all leaked files. ## ## ## --## Domain alloed access. +-## Domain allowed access. +## Domain to not audit. ## ## # --interface(`files_manage_all_pids',` +-interface(`files_delete_all_pid_dirs',` +interface(`files_dontaudit_leaks',` gen_require(` - attribute pidfile; +- type var_t, var_run_t; + attribute file_type; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. +-## Create, read, write and delete all +-## var_run (pid) content +## Allow domain to create_file_ass all types ## ## ## -@@ -6330,37 +8380,37 @@ interface(`files_manage_all_pids',` +-## Domain alloed access. ++## Domain allowed access. 
## ## # --interface(`files_mounton_all_poly_members',` +-interface(`files_manage_all_pids',` +interface(`files_create_as_is_all_files',` gen_require(` -- attribute polymember; +- attribute pidfile; + attribute file_type; + class kernel_service create_files_as; ') -- allow $1 polymember:dir mounton; +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 file_type:kernel_service create_files_as; ') ######################################## ## --## Search the contents of generic spool --## directories (/var/spool). +-## Mount filesystems on all polyinstantiation +-## member directories. +## Do not audit attempts to check the +## access on all files ## 
@@ -15227,69 +15254,69 @@ index 64ff4d7..ac39d88 100644 ## ## # --interface(`files_search_spool',` +-interface(`files_mounton_all_poly_members',` +interface(`files_dontaudit_all_access_check',` gen_require(` -- type var_t, var_spool_t; +- attribute polymember; + attribute file_type; ') -- search_dirs_pattern($1, var_t, var_spool_t) +- allow $1 polymember:dir mounton; + dontaudit $1 file_type:dir_file_class_set audit_access; ') ######################################## ## --## Do not audit attempts to search generic --## spool directories. +-## Search the contents of generic spool +-## directories (/var/spool). +## Do not audit attempts to write to all files ## ## ## -@@ -6368,132 +8418,206 @@ interface(`files_search_spool',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_search_spool',` +-interface(`files_search_spool',` +interface(`files_dontaudit_write_all_files',` gen_require(` -- type var_spool_t; +- type var_t, var_spool_t; + attribute file_type; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; +- search_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set write; ') ######################################## ## --## List the contents of generic spool --## (/var/spool) directories. +-## Do not audit attempts to search generic +-## spool directories. +## Allow domain to delete to all files ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -6368,132 +8470,188 @@ interface(`files_search_spool',` ## ## # --interface(`files_list_spool',` +-interface(`files_dontaudit_search_spool',` +interface(`files_delete_all_non_security_files',` gen_require(` -- type var_t, var_spool_t; +- type var_spool_t; + attribute non_security_file_type; ') -- list_dirs_pattern($1, var_t, var_spool_t) +- dontaudit $1 var_spool_t:dir search_dir_perms; + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; ') ######################################## ## --## Create, read, write, and delete generic --## spool directories (/var/spool). +-## List the contents of generic spool +-## (/var/spool) directories. +## Allow domain to delete to all dirs ## ## @@ -15299,21 +15326,21 @@ index 64ff4d7..ac39d88 100644 ## ## # --interface(`files_manage_generic_spool_dirs',` +-interface(`files_list_spool',` +interface(`files_delete_all_non_security_dirs',` gen_require(` - type var_t, var_spool_t; + attribute non_security_file_type; ') -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) +- list_dirs_pattern($1, var_t, var_spool_t) + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ') ######################################## ## --## Read generic spool files. +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Transition named content in the var_run_t directory ## ## @@ -15323,7 +15350,7 @@ index 64ff4d7..ac39d88 100644 ## ## # --interface(`files_read_generic_spool',` +-interface(`files_manage_generic_spool_dirs',` +interface(`files_filetrans_named_content',` gen_require(` - type var_t, var_spool_t; 
@@ -15337,8 +15364,8 @@ index 64ff4d7..ac39d88 100644 + type tmp_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -15379,8 +15406,7 @@ index 64ff4d7..ac39d88 100644 ######################################## ## --## Create, read, write, and delete generic --## spool files. +-## Read generic spool files. +## Make the specified type a +## base file. ## @@ -15399,44 +15425,33 @@ index 64ff4d7..ac39d88 100644 ## +## # --interface(`files_manage_generic_spool',` +-interface(`files_read_generic_spool',` +interface(`files_base_file',` gen_require(` - type var_t, var_spool_t; + attribute base_file_type; ') -- -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) + files_type($1) + typeattribute $1 base_file_type; - ') ++') - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++######################################## ++## +## Make the specified type a +## base read only file. - ## --## --## --## Domain allowed access. --## --## --## ++## +## +##

+## Make the specified type readable for all domains. +##

+##
+## - ## --## Type to which the created node will be transitioned. ++## +## Type to be used as a base read only files. - ## - ## --## ++## ++## +## +# +interface(`files_ro_base_file',` @@ -15445,42 +15460,62 @@ index 64ff4d7..ac39d88 100644 + ') + files_base_file($1) + typeattribute $1 base_ro_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Read all ro base files. -+## -+## + ## + ## ## --## Object class(es) (single or set including {}) for which this --## the transition will occur. -+## Domain allowed access. + ## Domain allowed access. ## ## --## +## -+# + # +-interface(`files_manage_generic_spool',` +interface(`files_read_all_base_ro_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Execute all base ro files. -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## # -interface(`files_spool_filetrans',` 
@@ -15504,7 +15539,7 @@ index 64ff4d7..ac39d88 100644 ## ## ## -@@ -6501,53 +8625,17 @@ interface(`files_spool_filetrans',` +@@ -6501,53 +8659,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -15562,7 +15597,7 @@ index 64ff4d7..ac39d88 100644 ## ## ## -@@ -6555,10 +8643,10 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8677,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -30322,7 +30357,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..2863546 100644 +index 24e7804..6a39d34 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -30842,10 +30877,30 @@ index 24e7804..2863546 100644 files_search_etc($1) ') -@@ -1012,6 +1222,42 @@ interface(`init_read_state',` +@@ -1012,6 +1222,62 @@ interface(`init_read_state',` ######################################## ## ++## Dontaudit read the process state (/proc/pid) of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dontaudit_read_state',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:dir search_dir_perms; ++ dontaudit $1 init_t:file read_file_perms; ++ dontaudit $1 init_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## +## Read the process keyring of init. +## +## @@ -30885,7 +30940,7 @@ index 24e7804..2863546 100644 ## Ptrace init ## ## -@@ -1026,7 +1272,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1292,9 @@ interface(`init_ptrace',` type init_t; ') 
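Review bot: The new `init_dontaudit_read_state` interface in init.if describes its parameter as "Domain allowed access.", but all three of its rules are `dontaudit` rules on `init_t`, so the description should be `## Domain to not audit.`. The opposite mismatch is in the apache.if hunk that adds `apache_rw_stream_sockets`: its body is `allow $1 httpd_t:unix_stream_socket { getattr read write };` while the parameter text says "Domain to not audit.", and it should say `## Domain allowed access.`. Policy authors pick between the allow and dontaudit variants from these descriptions, so the wrong text makes it easy to grant access where only log suppression was wanted, or the reverse.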
@@ -30896,58 +30951,130 @@ index 24e7804..2863546 100644 ') ######################################## -@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,7 +1393,8 @@ interface(`init_getattr_all_script_files',` ######################################## ## +-## Read all init script files. +## Allow the specified domain to modify the systemd configuration of +## all init scripts. -+## -+## -+## + ## + ## + ## +@@ -1133,59 +1402,95 @@ interface(`init_getattr_all_script_files',` + ## + ## + # +-interface(`init_read_all_script_files',` ++interface(`init_config_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + +- files_search_etc($1) +- allow $1 init_script_file_type:file read_file_perms; ++ allow $1 init_script_file_type:service all_service_perms; + ') + +-####################################### ++######################################## + ## +-## Dontaudit read all init script files. ++## Read all init script files. + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. + ## + ## + # +-interface(`init_dontaudit_read_all_script_files',` ++interface(`init_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + +- dontaudit $1 init_script_file_type:file read_file_perms; ++ files_search_etc($1) ++ allow $1 init_script_file_type:file read_file_perms; + ') + +-######################################## ++####################################### + ## +-## Execute all init scripts in the caller domain. ++## Dontaudit getattr all init script files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`init_exec_all_script_files',` ++interface(`init_dontaudit_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + +- files_list_etc($1) +- can_exec($1, init_script_file_type) ++ dontaudit $1 init_script_file_type:file getattr; + ') + +-######################################## ++####################################### + ## +-## Read the process state (/proc/pid) of the init scripts. ++## Dontaudit read all init script files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`init_config_all_script_files',` ++interface(`init_dontaudit_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + -+ allow $1 init_script_file_type:service all_service_perms; ++ dontaudit $1 init_script_file_type:file read_file_perms; +') + +######################################## +## - ## Read all init script files. - ## - ## -@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',` - - ####################################### - ## -+## Dontaudit getattr all init script files. ++## Execute all init scripts in the caller domain. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`init_dontaudit_getattr_all_script_files',` ++interface(`init_exec_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + -+ dontaudit $1 init_script_file_type:file getattr; ++ files_list_etc($1) ++ can_exec($1, init_script_file_type) +') + -+####################################### ++######################################## +## - ## Dontaudit read all init script files. - ## - ## -@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',` ++## Read the process state (/proc/pid) of the init scripts. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +@@ -1195,12 +1500,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
@@ -30961,85 +31088,32 @@ index 24e7804..2863546 100644 ') ######################################## -@@ -1314,7 +1594,7 @@ interface(`init_signal_script',` +@@ -1314,6 +1614,24 @@ interface(`init_signal_script',` ######################################## ## --## Send null signals to init scripts. +## Send kill signals to init scripts. - ## - ## - ## -@@ -1322,17 +1602,17 @@ interface(`init_signal_script',` - ## - ## - # --interface(`init_signull_script',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`init_sigkill_script',` - gen_require(` - type initrc_t; - ') - -- allow $1 initrc_t:process signull; -+ allow $1 initrc_t:process sigkill; - ') - - ######################################## - ## --## Read and write init script unnamed pipes. -+## Send null signals to init scripts. - ## - ## - ## -@@ -1340,17 +1620,17 @@ interface(`init_signull_script',` - ## - ## - # --interface(`init_rw_script_pipes',` -+interface(`init_signull_script',` - gen_require(` - type initrc_t; - ') - -- allow $1 initrc_t:fifo_file { read write }; -+ allow $1 initrc_t:process signull; - ') - - ######################################## - ## --## Send UDP network traffic to init scripts. (Deprecated) -+## Read and write init script unnamed pipes. - ## - ## - ## -@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',` - ## - ## - # --interface(`init_udp_send_script',` -+interface(`init_rw_script_pipes',` + gen_require(` + type initrc_t; + ') + -+ allow $1 initrc_t:fifo_file { read write }; ++ allow $1 initrc_t:process sigkill; +') + +######################################## +## -+## Send UDP network traffic to init scripts. (Deprecated) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_udp_send_script',` - refpolicywarn(`$0($*) has been deprecated.') - ') - -@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',` + ## Send null signals to init scripts. 
+ ## + ## +@@ -1440,6 +1758,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -31067,7 +31141,7 @@ index 24e7804..2863546 100644 ## init scripts over dbus. ## ## -@@ -1526,6 +1845,25 @@ interface(`init_getattr_script_status_files',` +@@ -1526,6 +1865,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -31093,7 +31167,7 @@ index 24e7804..2863546 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1584,6 +1922,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1942,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -31118,7 +31192,7 @@ index 24e7804..2863546 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1656,6 +2012,43 @@ interface(`init_read_utmp',` +@@ -1656,6 +2032,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -31162,7 +31236,7 @@ index 24e7804..2863546 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1744,7 +2137,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -31171,7 +31245,7 @@ index 24e7804..2863546 100644 ') ######################################## -@@ -1785,6 +2178,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -31305,7 +31379,7 @@ index 24e7804..2863546 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2339,450 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -31757,7 +31831,7 @@ index 24e7804..2863546 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..04c271c 100644 +index dd3be8d..0973a7f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31950,7 +32024,8 @@ index dd3be8d..04c271c 100644 +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) - files_read_etc_files(init_t) +-files_read_etc_files(init_t) ++files_read_config_files(init_t) +files_read_all_pids(init_t) +files_read_system_conf_files(init_t) files_rw_generic_pids(init_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 8ed8f78..23597a4 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -3590,7 +3590,7 @@ index 550a69e..43bb1c9 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..9426db5 100644 +index 83e899c..fca846b 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3755,11 +3755,11 @@ index 83e899c..9426db5 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) -+ -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) ++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; ++ + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; @@ -3985,7 +3985,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -348,13 +366,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +366,32 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') 
@@ -3997,12 +3997,31 @@ index 83e899c..9426db5 100644 ## -## Do not audit attempts to read and -## write httpd unix domain stream sockets. ++## Allow attempts to read and write Apache ++## unix domain stream sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`apache_rw_stream_sockets',` ++ gen_require(` ++ type httpd_t; ++ ') ++ ++ allow $1 httpd_t:unix_stream_socket { getattr read write }; ++') ++ ++######################################## ++## +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## ## ## -@@ -372,8 +390,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +409,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -4013,7 +4032,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -391,8 +409,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +428,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -4023,7 +4042,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -417,7 +434,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +453,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -4033,7 +4052,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -435,7 +453,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +472,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -4043,7 +4062,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -453,7 +472,8 @@ interface(`apache_list_cache',` +@@ -453,7 +491,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -4053,7 +4072,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -471,7 +491,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +510,8 @@ interface(`apache_rw_cache_files',` ######################################## ## 
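Review bot: The parameter description on the new `apache_rw_stream_sockets` interface reads "Domain to not audit.", which looks carried over from the dontaudit variant that follows it. This interface emits an `allow` rule, so the description should be `Domain allowed access.`, and the summary is clearer as `Read and write Apache unix domain stream sockets.`. Policy authors choose interfaces from this generated documentation, and a caller expecting a dontaudit would instead be granting `{ getattr read write }` on `httpd_t:unix_stream_socket`.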
@@ -4063,7 +4082,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -489,7 +510,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +529,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -4073,7 +4092,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -507,49 +529,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +548,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -4136,7 +4155,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -570,8 +594,8 @@ interface(`apache_manage_config',` +@@ -570,8 +613,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -4147,7 +4166,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -608,16 +632,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +651,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -4158,10 +4177,11 @@ index 83e899c..9426db5 100644 apache_domtrans_helper($1) - roleattribute $2 httpd_helper_roles; + role $2 types httpd_helper_t; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read httpd log files. +## dontaudit attempts to read +## apache log files. +## @@ -4179,17 +4199,16 @@ index 83e899c..9426db5 100644 + + dontaudit $1 httpd_log_t:file read_file_perms; + dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Read httpd log files. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## apache log files. ## ## ## -@@ -639,7 +685,8 @@ interface(`apache_read_log',` +@@ -639,7 +704,8 @@ interface(`apache_read_log',` ######################################## ## @@ -4199,7 +4218,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -657,10 +704,29 @@ interface(`apache_append_log',` +@@ -657,10 +723,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') 
@@ -4231,7 +4250,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -678,8 +744,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +763,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -4242,7 +4261,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -687,20 +753,21 @@ interface(`apache_dontaudit_append_log',` +@@ -687,20 +772,21 @@ interface(`apache_dontaudit_append_log',` ## ## # @@ -4272,7 +4291,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -708,19 +775,21 @@ interface(`apache_manage_log',` +@@ -708,19 +794,21 @@ interface(`apache_manage_log',` ## ## # @@ -4298,7 +4317,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -738,7 +807,8 @@ interface(`apache_dontaudit_search_modules',` +@@ -738,7 +826,8 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -4308,7 +4327,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -746,17 +816,19 @@ interface(`apache_dontaudit_search_modules',` +@@ -746,17 +835,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # @@ -4331,7 +4350,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -764,19 +836,19 @@ interface(`apache_list_modules',` +@@ -764,19 +855,19 @@ interface(`apache_list_modules',` ## ## # @@ -4355,7 +4374,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -784,19 +856,19 @@ interface(`apache_exec_modules',` +@@ -784,19 +875,19 @@ interface(`apache_exec_modules',` ## ## # @@ -4380,7 +4399,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -809,13 +881,50 @@ interface(`apache_domtrans_rotatelogs',` +@@ -809,13 +900,50 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') @@ -4433,7 +4452,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -829,13 +938,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +957,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) 
@@ -4450,7 +4469,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -844,6 +954,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +973,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4458,7 +4477,7 @@ index 83e899c..9426db5 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +966,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +985,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4484,31 +4503,11 @@ index 83e899c..9426db5 100644 +') + +###################################### -+## -+## Allow the specified domain to read -+## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### ## -## Create, read, write, and delete -## httpd system rw content. -+## Allow the specified domain to manage -+## apache system content rw files. ++## Allow the specified domain to read ++## apache system content rw dirs. ## ## ## 
@@ -4518,12 +4517,32 @@ index 83e899c..9426db5 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_manage_sys_content_rw',` ++interface(`apache_read_sys_content_rw_dirs',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to manage ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_manage_sys_content_rw',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + files_search_var($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) @@ -4565,7 +4584,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -888,10 +1065,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1084,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4584,7 +4603,7 @@ index 83e899c..9426db5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1085,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1104,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4596,7 +4615,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -941,7 +1124,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1143,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4605,7 +4624,7 @@ index 83e899c..9426db5 100644 ## to the specified role. ## ## -@@ -954,6 +1137,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1156,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## 
@@ -4613,7 +4632,7 @@ index 83e899c..9426db5 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1150,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1169,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4623,7 +4642,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -979,12 +1164,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1183,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4639,7 +4658,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1002,7 +1188,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1207,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4648,7 +4667,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1015,13 +1201,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1220,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4663,7 +4682,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1041,7 +1226,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1245,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4672,7 +4691,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1059,8 +1244,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1263,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4682,7 +4701,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1070,13 +1254,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1273,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` @@ -4708,7 +4727,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1094,7 +1287,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1306,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## 
@@ -4718,7 +4737,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1111,10 +1305,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1324,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4750,7 +4769,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1127,7 +1340,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4759,7 +4778,7 @@ index 83e899c..9426db5 100644 ') ######################################## -@@ -1136,6 +1349,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4769,7 +4788,7 @@ index 83e899c..9426db5 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1381,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1400,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4802,7 +4821,7 @@ index 83e899c..9426db5 100644 ## ## ## -@@ -1183,18 +1421,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1440,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4831,7 +4850,7 @@ index 83e899c..9426db5 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1443,10 @@ interface(`apache_admin',` +@@ -1204,10 +1462,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4845,7 +4864,7 @@ index 83e899c..9426db5 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1457,141 @@ interface(`apache_admin',` +@@ -1218,9 +1476,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -8410,7 +8429,7 @@ index aebe7cb..33fe57b 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index 60e76be..0730647 100644 +index 60e76be..f1f2bcf 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) @@ -8459,6 +8478,17 @@ index 60e76be..0730647 100644 userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) +@@ -102,6 +106,10 @@ optional_policy(` + ') + + optional_policy(` ++ pcp_pmproxy_dbus_chat(avahi_t) ++') ++ ++optional_policy(` + rpcbind_signull(avahi_t) + ') + diff --git a/awstats.te b/awstats.te index d6ab824..116176d 100644 --- a/awstats.te @@ -8689,10 +8719,10 @@ index 536ec3c..271b976 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..f755e6b 100644 +index 2b9a3a1..750788c 100644 --- a/bind.fc 
+++ b/bind.fc -@@ -1,54 +1,75 @@ +@@ -1,54 +1,76 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -8732,6 +8762,7 @@ index 2b9a3a1..f755e6b 100644 /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0) -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) @@ -9765,7 +9796,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..44edba7 100644 +index 7c92aa1..b326c23 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,20 @@ @@ -9791,7 +9822,7 @@ index 7c92aa1..44edba7 100644 type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -9870,7 +9901,11 @@ index 7c92aa1..44edba7 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + ++manage_dirs_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t) ++manage_files_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t) ++ manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) 
@@ -9967,7 +10002,7 @@ index 7c92aa1..44edba7 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +151,69 @@ init_read_utmp(boinc_t) +@@ -130,55 +154,69 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -24267,10 +24302,10 @@ index 0000000..683dfdc +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..2f0fa26 +index 0000000..2faebf0 --- /dev/null +++ b/docker.te -@@ -0,0 +1,279 @@ +@@ -0,0 +1,280 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24387,6 +24422,7 @@ index 0000000..2f0fa26 +kernel_read_all_sysctls(docker_t) +kernel_rw_net_sysctls(docker_t) +kernel_setsched(docker_t) ++kernel_read_all_proc(docker_t) + +domain_use_interactive_fds(docker_t) + @@ -28905,10 +28941,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..b9d0b86 +index 0000000..d964114 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,59 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -28964,6 +29000,10 @@ index 0000000..b9d0b86 + networkmanager_dbus_chat(geoclue_t) + ') +') ++ ++optional_policy(` ++ pcscd_stream_connect(geoclue_t) ++') diff --git a/gift.te b/gift.te index 395238e..af76abb 100644 --- a/gift.te @@ -36334,10 +36374,31 @@ index 2fb7a20..c6ba007 100644 + ') +') diff --git a/jockey.te b/jockey.te -index d59ec10..dec1b3b 100644 +index d59ec10..a46018d 100644 --- a/jockey.te 
+++ b/jockey.te -@@ -44,16 +44,19 @@ dev_read_urand(jockey_t) +@@ -15,6 +15,9 @@ files_type(jockey_cache_t) + type jockey_var_log_t; + logging_log_file(jockey_var_log_t) + ++type jockey_tmpfs_t; ++files_tmpfs_file(jockey_tmpfs_t) ++ + ######################################## + # + # Local policy +@@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) + setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) + logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) + ++manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t) ++manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t) ++fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file }) ++ + kernel_read_system_state(jockey_t) + + corecmd_exec_bin(jockey_t) +@@ -44,16 +51,19 @@ dev_read_urand(jockey_t) domain_use_interactive_fds(jockey_t) @@ -45178,7 +45239,7 @@ index 6ffaba2..ab66d2f 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..7490fe3 100644 +index 6194b80..ecab2e6 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -45890,7 +45951,7 @@ index 6194b80..7490fe3 100644 ## ## ## -@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +520,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -45939,10 +46000,11 @@ index 6194b80..7490fe3 100644 + gen_require(` - type mozilla_plugin_home_t; -+ type mozilla_home_t; ++ type mozilla_home_t, mozilla_plugin_rw_t; ') - userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) ++ files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") 
@@ -56408,10 +56470,10 @@ index 379af96..41ff159 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..dae3360 100644 +index 57c0161..4534676 100644 --- a/nut.if +++ b/nut.if -@@ -1,39 +1,24 @@ +@@ -1,39 +1,59 @@ -## Network UPS Tools +## nut - Network UPS Tools 
@@ -56420,36 +56482,67 @@ index 57c0161..dae3360 100644 ## -## All of the rules required to -## administrate an nut environment. -+## Execute swift server in the swift domain. ++## Creates types and rules for a basic ++## Network UPS Tools systemd daemon domain. ## - ## +-## -## -## Domain allowed access. -## -+## -+## Domain allowed to transition. -+## - ## +-## -## -## -## Role allowed access. -## --## ++## ++## ++## Prefix for the domain. ++## + ## -## # -interface(`nut_admin',` -- gen_require(` -- attribute nut_domain; ++template(`nut_domain_template',` + gen_require(` + attribute nut_domain; - type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; -- ') -- + ') + - allow $1 nut_domain:process { ptrace signal_perms }; - ps_process_pattern($1, nut_domain_t) -- ++ type nut_$1_t, nut_domain; ++ type nut_$1_exec_t; ++ init_daemon_domain(nut_$1_t, nut_$1_exec_t) ++ ++ type nut_$1_tmp_t; ++ files_tmp_file(nut_$1_tmp_t) ++ ++ manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) ++ manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) ++ manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) ++ files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir }) ++ fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir }) + - init_labeled_script_domtrans($1, nut_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nut_initrc_exec_t system_r; - allow $2 system_r; ++ auth_use_nsswitch(nut_$1_t) ++ ++ logging_send_syslog_msg(nut_$1_t) ++ ++') ++ ++####################################### ++## ++## Execute swift server in the swift domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# +interface(`nut_systemctl',` + gen_require(` + type nut_t; @@ -56467,7 +56560,7 @@ index 57c0161..dae3360 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 0c9deb7..76988d6 100644 +index 0c9deb7..8ee90b0 100644 --- a/nut.te +++ b/nut.te @@ -1,4 +1,4 @@ 
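Review bot: The summary re-added above `nut_systemctl` still says "Execute swift server in the swift domain.", a leftover from another module; it should name nut, e.g. `Execute nut server in the nut domain.`. In `nut_domain_template`, `nut_$1_tmp_t` is declared with `files_tmp_file` but is also the target of `fs_tmpfs_filetrans`, whereas jockey.te in this same commit declares a separate `jockey_tmpfs_t` with `files_tmpfs_file` for that purpose. Either a dedicated tmpfs type or a comment explaining the reuse would keep the two modules consistent and make it clear which label tmpfs objects are meant to carry.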
@@ -56476,10 +56569,29 @@ index 0c9deb7..76988d6 100644 ######################################## # -@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain; - type nut_upsdrvctl_exec_t; - init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) +@@ -7,131 +7,124 @@ policy_module(nut, 1.2.4) + + attribute nut_domain; + ++nut_domain_template(upsd) ++nut_domain_template(upsmon) ++nut_domain_template(upsdrvctl) ++ + type nut_conf_t; + files_config_file(nut_conf_t) +-type nut_upsd_t, nut_domain; +-type nut_upsd_exec_t; +-init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) +- +-type nut_upsmon_t, nut_domain; +-type nut_upsmon_exec_t; +-init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) +- +-type nut_upsdrvctl_t, nut_domain; +-type nut_upsdrvctl_exec_t; +-init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) +- -type nut_initrc_exec_t; -init_script_file(nut_initrc_exec_t) - @@ -56509,12 +56621,15 @@ index 0c9deb7..76988d6 100644 -manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) -- ++allow nut_domain self:capability { setgid setuid dac_override }; + -kernel_read_kernel_sysctls(nut_domain) - -logging_send_syslog_msg(nut_domain) -- ++allow nut_domain self:process signal_perms; + -miscfiles_read_localization(nut_domain) ++allow nut_domain self:fifo_file rw_fifo_file_perms; +allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; ######################################## 
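Review bot: Putting `allow nut_domain self:capability { setgid setuid dac_override };` and `allow nut_domain self:process signal_perms;` on the attribute grants them to every type that carries `nut_domain`, not only the three daemons created by `nut_domain_template`. A later hunk of this file removes `allow nut_upsdrvctl_t self:process { sigchld signal signull };`, so that domain is widened to the full signal set, and any other `nut_domain` member would newly gain `dac_override` (the rest of nut.te is outside this hunk, so I cannot confirm whether one exists). If the aim is only to remove duplication, placing the rules inside the template as `allow nut_$1_t self:capability { setgid setuid dac_override };` keeps the grant scoped to the templated domains.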
@@ -56524,16 +56639,15 @@ index 0c9deb7..76988d6 100644 # -allow nut_upsd_t self:tcp_socket { accept listen }; -+allow nut_upsd_t self:capability { setgid setuid dac_override }; -+allow nut_upsd_t self:process signal_perms; ++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; -manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) -+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; ++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) -+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; ++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) -corenet_all_recvfrom_unlabeled(nut_upsd_t) -corenet_all_recvfrom_netlabel(nut_upsd_t) 
@@ -56541,29 +56655,25 @@ index 0c9deb7..76988d6 100644 -corenet_tcp_sendrecv_generic_node(nut_upsd_t) -corenet_tcp_sendrecv_all_ports(nut_upsd_t) -corenet_tcp_bind_generic_node(nut_upsd_t) -+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - --corenet_sendrecv_ups_server_packets(nut_upsd_t) --corenet_tcp_bind_ups_port(nut_upsd_t) +# pid file +manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) --corenet_sendrecv_generic_server_packets(nut_upsd_t) --corenet_tcp_bind_generic_port(nut_upsd_t) +-corenet_sendrecv_ups_server_packets(nut_upsd_t) +-corenet_tcp_bind_ups_port(nut_upsd_t) +kernel_read_kernel_sysctls(nut_upsd_t) --files_read_usr_files(nut_upsd_t) +-corenet_sendrecv_generic_server_packets(nut_upsd_t) +corenet_tcp_bind_ups_port(nut_upsd_t) -+corenet_tcp_bind_generic_port(nut_upsd_t) + corenet_tcp_bind_generic_port(nut_upsd_t) +- +-files_read_usr_files(nut_upsd_t) +- +-auth_use_nsswitch(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) - auth_use_nsswitch(nut_upsd_t) - -+logging_send_syslog_msg(nut_upsd_t) -+ ######################################## # -# Upsmon local policy @@ -56572,11 +56682,9 @@ index 0c9deb7..76988d6 100644 -allow nut_upsmon_t self:capability dac_read_search; -allow nut_upsmon_t self:unix_stream_socket connectto; -+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; -+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; ++allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -+allow nut_upsmon_t self:tcp_socket create_socket_perms; + +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) 
@@ -56612,13 +56720,11 @@ index 0c9deb7..76988d6 100644 +# /usr/bin/wall term_write_all_terms(nut_upsmon_t) +-auth_use_nsswitch(nut_upsmon_t) +# upsmon runs shutdown, probably need a shutdown domain +init_rw_utmp(nut_upsmon_t) +init_telinit(nut_upsmon_t) + -+logging_send_syslog_msg(nut_upsmon_t) -+ - auth_use_nsswitch(nut_upsmon_t) mta_send_mail(nut_upsmon_t) @@ -56634,10 +56740,8 @@ index 0c9deb7..76988d6 100644 +# Local policy for upsdrvctl # -+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; -+allow nut_upsdrvctl_t self:process { sigchld signal signull }; ++allow nut_upsdrvctl_t self:capability { kill }; allow nut_upsdrvctl_t self:fd use; -+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; + @@ -56658,19 +56762,16 @@ index 0c9deb7..76988d6 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t) +@@ -139,22 +132,29 @@ dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) term_use_unallocated_ttys(nut_upsdrvctl_t) +- +-auth_use_nsswitch(nut_upsdrvctl_t) +term_use_usb_ttys(nut_upsdrvctl_t) - auth_use_nsswitch(nut_upsdrvctl_t) - init_sigchld(nut_upsdrvctl_t) -+logging_send_syslog_msg(nut_upsdrvctl_t) -+ -+ ####################################### # -# Cgi local policy @@ -61070,7 +61171,7 @@ index bf59ef7..2d8335f 100644 +') + diff --git a/passenger.te b/passenger.te -index 4e114ff..1b1cb71 100644 +index 4e114ff..d688bab 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ @@ -61149,7 +61250,7 @@ index 4e114ff..1b1cb71 100644 corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -66,14 +74,14 @@ dev_read_urand(passenger_t) +@@ -66,19 +74,20 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) 
@@ -61166,7 +61267,13 @@ index 4e114ff..1b1cb71 100644 userdom_dontaudit_use_user_terminals(passenger_t) optional_policy(` -@@ -90,14 +98,21 @@ optional_policy(` + apache_append_log(passenger_t) + apache_read_sys_content(passenger_t) ++ apache_rw_stream_sockets(passenger_t) + ') + + optional_policy(` +@@ -90,14 +99,21 @@ optional_policy(` ') optional_policy(` @@ -61256,10 +61363,10 @@ index 0000000..9b8cb6b +/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 -index 0000000..ba24b40 +index 0000000..87aeb51 --- /dev/null +++ b/pcp.if -@@ -0,0 +1,139 @@ +@@ -0,0 +1,160 @@ +## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation + +###################################### @@ -61287,6 +61394,27 @@ index 0000000..ba24b40 + +') + ++######################################## ++## ++## Send and receive messages from ++## pcp_pmproxy_t over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pcp_pmproxy_dbus_chat',` ++ gen_require(` ++ type pcp_pmproxy_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 pcp_pmproxy_t:dbus send_msg; ++ allow pcp_pmproxy_t $1:dbus send_msg; ++') ++ +###################################### +## +## Allow domain to read pcp lib files @@ -63906,10 +64034,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..d1265c4 +index 0000000..47fb375 --- /dev/null +++ b/pki.te -@@ -0,0 +1,291 @@ +@@ -0,0 +1,292 @@ +policy_module(pki,10.0.11) + +######################################## 
@@ -63996,6 +64124,7 @@ index 0000000..d1265c4 + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) @@ -68610,7 +68739,7 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..0d1dd3c 100644 +index b2b5dba..e71e924 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -68686,7 +68815,7 @@ index b2b5dba..0d1dd3c 100644 type pptp_log_t; logging_log_file(pptp_log_t) -@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t) +@@ -67,54 +74,59 @@ logging_log_file(pptp_log_t) type pptp_var_run_t; files_pid_file(pptp_var_run_t) @@ -68702,6 +68831,7 @@ index b2b5dba..0d1dd3c 100644 allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; ++dontaudit pppd_t self:capability2 block_suspend; +allow pppd_t self:process { getsched setsched signal_perms }; allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; @@ -68743,6 +68873,7 @@ index b2b5dba..0d1dd3c 100644 manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) ++manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) -can_exec(pppd_t, pppd_exec_t) 
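Review bot: The new `dontaudit pppd_t self:capability2 block_suspend;` carries no comment saying why the denial is silenced; it appears to be the workaround the commit message describes for the kernel reporting random block_suspend requests. A dontaudit rule removes the AVC record an analyst would otherwise see, so a temporary one should be marked for removal on the line above, e.g. `# kernel reports spurious block_suspend; remove once fixed (tracker: <bug id>)`.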
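Review bot: `manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)` is added, but the `files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })` on the following line still omits `sock_file`. A socket that pppd creates directly under /var/run would not transition to `pppd_var_run_t`, so the new rule would not cover it; sockets created inside an already-labelled subdirectory are unaffected. If the socket lives at the top level, extend the transition to `{ dir file sock_file }`, as the usbmuxd and nut_upsd rules elsewhere in this patch already do.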
@@ -68760,7 +68891,7 @@ index b2b5dba..0d1dd3c 100644 kernel_read_kernel_sysctls(pppd_t) kernel_read_system_state(pppd_t) kernel_rw_net_sysctls(pppd_t) -@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t) +@@ -122,10 +134,10 @@ kernel_read_network_state(pppd_t) kernel_request_load_module(pppd_t) dev_read_urand(pppd_t) @@ -68772,7 +68903,7 @@ index b2b5dba..0d1dd3c 100644 corenet_all_recvfrom_netlabel(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t) corenet_raw_sendrecv_generic_if(pppd_t) -@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) +@@ -135,9 +147,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) corenet_udp_sendrecv_generic_node(pppd_t) corenet_tcp_sendrecv_all_ports(pppd_t) corenet_udp_sendrecv_all_ports(pppd_t) @@ -68796,7 +68927,7 @@ index b2b5dba..0d1dd3c 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t) +@@ -147,36 +172,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) @@ -68842,7 +68973,7 @@ index b2b5dba..0d1dd3c 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +204,13 @@ optional_policy(` +@@ -186,11 +206,13 @@ optional_policy(` l2tpd_dgram_send(pppd_t) l2tpd_rw_socket(pppd_t) l2tpd_stream_connect(pppd_t) @@ -68857,7 +68988,7 @@ index b2b5dba..0d1dd3c 100644 ') ') -@@ -218,16 +238,19 @@ optional_policy(` +@@ -218,16 +240,19 @@ optional_policy(` ######################################## # @@ -68880,7 +69011,7 @@ index b2b5dba..0d1dd3c 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +261,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; 
@@ -68937,7 +69068,7 @@ index b2b5dba..0d1dd3c 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +305,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -68952,7 +69083,7 @@ index b2b5dba..0d1dd3c 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +320,10 @@ optional_policy(` +@@ -299,6 +322,10 @@ optional_policy(` ') optional_policy(` @@ -99847,15 +99978,17 @@ index cb9b5bb..3aa7952 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/usbmuxd.fc b/usbmuxd.fc -index 220f6ad..cd80b9b 100644 +index 220f6ad..8e3bbd2 100644 --- a/usbmuxd.fc +++ b/usbmuxd.fc -@@ -1,3 +1,4 @@ +@@ -1,3 +1,6 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) -/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0) ++ ++/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0) diff --git a/usbmuxd.if b/usbmuxd.if index 1ec5e99..88e287d 100644 --- a/usbmuxd.if @@ -99928,10 +100061,10 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..d2c7596 100644 +index 8840be6..bb7c53f 100644 --- a/usbmuxd.te +++ b/usbmuxd.te -@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; +@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; type usbmuxd_t; type usbmuxd_exec_t; 
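Review bot: The new entry `/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)` in the usbmuxd.fc hunk matches only a regular file with exactly that name, because `--` restricts it to regular files and the path has no `(/.*)?` suffix. The usbmuxd.te change in this commit adds `manage_dirs_pattern` for usbmuxd_var_lib_t and a `{ dir file }` transition in /var/lib, which suggests /var/lib/lockdown is a directory. If it is, a relabel (restorecon or a full autorelabel) would return the directory and its contents to the default /var/lib type, and usbmuxd_t would lose the access this commit grants. I would write the entry as `/var/lib/lockdown(/.*)? gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)`.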
@@ -99942,21 +100075,40 @@ index 8840be6..d2c7596 100644 type usbmuxd_var_run_t; files_pid_file(usbmuxd_var_run_t) ++type usbmuxd_var_lib_t; ++files_type(usbmuxd_var_lib_t) ++ +type usbmuxd_unit_file_t; +systemd_unit_file(usbmuxd_unit_file_t) + ######################################## # # Local policy -@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + # + allow usbmuxd_t self:capability { kill setgid setuid }; ++dontaudit usbmuxd_t self:capability sys_resource; allow usbmuxd_t self:process { signal signull }; allow usbmuxd_t self:fifo_file rw_fifo_file_perms; +allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow usbmuxd_t self:unix_stream_socket connectto; manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) + manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + ++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) ++manage_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) ++manage_lnk_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) ++files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file }) ++ + kernel_read_kernel_sysctls(usbmuxd_t) + kernel_read_system_state(usbmuxd_t) + + dev_read_sysfs(usbmuxd_t) ++dev_read_urand(usbmuxd_t) + dev_rw_generic_usb_dev(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) @@ -103051,7 +103203,7 @@ index 9dec06c..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index 1f22fba..34b36bc 100644 +index 1f22fba..d894b4d 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,224 @@ 
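Review bot: `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })` in the usbmuxd.te hunk is an unnamed transition. Any file or directory usbmuxd_t creates directly in /var/lib is therefore typed usbmuxd_var_lib_t, not only the lockdown path named in the changelog. A named transition keeps the label tied to the one object the daemon is expected to create: `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, dir, "lockdown")`. The virt policy in this patch uses the same form for its "lxc" directory. Whether usbmuxd also creates plain files at the top of /var/lib cannot be told from the hunk, so confirm before dropping `file`.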
@@ -103349,7 +103501,7 @@ index 1f22fba..34b36bc 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +227,130 @@ ifdef(`enable_mls',` +@@ -150,295 +227,132 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -103638,6 +103790,8 @@ index 1f22fba..34b36bc 100644 -corenet_sendrecv_all_client_packets(svirt_t) corenet_tcp_connect_all_ports(svirt_t) ++init_dontaudit_read_state(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -103720,7 +103874,7 @@ index 1f22fba..34b36bc 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +360,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -103767,7 +103921,7 @@ index 1f22fba..34b36bc 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +395,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
@@ -103777,19 +103931,19 @@ index 1f22fba..34b36bc 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +408,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -103797,7 +103951,7 @@ index 1f22fba..34b36bc 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +416,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +418,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -103825,7 +103979,7 @@ index 1f22fba..34b36bc 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +436,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +438,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -103858,7 +104012,7 @@ index 1f22fba..34b36bc 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +487,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +489,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -103878,7 +104032,7 @@ index 1f22fba..34b36bc 100644 selinux_validate_context(virtd_t) -@@ -613,18 +509,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +511,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -103915,7 +104069,7 @@ index 1f22fba..34b36bc 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +537,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +539,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -103924,7 +104078,7 @@ index 1f22fba..34b36bc 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +562,12 @@ optional_policy(` +@@ -658,20 +564,12 @@ optional_policy(` ') optional_policy(` @@ -103945,7 +104099,7 @@ index 1f22fba..34b36bc 100644 ') optional_policy(` -@@ -684,14 +580,20 @@ optional_policy(` +@@ -684,14 +582,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -103968,7 +104122,7 @@ index 1f22fba..34b36bc 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +606,13 @@ optional_policy(` +@@ -704,11 +608,13 @@ optional_policy(` ') optional_policy(` @@ -103982,7 +104136,7 @@ index 1f22fba..34b36bc 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +623,18 @@ optional_policy(` +@@ -719,10 +625,18 @@ optional_policy(` ') optional_policy(` @@ -104001,19 +104155,18 @@ index 1f22fba..34b36bc 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +649,277 @@ optional_policy(` +@@ -737,44 +651,277 @@ optional_policy(` udev_read_db(virtd_t) ') -######################################## --# --# Virsh local policy +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## -+# + # +-# Virsh local policy +# virtual domains common policy # +allow virt_domain self:capability2 compromise_kernel; 
@@ -104107,7 +104260,7 @@ index 1f22fba..34b36bc 100644 + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) -+ + +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) @@ -104225,7 +104378,7 @@ index 1f22fba..34b36bc 100644 + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') - ++ +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) @@ -104303,7 +104456,7 @@ index 1f22fba..34b36bc 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +930,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +932,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -104330,7 +104483,7 @@ index 1f22fba..34b36bc 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +950,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -104364,7 +104517,7 @@ index 1f22fba..34b36bc 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +987,20 @@ optional_policy(` +@@ -847,14 +989,20 @@ optional_policy(` ') optional_policy(` @@ -104386,7 +104539,7 @@ index 1f22fba..34b36bc 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +1025,65 @@ optional_policy(` +@@ -879,49 +1027,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -104470,7 +104623,7 @@ index 1f22fba..34b36bc 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1095,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1097,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -104490,7 +104643,7 @@ index 1f22fba..34b36bc 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1116,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -104514,7 +104667,7 @@ index 1f22fba..34b36bc 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1141,315 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1143,315 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -104967,7 +105120,7 @@ index 1f22fba..34b36bc 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1462,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1464,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -104982,7 +105135,7 @@ index 1f22fba..34b36bc 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1480,8 @@ optional_policy(` +@@ -1183,9 +1482,8 @@ optional_policy(` ######################################## # @@ -104993,7 +105146,7 @@ index 1f22fba..34b36bc 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1494,219 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1496,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 521857e..4e54ce3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 182%{?dist}
+Release: 183%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,26 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Thu Sep 04 2014 Lukas Vrabec 3.12.1-183
+- Allow init to read all config files
+- Add new interface to allow creation of file with lib_t type
+- Add init_dontaudit_read_state() interface.
+- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource (#1136128)
+- Allow docker to read all of /proc
+- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
+- Dontaudit read init state for svirt_t.
+- Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687)
+- ALlow passeneger to read/write apache stream socket.
+- Allow geoclue to stream connect to smart card service
+- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
+- Allow jockey_t to use tmpfs files
+- Allow pppd to create sock_files in /var/run
+- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
+- Allow usbmuxd connect to itself by stream socket. (#1135945)
+- Allow nswrapper_32_64.nppdf.so to be created with the proper label
+- Allow avahi_t communicate with pcp_pmproxy_t over dbus.
+- Allwo pki_tomcat to create link files in /var/lib/pki-ca.
+
 * Wed Aug 27 2014 Lukas Vrabec 3.12.1-182
 - Allow pppd to connect to http port. (#1128947)
 - Allow fail2ban to read audit logs