From cccaf8f6468931e6b0093ceb084698d286b88796 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: May 20 2014 05:59:07 +0000
Subject: - geard seems to do a lot of relabeling - Allow system_mail_t to append to munin_var_lib_t - Allow mozilla_plugin to read alsa_rw_ content - Allow asterisk to connect to the apache ports - Dontaudit attempts to read fixed disk - Dontaudit search gconf_home_t - Allow rsync to create swift_server.lock with swift.log labeling - Add labeling for swift lock files - Use swift_virt_lock in swift.te - Allow openwsman to getattr on sblim_sfcbd executable - Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t - Allow openwsman_t to read/write sblim-sfcb shared mem - Allow openwsman to stream connec to sblim-sfcbd - Allow openwsman to create tmpfs files/dirs - dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcb - Allow sblim_sfcbd to execute shell - Allow swift to create lock file - Allow openwsman to use tcp/80 - Allow neutron to create also dirs in /tmp - Allow seunshare domains to getattr on all executables - Allow ssh-keygen to create temporary files/dirs needed by OpenSt - Allow named_filetrans_domain to create /run/netns - Allow ifconfig to create /run/netns
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b42061d..6ef5bc2 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3174,10 +3174,10 @@ index 1dc7a85..c6f4da0 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..fb30c11 100644 +index 7590165..b516b43 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0) # Declarations # 
@@ -3203,6 +3203,7 @@ index 7590165..fb30c11 100644 -allow seunshare_t self:unix_stream_socket create_stream_socket_perms; +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) ++corecmd_getattr_all_executables(seunshare_domain) -corecmd_exec_shell(seunshare_t) -corecmd_exec_bin(seunshare_t) @@ -8813,7 +8814,7 @@ index 6a1e4d1..1b9b0b5 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..b9da2b3 100644 +index cf04cb5..32d58ca 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -8961,7 +8962,7 @@ index cf04cb5..b9da2b3 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +237,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9155,6 +9156,7 @@ index cf04cb5..b9da2b3 100644 + +optional_policy(` + sysnet_filetrans_named_content(named_filetrans_domain) ++ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) +') + +optional_policy(` @@ -15037,13 +15039,13 @@ index e7d1738..089cc7a 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc -index 7be4ddf..d5ef507 100644 +index 7be4ddf..71e675a 100644 --- a/policy/modules/kernel/kernel.fc +++ b/policy/modules/kernel/kernel.fc @@ -1 +1,3 @@ -# This module currently does not have any file contexts. + -+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) ++/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) 
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index e100d88..fb8a1f1 100644 @@ -22131,10 +22133,10 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..a8b01bf 100644 +index cc877c7..1d92018 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2) +@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2) # ## @@ -22178,6 +22180,9 @@ index cc877c7..a8b01bf 100644 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) -role system_r types ssh_keygen_t; + ++type ssh_keygen_tmp_t; ++files_tmp_file(ssh_keygen_tmp_t) ++ +type sshd_keygen_t; +type sshd_keygen_exec_t; +init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) @@ -22214,7 +22219,7 @@ index cc877c7..a8b01bf 100644 type ssh_t; type ssh_exec_t; -@@ -73,9 +95,11 @@ type ssh_home_t; +@@ -73,9 +98,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -22228,7 +22233,7 @@ index cc877c7..a8b01bf 100644 ############################## # -@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -86,6 +113,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; 
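Review bot: The `--` qualifier added to `/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)` restricts the entry to regular files, but on the kernels I know the entries under /sys/class/net are symlinks to the device directories, so the rewritten entry would match nothing on a host with an IB interface; confirm against such a host before relying on it. If the intent is the interface node itself, the original unqualified form or a `-l` qualifier fits; if the intent is the attribute files reached through the link, restorecon will not descend through the symlink either, so a path under /sys/devices would be needed. The neighbouring `/sys/kernel/uevent_helper -- …` line is a genuine regular file, which may be where the `--` came from.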
@@ -22236,7 +22241,7 @@ index cc877c7..a8b01bf 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -93,15 +121,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -22253,7 +22258,7 @@ index cc877c7..a8b01bf 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -110,33 +134,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -22301,7 +22306,7 @@ index cc877c7..a8b01bf 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,40 +187,46 @@ files_read_var_files(ssh_t) +@@ -157,40 +190,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -22367,7 +22372,7 @@ index cc877c7..a8b01bf 100644 ') optional_policy(` -@@ -198,6 +234,7 @@ optional_policy(` +@@ -198,6 +237,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -22375,7 +22380,7 @@ index cc877c7..a8b01bf 100644 ############################## # # ssh_keysign_t local policy -@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -209,6 +249,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) 
@@ -22383,7 +22388,7 @@ index cc877c7..a8b01bf 100644 files_read_etc_files(ssh_keysign_t) -@@ -226,39 +264,57 @@ optional_policy(` +@@ -226,39 +267,57 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -22453,7 +22458,7 @@ index cc877c7..a8b01bf 100644 ') optional_policy(` -@@ -266,6 +322,15 @@ optional_policy(` +@@ -266,6 +325,15 @@ optional_policy(` ') optional_policy(` @@ -22469,7 +22474,7 @@ index cc877c7..a8b01bf 100644 inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') -@@ -275,6 +340,18 @@ optional_policy(` +@@ -275,6 +343,18 @@ optional_policy(` ') optional_policy(` @@ -22488,7 +22493,7 @@ index cc877c7..a8b01bf 100644 oddjob_domtrans_mkhomedir(sshd_t) ') -@@ -289,13 +366,93 @@ optional_policy(` +@@ -289,13 +369,93 @@ optional_policy(` ') optional_policy(` @@ -22582,7 +22587,7 @@ index cc877c7..a8b01bf 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +461,29 @@ optional_policy(` +@@ -304,19 +464,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -22600,6 +22605,10 @@ index cc877c7..a8b01bf 100644 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + ++manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) ++manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) ++files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir }) ++ +kernel_read_system_state(ssh_keygen_t) kernel_read_kernel_sysctls(ssh_keygen_t) 
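Review bot: The three new `ssh_keygen_tmp_t` rules (`manage_dirs_pattern`, `manage_files_pattern`, `files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })`) carry no comment saying why ssh-keygen needs a private /tmp type, and the type itself is declared in a separate hunk (`@@ -22178,6 +22180,9 @@` on the previous physical line), so a reader of either hunk alone has to guess. Keeping these files off the generic tmp type is the right direction — whatever ssh-keygen writes there may be derived from key material, presumably, since the caller is not visible here. A one-line comment above the first rule would suffice, e.g. `# ssh-keygen driven by OpenStack writes under /tmp; keep its files off the generic tmp type`. The ssh_keygen_t block starts outside this hunk.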
@@ -22613,7 +22622,7 @@ index cc877c7..a8b01bf 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -333,6 +500,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -333,6 +507,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -22626,7 +22635,7 @@ index cc877c7..a8b01bf 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +514,140 @@ optional_policy(` +@@ -341,3 +521,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -29787,7 +29796,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..43c0bc6 100644 +index 17eda24..956662b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -30064,9 +30073,10 @@ index 17eda24..43c0bc6 100644 + fs_manage_tmpfs_files(init_t) + fs_manage_tmpfs_symlinks(init_t) + fs_manage_tmpfs_sockets(init_t) ++ fs_manage_tmpfs_chr_files(init_t) + fs_exec_tmpfs_files(init_t) fs_read_tmpfs_symlinks(init_t) - fs_rw_tmpfs_chr_files(init_t) +- fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + fs_tmpfs_filetrans_named_content(init_t) + @@ -33440,7 +33450,7 @@ index 4e94884..b144ffe 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..1259fbd 100644 +index 59b04c1..13c21e8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) 
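Review bot: `fs_manage_tmpfs_chr_files(init_t)` widens init_t from read/write on tmpfs character devices (the `fs_rw_tmpfs_chr_files(init_t)` line this hunk turns into a removal) to creating and deleting them, and none of the Subject bullets mentions init; the same undocumented widening applies to `dev_read_cpuid($1_t)` added to userdom_admin_user_template in the userdomain.if hunk `@@ -43573,13 +43596,14 @@`. The inner hunk header needs no count change here, since one context line became a removal and one addition was made, and the diff leaves it alone correctly. A why-comment would keep the widening reviewable, e.g. `# init populates the tmpfs-backed /dev with device nodes — confirm`. The init_t block begins and ends outside this hunk.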
@@ -33527,7 +33537,19 @@ index 59b04c1..1259fbd 100644 init_dontaudit_use_fds(auditctl_t) -@@ -148,6 +176,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; + allow auditd_t auditd_etc_t:dir list_dir_perms; + allow auditd_t auditd_etc_t:file read_file_perms; + ++manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t) + manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) +-allow auditd_t var_log_t:dir search_dir_perms; ++logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit") + + manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) + manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) +@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -33535,7 +33557,7 @@ index 59b04c1..1259fbd 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +184,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -33545,7 +33567,7 @@ index 59b04c1..1259fbd 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +209,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -33567,7 +33589,7 @@ index 59b04c1..1259fbd 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +264,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
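Review bot: The new inner hunk replaces `allow auditd_t var_log_t:dir search_dir_perms;` with `logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")` and adds `manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)`, so auditd_t can now rename and remove its own log directories as well as create them; if logging_log_filetrans expands to filetrans_pattern as in refpolicy, it also grants rw_dir_perms on var_log_t, wider than the search it replaces. For the audit trail, the daemon being able to rmdir/unlink its log tree is the kind of widening worth stating explicitly; if only creation of /var/log/audit is needed, `create_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)` would be the narrower choice. The change is not among the Subject bullets. The inner counts (9 → 10) are consistent with the lines shown; the auditd_t block begins and ends outside this hunk.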
@@ -33598,7 +33620,7 @@ index 59b04c1..1259fbd 100644 ') ######################################## -@@ -268,7 +305,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -33606,7 +33628,7 @@ index 59b04c1..1259fbd 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +316,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -33626,7 +33648,7 @@ index 59b04c1..1259fbd 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +370,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -33634,7 +33656,7 @@ index 59b04c1..1259fbd 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +398,12 @@ optional_policy(` +@@ -355,13 +399,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -33651,7 +33673,7 @@ index 59b04c1..1259fbd 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; 
@@ -33662,7 +33684,7 @@ index 59b04c1..1259fbd 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -33712,7 +33734,7 @@ index 59b04c1..1259fbd 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -33721,7 +33743,7 @@ index 59b04c1..1259fbd 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -33749,7 +33771,7 @@ index 59b04c1..1259fbd 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
@@ -33767,7 +33789,7 @@ index 59b04c1..1259fbd 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +549,11 @@ init_use_fds(syslogd_t) +@@ -466,11 +550,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -33782,7 +33804,7 @@ index 59b04c1..1259fbd 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -507,15 +590,40 @@ optional_policy(` +@@ -507,15 +591,40 @@ optional_policy(` ') optional_policy(` @@ -33823,7 +33845,7 @@ index 59b04c1..1259fbd 100644 ') optional_policy(` -@@ -526,3 +634,26 @@ optional_policy(` +@@ -526,3 +635,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -38115,7 +38137,7 @@ index 2cea692..e094fc0 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..f1782ee 100644 +index a392fc4..4302955 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -38403,7 +38425,7 @@ index a392fc4..f1782ee 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +377,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -38426,6 +38448,7 @@ index a392fc4..f1782ee 100644 +sysnet_dns_name_resolve(ifconfig_t) sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) ++sysnet_filetrans_named_content_ifconfig(ifconfig_t) -userdom_use_user_terminals(ifconfig_t) +userdom_use_inherited_user_terminals(ifconfig_t) 
@@ -38460,7 +38483,7 @@ index a392fc4..f1782ee 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +432,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -38473,7 +38496,7 @@ index a392fc4..f1782ee 100644 ') optional_policy(` -@@ -350,7 +449,15 @@ optional_policy(` +@@ -350,7 +450,15 @@ optional_policy(` ') optional_policy(` @@ -38490,7 +38513,7 @@ index a392fc4..f1782ee 100644 ') optional_policy(` -@@ -371,3 +478,13 @@ optional_policy(` +@@ -371,3 +479,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -42095,7 +42118,7 @@ index db75976..4ca3a28 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..102478f 100644 +index 9dc60c6..87b5cc3 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -43573,13 +43596,14 @@ index 9dc60c6..102478f 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1559,14 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1559,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) + dev_rw_generic_usb_dev($1_t) + dev_rw_usbfs($1_t) + dev_read_kmsg($1_t) ++ dev_read_cpuid($1_t) domain_setpriority_all_domains($1_t) domain_read_all_domains_state($1_t) @@ -43588,7 +43612,7 @@ index 9dc60c6..102478f 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1577,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1578,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -43631,7 +43655,7 @@ index 9dc60c6..102478f 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1618,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1619,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -43640,7 +43664,7 @@ index 9dc60c6..102478f 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1627,17 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1628,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -43659,7 +43683,7 @@ index 9dc60c6..102478f 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1673,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1674,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -43668,7 +43692,7 @@ index 9dc60c6..102478f 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1683,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1684,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -43677,7 +43701,7 @@ index 9dc60c6..102478f 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1697,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1698,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -43689,7 +43713,7 @@ index 9dc60c6..102478f 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1711,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1712,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -43732,7 +43756,7 @@ index 9dc60c6..102478f 100644 ') optional_policy(` -@@ -1357,14 +1796,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1797,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -43751,7 +43775,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -1405,6 +1847,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1405,6 +1848,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -43803,7 +43827,7 @@ index 9dc60c6..102478f 100644 ## ## ## Domain allowed access. -@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -43835,7 +43859,7 @@ index 9dc60c6..102478f 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -43850,7 +43874,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -43862,7 +43886,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -1629,6 +2146,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2147,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -43905,7 +43929,7 @@ index 9dc60c6..102478f 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2261,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2262,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -43914,7 +43938,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -1741,10 +2296,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2297,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -43929,7 +43953,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -1769,7 +2326,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2327,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -43956,7 +43980,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -1779,53 +2354,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1779,53 +2355,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -44039,7 +44063,7 @@ index 9dc60c6..102478f 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1845,6 +2437,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1845,6 +2438,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -44065,7 +44089,7 @@ index 9dc60c6..102478f 100644 ## Mmap user home files. ## ## -@@ -1875,15 +2486,18 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1875,15 +2487,18 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -44086,7 +44110,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -1891,18 +2505,18 @@ interface(`userdom_read_user_home_content_files',` +@@ -1891,18 +2506,18 @@ interface(`userdom_read_user_home_content_files',` ## ## # @@ -44110,7 +44134,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -1910,17 +2524,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',` +@@ -1910,17 +2525,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',` ## ## # @@ -44136,7 +44160,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -1928,7 +2546,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',` +@@ -1928,7 +2547,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',` ## ## # @@ -44163,7 +44187,7 @@ index 9dc60c6..102478f 100644 gen_require(` type user_home_t; ') -@@ -1938,7 +2574,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2575,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -44172,7 +44196,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -1946,10 +2582,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2583,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -44185,7 +44209,7 @@ index 9dc60c6..102478f 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2593,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2594,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## 
@@ -44194,7 +44218,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -1966,12 +2601,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2602,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -44263,7 +44287,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2007,8 +2696,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2697,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -44273,7 +44297,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2024,20 +2712,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2713,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -44298,7 +44322,7 @@ index 9dc60c6..102478f 100644 ######################################## ## -@@ -2120,7 +2802,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2803,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -44307,7 +44331,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -2128,19 +2810,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2811,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -44331,7 +44355,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -2148,12 +2828,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2829,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -44347,7 +44371,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2390,11 +3070,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2390,11 +3071,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -44362,7 +44386,7 @@ index 9dc60c6..102478f 100644 files_search_tmp($1) ') -@@ -2414,7 +3094,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3095,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -44371,7 +44395,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,6 +3219,26 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -44398,7 +44422,7 @@ index 9dc60c6..102478f 100644 ## temporary symbolic links. ## ## -@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3362,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -44424,7 +44448,7 @@ index 9dc60c6..102478f 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3397,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -44440,7 +44464,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3425,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -44449,7 +44473,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3433,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -44484,7 +44508,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3551,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -44509,7 +44533,7 @@ index 9dc60c6..102478f 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3587,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -44552,7 +44576,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3623,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -44590,7 +44614,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3668,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -44620,7 +44644,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3760,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -44721,7 +44745,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3829,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -44736,7 +44760,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3898,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -44745,7 +44769,7 @@ index 9dc60c6..102478f 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,16 +3914,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -44767,7 +44791,7 @@ index 9dc60c6..102478f 100644 ## ## ## -@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',` +@@ -3127,30 +3933,12 @@ interface(`userdom_search_user_home_content',` ## ## # @@ -44800,7 +44824,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4002,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -44827,7 +44851,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,7 +4075,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -44912,7 +44936,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3287,7 +4169,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -44921,7 +44945,7 @@ index 9dc60c6..102478f 100644 ') ######################################## -@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',` +@@ -3306,6 +4188,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -44929,7 +44953,7 @@ index 9dc60c6..102478f 100644 kernel_search_proc($1) ') -@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4265,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -44972,7 +44996,7 @@ index 9dc60c6..102478f 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4321,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -44997,7 +45021,7 @@ index 9dc60c6..102478f 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4372,1680 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 960c0cc..f767c7a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -536,7 +536,7 @@ index 058d908..2f6c3a9 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..5508cee 100644 +index eb50f07..cfd3aa9 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -731,7 +731,7 @@ index eb50f07..5508cee 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +189,40 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +189,42 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -756,14 +756,16 @@ index eb50f07..5508cee 100644 fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) -+logging_read_generic_logs(abrt_t) +-auth_use_nsswitch(abrt_t) ++storage_dontaudit_read_fixed_disk(abrt_t) + + logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) + - auth_use_nsswitch(abrt_t) - --logging_read_generic_logs(abrt_t) ++auth_use_nsswitch(abrt_t) ++ +init_read_utmp(abrt_t) +miscfiles_read_generic_certs(abrt_t) @@ -775,7 +777,7 @@ index eb50f07..5508cee 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +230,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +232,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -792,7 +794,7 @@ index eb50f07..5508cee 100644 ') optional_policy(` -@@ -222,6 +242,20 @@ optional_policy(` +@@ -222,6 +244,20 @@ optional_policy(` ') optional_policy(` 
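Review bot: `storage_dontaudit_read_fixed_disk(abrt_t)` silences the AVC for reads of raw fixed-disk devices without saying why abrt_t reaches for them, and a dontaudit on block-device reads also removes the only signal that would reveal unexpected disk access by this domain later. This file already keeps symptom-hiding dontaudits for abrt_helper_t inside `ifdef(`hide_broken_symptoms',` … `')`, so if that is what this rule is, placing it there would keep the file's convention. Otherwise a one-line comment above it, e.g. `# TODO(review): record why abrt_t reads fixed_disk_device_t before hiding it`, would let the next maintainer judge whether the access should instead be allowed or fixed in abrt. The hunk also moves `auth_use_nsswitch(abrt_t)` below the logging block; that reordering is harmless but unrelated to the changelog entry.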
@@ -813,7 +815,7 @@ index eb50f07..5508cee 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +268,11 @@ optional_policy(` +@@ -234,6 +270,11 @@ optional_policy(` ') optional_policy(` @@ -825,7 +827,7 @@ index eb50f07..5508cee 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +282,7 @@ optional_policy(` +@@ -243,6 +284,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -833,7 +835,7 @@ index eb50f07..5508cee 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +293,17 @@ optional_policy(` +@@ -253,9 +295,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -852,7 +854,7 @@ index eb50f07..5508cee 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +314,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +316,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -867,7 +869,7 @@ index eb50f07..5508cee 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +335,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -875,7 +877,7 @@ index eb50f07..5508cee 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +344,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -896,7 +898,7 @@ index eb50f07..5508cee 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +363,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +365,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -923,7 +925,7 @@ index eb50f07..5508cee 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +401,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -937,7 +939,7 @@ index eb50f07..5508cee 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +417,11 @@ optional_policy(` +@@ -343,10 +419,11 @@ optional_policy(` ####################################### # @@ -951,7 +953,7 @@ index eb50f07..5508cee 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +440,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +442,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1003,7 +1005,7 @@ index eb50f07..5508cee 100644 ####################################### # -@@ -404,7 +489,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +491,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; 
@@ -1012,7 +1014,7 @@ index eb50f07..5508cee 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +498,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +500,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1056,7 +1058,7 @@ index eb50f07..5508cee 100644 ') ####################################### -@@ -430,10 +541,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +543,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -7969,7 +7971,7 @@ index 2077053..198a02a 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 7e41350..1076937 100644 +index 7e41350..e8e1672 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; @@ -8003,7 +8005,15 @@ index 7e41350..1076937 100644 corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t) +@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t) + + corenet_sendrecv_sip_client_packets(asterisk_t) + corenet_tcp_connect_sip_port(asterisk_t) ++corenet_tcp_connect_http_port(asterisk_t) + + dev_rw_generic_usb_dev(asterisk_t) + dev_read_sysfs(asterisk_t) +@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) @@ -8011,7 +8021,7 @@ index 7e41350..1076937 100644 files_search_spool(asterisk_t) files_dontaudit_search_home(asterisk_t) -@@ -150,8 +148,6 @@ auth_use_nsswitch(asterisk_t) +@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t) logging_search_logs(asterisk_t) logging_send_syslog_msg(asterisk_t) @@ -28277,10 +28287,10 @@ index 0000000..04e159f +') 
diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..781c76d +index 0000000..cb68ca9 --- /dev/null +++ b/gear.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,125 @@ +policy_module(gear, 1.0.0) + +######################################## @@ -28315,6 +28325,8 @@ index 0000000..781c76d +allow gear_t self:unix_stream_socket create_stream_socket_perms; +allow gear_t self:tcp_socket create_stream_socket_perms; + ++allow gear_t gear_unit_file_t:dir { relabelfrom relabelto }; ++ +manage_dirs_pattern(gear_t, gear_log_t, gear_log_t) +manage_files_pattern(gear_t, gear_log_t, gear_log_t) +manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t) @@ -28328,6 +28340,7 @@ index 0000000..781c76d +manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) +manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) +files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file }) ++allow gear_t gear_var_lib_t:dir { relabelfrom relabelto }; + +manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t) +manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) @@ -45714,7 +45727,7 @@ index 6194b80..cafb2b0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..633063d 100644 +index 11ac8e4..fb431ea 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) @@ -46152,7 +46165,7 @@ index 11ac8e4..633063d 100644 ') optional_policy(` -@@ -300,259 +324,252 @@ optional_policy(` +@@ -300,259 +324,253 @@ optional_policy(` ######################################## # @@ -46474,6 +46487,7 @@ index 11ac8e4..633063d 100644 - allow mozilla_plugin_t self:process { execmem execstack }; +optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_rw_config(mozilla_plugin_config_t) + alsa_read_home_files(mozilla_plugin_t) ') @@ -46551,7 +46565,7 @@ index 11ac8e4..633063d 100644 ') optional_policy(` -@@ -560,7 +577,11 @@ optional_policy(` +@@ -560,7 +578,11 @@ optional_policy(` ') optional_policy(` 
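Review bot: `allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };` grants relabeling on the dir class only; the changelog says geard "does a lot of relabeling", so if it also relabels the unit files themselves the denials will keep coming. The conventional spelling is the support macro, `relabel_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)` (plus `relabel_files_pattern` if files are affected), which matches the manage_*_pattern style used throughout this file; the same applies to `allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };` in the next hunk. Since gear_unit_file_t is content consumed by init, a short comment naming what geard relabels and why would justify granting relabelto on that type.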
@@ -46564,7 +46578,7 @@ index 11ac8e4..633063d 100644 ') optional_policy(` -@@ -568,108 +589,131 @@ optional_policy(` +@@ -568,108 +590,131 @@ optional_policy(` ') optional_policy(` @@ -48305,7 +48319,7 @@ index ed81cac..8f217ea 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..0c688c5 100644 +index ff1d68c..4cf1204 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -48532,7 +48546,7 @@ index ff1d68c..0c688c5 100644 ') optional_policy(` -@@ -258,10 +282,15 @@ optional_policy(` +@@ -258,10 +282,16 @@ optional_policy(` ') optional_policy(` @@ -48542,13 +48556,14 @@ index ff1d68c..0c688c5 100644 optional_policy(` + munin_dontaudit_leaks(system_mail_t) ++ munin_append_var_lib_files(system_mail_t) +') + +optional_policy(` nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +301,19 @@ optional_policy(` +@@ -272,6 +302,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -48568,7 +48583,7 @@ index ff1d68c..0c688c5 100644 ') optional_policy(` -@@ -287,42 +329,36 @@ optional_policy(` +@@ -287,42 +330,36 @@ optional_policy(` ') optional_policy(` @@ -48621,7 +48636,7 @@ index ff1d68c..0c688c5 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,40 +367,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,40 +368,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) 
@@ -48670,7 +48685,7 @@ index ff1d68c..0c688c5 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -372,6 +394,17 @@ optional_policy(` +@@ -372,6 +395,17 @@ optional_policy(` ') optional_policy(` @@ -48688,7 +48703,7 @@ index ff1d68c..0c688c5 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -381,24 +414,49 @@ optional_policy(` +@@ -381,24 +415,49 @@ optional_policy(` ######################################## # @@ -48875,7 +48890,7 @@ index eb4b72a..af28bb5 100644 +/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) +/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) diff --git a/munin.if b/munin.if -index b744fe3..900d083 100644 +index b744fe3..50c386e 100644 --- a/munin.if +++ b/munin.if @@ -1,12 +1,13 @@ @@ -48946,7 +48961,7 @@ index b744fe3..900d083 100644 ## ## ## -@@ -80,15 +84,53 @@ interface(`munin_read_config',` +@@ -80,15 +84,73 @@ interface(`munin_read_config',` type munin_etc_t; ') @@ -48978,6 +48993,26 @@ index b744fe3..900d083 100644 + +') + ++####################################### ++## ++## Append munin library files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`munin_append_var_lib_files',` ++ gen_require(` ++ type munin_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, munin_var_lib_t, munin_var_lib_t) ++ ++') ++ +###################################### +## +## dontaudit read and write an leaked file descriptors @@ -49002,7 +49037,7 @@ index b744fe3..900d083 100644 ## ## ## -@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',` +@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',` ######################################## ## @@ -49013,7 +49048,7 @@ index b744fe3..900d083 100644 ## ## ## -@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',` +@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',` ## ## ## 
@@ -49022,7 +49057,7 @@ index b744fe3..900d083 100644 ## ## ## -@@ -167,11 +209,15 @@ interface(`munin_admin',` +@@ -167,11 +229,15 @@ interface(`munin_admin',` attribute munin_plugin_domain, munin_plugin_tmp_content; type munin_t, munin_etc_t, munin_tmp_t; type munin_log_t, munin_var_lib_t, munin_var_run_t; @@ -49041,7 +49076,7 @@ index b744fe3..900d083 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) -@@ -193,5 +239,5 @@ interface(`munin_admin',` +@@ -193,5 +259,5 @@ interface(`munin_admin',` files_list_pids($1) admin_pattern($1, munin_var_run_t) @@ -53135,10 +53170,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..f691a30 +index 0000000..2c40c73 --- /dev/null +++ b/nova.te -@@ -0,0 +1,310 @@ +@@ -0,0 +1,314 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -53271,6 +53306,10 @@ index 0000000..f691a30 + ssh_exec_keygen(nova_api_t) +') + ++optional_policy(` ++ gnome_dontaudit_search_config(nova_api_t) ++') ++ +#optional_policy(` +# unconfined_domain(nova_api_t) +#') @@ -59379,10 +59418,10 @@ index 0000000..42ed4ba +') diff --git a/openwsman.te b/openwsman.te new file mode 100644 -index 0000000..a0161d5 +index 0000000..3bcd32c --- /dev/null +++ b/openwsman.te -@@ -0,0 +1,56 @@ +@@ -0,0 +1,74 @@ +policy_module(openwsman, 1.0.0) + +######################################## @@ -59397,6 +59436,9 @@ index 0000000..a0161d5 +type openwsman_tmp_t; +files_tmp_file(openwsman_tmp_t) + ++type openwsman_tmpfs_t; ++files_tmpfs_file(openwsman_tmpfs_t) ++ +type openwsman_log_t; +logging_log_file(openwsman_log_t) + 
@@ -59422,6 +59464,10 @@ index 0000000..a0161d5 +manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) +files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file }) + ++manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t) ++manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t) ++fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file }) ++ +manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t) +logging_log_filetrans(openwsman_t, openwsman_log_t, { file }) + @@ -59433,12 +59479,23 @@ index 0000000..a0161d5 + +corenet_tcp_connect_pegasus_https_port(openwsman_t) +corenet_tcp_bind_vnc_port(openwsman_t) ++corenet_tcp_bind_http_port(openwsman_t) + +dev_read_urand(openwsman_t) + +logging_send_syslog_msg(openwsman_t) +logging_send_audit_msgs(openwsman_t) + ++optional_policy(` ++ sblim_stream_connect_sfcbd(openwsman_t) ++ sblim_rw_semaphores_sfcbd(openwsman_t) ++ sblim_getattr_exec_sfcbd(openwsman_t) ++') ++ ++optional_policy(` ++ unconfined_domain(openwsman_t) ++') ++ diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 index 0000000..80fb8c3 @@ -73632,10 +73689,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..9494e23 100644 +index 8644d8b..4398f8e 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,137 @@ policy_module(quantum, 1.1.0) # Declarations # @@ -73699,7 +73756,8 @@ index 8644d8b..9494e23 100644 +logging_log_filetrans(neutron_t, neutron_log_t, dir) + +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, file) ++manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) 
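Review bot: `unconfined_domain(openwsman_t)` in the new optional_policy block makes openwsman_t unconfined wherever the unconfined module is loaded, so every other rule in this file — including the tmpfs, `corenet_tcp_bind_http_port` and sblim permissions added in this same hunk — becomes decorative and the daemon effectively runs with full access. If the intent is to ship a not-yet-complete policy without generating denials, nova.te on this page keeps the equivalent block commented out (`#optional_policy(` / `# unconfined_domain(nova_api_t)` / `#')`), which leaves the escape hatch visible without enabling it. At minimum a comment stating that this is temporary and which denials it is waiting on would tell a reader that the confinement above is not yet in effect.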
@@ -82908,7 +82966,7 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..61b21d2 100644 +index abeb302..7c1f218 100644 --- a/rsync.te +++ b/rsync.te @@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) @@ -83029,7 +83087,7 @@ index abeb302..61b21d2 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -83155,6 +83213,8 @@ index abeb302..61b21d2 100644 optional_policy(` - inetd_service_domain(rsync_t, rsync_exec_t) + swift_manage_data_files(rsync_t) ++ swift_manage_lock(rsync_t) ++ swift_filetrans_named_lock(rsync_t) ') diff --git a/rtas.fc b/rtas.fc new file mode 100644 @@ -87331,7 +87391,7 @@ index 68a550d..e976fc6 100644 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if -index 98c9e0a..d4aa009 100644 +index 98c9e0a..562666e 100644 --- a/sblim.if +++ b/sblim.if @@ -1,8 +1,36 @@ 
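Review bot: `swift_manage_lock(rsync_t)` gives rsync_t full manage access (create, unlink, rename) to every swift_lock_t file, while the changelog entry only asks for creating `swift_server.lock`. If rsync only needs to create and lock that one file, a narrower interface granting create and read/write on swift_lock_t, combined with the `swift_filetrans_named_lock(rsync_t)` already added here, would keep rsync_t from being able to delete other swift lock files. If the broader access is really needed, a brief comment on these two lines saying so would save the next reader from asking the same question.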
@@ -87382,39 +87442,116 @@ index 98c9e0a..d4aa009 100644 ## ## ## -@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',` +@@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',` ######################################## ## -## All of the rules required to -## administrate an sblim environment. +## Transition to sblim named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sblim_filetrans_named_content',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather") ++') ++ ++######################################## ++## ++## Connect to sblim_sfcb over a unix stream socket. ## ## ## --## Domain allowed access. -+## Domain allowed access. + ## Domain allowed access. ## ## -## +# -+interface(`sblim_filetrans_named_content',` ++interface(`sblim_stream_connect_sfcbd',` + gen_require(` -+ type sblim_var_run_t; ++ type sblim_sfcb_t, sblim_var_lib_t; ++ type sblim_tmp_t; + ') + -+ files_pid_filetrans($1, sblim_var_run_t, dir, "gather") ++ files_search_pids($1) ++ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t) ++ stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t) +') + ++####################################### ++## ++## Getattr on sblim executable. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sblim_getattr_exec_sfcbd',` ++ gen_require(` ++ type sblim_sfcbd_exec_t; ++ ') ++ ++ allow $1 sblim_sfcbd_exec_t:file getattr; ++') ++ ++ +######################################## +## -+## All of the rules required to administrate -+## an gatherd environment ++## Connect to sblim_sfcb over a unix stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sblim_stream_connect_sfcb',` ++ gen_require(` ++ type sblim_sfcb_t, sblim_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t) ++') ++ ++####################################### ++## ++## Allow read and write access to sblim semaphores. +## +## ## -## Role allowed access. +## Domain allowed access. ++## ++## ++# ++interface(`sblim_rw_semaphores_sfcbd',` ++ gen_require(` ++ type sblim_sfcbd_t; ++ ') ++ ++ allow $1 sblim_sfcbd_t:sem rw_sem_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## ++## ++## Domain allowed access. ## ## ## @@ -87448,7 +87585,7 @@ index 98c9e0a..d4aa009 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..99eda9b 100644 +index 299756b..1edabdf 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -87554,7 +87691,7 @@ index 299756b..99eda9b 100644 ') optional_policy(` -@@ -117,6 +133,35 @@ optional_policy(` +@@ -117,6 +133,43 @@ optional_policy(` # Reposd local policy # @@ -87586,11 +87723,19 @@ index 299756b..99eda9b 100644 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) +corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t) + ++corecmd_exec_shell(sblim_sfcbd_t) ++corecmd_exec_bin(sblim_sfcbd_t) ++ +dev_read_rand(sblim_sfcbd_t) +dev_read_urand(sblim_sfcbd_t) + +domain_read_all_domains_state(sblim_sfcbd_t) +domain_use_interactive_fds(sblim_sfcbd_t) ++ ++optional_policy(` ++ rpm_exec(sblim_sfcbd_t) ++ rpm_dontaudit_manage_db(sblim_sfcbd_t) ++') diff --git a/screen.fc b/screen.fc index e7c2cf7..435aaa6 100644 --- a/screen.fc @@ -94054,10 +94199,10 @@ index 49d688d..f07cc80 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..744f0ce +index 0000000..a4ec18a --- /dev/null 
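Review bot: In `sblim_stream_connect_sfcbd`, the second `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)` passes a file type as the fourth argument, which `stream_connect_pattern` expands into `allow $1 sblim_tmp_t:unix_stream_socket connectto` — a rule no process ever matches, so connecting through a socket labeled sblim_tmp_t will still be denied. The fourth argument must be the daemon's domain, e.g. `stream_connect_pattern($1, sblim_tmp_t, sblim_tmp_t, sblim_sfcb_t)`, with the directory type set to wherever the socket actually lives. Separately, the gen_require here and in `sblim_stream_connect_sfcb` names `sblim_sfcb_t`, while `sblim_getattr_exec_sfcbd`, `sblim_rw_semaphores_sfcbd` and the sblim.te rules below use `sblim_sfcbd_t`; unless both types really exist this will fail to build, so it is worth confirming which one is declared. `sblim_stream_connect_sfcb` also repeats the first rule of `sblim_stream_connect_sfcbd` and could be dropped or turned into a call to it.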
+++ b/swift.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,30 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -94077,6 +94222,7 @@ index 0000000..744f0ce + +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + ++/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0) +/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) +/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + @@ -94089,10 +94235,10 @@ index 0000000..744f0ce +') diff --git a/swift.if b/swift.if new file mode 100644 -index 0000000..df82c36 +index 0000000..6a1f575 --- /dev/null +++ b/swift.if -@@ -0,0 +1,118 @@ +@@ -0,0 +1,155 @@ + +## policy for swift + @@ -94154,6 +94300,43 @@ index 0000000..df82c36 + manage_dirs_pattern($1, swift_data_t, swift_data_t) +') + ++##################################### ++## ++## Read and write swift lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_manage_lock',` ++ gen_require(` ++ type swift_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, swift_lock_t, swift_lock_t) ++') ++ ++####################################### ++## ++## Transition content labels to swift named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_filetrans_named_lock',` ++ gen_require(` ++ type swift_lock_t; ++ ') ++ ++ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock") ++') ++ +######################################## +## +## Execute swift server in the swift domain. @@ -94213,10 +94396,10 @@ index 0000000..df82c36 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..159ae72 +index 0000000..9ee77b2 --- /dev/null 
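Review bot: The summary of `swift_manage_lock` reads `Read and write swift lock files.` but its body grants `manage_files_pattern`, i.e. create, unlink and rename as well; callers such as rsync_t in rsync.te take this interface on the strength of its summary, so it should say `Create, read, write, and delete swift lock files.`. `swift_filetrans_named_lock` could likewise name the file it transitions in its summary, e.g. `Create swift_server.lock in the lock directory with swift_lock_t labeling.`, since that fact is otherwise only visible in the body.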
+++ b/swift.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,97 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94228,6 +94411,9 @@ index 0000000..159ae72 +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_lock_t; ++files_lock_file(swift_lock_t) ++ +type swift_tmp_t; +files_tmp_file(swift_tmp_t) + @@ -94258,6 +94444,10 @@ index 0000000..159ae72 +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t) ++manage_files_pattern(swift_t, swift_lock_t, swift_lock_t) ++files_lock_filetrans(swift_t, swift_lock_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t) +manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) +files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) @@ -94305,6 +94495,7 @@ index 0000000..159ae72 + +optional_policy(` + rpm_exec(swift_t) ++ rpm_dontaudit_manage_db(swift_t) +') diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index 46b9b85..748e0ef 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 53%{?dist} +Release: 54%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -588,6 +588,31 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue May 20 2014 Miroslav Grepl 3.13.1-54 +- geard seems to do a lot of relabeling +- Allow system_mail_t to append to munin_var_lib_t +- Allow mozilla_plugin to read alsa_rw_ content +- Allow asterisk to connect to the apache ports +- Dontaudit attempts to read fixed disk +- Dontaudit search gconf_home_t +- Allow rsync to create swift_server.lock with swift.log labeling +- Add labeling for swift lock files +- Use swift_virt_lock in swift.te +- Allow openwsman to getattr on sblim_sfcbd executable +- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t +- Allow openwsman_t to read/write sblim-sfcb shared mem +- Allow openwsman to stream connec to sblim-sfcbd +- Allow openwsman to create tmpfs files/dirs +- dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcbd_t +- Allow sblim_sfcbd to execute shell +- Allow swift to create lock file +- Allow openwsman to use tcp/80 +- Allow neutron to create also dirs in /tmp +- Allow seunshare domains to getattr on all executables +- Allow ssh-keygen to create temporary files/dirs needed by OpenStack +- Allow named_filetrans_domain to create /run/netns +- Allow ifconfig to create /run/netns + * Tue May 13 2014 Miroslav Grepl 3.13.1-53 - Add missing dyntransition for sandbox_x_domain