From d673c86057c01f1c0c0fd01844eb348817b14104 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 10 2014 09:06:49 +0000 Subject: * Wed Sep 10 2014 Lukas Vrabec 3.12.1-184 - ALlow wine domains to create wine_home symlinks. - Allow policykit_auth_t access check and read usr config files. - Dontaudit access check on home_root_t for policykit-auth. - update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent. - Fix label for /usr/bin/courier/bin/sendmail - Add files_dontaudit_access_check_home_dir() inteface. - Allow udev_t mounton udev_var_run_t dirs #(1128618) --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index dd7ff70..653e1c3 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -9757,7 +9757,7 @@ index c2c6e05..7996499 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..989ca8b 100644 +index 64ff4d7..87da44f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10978,7 +10978,35 @@ index 64ff4d7..989ca8b 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4536,38 @@ interface(`files_list_mnt',` +@@ -3534,6 +4274,27 @@ interface(`files_dontaudit_getattr_home_dir',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on home root directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_home_dir',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ dontaudit $1 home_root_t:dir_file_class_set audit_access; ++') ++ ++ ++ ++######################################## ++## + ## Search home directories root (/home). + ## + ## +@@ -3796,20 +4557,38 @@ interface(`files_list_mnt',` ###################################### ## 
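Review bot: The new `files_dontaudit_access_check_home_dir` interface suppresses `audit_access` on every class in `dir_file_class_set`, yet its own summary says it covers the home root directory, and `home_root_t` is (per the neighbouring "Search home directories root (/home)" summary) a directory label, so `dontaudit $1 home_root_t:dir audit_access;` would cover the policykit-auth case the changelog describes; the sibling `files_dontaudit_access_check_tmp` uses the same wide set, so either is defensible, but the choice should be deliberate. Since `audit_access` is the pseudo-permission consulted only for access(2)/faccessat(2) probes, this rule grants nothing and only hides AVC messages — worth saying in the summary, e.g. `## Only silences access(2) probes; grants no access.`, so it is not mistaken for an allow. The run of four empty `++` lines added before the next banner is also out of step with the single separator used elsewhere in files.if. This is a patch-of-a-patch, so I am reading the inner `+` lines as the policy under review.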
@@ -11022,7 +11050,7 @@ index 64ff4d7..989ca8b 100644 ') ######################################## -@@ -4199,192 +4957,215 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,174 +4978,215 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11254,36 +11282,26 @@ index 64ff4d7..989ca8b 100644 +## File name transition for system db files in /var/lib. ## ## --## --## Domain allowed access. --## +## +## Domain allowed access. +## - ## - # --interface(`files_delete_tmp_dir_entry',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- allow $1 tmp_t:dir del_entry_dir_perms; ++ + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") - ') - - ######################################## - ## --## Read files in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). - ## --## ++## +## ## -## Domain allowed access. @@ -11291,19 +11309,19 @@ index 64ff4d7..989ca8b 100644 ## ## # --interface(`files_read_generic_tmp_files',` +-interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') -- read_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## --## Manage temporary directories in /tmp. +-## Read files in the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system 
@@ -11316,42 +11334,42 @@ index 64ff4d7..989ca8b 100644 ## ## # --interface(`files_manage_generic_tmp_dirs',` +-interface(`files_read_generic_tmp_files',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') -- manage_dirs_pattern($1, tmp_t, tmp_t) +- read_files_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; ') ######################################## ## --## Manage temporary files and directories in /tmp. +-## Manage temporary directories in /tmp. +## Get the attributes of the tmp directory (/tmp). ## ## ## -@@ -4392,53 +5173,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4374,53 +5194,56 @@ interface(`files_read_generic_tmp_files',` ## ## # --interface(`files_manage_generic_tmp_files',` +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) +- manage_dirs_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Read symbolic links in the tmp directory (/tmp). +-## Manage temporary files and directories in /tmp. +## Do not audit attempts to check the +## access on tmp files ## @@ -11362,20 +11380,20 @@ index 64ff4d7..989ca8b 100644 ## ## # --interface(`files_read_generic_tmp_symlinks',` +-interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') -- read_lnk_files_pattern($1, tmp_t, tmp_t) +- manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## --## Read and write generic named sockets in the tmp directory (/tmp). +-## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## 
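Review bot: `files_dontaudit_access_check_tmp` carries `type etc_t;` in its gen_require block but emits `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the interface requires the wrong type and never requires `tmp_t`; a contrib module that calls it without already requiring `tmp_t` will fail to link, and `etc_t` is pulled into the caller's require block for nothing. The require line should read `type tmp_t;`. This defect is pre-existing in the carried patch rather than introduced by this commit, but the hunk renumbers it into the new revision unchanged, so it ships as-is.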
@@ -11386,42 +11404,41 @@ index 64ff4d7..989ca8b 100644 ## ## # --interface(`files_rw_generic_tmp_sockets',` +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## --## Set the attributes of all tmp directories. +-## Read and write generic named sockets in the tmp directory (/tmp). +## Search the tmp directory (/tmp). ## ## ## -@@ -4446,77 +5230,92 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4428,35 +5251,36 @@ interface(`files_read_generic_tmp_symlinks',` ## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_rw_generic_tmp_sockets',` +interface(`files_search_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- rw_sock_files_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; ') ######################################## ## --## List all tmp directories. +-## Set the attributes of all tmp directories. +## Do not audit attempts to search the tmp directory (/tmp). ## ## 
@@ -11431,83 +11448,93 @@ index 64ff4d7..989ca8b 100644 ## ## # --interface(`files_list_all_tmp',` +-interface(`files_setattr_all_tmp_dirs',` +interface(`files_dontaudit_search_tmp',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; +- allow $1 tmpfile:dir { search_dir_perms setattr }; + dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## --## Relabel to and from all temporary --## directory types. +-## List all tmp directories. +## Read the tmp directory (/tmp). ## ## ## - ## Domain allowed access. +@@ -4464,59 +5288,55 @@ interface(`files_setattr_all_tmp_dirs',` ## ## --## # --interface(`files_relabel_all_tmp_dirs',` +-interface(`files_list_all_tmp',` +interface(`files_list_tmp',` gen_require(` - attribute tmpfile; -- type var_t; + type tmp_t; ') -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) +- allow $1 tmpfile:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp files. +-## Relabel to and from all temporary +-## directory types. +## Do not audit listing of the tmp directory (/tmp). ## ## ## --## Domain not to audit. +-## Domain allowed access. +## Domain to not audit. ## ## +-## # --interface(`files_dontaudit_getattr_all_tmp_files',` +-interface(`files_relabel_all_tmp_dirs',` +interface(`files_dontaudit_list_tmp',` gen_require(` - attribute tmpfile; +- type var_t; + type tmp_t; ') -- dontaudit $1 tmpfile:file getattr; +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) + dontaudit $1 tmp_t:dir list_dir_perms; -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. +## Allow read and write to the tmp directory (/tmp). 
-+## -+## + ## + ## +-## +-## Domain not to audit. +-## +## +## Domain not to audit. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` +- gen_require(` +- attribute tmpfile; +- ') +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') -+ + +- dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') @@ -11520,7 +11547,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4524,110 +5323,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,110 +5344,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -11659,7 +11686,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4635,22 +5422,17 @@ interface(`files_tmp_filetrans',` +@@ -4635,22 +5443,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -11686,7 +11713,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4658,17 +5440,17 @@ interface(`files_purge_tmp',` +@@ -4658,17 +5461,17 @@ interface(`files_purge_tmp',` ## ## # @@ -11708,7 +11735,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4676,18 +5458,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4676,18 +5479,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -11731,7 +11758,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4695,35 +5476,35 @@ interface(`files_search_usr',` +@@ -4695,35 +5497,35 @@ interface(`files_search_usr',` ## ## # @@ -11776,7 +11803,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4731,36 +5512,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4731,36 +5533,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -11822,7 +11849,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4768,17 +5548,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4768,17 +5569,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -11844,7 +11871,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4786,73 +5566,59 @@ interface(`files_delete_usr_dirs',` +@@ -4786,73 +5587,59 @@ interface(`files_delete_usr_dirs',` ## ## # 
@@ -11937,7 +11964,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4860,55 +5626,58 @@ interface(`files_read_usr_files',` +@@ -4860,55 +5647,58 @@ interface(`files_read_usr_files',` ## ## # @@ -12012,7 +12039,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4916,67 +5685,70 @@ interface(`files_manage_usr_files',` +@@ -4916,67 +5706,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -12101,7 +12128,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -4985,35 +5757,50 @@ interface(`files_read_usr_symlinks',` +@@ -4985,35 +5778,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -12161,7 +12188,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5021,20 +5808,17 @@ interface(`files_dontaudit_search_src',` +@@ -5021,20 +5829,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -12186,7 +12213,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5042,20 +5826,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5042,20 +5847,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -12211,7 +12238,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5063,38 +5845,35 @@ interface(`files_read_usr_src_files',` +@@ -5063,38 +5866,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -12259,7 +12286,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5102,37 +5881,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5102,37 +5902,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -12307,7 +12334,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5140,35 +5918,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5140,35 +5939,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -12352,7 +12379,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5176,36 +5954,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5176,36 +5975,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # 
@@ -12418,7 +12445,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5213,36 +6010,37 @@ interface(`files_dontaudit_search_var',` +@@ -5213,36 +6031,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -12430,10 +12457,11 @@ index 64ff4d7..989ca8b 100644 ') - allow $1 var_t:dir list_dir_perms; +-') + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) - ') ++') ######################################## ## @@ -12466,7 +12494,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5250,17 +6048,17 @@ interface(`files_manage_var_dirs',` +@@ -5250,17 +6069,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -12488,7 +12516,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5268,17 +6066,17 @@ interface(`files_read_var_files',` +@@ -5268,17 +6087,17 @@ interface(`files_read_var_files',` ## ## # @@ -12510,7 +12538,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5286,73 +6084,86 @@ interface(`files_append_var_files',` +@@ -5286,73 +6105,86 @@ interface(`files_append_var_files',` ## ## # @@ -12617,7 +12645,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5360,50 +6171,41 @@ interface(`files_read_var_symlinks',` +@@ -5360,50 +6192,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -12682,7 +12710,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5411,69 +6213,56 @@ interface(`files_var_filetrans',` +@@ -5411,69 +6234,56 @@ interface(`files_var_filetrans',` ## ## # @@ -12767,7 +12795,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5481,17 +6270,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5481,17 +6291,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -12791,7 +12819,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5499,70 +6289,54 @@ interface(`files_list_var_lib',` +@@ -5499,70 +6310,54 @@ interface(`files_list_var_lib',` ## ## # 
@@ -12875,7 +12903,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5570,41 +6344,36 @@ interface(`files_read_var_lib_files',` +@@ -5570,41 +6365,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -12927,7 +12955,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5612,36 +6381,36 @@ interface(`files_manage_urandom_seed',` +@@ -5612,36 +6402,36 @@ interface(`files_manage_urandom_seed',` ## ## # @@ -12974,7 +13002,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5649,38 +6418,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5649,38 +6439,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -13022,7 +13050,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5688,19 +6454,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,19 +6475,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13046,7 +13074,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5708,60 +6472,54 @@ interface(`files_list_locks',` +@@ -5708,60 +6493,54 @@ interface(`files_list_locks',` ## ## # @@ -13122,7 +13150,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5769,20 +6527,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,20 +6548,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -13148,7 +13176,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -5790,185 +6546,207 @@ interface(`files_getattr_generic_locks',` +@@ -5790,86 +6567,120 @@ interface(`files_getattr_generic_locks',` ## ## # 
@@ -13278,94 +13306,63 @@ index 64ff4d7..989ca8b 100644 -## manage all lock files. +## Do not audit attempts to search the +## contents of /var/lib. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## ++## ++## +## - # --interface(`files_manage_all_locks',` ++# +interface(`files_dontaudit_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; ++ gen_require(` + type var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) ++ ') ++ + dontaudit $1 var_lib_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create an object in the locks directory, with a private --## type using a type transition. ++') ++ ++######################################## ++## +## List the contents of the /var/lib directory. ## ## ## - ## Domain allowed access. +@@ -5877,37 +6688,66 @@ interface(`files_read_all_locks',` ## ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. 
--## --## # --interface(`files_lock_filetrans',` +-interface(`files_manage_all_locks',` +interface(`files_list_var_lib',` gen_require(` +- attribute lockfile; - type var_t, var_lock_t; + type var_t, var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) + list_dirs_pattern($1, var_t, var_lib_t) - ') - --######################################## ++') ++ +########################################### - ## --## Do not audit attempts to get the attributes --## of the /var/run directory. ++## +## Read-write /var/lib directories - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_pid_dirs',` ++## ++## ++# +interface(`files_rw_var_lib_dirs',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; ++ ') ++ + rw_dirs_pattern($1, var_lib_t, var_lib_t) +') + @@ -13388,7 +13385,8 @@ index 64ff4d7..989ca8b 100644 ######################################## ## --## Set the attributes of the /var/run directory. +-## Create an object in the locks directory, with a private +-## type using a type transition. +## Create objects in the /var/lib directory ## ## 
@@ -13396,99 +13394,101 @@ index 64ff4d7..989ca8b 100644 ## Domain allowed access. ## ## +-## +## -+## + ## +-## The type of the object to be created. +## The type of the object to be created -+## -+## + ## + ## +-## +## -+## + ## +-## The object class of the object being created. +## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## + ## + ## + ## +@@ -5916,39 +6756,37 @@ interface(`files_manage_all_locks',` + ## + ## # --interface(`files_setattr_pid_dirs',` +-interface(`files_lock_filetrans',` +interface(`files_var_lib_filetrans',` gen_require(` -- type var_run_t; +- type var_t, var_lock_t; + type var_t, var_lib_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; -+ allow $1 var_t:dir search_dir_perms; + allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_lock_t, $2, $3, $4) + filetrans_pattern($1, var_lib_t, $2, $3, $4) ') ######################################## ## --## Search the contents of runtime process --## ID directories (/var/run). +-## Do not audit attempts to get the attributes +-## of the /var/run directory. +## Read generic files in /var/lib. ## ## ## -@@ -5976,39 +6754,37 @@ interface(`files_setattr_pid_dirs',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_search_pids',` +-interface(`files_dontaudit_getattr_pid_dirs',` +interface(`files_read_var_lib_files',` gen_require(` -- type var_t, var_run_t; +- type var_run_t; + type var_t, var_lib_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; + allow $1 var_lib_t:dir list_dir_perms; + read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ######################################## ## --## Do not audit attempts to search --## the /var/run directory. 
+-## Set the attributes of the /var/run directory. +## Read generic symbolic links in /var/lib ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5956,19 +6794,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # --interface(`files_dontaudit_search_pids',` +-interface(`files_setattr_pid_dirs',` +interface(`files_read_var_lib_symlinks',` gen_require(` - type var_run_t; + type var_t, var_lib_t; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ######################################## ## --## List the contents of the runtime process +-## Search the contents of runtime process -## ID directories (/var/run). +## manage generic symbolic links +## in the /var/lib directory. ## ## ## -@@ -6016,18 +6792,21 @@ interface(`files_dontaudit_search_pids',` +@@ -5976,18 +6813,495 @@ interface(`files_setattr_pid_dirs',` ## ## # --interface(`files_list_pids',` +-interface(`files_search_pids',` +interface(`files_manage_var_lib_symlinks',` gen_require(` - type var_t, var_run_t; @@ -13496,7 +13496,7 @@ index 64ff4d7..989ca8b 100644 ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) +- search_dirs_pattern($1, var_t, var_run_t) + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ') @@ -13505,17 +13505,16 @@ index 64ff4d7..989ca8b 100644 + ######################################## ## --## Read generic process ID files. +-## Do not audit attempts to search +## Create, read, write, and delete the +## pseudorandom number generator seed. - ## - ## - ## -@@ -6035,19 +6814,1150 @@ interface(`files_list_pids',` - ## - ## - # --interface(`files_read_generic_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_urandom_seed',` + gen_require(` + type var_t, var_lib_t; 
@@ -13983,14 +13982,14 @@ index 64ff4d7..989ca8b 100644 +######################################## +## +## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## the /var/run directory. + ## + ## +@@ -5996,19 +7310,675 @@ interface(`files_search_pids',` + ## + ## + # +-interface(`files_dontaudit_search_pids',` +interface(`files_dontaudit_search_pids',` + gen_require(` + type var_run_t; 
@@ -14650,82 +14649,93 @@ index 64ff4d7..989ca8b 100644 +# +interface(`files_dontaudit_search_spool',` gen_require(` -- type var_t, var_run_t; +- type var_run_t; + type var_spool_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; + dontaudit $1 var_spool_t:dir search_dir_perms; ') ######################################## ## --## Write named generic process ID pipes +-## List the contents of the runtime process +-## ID directories (/var/run). +## List the contents of generic spool +## (/var/spool) directories. ## ## ## -@@ -6055,43 +7965,189 @@ interface(`files_read_generic_pids',` +@@ -6016,18 +7986,18 @@ interface(`files_dontaudit_search_pids',` ## ## # --interface(`files_write_generic_pid_pipes',` +-interface(`files_list_pids',` +interface(`files_list_spool',` gen_require(` -- type var_run_t; +- type var_t, var_run_t; + type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; +- list_dirs_pattern($1, var_t, var_run_t) + list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## --## Create an object in the process ID directory, with a private type. +-## Read generic process ID files. +## Create, read, write, and delete generic +## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6035,19 +8005,18 @@ interface(`files_list_pids',` + ## + ## + # +-interface(`files_read_generic_pids',` +interface(`files_manage_generic_spool_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write named generic process ID pipes +## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6055,43 +8024,151 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_read_generic_spool',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + list_dirs_pattern($1, var_t, var_spool_t) + read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Create, read, write, and delete generic +## spool files. +## @@ -14885,7 +14895,7 @@ index 64ff4d7..989ca8b 100644 ##

## ## -@@ -6099,14 +8155,82 @@ interface(`files_write_generic_pid_pipes',` +@@ -6099,14 +8176,82 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -14971,7 +14981,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6114,65 +8238,56 @@ interface(`files_write_generic_pid_pipes',` +@@ -6114,65 +8259,56 @@ interface(`files_write_generic_pid_pipes',` ## The name of the object being created. ## ## @@ -15055,7 +15065,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6180,19 +8295,17 @@ interface(`files_rw_generic_pids',` +@@ -6180,19 +8316,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -15079,7 +15089,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6200,38 +8313,43 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6200,38 +8334,43 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -15135,7 +15145,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6240,127 +8358,111 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6240,127 +8379,111 @@ interface(`files_dontaudit_ioctl_all_pids',` ## ## # @@ -15297,7 +15307,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6368,132 +8470,188 @@ interface(`files_search_spool',` +@@ -6368,132 +8491,188 @@ interface(`files_search_spool',` ## ## # @@ -15539,7 +15549,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6501,53 +8659,17 @@ interface(`files_spool_filetrans',` +@@ -6501,53 +8680,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -15597,7 +15607,7 @@ index 64ff4d7..989ca8b 100644 ## ## ## -@@ -6555,10 +8677,10 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8698,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -42996,7 +43006,7 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..f10561b 100644 +index a5ec88b..26bc8ba 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) 
@@ -43042,7 +43052,7 @@ index a5ec88b..f10561b 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -63,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -43065,6 +43075,7 @@ index a5ec88b..f10561b 100644 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) +allow udev_t udev_var_run_t:file mounton; ++allow udev_t udev_var_run_t:dir mounton; +allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms; +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) @@ -43089,7 +43100,7 @@ index a5ec88b..f10561b 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t) +@@ -98,6 +112,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -43097,7 +43108,7 @@ index a5ec88b..f10561b 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -106,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -43133,7 +43144,7 @@ index a5ec88b..f10561b 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t) +@@ -144,17 +167,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -43155,7 +43166,7 @@ index a5ec88b..f10561b 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -168,7 +194,11 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) 
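Review bot: The added `allow udev_t udev_var_run_t:dir mounton;` has no in-line reference to the bug that motivates it, whereas the `kernel_rw_net_sysctls(udev_t)` rule a few lines below in the same hunk is annotated with `#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182`; the `#(1128618)` in the changelog is the only trace of why udev must mount on its own runtime directory. Add `# https://bugzilla.redhat.com/show_bug.cgi?id=1128618` above the rule so the permission can be re-examined later. It also sits directly beside the existing `udev_var_run_t:file mounton`; if both serve the same case (I cannot tell from here), a single `allow udev_t udev_var_run_t:{ file dir } mounton;` with one comment would be clearer than two rules.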
@@ -43168,7 +43179,7 @@ index a5ec88b..f10561b 100644 userdom_dontaudit_search_user_home_content(udev_t) -@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',` +@@ -179,16 +209,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -43187,7 +43198,7 @@ index a5ec88b..f10561b 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -226,19 +248,38 @@ optional_policy(` +@@ -226,19 +249,38 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -43226,7 +43237,7 @@ index a5ec88b..f10561b 100644 ') optional_policy(` -@@ -264,6 +305,10 @@ optional_policy(` +@@ -264,6 +306,10 @@ optional_policy(` ') optional_policy(` @@ -43237,7 +43248,7 @@ index a5ec88b..f10561b 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +323,15 @@ optional_policy(` +@@ -278,6 +324,15 @@ optional_policy(` ') optional_policy(` @@ -43253,7 +43264,7 @@ index a5ec88b..f10561b 100644 unconfined_signal(udev_t) ') -@@ -290,6 +344,7 @@ optional_policy(` +@@ -290,6 +345,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 23597a4..70da7ca 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..6098f52 100644 +index e4f84de..b5f4f9a 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,46 @@ +@@ -1,30 +1,48 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) 
@@ -14,7 +14,7 @@ index e4f84de..6098f52 100644 -/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) + -+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) ++/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) +/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) @@ -36,6 +36,8 @@ index e4f84de..6098f52 100644 + +/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) + ++/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0) ++ +/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -566,7 +568,7 @@ index 058d908..cf17e67 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..9b01e12 100644 +index cc43d25..b2e7c34 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -575,7 +577,7 @@ index cc43d25..9b01e12 100644 ######################################## # -@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4) +@@ -6,105 +6,134 @@ policy_module(abrt, 1.3.4) # ## @@ -636,6 +638,9 @@ index cc43d25..9b01e12 100644 type abrt_var_log_t; logging_log_file(abrt_var_log_t) ++type abrt_var_lib_t; ++files_type(abrt_var_lib_t) ++ type abrt_tmp_t; files_tmp_file(abrt_tmp_t) 
@@ -751,7 +756,7 @@ index cc43d25..9b01e12 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +141,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -783,7 +788,7 @@ index cc43d25..9b01e12 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +172,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -802,7 +807,7 @@ index cc43d25..9b01e12 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +193,43 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +196,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -849,7 +854,7 @@ index cc43d25..9b01e12 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +237,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +240,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -866,7 +871,7 @@ index cc43d25..9b01e12 100644 ') optional_policy(` -@@ -209,6 +249,20 @@ optional_policy(` +@@ -209,6 +252,20 @@ optional_policy(` ') optional_policy(` @@ -887,7 +892,7 @@ index cc43d25..9b01e12 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -221,6 +275,11 @@ optional_policy(` +@@ -221,6 +278,11 @@ optional_policy(` ') optional_policy(` 
@@ -899,7 +904,7 @@ index cc43d25..9b01e12 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -230,6 +289,7 @@ optional_policy(` +@@ -230,6 +292,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -907,7 +912,7 @@ index cc43d25..9b01e12 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +300,17 @@ optional_policy(` +@@ -240,9 +303,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -926,7 +931,7 @@ index cc43d25..9b01e12 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +321,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +324,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -941,7 +946,7 @@ index cc43d25..9b01e12 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +343,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -949,7 +954,7 @@ index cc43d25..9b01e12 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +352,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -970,7 +975,7 @@ index cc43d25..9b01e12 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +370,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +373,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -997,7 +1002,7 @@ index cc43d25..9b01e12 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +409,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1011,7 +1016,7 @@ index cc43d25..9b01e12 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +424,11 @@ optional_policy(` +@@ -330,10 +427,11 @@ optional_policy(` ####################################### # @@ -1025,7 +1030,7 @@ index cc43d25..9b01e12 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +450,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1057,6 +1062,9 @@ index cc43d25..9b01e12 100644 manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) +files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt") ++ ++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t) ++manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t) read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) 
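Review bot: `manage_dirs_pattern`/`manage_files_pattern` on abrt_var_lib_t give abrt_dump_oops_t full control inside /var/lib/abrt, but nothing in the hunk adds a file transition for the new type, so if a dumper creates /var/lib/abrt itself at runtime the directory would come into existence as var_lib_t and these rules would not reach it. `files_var_lib_filetrans(abrt_dump_oops_t, abrt_var_lib_t, dir, "abrt")` covers that case, if the tools do create the directory rather than relying on packaging. It is also not visible in this commit whether abrt_t reads or writes /var/lib/abrt; if it does, it needs a corresponding rule for abrt_var_lib_t. The abrt_dump_oops_t section continues outside the hunk.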
@@ -1067,12 +1075,17 @@ index cc43d25..9b01e12 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) ++dev_read_urand(abrt_dump_oops_t) ++dev_read_rand(abrt_dump_oops_t) ++ domain_use_interactive_fds(abrt_dump_oops_t) ++fs_getattr_all_fs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) +fs_list_pstorefs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) ++logging_read_syslog_pid(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) ####################################### @@ -1087,7 +1100,7 @@ index cc43d25..9b01e12 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +505,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +516,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1113,19 +1126,19 @@ index cc43d25..9b01e12 100644 +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) + +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) - --logging_send_syslog_msg(abrt_domain) ++ +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) - --miscfiles_read_localization(abrt_domain) ++ +corecmd_exec_bin(abrt_upload_watch_t) + +dev_read_urand(abrt_upload_watch_t) + +files_search_spool(abrt_upload_watch_t) -+ + +-logging_send_syslog_msg(abrt_domain) +auth_read_passwd(abrt_upload_watch_t) -+ + +-miscfiles_read_localization(abrt_domain) +tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') @@ -30085,7 +30098,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) 
diff --git a/gnome.if b/gnome.if -index d03fd43..af9415c 100644 +index d03fd43..ba8cb38 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ @@ -31148,7 +31161,7 @@ index d03fd43..af9415c 100644 ## ## ## -@@ -704,12 +778,966 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -31910,6 +31923,25 @@ index d03fd43..af9415c 100644 + userdom_search_user_home_dirs($1) +') + ++######################################## ++## ++## Check whether sendmail executable ++## files are executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_access_check_usr_config',` ++ gen_require(` ++ type config_usr_t; ++ ') ++ ++ allow $1 config_usr_t:dir_file_class_set audit_access;; ++') ++ +###################################### +## +## Allow read kde config content @@ -32964,7 +32996,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..4af1ba0 100644 +index 44cf341..2153214 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ @@ -33309,7 +33341,7 @@ index 44cf341..4af1ba0 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,37 +264,41 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,37 +264,42 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -33335,6 +33367,7 @@ index 44cf341..4af1ba0 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) ++ userdom_manage_all_user_tmp_content(gpg_agent_t) ') -tunable_policy(`use_nfs_home_dirs',` 
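Review bot: The summary of the new `gnome_access_check_usr_config` interface, `Check whether sendmail executable files are executable.`, was copied from a sendmail interface and does not describe the rule beneath it, which grants `audit_access` on config_usr_t; a summary such as `Allow the specified domain to perform access(2) checks on GNOME config files under /usr without granting read or write.` would match it. Two smaller things on the rule line: `audit_access;;` carries a stray second semicolon the policy compiler may tolerate but which reads as a slip, and `dir_file_class_set` also covers sockets, fifos and device nodes where `{ dir file lnk_file }` describes config_usr_t content. Note that the other access-check change in this commit, `files_dontaudit_access_check_home_dir(policykit_auth_t)` in policykit.te, uses `dontaudit`, which as far as I recall is the form that changes what the kernel audits for access(2) checks; confirm that an `allow` is what policykit_auth_t needs here.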
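Review bot: `userdom_manage_all_user_tmp_content(gpg_agent_t)` grants create, write and delete over every user's temporary content, which is wider than the changelog entry "update gpg_agent_env_file boolean to allow manage user tmp files for gpg-agent" suggests; `userdom_manage_user_tmp_files(gpg_agent_t)` together with the matching dirs and sockets interfaces expresses writing the agent's own env file and sockets without reaching other users' tmp data. If the broad rule is needed because of a specific denial, a one-line comment above it naming that case (`# needed for <bug id placeholder>`) keeps the reason next to the rule. The tunable_policy block this line sits in starts outside the hunk.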
@@ -33363,7 +33396,7 @@ index 44cf341..4af1ba0 100644 ############################## # # Pinentry local policy -@@ -277,8 +306,17 @@ optional_policy(` +@@ -277,8 +307,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; @@ -33382,7 +33415,7 @@ index 44cf341..4af1ba0 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +325,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +326,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -47505,10 +47538,10 @@ index c97c177..9411154 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..1e1a679 100644 +index f42896c..bd1eb52 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,34 +1,45 @@ +@@ -1,34 +1,44 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) @@ -47547,7 +47580,7 @@ index f42896c..1e1a679 100644 /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -65114,7 +65147,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') 
diff --git a/policykit.te b/policykit.te -index 49694e8..a1497cd 100644 +index 49694e8..55d1871 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -65286,7 +65319,7 @@ index 49694e8..a1497cd 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,65 +159,79 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -65296,7 +65329,10 @@ index 49694e8..a1497cd 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) -@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t) + + files_read_etc_runtime_files(policykit_auth_t) + files_search_home(policykit_auth_t) ++files_dontaudit_access_check_home_dir(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) @@ -65324,10 +65360,14 @@ index 49694e8..a1497cd 100644 optional_policy(` consolekit_dbus_chat(policykit_auth_t) ') -- ++') + - optional_policy(` - policykit_dbus_chat(policykit_auth_t) - ') ++optional_policy(` ++ gnome_read_config(policykit_auth_t) ++ gnome_access_check_usr_config(policykit_auth_t) ') optional_policy(` @@ -65371,7 +65411,7 @@ index 49694e8..a1497cd 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +239,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) 
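Review bot: The new optional_policy block gives policykit_auth_t `gnome_read_config` and `gnome_access_check_usr_config` with no comment on what polkit's auth helper reads from GNOME configuration, and the changelog entry only restates the rule. A why-comment above the block (`# polkit auth helper: needed for <denial/bug placeholder>`) would let the next reviewer judge whether read access to all config_usr_t content is still required rather than an access check alone. The policykit_auth_t section continues outside the hunk.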
@@ -65398,7 +65438,7 @@ index 49694e8..a1497cd 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +254,28 @@ optional_policy(` +@@ -235,26 +260,28 @@ optional_policy(` ######################################## # @@ -65433,7 +65473,7 @@ index 49694e8..a1497cd 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +287,6 @@ optional_policy(` +@@ -266,6 +293,6 @@ optional_policy(` ') optional_policy(` @@ -103203,7 +103243,7 @@ index 9dec06c..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index 1f22fba..d894b4d 100644 +index 1f22fba..e8ed215 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,224 @@ @@ -104667,7 +104707,7 @@ index 1f22fba..d894b4d 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1143,315 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -104716,6 +104756,8 @@ index 1f22fba..d894b4d 100644 +# svirt_sandbox_domain local policy # +allow svirt_sandbox_domain self:key manage_key_perms; ++dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; ++ +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow svirt_sandbox_domain self:fifo_file manage_file_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; @@ -105120,7 +105162,7 @@ index 1f22fba..d894b4d 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1464,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
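Review bot: `dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;` silences keyring-search denials between any two sandbox domains, not just a domain's own keyring, which `self:key manage_key_perms` on the line above already allows; the rule changes nothing for enforcement, but it removes the audit trail for one container probing another's keys. If the noise comes from a known path, a comment above the rule naming it (`# <tool/bug placeholder> searches other sandboxes' keyrings; deny quietly`) keeps the reason reviewable, and if only same-type, different-category lookups are involved, saying so makes the scope clear. The svirt_sandbox_domain section continues outside the hunk.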
@@ -105135,7 +105177,7 @@ index 1f22fba..d894b4d 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1482,8 @@ optional_policy(` +@@ -1183,9 +1484,8 @@ optional_policy(` ######################################## # @@ -105146,7 +105188,7 @@ index 1f22fba..d894b4d 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1496,219 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -106609,7 +106651,7 @@ index fd2b6cc..938c4a7 100644 +') + diff --git a/wine.te b/wine.te -index b51923c..4906ce0 100644 +index b51923c..f38d4b1 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) @@ -106625,7 +106667,7 @@ index b51923c..4906ce0 100644 type wine_exec_t; userdom_user_application_domain(wine_t, wine_exec_t) role wine_roles types wine_t; -@@ -25,56 +26,58 @@ role wine_roles types wine_t; +@@ -25,56 +26,59 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) @@ -106662,6 +106704,7 @@ index b51923c..4906ce0 100644 +can_exec(wine_domain, wine_exec_t) + +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) ++manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) +userdom_tmpfs_filetrans(wine_domain, file) +wine_filetrans_named_content(wine_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index 4e54ce3..073278f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 183%{?dist} +Release: 184%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 10 2014 Lukas Vrabec 3.12.1-184
+- ALlow wine domains to create wine_home symlinks.
+- Allow policykit_auth_t access check and read usr config files.
+- Dontaudit access check on home_root_t for policykit-auth.
+- update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent.
+- Fix label for /usr/bin/courier/bin/sendmail
+- Add files_dontaudit_access_check_home_dir() inteface.
+- Allow udev_t mounton udev_var_run_t dirs #(1128618)
+
 * Thu Sep 04 2014 Lukas Vrabec 3.12.1-183
 - Allow init to read all config files
 - Add new interface to allow creation of file with lib_t type