From d6b6514403272d1f0742d715536da7a192598e31 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 17 2013 09:10:05 +0000 Subject: - Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv - Allow mailserver_domains to manage and transition to mailman data - Allow svirt_domains to read sysctl_net_t - Allow thumb_t to use tmpfs inherited from the user - Allow mozilla_plugin to bind to the vnc port if running with spice - Add new attribute to discover confined_admins and assign confined admin to - Fix zabbix to handle attributes in interfaces - Fix zabbix to read system states for all zabbix domains - Fix piranha_domain_template() - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow lldpad sys_rouserce cap due to #986870 - Allow dovecot-auth to read nologin - Allow openlmi-networking to read /proc/net/dev - Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t - Add zabbix_domain attribute for zabbix domains to treat them together - Add labels for zabbix-poxy-* (#1018221) - Update openlmi-storage policy to reflect #1015067 - Back port piranha tmpfs fixes from RHEL6 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildro - Add postfix_rw_spool_maildrop_files interface - Call new userdom_admin_user_templat() also for sysadm_secadm.pp - Fix typo in userdom_admin_user_template() - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it - Dontaudit leaked write descriptor to dmesg Conflicts: selinux-policy.spec
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 583b8b8..c09ae40 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1490,7 +1490,7 @@ index d6cc2d9..0685b19 100644 + +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..ff164b3 100644 +index 72bc6d8..17357e5 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -9,6 +9,10 @@ type dmesg_t; @@ -1504,7 +1504,7 @@ index 72bc6d8..ff164b3 100644 ######################################## # # Local policy -@@ -19,6 +23,7 @@ dontaudit dmesg_t self:capability sys_tty_config; +@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config; allow dmesg_t self:process signal_perms; @@ -1512,20 +1512,22 @@ index 72bc6d8..ff164b3 100644 kernel_read_kernel_sysctls(dmesg_t) kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) -@@ -27,6 +32,7 @@ kernel_list_proc(dmesg_t) + kernel_change_ring_buffer_level(dmesg_t) + kernel_list_proc(dmesg_t) kernel_read_proc_symlinks(dmesg_t) ++kernel_dontaudit_write_kernel_sysctl(dmesg_t) dev_read_sysfs(dmesg_t) +dev_read_kmsg(dmesg_t) fs_search_auto_mountpoints(dmesg_t) -@@ -44,10 +50,13 @@ init_use_script_ptys(dmesg_t) +@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t) logging_send_syslog_msg(dmesg_t) logging_write_generic_logs(dmesg_t) -miscfiles_read_localization(dmesg_t) - +- userdom_dontaudit_use_unpriv_user_fds(dmesg_t) -userdom_use_user_terminals(dmesg_t) +userdom_use_inherited_user_terminals(dmesg_t) @@ -17039,9 +17041,18 @@ index 0000000..48caabc +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065..1105353 100644 +index 834a065..c769f81 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te +@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) + + role auditadm_r; + role system_r; +-userdom_unpriv_user_template(auditadm) ++userdom_confined_admin_template(auditadm) + + ######################################## + # 
@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t) domain_kill_all_domains(auditadm_t) @@ -17065,10 +17076,18 @@ index 834a065..1105353 100644 consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te -index 3a45a3e..6b08160 100644 +index 3a45a3e..7499f24 100644 --- a/policy/modules/roles/logadm.te +++ b/policy/modules/roles/logadm.te -@@ -14,6 +14,5 @@ userdom_base_user_template(logadm) +@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) + + role logadm_r; + +-userdom_base_user_template(logadm) ++userdom_confined_admin_template(logadm) + + ######################################## + # # logadmin local policy # @@ -17077,13 +17096,17 @@ index 3a45a3e..6b08160 100644 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da11120..34f3a61 100644 +index da11120..d67bcca 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te -@@ -9,6 +9,8 @@ role secadm_r; +@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0) + + role secadm_r; - userdom_unpriv_user_template(secadm) - userdom_security_admin_template(secadm_t, secadm_r) +-userdom_unpriv_user_template(secadm) +-userdom_security_admin_template(secadm_t, secadm_r) ++userdom_confined_admin_template(secadm) ++userdom_security_admin(secadm_t, secadm_r) +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) @@ -18080,7 +18103,7 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te new file mode 100644 -index 0000000..63bc797 +index 0000000..3175fd7 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.te @@ -0,0 +1,25 @@ 
@@ -18096,7 +18119,7 @@ index 0000000..63bc797 + role sysadm_r; +') + -+userdom_security_admin_template(sysadm_t, sysadm_r) ++userdom_admin_user_template(sysadm_t, sysadm_r) + +####################################### +# @@ -24669,7 +24692,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..eb629f0 100644 +index 3efd5b6..f0151a8 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -24858,7 +24881,32 @@ index 3efd5b6..eb629f0 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -322,6 +358,24 @@ interface(`auth_rw_cache',` + + ######################################## + ## ++## Create authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_create_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ create_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ ++######################################## ++## + ## Manage authentication cache + ## + ## +@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -24867,7 +24915,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -428,6 +466,24 @@ interface(`auth_domtrans_chkpwd',` +@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',` ######################################## ## @@ -24892,7 +24940,7 @@ index 3efd5b6..eb629f0 100644 ## Execute chkpwd programs in the chkpwd domain. ## ## -@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; 
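Review bot: `userdom_admin_user_template(sysadm_t, sysadm_r)` in sysadm_secadm.te hands the template a type name where it expects a prefix: the `userdom_admin_user_template` body in the userdomain.if hunks further down derives its domain as `$1_t` (`role system_r types $1_t;`, `typeattribute $1_t admindomain;`), so this call would refer to `sysadm_t_t` rather than `sysadm_t`, and the second argument has no `$2` to land on. The secadm.te hunk earlier in this diff replaces the same old call with the renamed `userdom_security_admin(secadm_t, secadm_r)`, whose body applies rules to `$1` directly, so the consistent line here is `userdom_security_admin(sysadm_t, sysadm_r)`. Whether the build rejects the undeclared `sysadm_t_t` or silently produces an unused domain cannot be told from this diff, but in either case the security-admin rules would not reach sysadm_t; the rest of sysadm_secadm.te lies outside the hunk.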
@@ -24918,7 +24966,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -24926,7 +24974,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -24937,7 +24985,7 @@ index 3efd5b6..eb629f0 100644 ') ####################################### -@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -24989,7 +25037,7 @@ index 3efd5b6..eb629f0 100644 ') ####################################### -@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -25020,7 +25068,7 @@ index 3efd5b6..eb629f0 100644 ## ## ## -@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -25051,7 +25099,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -25070,7 +25118,7 @@ index 3efd5b6..eb629f0 100644 ## ## ## -@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',` ## ## # @@ -25108,7 +25156,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -25142,7 +25190,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -25153,7 +25201,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -25161,7 +25209,7 @@ index 3efd5b6..eb629f0 100644 ') ####################################### -@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -25187,7 +25235,7 @@ index 3efd5b6..eb629f0 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -25213,7 +25261,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -25230,7 +25278,7 @@ index 3efd5b6..eb629f0 100644 ') ######################################## -@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',` +@@ -1805,3 +2029,241 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -26009,7 +26057,7 @@ index 3694bfe..7fcd27a 100644 ') 
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index a97a096..f65892c 100644 +index a97a096..bf726c3 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ @@ -26025,7 +26073,14 @@ index a97a096..f65892c 100644 /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -41,7 +39,46 @@ +@@ -35,13 +33,53 @@ + /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29149,10 +29204,10 @@ index dd3be8d..4d15ea1 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..97f750e 100644 +index 662e79b..ae5a411 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,21 @@ +@@ -1,14 +1,22 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) 
@@ -29169,14 +29224,14 @@ index 662e79b..97f750e 100644 /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) --/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + -+/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +33,22 @@ +@@ -26,16 +34,22 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -36021,10 +36076,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..685e79a +index 0000000..f0fe449 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1393 @@ +@@ -0,0 +1,1394 @@ +## SELinux policy for systemd components + +###################################### @@ -36433,6 +36488,7 @@ index 0000000..685e79a + allow systemd_logind_t $1:dbus send_msg; + ps_process_pattern(systemd_logind_t, $1) + allow systemd_logind_t $1:process signal; ++ allow $1 systemd_logind_t:fd use; +') + +####################################### @@ -39453,7 +39509,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..f15c4f0 100644 +index 3c5dba7..9b2cdf7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
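Review bot: `allow $1 systemd_logind_t:fd use;` widens what this systemd.if interface grants to every caller, but nothing on the line or in the interface's XML block (outside the hunk; the interface name is not visible here) says why, and the commit message only states that logind "seems to" pass descriptors. A why-comment on the line would keep the next maintainer from treating it as stray, e.g. `# logind hands open fds to the domains it dbus-chats with; without this they hit fd:use denials`, ideally naming the descriptor involved once that is confirmed from an audit record. Note that `fd use` is checked in addition to the caller's own permissions on the object the descriptor refers to, so the rule by itself does not grant access to that object; that is worth stating in the interface description so the grant is not mistaken for a broader one.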
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40423,7 +40479,7 @@ index 3c5dba7..f15c4f0 100644 userdom_change_password_template($1) -@@ -761,82 +984,100 @@ template(`userdom_login_user_template', ` +@@ -761,82 +984,101 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40482,6 +40538,7 @@ index 3c5dba7..f15c4f0 100644 + fs_rw_anon_inodefs_files($1_usertype) + auth_role($1_r, $1_t) ++ auth_create_cache($1_t) + auth_rw_cache($1_t) + auth_search_pam_console_data($1_t) + auth_dontaudit_read_login_records($1_t) @@ -40560,7 +40617,7 @@ index 3c5dba7..f15c4f0 100644 ') ') -@@ -868,6 +1109,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40573,7 +40630,7 @@ index 3c5dba7..f15c4f0 100644 ############################## # # Local policy -@@ -907,42 +1154,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -40686,7 +40743,7 @@ index 3c5dba7..f15c4f0 100644 ') optional_policy(` -@@ -951,15 +1255,36 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -40726,7 +40783,7 @@ index 3c5dba7..f15c4f0 100644 ## ## The template for creating a unprivileged user roughly ## equivalent to a regular linux user. -@@ -990,27 +1315,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -40764,7 +40821,7 @@ index 3c5dba7..f15c4f0 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1352,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -40835,7 +40892,7 @@ index 3c5dba7..f15c4f0 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1414,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40846,16 +40903,26 @@ index 3c5dba7..f15c4f0 100644 ') ') -@@ -1082,7 +1452,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; - class passwd { passwd chfn chsh rootok }; ++ attribute confined_admindomain; ++ + class passwd { passwd chfn chsh rootok crontab }; ') ############################## -@@ -1109,6 +1479,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',` + role system_r types $1_t; + + typeattribute $1_t admindomain; ++ typeattribute $1_t confined_admindomain; + + ifdef(`direct_sysadm_daemon',` + domain_system_change_exemption($1_t) +@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40863,7 +40930,7 @@ index 3c5dba7..f15c4f0 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1488,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40873,7 +40940,7 @@ index 3c5dba7..f15c4f0 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -40881,7 +40948,7 @@ index 3c5dba7..f15c4f0 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40896,7 +40963,7 @@ index 3c5dba7..f15c4f0 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40939,7 +41006,7 @@ index 3c5dba7..f15c4f0 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40948,7 +41015,7 @@ index 3c5dba7..f15c4f0 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -40967,7 +41034,16 @@ index 3c5dba7..f15c4f0 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',` +@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` + ## + ## + # +-template(`userdom_security_admin_template',` ++template(`userdom_security_admin',` + allow $1 self:capability { dac_read_search dac_override }; + + corecmd_exec_shell($1) +@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40976,7 +41052,7 @@ index 3c5dba7..f15c4f0 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40988,7 +41064,7 @@ index 3c5dba7..f15c4f0 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -41031,7 +41107,7 @@ index 3c5dba7..f15c4f0 100644 ') optional_policy(` -@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -41050,7 +41126,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## 
@@ -41102,7 +41178,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -41134,7 +41210,7 @@ index 3c5dba7..f15c4f0 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -41149,7 +41225,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -41161,7 +41237,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -41204,7 +41280,7 @@ index 3c5dba7..f15c4f0 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -41213,7 +41289,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -41228,7 +41304,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -41255,7 +41331,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41338,7 +41414,7 @@ index 3c5dba7..f15c4f0 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41364,7 +41440,7 @@ index 3c5dba7..f15c4f0 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -41402,7 +41478,7 @@ index 3c5dba7..f15c4f0 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -41420,7 +41496,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -41429,7 +41505,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -41453,7 +41529,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -1969,35 +2564,35 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -41497,7 +41573,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -2005,45 +2600,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` +@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` ## ## # @@ -41604,7 +41680,7 @@ index 3c5dba7..f15c4f0 100644 ## Do not audit attempts to execute user home files. ## ## -@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -41613,7 +41689,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41637,7 +41713,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41653,7 +41729,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -41668,7 +41744,7 @@ index 3c5dba7..f15c4f0 100644 files_search_tmp($1) ') -@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41677,7 +41753,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41703,7 +41779,7 @@ index 3c5dba7..f15c4f0 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41719,7 +41795,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -41728,7 +41804,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -41763,7 +41839,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41788,7 +41864,7 @@ index 3c5dba7..f15c4f0 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
@@ -41831,7 +41907,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41869,7 +41945,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41899,7 +41975,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -42000,7 +42076,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -42015,7 +42091,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -42024,7 +42100,7 @@ index 3c5dba7..f15c4f0 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -42058,7 +42134,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -42085,7 +42161,7 @@ index 3c5dba7..f15c4f0 100644 ') ######################################## -@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -42101,7 +42177,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -3285,36 +4031,37 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,36 +4035,37 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -42149,7 +42225,7 @@ index 3c5dba7..f15c4f0 100644 ## ## ## -@@ -3322,25 +4069,81 @@ interface(`userdom_read_all_users_state',` +@@ -3322,21 +4073,77 @@ interface(`userdom_read_all_users_state',` ## ## # @@ -42172,10 +42248,9 @@ index 3c5dba7..f15c4f0 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`userdom_use_all_users_fds',` ++## ++## ++# +interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; @@ -42229,14 +42304,10 @@ index 3c5dba7..f15c4f0 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`userdom_use_all_users_fds',` - gen_require(` - attribute userdomain; - ') -@@ -3385,6 +4188,42 @@ interface(`userdom_signal_all_users',` + ## + ## + # +@@ -3385,6 +4192,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -42279,7 +42350,7 @@ index 3c5dba7..f15c4f0 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4244,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4248,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -42304,7 +42375,7 @@ index 3c5dba7..f15c4f0 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4295,1493 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4299,1533 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
@@ -43797,12 +43868,52 @@ index 3c5dba7..f15c4f0 100644 + ') + + dontaudit $1 user_home_type:dir_file_class_set audit_access; ++') ++ ++####################################### ++## ++## The template containing the most basic rules common to confined admin. ++## ++## ++##

++## The template containing the most basic rules common to all users. ++##

++##

++## This template creates a user domain, types, and ++## rules for the user's tty and pty. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++# ++template(`userdom_confined_admin_template',` ++ ++ gen_require(` ++ attribute confined_admindomain; ++ attribute userdomain; ++ type user_devpts_t, user_tty_device_t; ++ class context contains; ++ ') ++ ++ type $1_t, userdomain, confined_admindomain; ++ role $1_r; ++ role $1_r types $1_t; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ ubac_constrained($1_t) ++ ++ auth_use_nsswitch($1_t) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..fe99b11 100644 +index e2b538b..e0c6eeb 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te -@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) +@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) ## ##
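Review bot: The doc block of `userdom_confined_admin_template` carries two summaries — `## The template containing the most basic rules common to confined admin.` is directly followed by the base template's `## The template containing the most basic rules common to all users.` and its description about creating tty/pty rules — so the rendered interface documentation describes the wrong template; drop the second summary and reword the description to say the domain is created with the `confined_admindomain` attribute and picks up that attribute's rules from userdomain.te. The `gen_require` also lists `type user_devpts_t, user_tty_device_t;` and `class context contains;`, but nothing in the visible template body references them (the tty, pty and context rules are written against the attribute in the .te file), so those two lines look carried over from the base template. `role $1_r;` is additionally declared by at least one caller (dbadm.te's `role dbadm_r;` appears later in this diff), which presumably relies on the module compiler accepting a duplicate role declaration — confirm that in a build, or drop the line since `role $1_r types $1_t;` already requires the role.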

@@ -43859,10 +43970,11 @@ index e2b538b..fe99b11 100644 attribute admindomain; +attribute login_userdomain; ++attribute confined_admindomain; # all user domains attribute userdomain; -@@ -58,6 +52,24 @@ attribute unpriv_userdomain; +@@ -58,6 +53,24 @@ attribute unpriv_userdomain; attribute user_home_content_type; @@ -43887,7 +43999,7 @@ index e2b538b..fe99b11 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
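Review bot: `attribute confined_admindomain;` is added without the one-line comment its neighbours carry (`# all user domains` precedes `attribute userdomain;` in the same hunk), so a reader of the declarations has to find the template to learn what it is. Add `# confined administrative user domains (assigned by userdom_confined_admin_template)` above it.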
@@ -44117,6 +44229,138 @@ index e2b538b..fe99b11 100644 + xserver_filetrans_home_content(userdom_filetrans_type) + xserver_filetrans_admin_home_content(userdom_filetrans_type) +') ++ ++############################################################ ++# Local Policy Confined Admin ++# ++gen_require(` ++ class context contains; ++') ++ ++corecmd_shell_entry_type(confined_admindomain) ++corecmd_bin_entry_type(confined_admindomain) ++ ++term_user_pty(confined_admindomain, user_devpts_t) ++term_user_tty(confined_admindomain, user_tty_device_t) ++term_dontaudit_getattr_generic_ptys(confined_admindomain) ++ ++allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; ++tunable_policy(`deny_ptrace',`',` ++ allow confined_admindomain self:process ptrace; ++') ++allow confined_admindomain self:fd use; ++allow confined_admindomain self:key manage_key_perms; ++ ++allow confined_admindomain self:fifo_file rw_fifo_file_perms; ++allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto }; ++allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow confined_admindomain self:shm create_shm_perms; ++allow confined_admindomain self:sem create_sem_perms; ++allow confined_admindomain self:msgq create_msgq_perms; ++allow confined_admindomain self:msg { send receive }; ++allow confined_admindomain self:context contains; ++dontaudit confined_admindomain self:socket create; ++ ++allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms }; ++term_create_pty(confined_admindomain, user_devpts_t) ++# avoid annoying messages on terminal hangup on role change ++dontaudit confined_admindomain user_devpts_t:chr_file ioctl; ++ ++allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms }; ++# avoid annoying messages on terminal hangup on role change ++dontaudit confined_admindomain user_tty_device_t:chr_file ioctl; ++ 
++application_exec_all(confined_admindomain)
++
++kernel_read_kernel_sysctls(confined_admindomain)
++kernel_read_all_sysctls(confined_admindomain)
++kernel_dontaudit_list_unlabeled(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
++kernel_dontaudit_list_proc(confined_admindomain)
++
++dev_dontaudit_getattr_all_blk_files(confined_admindomain)
++dev_dontaudit_getattr_all_chr_files(confined_admindomain)
++dev_getattr_mtrr_dev(confined_admindomain)
++
++# When the user domain runs ps, there will be a number of access
++# denials when ps tries to search /proc. Do not audit these denials.
++domain_dontaudit_read_all_domains_state(confined_admindomain)
++domain_dontaudit_getattr_all_domains(confined_admindomain)
++domain_dontaudit_getsession_all_domains(confined_admindomain)
++dev_dontaudit_all_access_check(confined_admindomain)
++
++files_read_etc_files(confined_admindomain)
++files_list_mnt(confined_admindomain)
++files_list_var(confined_admindomain)
++files_read_mnt_files(confined_admindomain)
++files_dontaudit_all_access_check(confined_admindomain)
++files_read_etc_runtime_files(confined_admindomain)
++files_read_usr_files(confined_admindomain)
++files_read_usr_src_files(confined_admindomain)
++# Read directories and files with the readable_t type.
++# This type is a general type for "world"-readable files.
++files_list_world_readable(confined_admindomain)
++files_read_world_readable_files(confined_admindomain)
++files_read_world_readable_symlinks(confined_admindomain)
++files_read_world_readable_pipes(confined_admindomain)
++files_read_world_readable_sockets(confined_admindomain)
++# old broswer_domain():
++files_dontaudit_getattr_all_dirs(confined_admindomain)
++files_dontaudit_list_non_security(confined_admindomain)
++files_dontaudit_getattr_all_files(confined_admindomain)
++files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
++files_dontaudit_getattr_non_security_pipes(confined_admindomain)
++files_dontaudit_getattr_non_security_sockets(confined_admindomain)
++files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
++
++files_exec_usr_files(confined_admindomain)
++
++fs_list_cgroup_dirs(confined_admindomain)
++fs_dontaudit_rw_cgroup_files(confined_admindomain)
++
++storage_rw_fuse(confined_admindomain)
++
++init_stream_connect(confined_admindomain)
++# The library functions always try to open read-write first,
++# then fall back to read-only if it fails.
++init_dontaudit_rw_utmp(confined_admindomain)
++
++libs_exec_ld_so(confined_admindomain)
++
++miscfiles_read_generic_certs(confined_admindomain)
++
++miscfiles_read_all_certs(confined_admindomain)
++miscfiles_read_public_files(confined_admindomain)
++
++systemd_dbus_chat_logind(confined_admindomain)
++systemd_read_logind_sessions_files(confined_admindomain)
++systemd_write_inhibit_pipes(confined_admindomain)
++systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
++systemd_login_read_pid_files(confined_admindomain)
++tunable_policy(`deny_execmem',`', `
++ # Allow loading DSOs that require executable stack.
++ allow confined_admindomain self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ # Allow making the stack executable via mprotect.
++ allow confined_admindomain self:process execstack; ++') ++ ++optional_policy(` ++ fs_list_cgroup_dirs(confined_admindomain) ++') ++ ++optional_policy(` ++ ssh_rw_stream_sockets(confined_admindomain) ++ ssh_delete_tmp(confined_admindomain) ++ ssh_signal(confined_admindomain) ++') diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d545..101086d 100644 --- a/policy/support/misc_patterns.spt diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3ce3069..3ce5e12 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3007,10 +3007,10 @@ index 0000000..784557c + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..842225c 100644 +index 550a69e..66ba451 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,199 @@ +@@ -1,161 +1,200 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3076,6 +3076,7 @@ index 550a69e..842225c 100644 +/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -4706,7 +4707,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..217ba9e 100644 +index 1a82e29..19bd545 100644 --- a/apache.te 
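Review bot: `fs_list_cgroup_dirs(confined_admindomain)` is granted twice in the new "Local Policy Confined Admin" block — once unconditionally next to `fs_dontaudit_rw_cgroup_files` and again inside its own `optional_policy(\`…')` near the end — so the second copy is redundant and should be removed. The block is otherwise a near copy of the unprivileged user base rules plus `application_exec_all`, `files_exec_usr_files`, `kernel_read_all_sysctls`, `storage_rw_fuse` and self-ptrace when `deny_ptrace` is off; because the attribute is now attached to every role that calls the template, a header comment under `# Local Policy Confined Admin` listing exactly what a confined admin gains over an unprivileged user would make later audits of this attribute much easier. Two copied nits: `# old broswer_domain():` should read `browser`, and `tunable_policy(\`deny_execmem',\`', \`` has a stray space before the last backtick that the `deny_ptrace` block above it does not.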
+++ b/apache.te @@ -1,297 +1,367 @@ @@ -5685,7 +5686,7 @@ index 1a82e29..217ba9e 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5730,6 +5731,7 @@ index 1a82e29..217ba9e 100644 + corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) mta_signal_system_mail(httpd_t) ++ postfix_rw_spool_maildrop_files(httpd_t) ') -optional_policy(` @@ -5775,7 +5777,7 @@ index 1a82e29..217ba9e 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5856,7 +5858,7 @@ index 1a82e29..217ba9e 100644 ') optional_policy(` -@@ -743,14 +870,6 @@ optional_policy(` +@@ -743,14 +871,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5871,7 +5873,7 @@ index 1a82e29..217ba9e 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +884,23 @@ optional_policy(` +@@ -765,6 +885,23 @@ optional_policy(` ') optional_policy(` @@ -5895,7 +5897,7 @@ index 1a82e29..217ba9e 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +917,46 @@ optional_policy(` +@@ -781,34 +918,46 @@ optional_policy(` ') optional_policy(` @@ -5953,7 +5955,7 @@ index 1a82e29..217ba9e 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +964,18 @@ optional_policy(` +@@ -816,8 +965,18 @@ optional_policy(` ') optional_policy(` @@ -5972,7 +5974,7 @@ index 1a82e29..217ba9e 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +984,7 @@ optional_policy(` +@@ -826,6 +985,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
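Review bot: `postfix_rw_spool_maildrop_files(httpd_t)` is called directly inside the tunable block (whose opening is outside this hunk), not inside an `optional_policy(\`…')`, so unless an optional_policy wraps the block further up the apache module now depends on the postfix module's types being loaded; wrapping the call as `optional_policy(\`` / `postfix_rw_spool_maildrop_files(httpd_t)` / `')` keeps apache loadable without postfix. This also widens what the sendmail boolean grants from sending mail to reading and writing the maildrop spool, which the boolean's `## <desc>` text (outside the hunk) should state so administrators enabling it know the scope.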
@@ -5980,7 +5982,7 @@ index 1a82e29..217ba9e 100644 ') optional_policy(` -@@ -836,20 +995,39 @@ optional_policy(` +@@ -836,20 +996,39 @@ optional_policy(` ') optional_policy(` @@ -6026,7 +6028,7 @@ index 1a82e29..217ba9e 100644 ') optional_policy(` -@@ -857,19 +1035,35 @@ optional_policy(` +@@ -857,19 +1036,35 @@ optional_policy(` ') optional_policy(` @@ -6062,7 +6064,7 @@ index 1a82e29..217ba9e 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1071,170 @@ optional_policy(` +@@ -877,65 +1072,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6255,7 +6257,7 @@ index 1a82e29..217ba9e 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6410,7 +6412,7 @@ index 1a82e29..217ba9e 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1327,104 @@ optional_policy(` +@@ -1077,172 +1328,104 @@ optional_policy(` ') ') @@ -6646,7 +6648,7 @@ index 1a82e29..217ba9e 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6743,7 +6745,7 @@ index 1a82e29..217ba9e 100644 ######################################## # -@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6760,7 +6762,7 @@ index 1a82e29..217ba9e 100644 ') ######################################## -@@ -1324,49 +1523,38 @@ optional_policy(` +@@ -1324,49 +1524,38 @@ optional_policy(` # User content local policy # 
@@ -6825,7 +6827,7 @@ index 1a82e29..217ba9e 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -16917,7 +16919,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..f8e9ecc 100644 +index 6ce66e7..03bc338 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -16930,7 +16932,7 @@ index 6ce66e7..f8e9ecc 100644 type ctdbd_var_run_t; files_pid_file(ctdbd_var_run_t) -@@ -33,6 +36,7 @@ files_pid_file(ctdbd_var_run_t) +@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t) # allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; @@ -16938,7 +16940,14 @@ index 6ce66e7..f8e9ecc 100644 allow ctdbd_t self:process { setpgid signal_perms setsched }; allow ctdbd_t self:fifo_file rw_fifo_file_perms; allow ctdbd_t self:unix_stream_socket { accept connectto listen }; -@@ -59,6 +63,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; + allow ctdbd_t self:packet_socket create_socket_perms; + allow ctdbd_t self:tcp_socket create_stream_socket_perms; ++allow ctdbd_t self:udp_socket create_socket_perms; + + append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) + create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) +@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) 
@@ -16950,7 +16959,7 @@ index 6ce66e7..f8e9ecc 100644 manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) -@@ -72,9 +81,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -16962,7 +16971,7 @@ index 6ce66e7..f8e9ecc 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +96,12 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -16977,7 +16986,7 @@ index 6ce66e7..f8e9ecc 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +120,7 @@ optional_policy(` +@@ -109,6 +121,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -18265,10 +18274,18 @@ index 98a2d6a..fff0987 100644 fs_getattr_all_fs(dante_t) diff --git a/dbadm.te b/dbadm.te -index a67870a..76435d4 100644 +index a67870a..f7c0e61 100644 --- a/dbadm.te +++ b/dbadm.te -@@ -30,7 +30,7 @@ userdom_base_user_template(dbadm) +@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) + + role dbadm_r; + +-userdom_base_user_template(dbadm) ++userdom_confined_admin_template(dbadm) + + ######################################## + # # Local policy # @@ -22154,7 +22171,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..934045c 100644 +index a7bfaf0..d4a79a1 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -22408,7 +22425,7 @@ index a7bfaf0..934045c 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +214,63 @@ optional_policy(` +@@ -221,46 +214,65 @@ optional_policy(` ######################################## # 
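Review bot: Switching dbadm from `userdom_base_user_template(dbadm)` to `userdom_confined_admin_template(dbadm)` changes what dbadm_t can do, not just which template names it: per the attribute rules added to userdomain.te in this same diff, dbadm_t now gets `application_exec_all`, `files_exec_usr_files`, `kernel_read_all_sysctls`, `storage_rw_fuse` and self-ptrace unless `deny_ptrace` is set. If the base template declared per-role attributes that the rest of dbadm.te (outside this hunk) still references, those references will now fail to resolve — confirm with a build. Record the broadening in the module's header, e.g. `# dbadm_t is a confined admin domain (confined_admindomain); see userdomain.te for the attribute rules`.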
@@ -22465,6 +22482,8 @@ index a7bfaf0..934045c 100644 sysnet_use_ldap(dovecot_auth_t) ++systemd_login_read_pid_files(dovecot_auth_t) ++ +userdom_getattr_user_home_dirs(dovecot_auth_t) + optional_policy(` @@ -22481,7 +22500,7 @@ index a7bfaf0..934045c 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -271,15 +281,30 @@ optional_policy(` +@@ -271,15 +283,30 @@ optional_policy(` ') optional_policy(` @@ -22513,7 +22532,7 @@ index a7bfaf0..934045c 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +314,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -22574,7 +22593,7 @@ index a7bfaf0..934045c 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +359,6 @@ optional_policy(` +@@ -326,5 +361,6 @@ optional_policy(` ') optional_policy(` @@ -23359,7 +23378,7 @@ index 6041113..ef3b449 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 19325ce..b5c157f 100644 +index 19325ce..3e86b12 100644 --- a/exim.te +++ b/exim.te @@ -49,7 +49,7 @@ type exim_log_t; 
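Review bot: `systemd_login_read_pid_files(dovecot_auth_t)` grants read on all of logind's runtime files, whereas the commit description says the need is to read nologin; if that single file is the motivation (presumably because it carries logind's runtime label — confirm against the systemd file contexts), say so next to the call, e.g. `# needed to honour /run/nologin during authentication`, so the grant is not widened further later without a reason. The enclosing dovecot_auth_t section begins outside this hunk.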
@@ -23416,18 +23435,19 @@ index 19325ce..b5c157f 100644 ') optional_policy(` -@@ -192,8 +190,9 @@ optional_policy(` +@@ -192,11 +190,6 @@ optional_policy(` ') optional_policy(` - mailman_read_data_files(exim_t) -+ mailman_manage_data_files(exim_t) - mailman_domtrans(exim_t) -+ mailman_read_log(exim_t) +- mailman_domtrans(exim_t) +-') +- +-optional_policy(` + nagios_search_spool(exim_t) ') - optional_policy(` -@@ -218,6 +217,7 @@ optional_policy(` +@@ -218,6 +211,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -35143,7 +35163,7 @@ index ee0c7cc..c54e3d2 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index d7d9b09..562c288 100644 +index d7d9b09..b93f460 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -35156,6 +35176,15 @@ index d7d9b09..562c288 100644 type slapd_lock_t; files_lock_file(slapd_lock_t) +@@ -44,7 +47,7 @@ files_pid_file(slapd_var_run_t) + # Local policy + # + +-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; ++allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search sys_resource }; + dontaudit slapd_t self:capability sys_tty_config; + allow slapd_t self:process setsched; + allow slapd_t self:fifo_file rw_fifo_file_perms; @@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -40492,7 +40521,7 @@ index 6194b80..1e67988 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..2356e2b 100644 +index 6a306ee..11a0f02 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
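Review bot: The `optional_policy` block giving exim_t its mailman data, domtrans and log access is dropped from exim.te here, with the replacement granted to `mailserver_domain` in mta.te later in this diff; that only preserves exim's mailman transition if exim_t actually carries the `mailserver_domain` attribute, which is declared outside this hunk — confirm it before merging. The remaining `nagios_search_spool(exim_t)` block is unchanged.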
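Review bot: `sys_resource` is added to slapd_t's capability set with no comment, and the commit description attributes the #986870 change to lldpad rather than slapd, so the reason cannot be recovered from the hunk. `sys_resource` lets the daemon override its own resource limits, which is worth tying to the concrete need; add `# sys_resource: raise rlimits (#986870)` — with the actual limit slapd raises once known — above the allow line so the capability does not outlive its cause.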
@@ -40766,12 +40795,12 @@ index 6a306ee..2356e2b 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -40901,34 +40930,34 @@ index 6a306ee..2356e2b 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ java_domtrans(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ lpd_domtrans_lpr(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ nscd_socket_use(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) -+ nscd_socket_use(mozilla_t) -+') -+ -+optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) 
@@ -41019,12 +41048,12 @@ index 6a306ee..2356e2b 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -41195,12 +41224,12 @@ index 6a306ee..2356e2b 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) 
@@ -41224,30 +41253,30 @@ index 6a306ee..2356e2b 100644 -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) +- +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) -+userdom_home_manager(mozilla_plugin_t) - - fs_read_iso9660_files(mozilla_plugin_t) -+tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_all_ports(mozilla_plugin_t) - ') - +-') +- -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; -') -- ++userdom_home_manager(mozilla_plugin_t) + -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; --') -- ++tunable_policy(`mozilla_plugin_can_network_connect',` ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) + ') + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) @@ -41332,7 +41361,7 @@ index 6a306ee..2356e2b 100644 ') optional_policy(` -@@ -568,108 +568,128 @@ optional_policy(` +@@ -568,108 +568,130 @@ optional_policy(` ') optional_policy(` 
@@ -41370,14 +41399,13 @@ index 6a306ee..2356e2b 100644 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -+allow mozilla_plugin_config_t self:fifo_file rw_file_perms; -+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; - +- -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") -+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") 
@@ -41387,36 +41415,40 @@ index 6a306ee..2356e2b 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") ++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) + +-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +dev_read_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) --filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) --can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +- +-kernel_read_system_state(mozilla_plugin_config_t) +-kernel_request_load_module(mozilla_plugin_config_t) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) - --ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) ++ +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) 
+mozilla_filetrans_home_content(mozilla_plugin_t) - --kernel_read_system_state(mozilla_plugin_config_t) --kernel_request_load_module(mozilla_plugin_config_t) ++ +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) +userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) +mozilla_filetrans_home_content(mozilla_plugin_config_t) ++dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom; corecmd_exec_bin(mozilla_plugin_config_t) corecmd_exec_shell(mozilla_plugin_config_t) @@ -41510,6 +41542,7 @@ index 6a306ee..2356e2b 100644 - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) ++ corenet_tcp_bind_vnc_port(mozilla_plugin_t) ') -optional_policy(` @@ -43037,7 +43070,7 @@ index ed81cac..566684a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..363dd67 100644 +index afd2fad..79fe381 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -43243,11 +43276,11 @@ index afd2fad..363dd67 100644 + +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) - --userdom_use_user_terminals(system_mail_t) + -+logging_append_all_logs(system_mail_t) + ++logging_append_all_logs(system_mail_t) + +-userdom_use_user_terminals(system_mail_t) +logging_send_syslog_msg(system_mail_t) optional_policy(` 
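Review bot: `dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;` is placed in the middle of the mozilla_plugin_config_t rule block, right after `mozilla_filetrans_home_content(mozilla_plugin_config_t)`, although its subject is mozilla_plugin_t; it belongs with mozilla_plugin_t's own tmp rules (that section starts outside this hunk) and deserves the reason the commit message gives, e.g. `# mv across labels tries relabelfrom on tmp files; silence it rather than allow it`. The already-present `mozilla_filetrans_home_content(mozilla_plugin_t)` two lines earlier has the same misplacement, so this commit compounds an existing one.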
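Review bot: `corenet_tcp_bind_vnc_port(mozilla_plugin_t)` under `mozilla_plugin_use_spice` allows binding the VNC port, but a bind alone does not make a listener work — `corenet_tcp_bind_generic_node` and the `tcp_socket` listen/accept permissions for mozilla_plugin_t live outside this hunk, so confirm they are present. It is also worth checking whether the spice client needs to bind (serve) the VNC port rather than connect to it, since a listening port on a browser plugin domain is a wider exposure than the boolean's description implies; a comment such as `# spice-xpi listens on the vnc port for the viewer (confirm)` would document the intent either way.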
@@ -43453,7 +43486,7 @@ index afd2fad..363dd67 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +276,165 @@ optional_policy(` +@@ -387,24 +276,173 @@ optional_policy(` ######################################## # @@ -43626,6 +43659,14 @@ index afd2fad..363dd67 100644 + antivirus_stream_connect(user_mail_domain) + antivirus_stream_connect(mta_user_agent) +') ++ ++optional_policy(` ++ mailman_manage_data_files(mailserver_domain) ++ mailman_domtrans(mailserver_domain) ++ mailman_append_log(mailserver_domain) ++ mailman_read_log(mailserver_domain) ++') ++ diff --git a/munin.fc b/munin.fc index eb4b72a..4968324 100644 --- a/munin.fc @@ -54649,7 +54690,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..073dbf3 100644 +index 7bcf327..ba2f9bb 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -54673,7 +54714,7 @@ index 7bcf327..073dbf3 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,256 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,260 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -54814,6 +54855,8 @@ index 7bcf327..073dbf3 100644 + +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;; + ++kernel_read_network_state(pegasus_openlmi_system_t) ++ +dev_rw_sysfs(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t) + @@ -54861,6 +54904,7 @@ index 7bcf327..073dbf3 100644 +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) + +kernel_read_all_sysctls(pegasus_openlmi_storage_t) ++kernel_get_sysvipc_info(pegasus_openlmi_storage_t) + +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) 
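Review bot: `mailman_manage_data_files(mailserver_domain)` gives every domain carrying `mailserver_domain` full create, write and delete access to mailman's data, replacing the single-daemon exim grant removed earlier in this diff; if the need is only to deliver into list queues, a narrower read-plus-append interface would limit what a compromised mail server can do to list archives and configuration. `mailman_domtrans(mailserver_domain)` also overlaps the existing `mailman_domtrans(mailserver_delivery)` visible at the top of this file section if the delivery domains are a subset of mailserver_domain, and the new block is followed by a trailing blank `+` line at the end of the file.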
@@ -54872,7 +54916,8 @@ index 7bcf327..073dbf3 100644 + +seutil_read_file_contexts(pegasus_openlmi_storage_t) + -+storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t) ++storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) ++storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + +fs_getattr_all_fs(pegasus_openlmi_storage_t) + @@ -54935,7 +54980,7 @@ index 7bcf327..073dbf3 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +289,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +293,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -54966,7 +55011,7 @@ index 7bcf327..073dbf3 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +315,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +319,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -54999,7 +55044,7 @@ index 7bcf327..073dbf3 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +343,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +347,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -55007,7 +55052,7 @@ index 7bcf327..073dbf3 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +358,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +362,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) 
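Review bot: Replacing `storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)` with `storage_raw_read_fixed_disk` and `storage_raw_write_fixed_disk` moves the provider from using disk descriptors it was handed to opening any fixed-disk device node itself with read and write access, which bypasses every filesystem permission check on those disks. That is a large widening for a CIM provider and the reason should sit next to the rules rather than only in the commit message, e.g. `# NOTE(review): openlmi-storage opens fixed-disk nodes directly; raw write bypasses fs permissions - confirm scope`. If only a subset of the provider's operations needs write, keep the read line and explain why write cannot stay behind a tunable.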
@@ -55039,7 +55084,7 @@ index 7bcf327..073dbf3 100644 ') optional_policy(` -@@ -151,16 +388,24 @@ optional_policy(` +@@ -151,16 +392,24 @@ optional_policy(` ') optional_policy(` @@ -55068,7 +55113,7 @@ index 7bcf327..073dbf3 100644 ') optional_policy(` -@@ -168,7 +413,7 @@ optional_policy(` +@@ -168,7 +417,7 @@ optional_policy(` ') optional_policy(` @@ -55322,10 +55367,10 @@ index 0000000..20ea9f5 + diff --git a/piranha.if b/piranha.if new file mode 100644 -index 0000000..8d681d1 +index 0000000..cf54103 --- /dev/null +++ b/piranha.if -@@ -0,0 +1,179 @@ +@@ -0,0 +1,187 @@ +##

policy for piranha + +####################################### @@ -55353,6 +55398,10 @@ index 0000000..8d681d1 + type piranha_$1_exec_t; + init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) + ++ # tmpfs files ++ type piranha_$1_tmpfs_t, piranha_tmpfs; ++ files_tmpfs_file(piranha_$1_tmpfs_t) ++ + # pid files + type piranha_$1_var_run_t; + files_pid_file(piranha_$1_var_run_t) @@ -55362,6 +55411,10 @@ index 0000000..8d681d1 + # piranha_$1_t local policy + # + ++ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t) ++ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t) ++ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file }) ++ + manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) @@ -55507,10 +55560,10 @@ index 0000000..8d681d1 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..34e591f +index 0000000..a989aea --- /dev/null +++ b/piranha.te -@@ -0,0 +1,293 @@ +@@ -0,0 +1,292 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -55526,6 +55579,7 @@ index 0000000..34e591f +gen_tunable(piranha_lvs_can_network_connect, false) + +attribute piranha_domain; ++attribute piranha_tmpfs; + +piranha_domain_template(fos) + @@ -55538,9 +55592,6 @@ index 0000000..34e591f + +piranha_domain_template(web) + -+type piranha_web_tmpfs_t; -+files_tmpfs_file(piranha_web_tmpfs_t) -+ +type piranha_web_conf_t; +files_config_file(piranha_web_conf_t) + 
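Review bot: The template now declares `type piranha_$1_tmpfs_t, piranha_tmpfs;` but the `piranha_tmpfs` attribute is declared in piranha.te, not in the template, so the template only compiles when expanded from that module. That is the usual refpolicy layout, but a comment on the declaration saves the next reader the lookup: `# piranha_tmpfs attribute is declared in piranha.te`. The added `manage_*_pattern` and `fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })` rules mirror the web-specific tmpfs rules that the piranha.te hunks remove, so every piranha domain now gets its own tmpfs type rather than only the web one.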
@@ -55602,10 +55653,6 @@ index 0000000..34e591f +manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) +files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir }) + -+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) -+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) -+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) -+ +piranha_pulse_initrc_domtrans(piranha_web_t) + +kernel_read_kernel_sysctls(piranha_web_t) @@ -55655,6 +55702,9 @@ index 0000000..34e591f +allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; +allow piranha_lvs_t self:rawip_socket create_socket_perms; + ++manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t) ++manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t) ++ +kernel_read_kernel_sysctls(piranha_lvs_t) + +# needed by nanny @@ -55788,6 +55838,9 @@ index 0000000..34e591f + +read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t) + ++manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs) ++manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs) ++ +kernel_read_network_state(piranha_domain) + +corenet_tcp_sendrecv_generic_if(piranha_domain) @@ -55799,7 +55852,6 @@ index 0000000..34e591f +corenet_tcp_bind_generic_node(piranha_domain) +corenet_udp_bind_generic_node(piranha_domain) + -+ +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) + @@ -58689,7 +58741,7 @@ index c0e8785..c0e0959 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index 2e23946..e9ac366 100644 +index 2e23946..0b76d72 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ 
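Review bot: The new pattern calls in the `piranha_lvs_t` and `piranha_pulse_t` hunks (`@@ -55655` and `@@ -55788`) are spaced inconsistently with the rest of the file: `manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)` lacks the space after the second comma and `manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)` has a stray space before it. Write them as `manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)` and `manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs, piranha_tmpfs)`. Separately, the pulse rules use the attribute `piranha_tmpfs` and so grant pulse manage over every piranha domain's tmpfs files, while lvs is limited to `piranha_pulse_tmpfs_t`; if that asymmetry is intended, a short comment above the pulse rules would say so.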
@@ -59029,8 +59081,10 @@ index 2e23946..e9ac366 100644 ') + -+######################################## -+## + ######################################## + ## +-## Execute the master postfix program +-## in the caller domain. +## Execute the master postfix in the postfix master domain. +## +## @@ -59047,10 +59101,8 @@ index 2e23946..e9ac366 100644 + init_labeled_script_domtrans($1, postfix_initrc_exec_t) +') + - ######################################## - ## --## Execute the master postfix program --## in the caller domain. ++######################################## ++## +## Execute the master postfix program in the +## caller domain. ## @@ -59148,15 +59200,18 @@ index 2e23946..e9ac366 100644 ## -## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +## +## +## The role to be allowed the iptables domain. +## +## +## -+# + # +-interface(`posftix_exec_postqueue',` +- refpolicywarn(`$0($*) has been deprecated.') +- postfix_exec_postqueue($1) + +interface(`postfix_run_postqueue',` + gen_require(` @@ -59166,8 +59221,8 @@ index 2e23946..e9ac366 100644 + postfix_domtrans_postqueue($1) + role $2 types postfix_postqueue_t; + allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; -+') -+ + ') + +######################################## +## +## Execute postfix_postgqueue in the postfix_postgqueue domain. @@ -59194,18 +59249,15 @@ index 2e23946..e9ac366 100644 +## +## +## Domain allowed to transition. - ## - ## ++## ++## +## +## +## Role allowed access. +## +## +## - # --interface(`posftix_exec_postqueue',` -- refpolicywarn(`$0($*) has been deprecated.') -- postfix_exec_postqueue($1) ++# +interface(`postfix_run_postgqueue',` + gen_require(` + type postfix_postgqueue_t; @@ -59213,8 +59265,8 @@ index 2e23946..e9ac366 100644 + + postfix_domtrans_postgqueue($1) + role $2 types postfix_postgqueue_t; - ') - ++') ++ + ####################################### ## 
@@ -59346,7 +59398,7 @@ index 2e23946..e9ac366 100644 ## ## ## -@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -59361,6 +59413,25 @@ index 2e23946..e9ac366 100644 + +####################################### +## ++## Read, write, and delete postfix maildrop spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_rw_spool_maildrop_files',` ++ gen_require(` ++ type postfix_spool_maildrop_t; ++ ') ++ ++ files_search_spool($1) ++ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++') ++ ++####################################### ++## +## Create, read, write, and delete postfix maildrop spool files. +## +## @@ -59380,7 +59451,7 @@ index 2e23946..e9ac366 100644 ') ######################################## -@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -59391,7 +59462,7 @@ index 2e23946..e9ac366 100644 ## ## ## -@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -59550,7 +59621,7 @@ index 2e23946..e9ac366 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..2177e93 100644 +index 191a66f..f19bca4 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -59732,8 +59803,9 @@ index 191a66f..2177e93 100644 -######################################## -# -# Common postfix user domain local policy --# -- ++# Postfix master process local policy + # + -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) 
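Review bot: The summary of the new `postfix_rw_spool_maildrop_files` interface says "Read, write, and delete postfix maildrop spool files", but its body grants only `rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)`, which carries no unlink permission; the sibling interface directly below it, which uses the manage pattern, is the one that actually deletes. Either change the summary to `## Read and write postfix maildrop spool files.` or, if callers really must remove their own drops, switch to the manage pattern - the narrower read/write is the safer default for a web-server caller. The `files_search_spool($1)` line is correct and matches the sibling interface.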
@@ -59741,9 +59813,8 @@ index 191a66f..2177e93 100644 -######################################## -# -# Master local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -59767,10 +59838,10 @@ index 191a66f..2177e93 100644 -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; ++ ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; -+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -+ +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + +manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) 
@@ -59811,29 +59882,29 @@ index 191a66f..2177e93 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -- --can_exec(postfix_master_t, postfix_exec_t) -+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++kernel_read_all_sysctls(postfix_master_t) +-can_exec(postfix_master_t, postfix_exec_t) +- -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -+kernel_read_all_sysctls(postfix_master_t) - +- -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) 
corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -59893,32 +59964,30 @@ index 191a66f..2177e93 100644 mta_read_sendmail_bin(postfix_master_t) mta_getattr_spool(postfix_master_t) +-optional_policy(` +- cyrus_stream_connect(postfix_master_t) +-') +- +-optional_policy(` +- kerberos_keytab_template(postfix, postfix_t) +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) + mta_etc_filetrans_aliases(postfix_master_t) -+') -+ - optional_policy(` - cyrus_stream_connect(postfix_master_t) - ') -@@ -316,14 +212,11 @@ optional_policy(` ') optional_policy(` -+# for postalias - mailman_manage_data_files(postfix_master_t) +- mailman_manage_data_files(postfix_master_t) ++ cyrus_stream_connect(postfix_master_t) ') optional_policy(` - mysql_stream_connect(postfix_master_t) --') -- --optional_policy(` - postgrey_search_spool(postfix_master_t) ++ kerberos_keytab_template(postfix, postfix_t) ') -@@ -333,12 +226,14 @@ optional_policy(` + optional_policy(` +@@ -333,12 +221,14 @@ optional_policy(` ######################################## # @@ -59935,7 +60004,7 @@ index 191a66f..2177e93 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -59982,7 +60051,7 @@ index 191a66f..2177e93 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -393,36 +285,50 @@ optional_policy(` +@@ -393,36 +280,50 @@ optional_policy(` ######################################## # @@ -60042,7 +60111,7 @@ index 191a66f..2177e93 100644 ') optional_policy(` -@@ -434,6 +340,7 @@ optional_policy(` +@@ -434,6 +335,7 @@ optional_policy(` ') optional_policy(` 
@@ -60050,7 +60119,7 @@ index 191a66f..2177e93 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +351,10 @@ optional_policy(` +@@ -444,6 +346,10 @@ optional_policy(` ') optional_policy(` @@ -60061,7 +60130,7 @@ index 191a66f..2177e93 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +369,17 @@ optional_policy(` +@@ -458,15 +364,17 @@ optional_policy(` ######################################## # @@ -60085,7 +60154,7 @@ index 191a66f..2177e93 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -60105,7 +60174,7 @@ index 191a66f..2177e93 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -60113,7 +60182,7 @@ index 191a66f..2177e93 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -60139,7 +60208,7 @@ index 191a66f..2177e93 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -60159,7 +60228,7 @@ index 191a66f..2177e93 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +489,26 @@ optional_policy(` +@@ -576,19 +484,26 @@ optional_policy(` ######################################## # @@ -60191,7 +60260,7 @@ index 191a66f..2177e93 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +523,7 @@ optional_policy(` +@@ -603,10 +518,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -60203,7 +60272,7 @@ index 191a66f..2177e93 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +538,24 @@ optional_policy(` +@@ -621,17 +533,24 @@ optional_policy(` ####################################### # @@ -60231,7 +60300,7 @@ index 191a66f..2177e93 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +571,77 @@ optional_policy(` +@@ -647,67 +566,77 @@ optional_policy(` ######################################## # @@ -60327,7 +60396,7 @@ index 191a66f..2177e93 100644 ') optional_policy(` -@@ -720,29 +654,30 @@ optional_policy(` +@@ -720,29 +649,30 @@ optional_policy(` ######################################## # 
@@ -60366,7 +60435,7 @@ index 191a66f..2177e93 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +689,7 @@ optional_policy(` +@@ -754,6 +684,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -60374,7 +60443,7 @@ index 191a66f..2177e93 100644 ') optional_policy(` -@@ -764,31 +700,99 @@ optional_policy(` +@@ -764,31 +695,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -77187,7 +77256,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..b2225a3 100644 +index 57c034b..9e91107 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -77817,7 +77886,7 @@ index 57c034b..b2225a3 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +555,40 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -77879,10 +77948,11 @@ index 57c034b..b2225a3 100644 - files_manage_non_auth_files(nmbd_t) +optional_policy(` + ctdbd_stream_connect(nmbd_t) ++ ctdbd_manage_var_files(nmbd_t) ') optional_policy(` -@@ -600,19 +601,26 @@ optional_policy(` +@@ -600,19 +602,26 @@ optional_policy(` ######################################## # @@ -77914,7 +77984,7 @@ index 57c034b..b2225a3 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +628,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -77932,7 +78002,7 @@ index 57c034b..b2225a3 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +641,23 @@ optional_policy(` +@@ -637,22 +642,23 @@ optional_policy(` ######################################## # 
@@ -77964,7 +78034,7 @@ index 57c034b..b2225a3 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +666,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -78000,7 +78070,7 @@ index 57c034b..b2225a3 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +693,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -78092,7 +78162,7 @@ index 57c034b..b2225a3 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +772,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -78116,7 +78186,7 @@ index 57c034b..b2225a3 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +786,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -78159,7 +78229,7 @@ index 57c034b..b2225a3 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +816,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -78173,7 +78243,7 @@ index 57c034b..b2225a3 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +840,19 @@ optional_policy(` +@@ -834,16 +841,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; 
@@ -78197,7 +78267,7 @@ index 57c034b..b2225a3 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +862,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -78208,7 +78278,7 @@ index 57c034b..b2225a3 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +873,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -78238,7 +78308,7 @@ index 57c034b..b2225a3 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +896,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -78259,7 +78329,7 @@ index 57c034b..b2225a3 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +914,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -78270,7 +78340,7 @@ index 57c034b..b2225a3 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +922,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) 
@@ -78312,7 +78382,7 @@ index 57c034b..b2225a3 100644 ') optional_policy(` -@@ -952,31 +970,29 @@ optional_policy(` +@@ -952,31 +971,29 @@ optional_policy(` # Winbind helper local policy # @@ -78350,7 +78420,7 @@ index 57c034b..b2225a3 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1006,38 @@ optional_policy(` +@@ -990,25 +1007,38 @@ optional_policy(` ######################################## # @@ -82821,10 +82891,10 @@ index 0000000..52450c7 +') diff --git a/smsd.te b/smsd.te new file mode 100644 -index 0000000..92c3638 +index 0000000..1fad7b8 --- /dev/null +++ b/smsd.te -@@ -0,0 +1,72 @@ +@@ -0,0 +1,73 @@ +policy_module(smsd, 1.0.0) + +######################################## @@ -82882,6 +82952,7 @@ index 0000000..92c3638 +manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) +manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) +files_spool_filetrans(smsd_t, smsd_spool_t, { dir }) ++can_exec(smsd_t, smsd_spool_t) + +manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t) +manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t) @@ -88707,10 +88778,10 @@ index 0000000..8b2dfff +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ec3eb8f +index 0000000..1a7c61d --- /dev/null +++ b/thumb.te -@@ -0,0 +1,147 @@ +@@ -0,0 +1,148 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -88759,6 +88830,7 @@ index 0000000..ec3eb8f +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails") +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") +userdom_dontaudit_access_check_user_content(thumb_t) ++userdom_rw_inherited_user_tmpfs_files(thumb_t) + +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) @@ -93208,7 +93280,7 @@ index 9dec06c..73549fd 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..64b3da9 100644 +index 1f22fba..a77dab1 100644 --- a/virt.te +++ b/virt.te 
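Review bot: `can_exec(smsd_t, smsd_spool_t)` combined with `manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)` a few lines above gives the daemon write and execute on the same type, so anything smsd can be made to write into its spool it can also run in its own domain. If the scripts are generated by smsd itself that may be acceptable, but if the same type also covers incoming message data a dedicated type for the generated scripts (with exec on that type only) would keep the data spool non-executable. At minimum add a comment above the rule stating which files need exec, e.g. `# smsd writes helper scripts into its spool and executes them; data files share the type`.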
@@ -1,147 +1,167 @@ @@ -94113,7 +94185,7 @@ index 1f22fba..64b3da9 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +602,262 @@ optional_policy(` +@@ -737,44 +602,264 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -94149,6 +94221,14 @@ index 1f22fba..64b3da9 100644 -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++kernel_read_net_sysctls(virt_domain) + +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -94159,19 +94239,14 @@ index 1f22fba..64b3da9 100644 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -94203,13 +94278,12 @@ index 1f22fba..64b3da9 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --dontaudit virsh_t virt_var_lib_t:file read_file_perms; -+dontaudit virt_domain virt_tmpfs_type:file { read write }; - -allow virsh_t svirt_lxc_domain:process transition; -+append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++dontaudit virt_domain virt_tmpfs_type:file { read write }; -can_exec(virsh_t, virsh_exec_t) ++append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++ +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -94304,7 +94378,7 @@ index 1f22fba..64b3da9 100644 + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') - ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) @@ -94312,7 +94386,7 @@ index 1f22fba..64b3da9 100644 + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) +') -+ + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) @@ -94398,7 +94472,7 @@ index 1f22fba..64b3da9 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +868,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -94425,7 +94499,7 @@ index 1f22fba..64b3da9 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +888,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -94458,7 +94532,7 @@ index 1f22fba..64b3da9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +923,20 @@ optional_policy(` +@@ -847,14 +925,20 @@ optional_policy(` ') optional_policy(` 
@@ -94480,7 +94554,7 @@ index 1f22fba..64b3da9 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +961,65 @@ optional_policy(` +@@ -879,49 +963,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -94564,7 +94638,7 @@ index 1f22fba..64b3da9 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1031,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -94584,7 +94658,7 @@ index 1f22fba..64b3da9 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1052,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -94608,7 +94682,7 @@ index 1f22fba..64b3da9 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1077,238 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -94983,7 +95057,7 @@ index 1f22fba..64b3da9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1321,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -94998,7 +95072,7 @@ index 1f22fba..64b3da9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1339,8 @@ optional_policy(` +@@ -1183,9 +1341,8 @@ optional_policy(` ######################################## # 
@@ -95009,7 +95083,7 @@ index 1f22fba..64b3da9 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1353,194 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -97854,6 +97928,27 @@ index d837e88..910aeec 100644 userdom_use_unpriv_users_fds(yam_t) userdom_search_user_home_dirs(yam_t) +diff --git a/zabbix.fc b/zabbix.fc +index ce10cb1..3181728 100644 +--- a/zabbix.fc ++++ b/zabbix.fc +@@ -4,11 +4,15 @@ + /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) + +-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) ++/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) + + /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + diff --git a/zabbix.if b/zabbix.if index dd63de0..38ce620 100644 --- a/zabbix.if @@ -98017,10 +98112,10 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') 
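Review bot: The four new `/usr/sbin/zabbix_proxy*` entries in the zabbix.fc hunk label the proxy binaries as `zabbix_exec_t`, so the proxy runs in the server domain `zabbix_t` and inherits its `dac_read_search dac_override` capabilities and the `zabbix_can_network` tunable, but nothing in the hunk records that this is intended rather than a placeholder for a separate proxy domain. A comment above the new lines, `# zabbix_proxy runs in the server domain zabbix_t; no separate proxy domain`, would keep a later editor from silently moving them to `zabbix_agent_exec_t`. If an active proxy connects outbound to the server port, the `zabbix_t` rules visible later in this patch only bind and sendrecv on the zabbix port, so confirm a connect rule exists outside these hunks or is meant to be covered by the tunable. The move of the `/usr/sbin/zabbix_server` line is a pure reorder.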
diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..dea93eb 100644 +index 46e4cd3..79317e6 100644 --- a/zabbix.te +++ b/zabbix.te -@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3) +@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3) # ## @@ -98029,9 +98124,64 @@ index 46e4cd3..dea93eb 100644 ## Determine whether zabbix can ## connect to all TCP ports ##

-@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms; - allow zabbix_t self:shm create_shm_perms; - allow zabbix_t self:tcp_socket create_stream_socket_perms; + ##
+ gen_tunable(zabbix_can_network, false) + +-type zabbix_t; ++attribute zabbix_domain; ++ ++type zabbix_t, zabbix_domain; + type zabbix_exec_t; + init_daemon_domain(zabbix_t, zabbix_exec_t) + + type zabbix_initrc_exec_t; + init_script_file(zabbix_initrc_exec_t) + +-type zabbix_agent_t; ++type zabbix_agent_t, zabbix_domain; + type zabbix_agent_exec_t; + init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) + +@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t) + + ######################################## + # ++# zabbix domain local policy ++# ++ ++allow zabbix_domain self:capability { setuid setgid }; ++allow zabbix_domain self:process { setpgid setsched getsched signal_perms }; ++allow zabbix_domain self:fifo_file rw_fifo_file_perms; ++allow zabbix_domain self:sem create_sem_perms; ++allow zabbix_domain self:shm create_shm_perms; ++allow zabbix_domain self:tcp_socket { accept listen }; ++allow zabbix_domain self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_all_sysctls(zabbix_domain) ++ ++corenet_tcp_sendrecv_generic_if(zabbix_domain) ++corenet_tcp_sendrecv_generic_node(zabbix_domain) ++corenet_tcp_bind_generic_node(zabbix_domain) ++ ++corecmd_exec_shell(zabbix_domain) ++corecmd_exec_bin(zabbix_domain) ++ ++dev_read_sysfs(zabbix_domain) ++dev_read_urand(zabbix_domain) ++ ++######################################## ++# + # Local policy + # + +-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; +-allow zabbix_t self:process { setsched signal_perms }; +-allow zabbix_t self:fifo_file rw_fifo_file_perms; +-allow zabbix_t self:unix_stream_socket create_stream_socket_perms; +-allow zabbix_t self:sem create_sem_perms; +-allow zabbix_t self:shm create_shm_perms; +-allow zabbix_t self:tcp_socket create_stream_socket_perms; ++allow zabbix_t self:capability { dac_read_search dac_override }; -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) 
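Review bot: Moving the self rules onto `zabbix_domain` grants both domains the union of what each had before, and the hunk does not say which additions are deliberate: `zabbix_t` now gains `setpgid`, `getsched`, `dev_read_sysfs` and `kernel_read_all_sysctls` (it previously had only `kernel_read_kernel_sysctls`, dropped in the `@@ -98045` hunk), while `zabbix_agent_t` gains `dev_read_sysfs` and `signal_perms` in place of `signal`. The removal of `allow zabbix_t self:tcp_socket create_stream_socket_perms;` leaves the server with only `{ accept listen }` from the attribute, so unless a create rule for `zabbix_t` exists outside this hunk the server can no longer create or connect TCP sockets; either restore that line under the local policy or change the attribute rule to `allow zabbix_domain self:tcp_socket create_stream_socket_perms;`. A comment above the new block naming what it covers, `# zabbix_domain: zabbix_t (server and proxy) and zabbix_agent_t`, would document the shared profile. The agent-side removals in the `@@ -98081` and `@@ -98101` hunks are the matching half of this change and need no separate note.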
@@ -98045,10 +98195,29 @@ index 46e4cd3..dea93eb 100644 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t) +@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) + files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) + + kernel_read_system_state(zabbix_t) +-kernel_read_kernel_sysctls(zabbix_t) - dev_read_urand(zabbix_t) + corenet_all_recvfrom_unlabeled(zabbix_t) + corenet_all_recvfrom_netlabel(zabbix_t) +-corenet_tcp_sendrecv_generic_if(zabbix_t) +-corenet_tcp_sendrecv_generic_node(zabbix_t) +-corenet_tcp_bind_generic_node(zabbix_t) + corenet_sendrecv_ftp_client_packets(zabbix_t) + corenet_tcp_connect_ftp_port(zabbix_t) +@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) + corenet_tcp_bind_zabbix_port(zabbix_t) + corenet_tcp_sendrecv_zabbix_port(zabbix_t) + +-corecmd_exec_bin(zabbix_t) +-corecmd_exec_shell(zabbix_t) +- +-dev_read_urand(zabbix_t) +- -files_read_usr_files(zabbix_t) - auth_use_nsswitch(zabbix_t) @@ -98058,7 +98227,7 @@ index 46e4cd3..dea93eb 100644 zabbix_agent_tcp_connect(zabbix_t) tunable_policy(`zabbix_can_network',` -@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',` +@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -98073,7 +98242,7 @@ index 46e4cd3..dea93eb 100644 ') optional_policy(` -@@ -125,6 +119,7 @@ optional_policy(` +@@ -125,6 +131,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) 
@@ -98081,18 +98250,18 @@ index 46e4cd3..dea93eb 100644 ') ######################################## -@@ -133,17 +128,14 @@ optional_policy(` +@@ -132,18 +139,7 @@ optional_policy(` + # Agent local policy # - allow zabbix_agent_t self:capability { setuid setgid }; +-allow zabbix_agent_t self:capability { setuid setgid }; -allow zabbix_agent_t self:process { setsched getsched signal }; -+allow zabbix_agent_t self:process { setpgid setsched getsched signal }; - allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; - allow zabbix_agent_t self:sem create_sem_perms; - allow zabbix_agent_t self:shm create_shm_perms; - allow zabbix_agent_t self:tcp_socket { accept listen }; - allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; - +-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; +-allow zabbix_agent_t self:sem create_sem_perms; +-allow zabbix_agent_t self:shm create_shm_perms; +-allow zabbix_agent_t self:tcp_socket { accept listen }; +-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; +- -append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) 
@@ -98101,16 +98270,26 @@ index 46e4cd3..dea93eb 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) - kernel_read_all_sysctls(zabbix_agent_t) - kernel_read_system_state(zabbix_agent_t) +@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) + manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) + files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) -+corecmd_exec_shell(zabbix_agent_t) -+corecmd_exec_bin(zabbix_agent_t) - corecmd_read_all_executables(zabbix_agent_t) +-kernel_read_all_sysctls(zabbix_agent_t) + kernel_read_system_state(zabbix_agent_t) +-corecmd_read_all_executables(zabbix_agent_t) +- corenet_all_recvfrom_unlabeled(zabbix_agent_t) -@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t) + corenet_all_recvfrom_netlabel(zabbix_agent_t) +-corenet_tcp_sendrecv_generic_if(zabbix_agent_t) +-corenet_tcp_sendrecv_generic_node(zabbix_agent_t) +-corenet_tcp_bind_generic_node(zabbix_agent_t) ++ ++corecmd_read_all_executables(zabbix_agent_t) + + corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) + corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) +@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t) files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) @@ -98118,7 +98297,7 @@ index 46e4cd3..dea93eb 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t) +@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 866a110..319b537 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 90%{?dist} +Release: 91%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -572,6 +572,36 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 17 2013 Miroslav Grepl 3.12.1-91 +- Allow mailserver_domains to manage and transition to mailman data +- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands +- Allow mailserver_domains to manage and transition to mailman data +- Allow svirt_domains to read sysctl_net_t +- Allow thumb_t to use tmpfs inherited from the user +- Allow mozilla_plugin to bind to the vnc port if running with spice +- Add new attribute to discover confined_admins and assign confined admin to it +- Fix zabbix to handle attributes in interfaces +- Fix zabbix to read system states for all zabbix domains +- Fix piranha_domain_template() +- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. +- Allow lldpad sys_rouserce cap due to #986870 +- Allow dovecot-auth to read nologin +- Allow openlmi-networking to read /proc/net/dev +- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t +- Add zabbix_domain attribute for zabbix domains to treat them together +- Add labels for zabbix-poxy-* (#1018221) +- Update openlmi-storage policy to reflect #1015067 +- Back port piranha tmpfs fixes from RHEL6 +- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop +- Add postfix_rw_spool_maildrop_files interface +- Call new userdom_admin_user_templat() also for sysadm_secadm.pp +- Fix typo in userdom_admin_user_template() +- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey +- Add new attribute to discover confined_admins +- Fix labeling for /etc/strongswan/ipsec.d +- systemd_logind seems to pass fd to anyone who dbus communicates with it +- Dontaudit leaked write descriptor to dmesg + * Mon Oct 14 2013 Miroslav Grepl 3.12.1-90 - Activate motion policy