From da973f372216a40580a28b50dab21d883fe13e97 Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Feb 05 2013 10:01:00 +0000 Subject: - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add MLS fixes to make MLS boot/log-in working - Add mls_socket_write_all_levels() also for syslogd - fsck.xfs needs to read passwd - Fix ntp_filetrans_named_content calling in init.te - Allow postgresql to create pg_log dir - Allow sshd to read rsync_data_t to make rsync working - Change ntp.conf to be labeled net_conf_t - Allow useradd to create homedirs in /run. ircd-ratbox does this and we sho - Allow xdm_t to execute gstreamer home content - Allow initrc_t and unconfined domains, and sysadm_t to manage ntp - New policy for openstack swift domains - More access required for openshift_cron_t - Use cupsd_log_t instead of cupsd_var_log_t - rpm_script_roles should be used in rpm_run - Fix rpm_run() interface - Fix openshift_initrc_run() - Fix sssd_dontaudit_stream_connect() interface - Fix sssd_dontaudit_stream_connect() interface - Allow LDA's job to deliver mail to the mailbox - dontaudit block_suspend for mozilla_plugin_t - Allow l2tpd_t to all signal perms - Allow uuidgen to read /dev/random - Allow mozilla-plugin-config to read power_supply info - Implement cups_domain attribute for cups domains - We now need access to user terminals since we start by executing a command - We now need access to user terminals since we start by executing a command - svirt lxc containers want to execute userhelper apps, need these changes to - Add containment of openshift cron jobs - Allow system cron jobs to create tmp directories - Make userhelp_conf_t a config file - Change rpm to use rpm_script_roles - More fixes for rsync to make rsync working - Allow logwatch to domtrans to mdadm - Allow pacemaker to domtrans to ifconfig - Allow pacemaker to setattr on corosync.log - Add pacemaker_use_execmem for memcheck-amd64 command - Allow block_suspend capability - Allow create fifo_file in /tmp with pacemaker_tmp_t - Allow 
systat to getattr on fixed disk - Relabel /etc/ntp.conf to be net_conf_t - ntp_admin should create files in /etc with the correct label - Add interface to create ntp_conf_t files in /etc - Add additional labeling for quantum - Allow quantum to execute dnsmasq with transition --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a8ed505..fe45995 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -205108,7 +205108,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..2f68b4d 100644 +index d555767..fdd0567 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -205173,7 +205173,7 @@ index d555767..2f68b4d 100644 type sysadm_passwd_tmp_t; files_tmp_file(sysadm_passwd_tmp_t) -@@ -61,8 +65,10 @@ files_tmp_file(sysadm_passwd_tmp_t) +@@ -61,8 +65,13 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) @@ -205182,10 +205182,13 @@ index d555767..2f68b4d 100644 -role useradd_roles types useradd_t; +#role useradd_roles types useradd_t; +role system_r types useradd_t; ++ ++type useradd_var_run_t; ++files_pid_file(useradd_var_run_t) ######################################## # -@@ -86,6 +92,7 @@ allow chfn_t self:unix_stream_socket connectto; +@@ -86,6 +95,7 @@ allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) kernel_read_kernel_sysctls(chfn_t) @@ -205193,7 +205196,7 @@ index d555767..2f68b4d 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -94,25 +101,29 @@ selinux_compute_create_context(chfn_t) +@@ -94,25 +104,29 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) 
@@ -205229,7 +205232,7 @@ index d555767..2f68b4d 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) -@@ -120,19 +131,29 @@ files_dontaudit_search_home(chfn_t) +@@ -120,19 +134,29 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) @@ -205262,7 +205265,7 @@ index d555767..2f68b4d 100644 ######################################## # # Crack local policy -@@ -209,8 +230,8 @@ selinux_compute_create_context(groupadd_t) +@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -205273,7 +205276,7 @@ index d555767..2f68b4d 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -218,8 +239,8 @@ init_dontaudit_write_utmp(groupadd_t) +@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -205283,7 +205286,7 @@ index d555767..2f68b4d 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -229,14 +250,15 @@ corecmd_exec_bin(groupadd_t) +@@ -229,14 +253,15 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -205302,7 +205305,7 @@ index d555767..2f68b4d 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -253,7 +275,8 @@ optional_policy(` +@@ -253,7 +278,8 @@ optional_policy(` ') optional_policy(` @@ -205312,7 +205315,7 @@ index d555767..2f68b4d 100644 ') optional_policy(` -@@ -285,6 +308,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -285,6 +311,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; 
@@ -205320,7 +205323,7 @@ index d555767..2f68b4d 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -293,6 +317,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -293,6 +320,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -205328,7 +205331,7 @@ index d555767..2f68b4d 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -307,26 +332,38 @@ selinux_compute_create_context(passwd_t) +@@ -307,26 +335,38 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -205372,7 +205375,7 @@ index d555767..2f68b4d 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -335,12 +372,11 @@ init_use_fds(passwd_t) +@@ -335,12 +375,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -205386,7 +205389,7 @@ index d555767..2f68b4d 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +385,15 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +388,15 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -205403,7 +205406,7 @@ index d555767..2f68b4d 100644 ') ######################################## -@@ -398,9 +440,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +443,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) 
@@ -205416,7 +205419,7 @@ index d555767..2f68b4d 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +459,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -205424,7 +205427,7 @@ index d555767..2f68b4d 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +465,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +468,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -205446,7 +205449,7 @@ index d555767..2f68b4d 100644 ') ######################################## -@@ -443,7 +483,8 @@ optional_policy(` +@@ -443,7 +486,8 @@ optional_policy(` # Useradd local policy # @@ -205456,7 +205459,18 @@ index d555767..2f68b4d 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -465,36 +506,35 @@ corecmd_exec_shell(useradd_t) +@@ -458,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; + allow useradd_t self:unix_dgram_socket sendto; + allow useradd_t self:unix_stream_socket connectto; + ++manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) ++manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) ++files_pid_filetrans(useradd_t, useradd_var_run_t, dir) ++ + # for getting the number of groups + kernel_read_kernel_sysctls(useradd_t) + +@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) 
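Review bot: `files_pid_filetrans(useradd_t, useradd_var_run_t, dir)` carries no filename argument, so every directory useradd creates directly under /run is labelled useradd_var_run_t, and no usermanage.fc entry for such a path is visible in this diff, so a later restorecon would label the directory differently from what the runtime transition produced. The commit message says the motivation is ircd-ratbox home directories in /run, which means the directory is presumably consumed by the ircd domain, yet nothing in this chunk lets any domain other than useradd_t read useradd_var_run_t. If the directory name is fixed, a named transition such as `files_pid_filetrans(useradd_t, useradd_var_run_t, dir, "ircd")` plus a matching .fc line keeps both labelling paths in agreement; otherwise labelling it with the consuming service's own var_run type would be the more useful choice. The type itself is declared in the earlier usermanage.te hunk (`@@ -61,8 +65,13 @@`) of this same file section.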
@@ -205504,7 +205518,7 @@ index d555767..2f68b4d 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +545,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -205555,7 +205569,7 @@ index d555767..2f68b4d 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +585,8 @@ optional_policy(` +@@ -542,7 +592,8 @@ optional_policy(` ') optional_policy(` @@ -205565,7 +205579,7 @@ index d555767..2f68b4d 100644 ') optional_policy(` -@@ -550,6 +594,11 @@ optional_policy(` +@@ -550,6 +601,11 @@ optional_policy(` ') optional_policy(` @@ -205577,7 +205591,7 @@ index d555767..2f68b4d 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +608,7 @@ optional_policy(` +@@ -559,3 +615,7 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -210351,7 +210365,7 @@ index 6a1e4d1..70c5c72 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..ba58454 100644 +index cf04cb5..3980a24 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -210477,7 +210491,7 @@ index cf04cb5..ba58454 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -210587,6 +210601,10 @@ index cf04cb5..ba58454 100644 +') + +optional_policy(` ++ ntp_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + nx_filetrans_named_content(unconfined_domain_type) +') + @@ -215653,7 +215671,7 @@ index 649e458..31a14c8 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 6fac350..6c81d4e 100644 +index 6fac350..e7add10 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -215748,7 +215766,7 @@ index 6fac350..6c81d4e 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +294,48 @@ files_list_root(kernel_t) +@@ -277,25 +294,49 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -215768,6 +215786,7 @@ index 6fac350..6c81d4e 100644 +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) +mls_fd_use_all_levels(kernel_t) ++mls_process_set_level(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 @@ -215797,7 +215816,7 @@ index 6fac350..6c81d4e 100644 ') optional_policy(` -@@ -305,6 +345,19 @@ optional_policy(` +@@ -305,6 +346,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -215817,7 +215836,7 @@ index 6fac350..6c81d4e 100644 ') optional_policy(` -@@ -334,7 +387,6 @@ optional_policy(` +@@ -334,7 +388,6 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) @@ -215825,7 +215844,7 @@ index 6fac350..6c81d4e 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +395,7 @@ optional_policy(` +@@ -343,9 +396,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
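Review bot: `mls_process_set_level(kernel_t)` adds kernel_t to the MLS process-level override set with no comment, and the commit message only says "Add MLS fixes to make MLS boot/log-in working". MLS constraint exemptions are exactly the grants a later auditor needs to trace to a specific denial, so a one-line comment above the call naming the boot step or AVC it resolves, e.g. `# MLS boot: <denial that required this> -- TODO record avc`, would make the widening reviewable. The same applies to `mls_file_downgrade(init_t)`, `mls_file_upgrade(init_t)` and `mls_fd_share_all_levels(init_t)` added to init.te later in this diff; file-level upgrade and downgrade by init_t are both strong overrides and the reason should be recorded beside them.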
@@ -215836,7 +215855,7 @@ index 6fac350..6c81d4e 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +404,7 @@ optional_policy(` +@@ -354,7 +405,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -215845,7 +215864,7 @@ index 6fac350..6c81d4e 100644 ') ') -@@ -367,6 +417,15 @@ optional_policy(` +@@ -367,6 +418,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -215861,7 +215880,7 @@ index 6fac350..6c81d4e 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +468,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +469,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -218133,7 +218152,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..2268840 100644 +index 88d0028..8c061b9 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1) @@ -218381,7 +218400,7 @@ index 88d0028..2268840 100644 ') optional_policy(` -@@ -241,25 +297,47 @@ optional_policy(` +@@ -241,14 +297,27 @@ optional_policy(` ') optional_policy(` @@ -218401,14 +218420,15 @@ index 88d0028..2268840 100644 +optional_policy(` ntp_stub() corenet_udp_bind_ntp_port(sysadm_t) - ') - - optional_policy(` -+ nx_filetrans_named_content(sysadm_t) ++ ntp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` - oav_run_update(sysadm_t, sysadm_r) ++ nx_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -256,10 +325,20 @@ optional_policy(` ') optional_policy(` 
@@ -218429,7 +218449,7 @@ index 88d0028..2268840 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +348,36 @@ optional_policy(` +@@ -270,31 +349,36 @@ optional_policy(` ') optional_policy(` @@ -218473,7 +218493,7 @@ index 88d0028..2268840 100644 ') optional_policy(` -@@ -319,12 +402,18 @@ optional_policy(` +@@ -319,12 +403,18 @@ optional_policy(` ') optional_policy(` @@ -218493,7 +218513,7 @@ index 88d0028..2268840 100644 ') optional_policy(` -@@ -349,7 +438,18 @@ optional_policy(` +@@ -349,7 +439,18 @@ optional_policy(` ') optional_policy(` @@ -218513,7 +218533,7 @@ index 88d0028..2268840 100644 ') optional_policy(` -@@ -360,19 +460,15 @@ optional_policy(` +@@ -360,19 +461,15 @@ optional_policy(` ') optional_policy(` @@ -218535,7 +218555,7 @@ index 88d0028..2268840 100644 ') optional_policy(` -@@ -384,10 +480,6 @@ optional_policy(` +@@ -384,10 +481,6 @@ optional_policy(` ') optional_policy(` @@ -218546,7 +218566,7 @@ index 88d0028..2268840 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +487,9 @@ optional_policy(` +@@ -395,6 +488,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -218556,7 +218576,7 @@ index 88d0028..2268840 100644 ') optional_policy(` -@@ -402,31 +497,34 @@ optional_policy(` +@@ -402,31 +498,34 @@ optional_policy(` ') optional_policy(` @@ -218597,7 +218617,7 @@ index 88d0028..2268840 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +537,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +538,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -218608,7 +218628,7 @@ index 88d0028..2268840 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +557,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +558,75 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -220137,7 +220157,7 @@ index 9d2f311..c8a2637 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..d55e727 100644 +index 346d011..59ee2a5 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -220189,7 +220209,7 @@ index 346d011..d55e727 100644 allow postgresql_t self:process { setsockcreate }; ') -@@ -270,13 +278,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) @@ -220205,7 +220225,13 @@ index 346d011..d55e727 100644 can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; -@@ -304,7 +312,6 @@ kernel_list_proc(postgresql_t) + files_lock_filetrans(postgresql_t, postgresql_lock_t, file) + ++manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) + manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) + logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) + +@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) @@ -220213,7 +220239,7 @@ index 346d011..d55e727 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +349,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) 
@@ -220223,7 +220249,7 @@ index 346d011..d55e727 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,7 +360,6 @@ init_read_utmp(postgresql_t) +@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) @@ -220231,7 +220257,7 @@ index 346d011..d55e727 100644 seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) -@@ -367,7 +372,7 @@ optional_policy(` +@@ -367,7 +373,7 @@ optional_policy(` mta_getattr_spool(postgresql_t) ') @@ -220240,7 +220266,7 @@ index 346d011..d55e727 100644 allow postgresql_t self:process execmem; ') -@@ -488,7 +493,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db +@@ -488,7 +494,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db # Note that permission of creation/deletion are eventually controlled by # create or drop permission of individual objects within shared schemas. # So, it just allows to create/drop user specific types. @@ -220249,7 +220275,7 @@ index 346d011..d55e727 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +541,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +542,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -220258,7 +220284,7 @@ index 346d011..d55e727 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +594,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +595,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) 
@@ -220940,7 +220966,7 @@ index fe0c682..da12170 100644 + allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..f0a738c 100644 +index 5fc0391..94900fb 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3) @@ -221269,10 +221295,14 @@ index 5fc0391..f0a738c 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,6 +338,28 @@ optional_policy(` +@@ -279,6 +338,32 @@ optional_policy(` ') optional_policy(` ++ rsync_read_data(sshd_t) ++') ++ ++optional_policy(` + systemd_exec_systemctl(sshd_t) +') + @@ -221298,7 +221328,7 @@ index 5fc0391..f0a738c 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -286,6 +367,29 @@ optional_policy(` +@@ -286,6 +371,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -221328,7 +221358,7 @@ index 5fc0391..f0a738c 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +398,26 @@ optional_policy(` +@@ -294,19 +402,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -221356,7 +221386,7 @@ index 5fc0391..f0a738c 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +434,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +438,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -221369,7 +221399,7 @@ index 5fc0391..f0a738c 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +448,123 @@ optional_policy(` +@@ -331,3 +452,123 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -221494,7 +221524,7 @@ index 5fc0391..f0a738c 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..c92d1e2 100644 +index d1f64a0..146340a 100644 
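Review bot: `rsync_read_data(sshd_t)` grants the privileged sshd daemon itself, rather than the user session it spawns, unconditional read access to rsync_data_t. rsync over ssh normally runs rsync in the logged-in user's domain after the shell transition, so the hunk should say which sshd code path touches rsync_data_t directly (a ChrootDirectory or ForceCommand setup is one guess, but nothing here confirms it). Since not every sshd host serves rsync data, wrapping the call in a `tunable_policy` boolean instead of an always-on optional_policy block would keep the default exposure of sshd_t unchanged.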
--- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -221555,7 +221585,7 @@ index d1f64a0..c92d1e2 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +75,30 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +75,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -221589,10 +221619,11 @@ index d1f64a0..c92d1e2 100644 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,25 +125,49 @@ ifndef(`distro_debian',` +@@ -92,25 +126,49 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -221648,7 +221679,7 @@ index d1f64a0..c92d1e2 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..f74788a 100644 +index 6bf0ecc..8a8ed32 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -222445,7 +222476,7 @@ index 6bf0ecc..f74788a 100644 ') ######################################## -@@ -1284,10 +1618,559 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1618,577 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
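Review bot: Labelling `/usr/bin/x11vnc` as xserver_exec_t puts a network-facing VNC bridge, which as far as I know attaches to an already running display rather than driving hardware, into xserver_t, the domain that the xserver.te hunks further down grant `dev_rw_framebuffer`, `dev_rw_agp`, `dev_manage_dri_dev` and, in the added `tcpd_wrapped_domain(xserver_t, xserver_exec_t)` block, launch via tcpd. The adjacent Xvnc line fits because Xvnc is itself an X server; for x11vnc a dedicated domain, or at least a comment recording why xserver_t was chosen, would keep the remote-access surface out of the hardware-privileged domain. This note covers both the xserver.fc hunk here and the tcpd hunk in xserver.te.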
@@ -222669,6 +222700,24 @@ index 6bf0ecc..f74788a 100644 + +######################################## +## ++## Allow ioctl the xdm log files. ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_xdm_ioctl_log',` ++ gen_require(` ++ type xdm_log_t; ++ ') ++ ++ allow $1 xdm_log_t:file ioctl; ++') ++ ++######################################## ++## +## Allow append the xdm +## tmp files. +## @@ -223008,7 +223057,7 @@ index 6bf0ecc..f74788a 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..92cfa7e 100644 +index 2696452..5a2bd5f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -223689,7 +223738,7 @@ index 2696452..92cfa7e 100644 ') optional_policy(` -@@ -514,12 +739,71 @@ optional_policy(` +@@ -514,12 +739,72 @@ optional_policy(` ') optional_policy(` @@ -223746,6 +223795,7 @@ index 2696452..92cfa7e 100644 optional_policy(` + gnome_stream_connect_gkeyringd(xdm_t) ++ gnome_exec_gstreamer_home_files(xdm_t) + gnome_exec_keyringd(xdm_t) + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) @@ -223761,7 +223811,7 @@ index 2696452..92cfa7e 100644 hostname_exec(xdm_t) ') -@@ -537,28 +821,78 @@ optional_policy(` +@@ -537,28 +822,78 @@ optional_policy(` ') optional_policy(` @@ -223849,7 +223899,7 @@ index 2696452..92cfa7e 100644 ') optional_policy(` -@@ -570,6 +904,14 @@ optional_policy(` +@@ -570,6 +905,14 @@ optional_policy(` ') optional_policy(` @@ -223864,7 +223914,7 @@ index 2696452..92cfa7e 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +936,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -223877,7 +223927,7 @@ index 2696452..92cfa7e 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +953,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -223893,7 +223943,7 @@ index 2696452..92cfa7e 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +980,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -223915,7 +223965,7 @@ index 2696452..92cfa7e 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1000,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -223929,7 +223979,7 @@ index 2696452..92cfa7e 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1026,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1027,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -223960,7 +224010,7 @@ index 2696452..92cfa7e 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1057,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -223974,7 +224024,7 @@ index 2696452..92cfa7e 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1076,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1077,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -223998,7 +224048,7 @@ index 2696452..92cfa7e 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1095,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1096,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -224007,7 +224057,7 @@ index 2696452..92cfa7e 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1139,40 @@ optional_policy(` +@@ -775,16 +1140,44 @@ optional_policy(` ') optional_policy(` @@ -224040,6 +224090,10 @@ index 2696452..92cfa7e 100644 +') + +optional_policy(` ++ tcpd_wrapped_domain(xserver_t, xserver_exec_t) ++') ++ ++optional_policy(` udev_read_db(xserver_t) ') @@ -224049,7 +224103,7 @@ index 2696452..92cfa7e 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1181,10 @@ optional_policy(` +@@ -793,6 +1186,10 @@ optional_policy(` ') optional_policy(` @@ -224060,7 +224114,7 @@ index 2696452..92cfa7e 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1205,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -224074,7 +224128,7 @@ index 2696452..92cfa7e 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1216,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -224083,7 +224137,7 @@ index 2696452..92cfa7e 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1224,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1229,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -224118,7 +224172,7 @@ index 2696452..92cfa7e 100644 ') optional_policy(` -@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1294,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -224127,7 +224181,7 @@ index 2696452..92cfa7e 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1348,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -224159,7 +224213,7 @@ index 2696452..92cfa7e 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1394,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -225773,7 +225827,7 @@ index 016a770..1effeb4 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 6c4b6ee..417f5e5 100644 +index 6c4b6ee..4ea7640 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,6 +13,9 @@ role system_r types fsadm_t; @@ -225821,7 +225875,7 @@ index 6c4b6ee..417f5e5 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -133,21 +147,24 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -225830,6 +225884,8 @@ index 6c4b6ee..417f5e5 100644 term_use_console(fsadm_t) ++auth_read_passwd(fsadm_t) ++ +init_read_state(fsadm_t) init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) @@ -225848,7 +225904,7 @@ index 6c4b6ee..417f5e5 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +183,11 @@ optional_policy(` +@@ -166,6 +185,11 @@ optional_policy(` ') optional_policy(` @@ -225860,7 +225916,7 @@ index 6c4b6ee..417f5e5 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -179,6 +201,10 @@ optional_policy(` +@@ -179,6 +203,10 @@ optional_policy(` ') optional_policy(` @@ -225871,7 +225927,7 @@ index 6c4b6ee..417f5e5 100644 nis_use_ypbind(fsadm_t) ') -@@ -192,6 +218,10 @@ optional_policy(` +@@ -192,6 +220,10 @@ optional_policy(` ') optional_policy(` 
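Review bot: `++auth_read_passwd(fsadm_t)` in the fstools.te hunk at `@@ -133,21 +147,26 @@` arrives with no comment, and since the surrounding block is a flat list of interface calls the reason disappears as soon as the commit message is out of sight. The message attributes it to fsck.xfs, so `# fsck.xfs needs to read /etc/passwd` above the call would preserve that. It is also worth the note because `auth_` interfaces are easily assumed to touch credential files, while this one only grants passwd, not shadow. The fsadm_t section continues outside the hunk.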
@@ -227302,7 +227358,7 @@ index 24e7804..386109d 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..aab0c5a 100644 +index dd3be8d..6114976 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -227488,7 +227544,7 @@ index dd3be8d..aab0c5a 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +221,45 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +221,48 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -227496,8 +227552,11 @@ index dd3be8d..aab0c5a 100644 mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) ++mls_file_downgrade(init_t) ++mls_file_upgrade(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) ++mls_fd_share_all_levels(init_t) +mls_socket_read_all_levels(init_t) +mls_socket_write_all_levels(init_t) + @@ -227537,7 +227596,7 @@ index dd3be8d..aab0c5a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +268,177 @@ ifdef(`distro_gentoo',` +@@ -186,29 +271,177 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -227723,7 +227782,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -216,6 +446,27 @@ optional_policy(` +@@ -216,6 +449,27 @@ optional_policy(` ') optional_policy(` @@ -227751,7 +227810,7 @@ index dd3be8d..aab0c5a 100644 unconfined_domain(init_t) ') -@@ -225,8 +476,9 @@ optional_policy(` +@@ -225,8 +479,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
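Review bot: The justification for `++mls_file_downgrade(init_t)` and `++mls_file_upgrade(init_t)` in the init.te hunk at `@@ -156,28 +221,48 @@` is missing: these let PID 1 relabel files across sensitivity levels, which is a declassification/upgrade privilege rather than the read/write-at-all-levels access the neighbouring lines already grant, and the commit message only says "MLS fixes". A comment naming the denied boot operation would let a reviewer judge whether the already-present `mls_file_write_all_levels(init_t)` covers it, e.g. `# init relabels <boot-time file> between levels (<denial>); mlsfileupgrade/mlsfiledowngrade, keep scoped to init_t`. The same question applies to `++mls_fd_share_all_levels(init_t)` a few lines below, presumably for descriptors handed to services at other levels. The init_t section continues outside the hunk.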
@@ -227763,7 +227822,7 @@ index dd3be8d..aab0c5a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +509,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -227780,7 +227839,7 @@ index dd3be8d..aab0c5a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +534,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -227823,7 +227882,7 @@ index dd3be8d..aab0c5a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +571,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -227835,7 +227894,7 @@ index dd3be8d..aab0c5a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +583,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +586,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -227846,7 +227905,7 @@ index dd3be8d..aab0c5a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +594,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +597,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -227856,7 +227915,7 @@ index dd3be8d..aab0c5a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +603,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +606,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -227864,7 +227923,7 @@ index dd3be8d..aab0c5a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +610,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -227872,7 +227931,7 @@ index dd3be8d..aab0c5a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +618,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +621,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -227890,7 +227949,7 @@ index dd3be8d..aab0c5a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +636,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -227904,7 +227963,7 @@ index dd3be8d..aab0c5a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +651,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -227918,7 +227977,7 @@ index dd3be8d..aab0c5a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +664,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -227926,7 +227985,7 @@ index dd3be8d..aab0c5a 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +676,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -227934,7 +227993,7 @@ index dd3be8d..aab0c5a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +695,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -227958,7 +228017,7 @@ index dd3be8d..aab0c5a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +728,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +731,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -227966,7 +228025,7 @@ index dd3be8d..aab0c5a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +762,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +765,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -227977,7 +228036,7 @@ index dd3be8d..aab0c5a 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +786,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +789,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -227986,7 +228045,7 @@ index dd3be8d..aab0c5a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +801,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +804,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -227994,7 +228053,7 @@ index dd3be8d..aab0c5a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +822,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +825,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -228002,7 +228061,7 @@ index dd3be8d..aab0c5a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +832,40 @@ ifdef(`distro_redhat',` +@@ -549,8 +835,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -228039,11 +228098,15 @@ index dd3be8d..aab0c5a 100644 + ') + + optional_policy(` ++ ntp_filetrans_named_content(initrc_t) ++ ') ++ ++ optional_policy(` + pulseaudio_stream_connect(initrc_t) ') optional_policy(` -@@ -558,14 +873,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +880,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -228075,7 +228138,7 @@ index dd3be8d..aab0c5a 100644 ') ') -@@ -576,6 +908,39 @@ ifdef(`distro_suse',` +@@ -576,6 +915,39 @@ ifdef(`distro_suse',` ') ') @@ -228115,7 +228178,7 @@ index dd3be8d..aab0c5a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +953,8 @@ optional_policy(` +@@ -588,6 +960,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -228124,7 +228187,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -609,6 +976,7 @@ optional_policy(` +@@ -609,6 +983,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -228132,7 +228195,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -625,6 +993,17 @@ optional_policy(` +@@ -625,6 +1000,17 @@ optional_policy(` ') optional_policy(` @@ -228150,7 +228213,7 @@ index dd3be8d..aab0c5a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1020,13 @@ optional_policy(` +@@ -641,9 +1027,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -228164,7 +228227,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -656,15 +1039,11 @@ optional_policy(` +@@ -656,15 +1046,11 @@ optional_policy(` ') optional_policy(` @@ -228182,7 +228245,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -685,6 +1064,15 @@ optional_policy(` +@@ -685,6 +1071,15 @@ optional_policy(` ') optional_policy(` @@ -228198,7 +228261,7 @@ index dd3be8d..aab0c5a 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1113,7 @@ optional_policy(` +@@ -725,6 +1120,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -228206,7 +228269,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -742,7 +1131,14 @@ optional_policy(` +@@ -742,7 +1138,14 @@ optional_policy(` ') optional_policy(` @@ -228221,7 +228284,7 @@ index dd3be8d..aab0c5a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1161,10 @@ optional_policy(` +@@ -765,6 +1168,10 @@ optional_policy(` ') optional_policy(` @@ -228232,7 +228295,7 @@ index dd3be8d..aab0c5a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1174,20 @@ optional_policy(` +@@ -774,10 +1181,20 @@ optional_policy(` ') optional_policy(` @@ -228253,7 +228316,7 @@ index dd3be8d..aab0c5a 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1196,10 @@ optional_policy(` +@@ -786,6 +1203,10 @@ optional_policy(` ') optional_policy(` 
@@ -228264,7 +228327,7 @@ index dd3be8d..aab0c5a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1221,6 @@ optional_policy(` +@@ -807,8 +1228,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -228273,7 +228336,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -817,6 +1229,10 @@ optional_policy(` +@@ -817,6 +1236,10 @@ optional_policy(` ') optional_policy(` @@ -228284,7 +228347,7 @@ index dd3be8d..aab0c5a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1242,12 @@ optional_policy(` +@@ -826,10 +1249,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -228297,7 +228360,7 @@ index dd3be8d..aab0c5a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1274,27 @@ optional_policy(` +@@ -856,12 +1281,27 @@ optional_policy(` ') optional_policy(` @@ -228326,7 +228389,7 @@ index dd3be8d..aab0c5a 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1304,18 @@ optional_policy(` +@@ -871,6 +1311,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -228345,7 +228408,7 @@ index dd3be8d..aab0c5a 100644 ') optional_policy(` -@@ -886,6 +1331,10 @@ optional_policy(` +@@ -886,6 +1338,10 @@ optional_policy(` ') optional_policy(` @@ -228356,7 +228419,7 @@ index dd3be8d..aab0c5a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1345,185 @@ optional_policy(` +@@ -896,3 +1352,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -230379,7 +230442,7 @@ index 4e94884..23894f4 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..d9a4b9b 100644 +index 39ea221..9437d6f 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te 
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -230657,7 +230720,7 @@ index 39ea221..d9a4b9b 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +507,18 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +507,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -230666,6 +230729,7 @@ index 39ea221..d9a4b9b 100644 +fs_search_cgroup_dirs(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram term_write_console(syslogd_t) # Allow syslog to a terminal @@ -230676,7 +230740,7 @@ index 39ea221..d9a4b9b 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +530,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +531,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -230690,7 +230754,7 @@ index 39ea221..d9a4b9b 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +571,36 @@ optional_policy(` +@@ -502,15 +572,36 @@ optional_policy(` ') optional_policy(` @@ -230727,7 +230791,7 @@ index 39ea221..d9a4b9b 100644 ') optional_policy(` -@@ -521,3 +611,24 @@ optional_policy(` +@@ -521,3 +612,24 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -234038,10 +234102,10 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 346a7cc..1285089 100644 +index 346a7cc..2fa1253 100644 --- a/policy/modules/system/sysnetwork.fc 
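Review bot: The comment on the new `++mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram` line in the logging.te hunk at `@@ -442,14 +507,19 @@` has a typo and stops short of saying which peer sockets are meant, so a reader cannot tell whether syslogd is writing to client sockets or to another logger. Suggest `# Need to be able to sendto dgram sockets of processes at any MLS level`, naming the actual peer if the denial identified one. Because this lets syslogd write down to lower levels, stating the peer is worth the extra words. The syslogd_t section continues outside the hunk.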
+++ b/policy/modules/system/sysnetwork.fc -@@ -17,10 +17,10 @@ ifdef(`distro_debian',` +@@ -17,14 +17,15 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -234055,7 +234119,12 @@ index 346a7cc..1285089 100644 /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -@@ -55,6 +55,20 @@ ifdef(`distro_redhat',` + /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) + + /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) + /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) +@@ -55,6 +56,20 @@ ifdef(`distro_redhat',` # # /usr # @@ -234076,14 +234145,14 @@ index 346a7cc..1285089 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -72,3 +86,5 @@ ifdef(`distro_redhat',` +@@ -72,3 +87,5 @@ ifdef(`distro_redhat',` ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..729dc8c 100644 +index 6944526..ec17624 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -234309,7 +234378,7 @@ index 6944526..729dc8c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +883,73 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +883,74 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
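Review bot: `++/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)` widens who may choose the system's time sources and carries no comment saying why: net_conf_t is the resolv.conf type, so whichever domains this module lets manage net_conf_t (via sysnet_manage_config, and the new `files_etc_filetrans($1, net_conf_t, file, "ntp.conf")` in the sysnetwork.if hunk on the next line) can now rewrite the NTP server list, and time feeds certificate validity checks and log timestamps. Suggest `# ntp.conf is net_conf_t so the DHCP client / NetworkManager can rewrite it from DHCP NTP options` above the spec if that is the intent. Also check the ntp module's own file contexts for a spec on the same path: two modules labelling `/etc/ntp\.conf` with different types fail at build time, and even an identical one is a duplicate to drop.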
@@ -234382,6 +234451,7 @@ index 6944526..729dc8c 100644 + files_etc_filetrans($1, net_conf_t, file, "hosts.deny") + files_etc_filetrans($1, net_conf_t, file, "ethers") + files_etc_filetrans($1, net_conf_t, file, "yp.conf") ++ files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index b7686d5..7f2928d 100644 @@ -234702,10 +234772,10 @@ index b7686d5..7f2928d 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..4c08b36 +index 0000000..4221a94 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,37 @@ +@@ -0,0 +1,38 @@ +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) @@ -234726,6 +234796,7 @@ index 0000000..4c08b36 +/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) ++/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) +/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0) @@ -235792,10 +235863,10 @@ index 0000000..a4b0917 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..26a2c8a +index 0000000..9b74225 --- /dev/null 
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,590 @@ +@@ -0,0 +1,612 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -235871,6 +235942,10 @@ index 0000000..26a2c8a +type systemd_timedated_exec_t; +init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t) + ++type systemd_sysctl_t; ++type systemd_sysctl_exec_t; ++init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t) ++ +####################################### +# +# Systemd_logind local policy @@ -236045,8 +236120,8 @@ index 0000000..26a2c8a +logging_send_syslog_msg(systemd_passwd_agent_t) +logging_stream_connect_syslog(systemd_passwd_agent_t) + -+ +userdom_use_user_ptys(systemd_passwd_agent_t) ++userdom_use_inherited_user_ttys(systemd_passwd_agent_t) + +optional_policy(` + lvm_signull(systemd_passwd_agent_t) @@ -236386,6 +236461,24 @@ index 0000000..26a2c8a + policykit_read_lib(systemd_timedated_t) + policykit_read_reload(systemd_timedated_t) +') ++ ++######################################## ++# ++# systemd_sysctl domains local policy ++# ++allow systemd_sysctl_t self:capability net_admin; ++allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; ++ ++kernel_dgram_send(systemd_sysctl_t) ++kernel_rw_all_sysctls(systemd_sysctl_t) ++ ++files_read_system_conf_files(systemd_sysctl_t) ++ ++domain_use_interactive_fds(systemd_sysctl_t) ++ ++files_read_etc_files(systemd_sysctl_t) ++ ++logging_stream_connect_syslog(systemd_sysctl_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc @@ -237757,7 +237850,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..f2fe86e 100644 +index 3c5dba7..a598a86 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
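Review bot: The new `systemd_sysctl_t` block in the systemd.te hunk at `@@ -236386,6 +236461,24 @@` calls `logging_stream_connect_syslog(systemd_sysctl_t)` but not `logging_send_syslog_msg`, unlike the other domains earlier in this file (systemd_passwd_agent_t calls both); if the sysctl domain logs at all, the `self:unix_dgram_socket` rule above suggests the dgram path is what is needed, so `logging_send_syslog_msg(systemd_sysctl_t)` next to the existing connect line would follow the file's convention. The `net_admin` capability and `kernel_rw_all_sysctls` appear to be the tool's job (writing every key from sysctl.d, net.* included), but that breadth is exactly why the block deserves a header comment saying so, e.g. `# systemd-sysctl writes all sysctls from /etc/sysctl.d, hence net_admin; its config sources (system_conf_t, etc_t) stay read-only`. The domain's type declaration is in an earlier hunk on this line.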
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -238943,7 +239036,7 @@ index 3c5dba7..f2fe86e 100644 ') optional_policy(` -@@ -951,12 +1213,26 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1213,30 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -238968,10 +239061,14 @@ index 3c5dba7..f2fe86e 100644 + optional_policy(` + udev_read_db($1_usertype) + ') ++ ++ optional_policy(` ++ xserver_xdm_ioctl_log($1_t) ++ ') ') ####################################### -@@ -990,27 +1266,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1270,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -239009,7 +239106,7 @@ index 3c5dba7..f2fe86e 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1303,57 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1307,57 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -239054,15 +239151,15 @@ index 3c5dba7..f2fe86e 100644 + optional_policy(` + systemd_dbus_chat_timedated($1_t) + systemd_dbus_chat_hostnamed($1_t) -+ ') -+ -+ optional_policy(` -+ gpm_stream_connect($1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) ++ gpm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) + ') @@ -239077,7 +239174,7 @@ index 3c5dba7..f2fe86e 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1362,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1366,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -239088,7 +239185,7 @@ index 3c5dba7..f2fe86e 100644 ') ') -@@ -1082,7 +1400,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1404,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
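Review bot: `++ xserver_xdm_ioctl_log($1_t)` in the userdom_restricted_xwindows_user_template hunk at `@@ -951,12 +1213,30 @@` grants only the base `$1_t` domain, while the neighbouring optional block in the same hunk uses the `$1_usertype` attribute (`udev_read_db($1_usertype)`), which elsewhere in these templates appears to be the broader set covering derived user domains; if the lxdm.log ioctl denial came from a derived domain this will not fix it. Either switch to `xserver_xdm_ioctl_log($1_usertype)` for consistency, or keep `$1_t` and add `# only the base user domain needs ioctl on the xdm log (lxdm)` so the narrower grant reads as deliberate. The template continues outside the hunk.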
@@ -239097,7 +239194,7 @@ index 3c5dba7..f2fe86e 100644 ') ############################## -@@ -1109,6 +1427,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1431,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -239105,7 +239202,7 @@ index 3c5dba7..f2fe86e 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1436,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1440,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -239115,7 +239212,7 @@ index 3c5dba7..f2fe86e 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1453,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1457,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -239123,7 +239220,7 @@ index 3c5dba7..f2fe86e 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1471,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1475,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -239138,7 +239235,7 @@ index 3c5dba7..f2fe86e 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1489,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1493,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -239181,7 +239278,7 @@ index 3c5dba7..f2fe86e 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1530,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1534,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -239190,7 +239287,7 @@ index 3c5dba7..f2fe86e 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1539,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1543,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -239209,7 +239306,7 @@ index 3c5dba7..f2fe86e 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1595,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1599,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -239218,7 +239315,7 @@ index 3c5dba7..f2fe86e 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1609,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1613,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -239230,7 +239327,7 @@ index 3c5dba7..f2fe86e 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,35 +1623,37 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1627,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -239259,29 +239356,21 @@ index 3c5dba7..f2fe86e 100644 - optional_policy(` - dmesg_exec($1) +- ') +- +- optional_policy(` +- ipsec_run_setkey($1, $2) + optional_policy(` + ipsec_run_setkey($1,$2) ') optional_policy(` -- ipsec_run_setkey($1, $2) +- netlabel_run_mgmt($1, $2) + netlabel_run_mgmt($1,$2) ') optional_policy(` -- netlabel_run_mgmt($1, $2) -+ samhain_run($1, $2) - ') -- -- optional_policy(` -- samhain_run($1, $2) -- ') --') -+') - - ######################################## - ## -@@ -1360,14 +1708,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1712,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -239300,7 +239389,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1408,6 +1759,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1763,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -239352,7 +239441,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1908,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1912,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -239384,7 +239473,7 @@ index 3c5dba7..f2fe86e 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1974,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1978,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -239399,7 +239488,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1573,9 +1997,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2001,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -239411,7 +239500,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1632,6 +2058,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2062,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -239454,7 +239543,7 @@ index 3c5dba7..f2fe86e 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2173,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2177,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -239463,7 +239552,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1744,10 +2208,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2212,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -239478,7 +239567,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1772,7 +2238,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2242,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -239487,7 +239576,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -1780,19 +2246,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2250,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -239511,7 +239600,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -1800,31 +2264,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2268,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # 
@@ -239551,7 +239640,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1848,6 +2312,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2316,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -239577,7 +239666,7 @@ index 3c5dba7..f2fe86e 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2361,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2365,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -239615,7 +239704,7 @@ index 3c5dba7..f2fe86e 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2401,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2405,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -239633,7 +239722,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -1941,7 +2449,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2453,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -239660,7 +239749,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -1951,17 +2477,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2481,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -239681,7 +239770,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -1969,12 +2493,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2497,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -239732,7 +239821,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -2010,8 +2570,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2574,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -239742,7 +239831,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -2027,20 +2586,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2590,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -239767,7 +239856,7 @@ index 3c5dba7..f2fe86e 100644 ######################################## ## -@@ -2123,7 +2676,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2680,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -239776,7 +239865,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -2131,19 +2684,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2688,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -239800,7 +239889,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -2151,12 +2702,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2706,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -239816,7 +239905,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -2393,11 +2944,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2948,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -239831,7 +239920,7 @@ index 3c5dba7..f2fe86e 100644 files_search_tmp($1) ') -@@ -2417,7 +2968,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2972,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -239840,7 +239929,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -2664,6 +3215,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3219,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -239866,7 +239955,7 @@ index 3c5dba7..f2fe86e 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3250,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3254,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -239882,7 +239971,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -2707,7 +3278,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3282,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -239891,7 +239980,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -2715,19 +3286,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3290,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -239905,78 +239994,28 @@ index 3c5dba7..f2fe86e 100644 - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmpfs_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Get the attributes of a user domain tty. ++') ++ ++######################################## ++## +## Execute user tmpfs files. - ## - ## - ## -@@ -2735,35 +3304,53 @@ interface(`userdom_manage_user_tmpfs_files',` - ## - ## - # --interface(`userdom_getattr_user_ttys',` -+interface(`userdom_execute_user_tmpfs_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmpfs_t; - ') - -- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; -+ allow $1 user_tmpfs_t:file execute; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of a user domain tty. -+## Get the attributes of a user domain tty. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`userdom_dontaudit_getattr_user_ttys',` -+interface(`userdom_getattr_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; -+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; - ') - - ######################################## - ## --## Set the attributes of a user domain tty. -+## Do not audit attempts to get the attributes of a user domain tty. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_getattr_user_ttys',` ++interface(`userdom_execute_user_tmpfs_files',` + gen_require(` -+ type user_tty_device_t; ++ type user_tmpfs_t; + ') + -+ dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of a user domain tty. 
- ## - ## - ## -@@ -2817,6 +3404,24 @@ interface(`userdom_use_user_ttys',` ++ allow $1 user_tmpfs_t:file execute; + ') + + ######################################## +@@ -2817,6 +3408,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -240001,7 +240040,7 @@ index 3c5dba7..f2fe86e 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3440,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3444,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -240044,7 +240083,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -2859,14 +3476,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3480,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -240082,7 +240121,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -2885,8 +3521,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3525,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -240112,7 +240151,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -2958,69 +3613,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3617,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -240213,7 +240252,7 @@ index 3c5dba7..f2fe86e 100644 ## ## ## -@@ -3028,12 +3682,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3686,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -240228,7 +240267,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -3097,7 +3751,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3755,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
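Review bot: The new `userdom_execute_user_tmpfs_files` interface grants `allow $1 user_tmpfs_t:file execute;`, and user_tmpfs_t is presumably content that user domains create and write themselves (the neighbouring `userdom_rw_user_tmpfs_files` and `userdom_manage_user_tmpfs_files` interfaces hand out write access to it), so any caller that already has write access gains a write-then-execute path through shared memory. The interface description should make that consequence explicit so callers do not treat it as a harmless read-side permission, e.g. `## Execute user tmpfs files. User domains write this type, so the caller effectively executes user-controlled content; callers should gate this behind a tunable.` Separately, `execute` on its own does not carry `open`/`read`; if callers are expected to exec these files directly rather than only map an already-open descriptor, an explicit `{ read execute open }` set is probably what is intended — worth confirming against the first caller.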
@@ -240237,7 +240276,7 @@ index 3c5dba7..f2fe86e 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3767,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3771,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -240271,7 +240310,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -3217,7 +3855,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3859,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -240280,7 +240319,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -3272,7 +3910,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3914,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -240346,7 +240385,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -3290,7 +3985,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3989,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -240355,7 +240394,7 @@ index 3c5dba7..f2fe86e 100644 ') ######################################## -@@ -3309,6 +4004,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4008,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -240363,7 +240402,7 @@ index 3c5dba7..f2fe86e 100644 kernel_search_proc($1) ') -@@ -3385,6 +4081,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4085,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -240406,7 +240445,7 @@ index 3c5dba7..f2fe86e 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4137,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4141,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -240431,7 +240470,7 @@ index 3c5dba7..f2fe86e 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4189,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4193,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fe2816c..eadbfcc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12581,10 +12581,36 @@ index da39f0f..6a96733 100644 /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) diff --git a/corosync.if b/corosync.if -index 694a037..283cf03 100644 +index 694a037..b836c07 100644 --- a/corosync.if +++ b/corosync.if -@@ -91,29 +91,54 @@ interface(`corosync_read_log',` +@@ -77,6 +77,25 @@ interface(`corosync_read_log',` + read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) + ') + ++####################################### ++## ++## Setattr corosync log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corosync_setattr_log',` ++ gen_require(` ++ type corosync_var_log_t; ++ ') ++ ++ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t) ++') ++ ++ + ##################################### + ## + ## Connect to corosync over a unix +@@ -91,29 +110,54 @@ interface(`corosync_read_log',` interface(`corosync_stream_connect',` gen_require(` type corosync_t, corosync_var_run_t; @@ -12645,7 +12671,7 @@ index 694a037..283cf03 100644 ') ###################################### -@@ -160,12 +185,17 @@ interface(`corosync_admin',` +@@ -160,12 +204,17 @@ interface(`corosync_admin',` type corosync_t, corosync_var_lib_t, corosync_var_log_t; type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; type corosync_initrc_exec_t; 
@@ -12665,7 +12691,7 @@ index 694a037..283cf03 100644 domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; allow $2 system_r; -@@ -183,4 +213,8 @@ interface(`corosync_admin',` +@@ -183,4 +232,8 @@ interface(`corosync_admin',` files_list_pids($1) admin_pattern($1, corosync_var_run_t) @@ -14303,7 +14329,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..69722fa 100644 +index 28e1b86..5f68577 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -14706,7 +14732,7 @@ index 28e1b86..69722fa 100644 ') optional_policy(` -@@ -353,102 +292,135 @@ optional_policy(` +@@ -353,102 +292,136 @@ optional_policy(` ') optional_policy(` @@ -14854,10 +14880,13 @@ index 28e1b86..69722fa 100644 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) +# write temporary files ++manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) - filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) - files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) +-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) ++filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file }) ++files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file }) +# var/lib files for system_crond +files_search_var_lib(system_cronjob_t) 
@@ -14871,7 +14900,7 @@ index 28e1b86..69722fa 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -457,11 +429,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -14884,7 +14913,7 @@ index 28e1b86..69722fa 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +453,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -14892,7 +14921,7 @@ index 28e1b86..69722fa 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -491,15 +464,19 @@ files_getattr_all_files(system_cronjob_t) +@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -14915,7 +14944,7 @@ index 28e1b86..69722fa 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +488,23 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -14942,7 +14971,7 @@ index 28e1b86..69722fa 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +514,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
@@ -14960,7 +14989,7 @@ index 28e1b86..69722fa 100644 ') optional_policy(` -@@ -546,10 +533,6 @@ optional_policy(` +@@ -546,10 +534,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -14971,7 +15000,7 @@ index 28e1b86..69722fa 100644 ') optional_policy(` -@@ -581,6 +564,7 @@ optional_policy(` +@@ -581,6 +565,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -14979,7 +15008,7 @@ index 28e1b86..69722fa 100644 ') optional_policy(` -@@ -588,15 +572,19 @@ optional_policy(` +@@ -588,15 +573,19 @@ optional_policy(` ') optional_policy(` @@ -15001,7 +15030,7 @@ index 28e1b86..69722fa 100644 ') optional_policy(` -@@ -606,6 +594,7 @@ optional_policy(` +@@ -606,6 +595,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15009,7 +15038,7 @@ index 28e1b86..69722fa 100644 ') optional_policy(` -@@ -613,12 +602,24 @@ optional_policy(` +@@ -613,12 +603,24 @@ optional_policy(` ') optional_policy(` @@ -15035,7 +15064,7 @@ index 28e1b86..69722fa 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +627,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -15069,7 +15098,7 @@ index 28e1b86..69722fa 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +660,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +661,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -15550,7 +15579,7 @@ index 6ce66e7..1d0337a 100644 optional_policy(` 
diff --git a/cups.fc b/cups.fc -index 949011e..f3c8888 100644 +index 949011e..85b210b 100644 --- a/cups.fc +++ b/cups.fc @@ -1,77 +1,85 @@ @@ -15583,7 +15612,7 @@ index 949011e..f3c8888 100644 -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - -/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) ++/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
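Review bot: Relabeling `/etc/hp(/.*)?` from hplip_etc_t to cupsd_etc_t is the first of several hunks that fold the HP printing stack into the cupsd domain: the next hunk relabels `/usr/bin/hpijs`, `/usr/lib/cups/backend/hp.*`, `/usr/sbin/hp-[^/]+`, `/usr/sbin/hpiod` and `/usr/share/hplip/.*\.py` to cupsd_exec_t, and the cups.te hunk further down turns `hplip_t`, `hplip_exec_t`, `hplip_etc_t`, `hplip_tmp_t`, `hplip_var_run_t` and `hplip_var_log_t` into typealiases of the cupsd types. The effect is that every HP helper, including the Python scripts under /usr/share/hplip, now runs as cupsd_t and inherits its full capability set (`ipc_lock sys_admin dac_override ... sys_rawio sys_resource` in that same cups.te hunk), a clear loss of confinement compared with a dedicated hplip domain. If the merge is deliberate, the rationale belongs next to the typealiases, e.g. `# hplip_t merged into cupsd_t: <reason for the merge>; hplip helpers now inherit all cupsd_t capabilities`; otherwise consider keeping hplip_t as a separate cups_domain member that shares the attribute rules but not cupsd_t's raw-I/O capabilities.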
@@ -15607,26 +15636,27 @@ index 949011e..f3c8888 100644 -/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) +-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/hpiod -- 
gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) @@ -15637,7 +15667,7 @@ index 949011e..f3c8888 100644 -/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) +/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -15650,7 +15680,7 @@ index 949011e..f3c8888 100644 /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) + -+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) ++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) +/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) 
@@ -15659,16 +15689,18 @@ index 949011e..f3c8888 100644 -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0) ++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) +-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) ++/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) @@ -15686,7 +15718,7 @@ index 949011e..f3c8888 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..f0f1da3 100644 +index 06da9a0..ca832e1 100644 --- a/cups.if +++ b/cups.if @@ -15,6 +15,11 @@ 
@@ -15746,27 +15778,29 @@ index 06da9a0..f0f1da3 100644 ## All of the rules required to ## administrate an cups environment. ## -@@ -330,13 +361,18 @@ interface(`cups_admin',` +@@ -329,13 +360,18 @@ interface(`cups_admin',` + type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; - type hplip_t, ptal_t; +- type hplip_t, ptal_t; ++ type ptal_t; + type cupsd_unit_file_t; ') - allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; - allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; + allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms }; -+ allow $1 { cups_pdf_t hplip_t ptal_t }:process { signal_perms }; ++ allow $1 { cups_pdf_t ptal_t }:process { signal_perms }; ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) - ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) - +- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) ++ ps_process_pattern($1, { cups_pdf_t ptal_t }) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace; + ') -+ + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; @@ -353,8 +389,61 @@ interface(`cups_admin',` files_list_tmp($1) @@ -15832,30 +15866,146 @@ index 06da9a0..f0f1da3 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..c7a0a97 100644 +index 9f34c2e..f3e4a3e 100644 --- a/cups.te 
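Review bot: The `gen_require` of `cups_admin` still names `hplip_var_run_t` (context line `type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;`) while this hunk drops `hplip_t` from the require and from the `signal_perms` / `ps_process_pattern` sets. With cups.te now making hplip_var_run_t a typealias of cupsd_var_run_t, which is already required on the preceding line, the name still resolves but is redundant and inconsistent with the rest of the patch; change it to `type ptal_var_run_t, cupsd_initrc_exec_t;`. The body of cups_admin continues outside the hunk, so check whether a later `admin_pattern` still refers to the hplip_* alias names as well.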
+++ b/cups.te -@@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t) +@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) + # Declarations + # + +-type cupsd_config_t; ++attribute cups_domain; ++ ++type cupsd_config_t, cups_domain; + type cupsd_config_exec_t; + init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) + + type cupsd_config_var_run_t; + files_pid_file(cupsd_config_var_run_t) + +-type cupsd_t; ++type cupsd_t, cups_domain; + type cupsd_exec_t; ++typealias cupsd_t alias hplip_t; ++typealias cupsd_exec_t alias hplip_exec_t; + init_daemon_domain(cupsd_t, cupsd_exec_t) + mls_trusted_object(cupsd_t) + + type cupsd_etc_t; ++typealias cupsd_etc_t alias hplip_etc_t; + files_config_file(cupsd_etc_t) + + type cupsd_initrc_exec_t; +@@ -33,9 +38,13 @@ type cupsd_lock_t; + files_lock_file(cupsd_lock_t) + + type cupsd_log_t; ++typealias cupsd_log_t alias hplip_var_log_t; + logging_log_file(cupsd_log_t) + +-type cupsd_lpd_t; ++type cupsd_var_lib_t; ++files_type(cupsd_var_lib_t) ++ ++type cupsd_lpd_t, cups_domain; + type cupsd_lpd_exec_t; + domain_type(cupsd_lpd_t) + domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t) + type cupsd_lpd_var_run_t; + files_pid_file(cupsd_lpd_var_run_t) + +-type cups_pdf_t; ++type cups_pdf_t, cups_domain; + type cups_pdf_exec_t; + cups_backend(cups_pdf_t, cups_pdf_exec_t) + +@@ -55,29 +64,17 @@ type cups_pdf_tmp_t; + files_tmp_file(cups_pdf_tmp_t) + + type cupsd_tmp_t; ++typealias cupsd_tmp_t alias hplip_tmp_t; + files_tmp_file(cupsd_tmp_t) + + type cupsd_var_run_t; ++typealias cupsd_var_run_t alias hplip_var_run_t; + files_pid_file(cupsd_var_run_t) init_daemon_run_dir(cupsd_var_run_t, "cups") mls_trusted_object(cupsd_var_run_t) +-type hplip_t; +-type hplip_exec_t; +-init_daemon_domain(hplip_t, hplip_exec_t) +-cups_backend(hplip_t, hplip_exec_t) +- +-type hplip_etc_t; +-files_config_file(hplip_etc_t) +- +-type hplip_tmp_t; +-files_tmp_file(hplip_tmp_t) +- +-type hplip_var_lib_t; 
+-files_type(hplip_var_lib_t) +- +-type hplip_var_run_t; +-files_pid_file(hplip_var_run_t) +type cupsd_unit_file_t; +systemd_unit_file(cupsd_unit_file_t) -+ - type hplip_t; - type hplip_exec_t; - init_daemon_domain(hplip_t, hplip_exec_t) -@@ -76,6 +79,9 @@ files_tmp_file(hplip_tmp_t) - type hplip_var_lib_t; - files_type(hplip_var_lib_t) -+type hplip_var_log_t; -+logging_log_file(hplip_var_log_t) + type ptal_t; + type ptal_exec_t; +@@ -97,21 +94,46 @@ ifdef(`enable_mls',` + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) + ') + ++####################################### ++# ++# Cups general local policy ++# ++ ++allow cups_domain self:capability { setuid setgid }; ++allow cups_domain self:process signal_perms; ++allow cups_domain self:fifo_file rw_fifo_file_perms; ++allow cups_domain self:tcp_socket { accept listen }; ++ ++kernel_read_kernel_sysctls(cups_domain) ++kernel_read_network_state(cups_domain) + - type hplip_var_run_t; - files_pid_file(hplip_var_run_t) ++corecmd_exec_bin(cups_domain) ++corecmd_exec_shell(cups_domain) ++ ++dev_read_urand(cups_domain) ++dev_read_rand(cups_domain) ++dev_read_sysfs(cups_domain) ++ ++miscfiles_read_fonts(cups_domain) ++miscfiles_setattr_fonts_cache_dirs(cups_domain) ++ ++optional_policy(` ++ lpd_manage_spool(cups_domain) ++') ++ + ######################################## + # + # Cups local policy + # -@@ -120,6 +126,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; + allow cupsd_t self:capability2 block_suspend; +-allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +-allow cupsd_t 
self:fifo_file rw_fifo_file_perms; ++allow cupsd_t self:process { getpgid setpgid setsched }; + allow cupsd_t self:unix_stream_socket { accept connectto listen }; + allow cupsd_t self:netlink_selinux_socket create_socket_perms; + allow cupsd_t self:shm create_shm_perms; + allow cupsd_t self:sem create_sem_perms; +-allow cupsd_t self:tcp_socket { accept listen }; + allow cupsd_t self:appletalk_socket create_socket_perms; + + allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; +@@ -120,6 +142,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -15863,7 +16013,15 @@ index 9f34c2e..c7a0a97 100644 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -144,6 +151,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -139,22 +162,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) + ++manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) ++manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) ++ + manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) 
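Review bot: The new `cups_domain` attribute hands `self:capability { setuid setgid }`, `corecmd_exec_bin`, `corecmd_exec_shell`, `self:tcp_socket { accept listen }` and `lpd_manage_spool` to every member, and this hunk adds cups_pdf_t and cupsd_lpd_t to the attribute alongside cupsd_t and cupsd_config_t. For cupsd_t and cupsd_config_t this relocates rules the patch removes elsewhere, but whether cups_pdf_t and cupsd_lpd_t previously had shell execution, setuid/setgid and spool management is not visible here; if they did not, two backend domains are widened, and the `# Cups general local policy` banner should at least list the member domains and say why each needs a shell, e.g. `# Rules shared by all cups_domain members (cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t)`. Separately, the rewritten cupsd_t capability line keeps `dac_override` twice; `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown sys_rawio sys_resource sys_tty_config };` drops the duplicate.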
@@ -15871,7 +16029,23 @@ index 9f34c2e..c7a0a97 100644 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -@@ -166,7 +174,6 @@ kernel_read_network_state(cupsd_t) + manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) + +-allow cupsd_t hplip_t:process { signal sigkill }; +- +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++allow cupsd_t cupsd_unit_file_t:file read_file_perms; + +-allow cupsd_t hplip_var_run_t:file read_file_perms; + + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) + allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +186,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; + can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) + + kernel_read_system_state(cupsd_t) +-kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) kernel_request_load_module(cupsd_t) 
@@ -15879,7 +16053,32 @@ index 9f34c2e..c7a0a97 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -206,7 +213,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -189,12 +211,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) + corenet_tcp_bind_all_rpc_ports(cupsd_t) + corenet_tcp_connect_all_ports(cupsd_t) + +-corecmd_exec_bin(cupsd_t) +-corecmd_exec_shell(cupsd_t) ++corenet_sendrecv_hplip_client_packets(cupsd_t) ++corenet_receive_hplip_server_packets(cupsd_t) ++corenet_tcp_bind_hplip_port(cupsd_t) ++corenet_tcp_connect_hplip_port(cupsd_t) ++corenet_tcp_bind_glance_port(cupsd_t) ++corenet_tcp_connect_glance_port(cupsd_t) ++ ++corenet_sendrecv_ipp_client_packets(cupsd_t) ++corenet_tcp_connect_ipp_port(cupsd_t) ++ ++corenet_sendrecv_howl_server_packets(cupsd_t) ++corenet_udp_bind_howl_port(cupsd_t) + + dev_rw_printer(cupsd_t) +-dev_read_urand(cupsd_t) +-dev_read_sysfs(cupsd_t) + dev_rw_input_dev(cupsd_t) + dev_rw_generic_usb_dev(cupsd_t) + dev_rw_usbfs(cupsd_t) +@@ -206,7 +236,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -15887,7 +16086,7 @@ index 9f34c2e..c7a0a97 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,7 +221,6 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +244,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) 
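Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` sit among the new hplip/ipp/howl port rules, but glance is the OpenStack image-service port type and nothing in the hunk explains why the print daemon should bind or connect to it. If this is a port-number overlap between the hplip port range and the glance port, the two lines deserve a comment so the next reviewer does not strip them as unrelated, e.g. `# <confirm: glance_port_t overlaps a port hplip backends use>`; if there is no overlap they should go. The removal of `dev_read_urand`/`dev_read_sysfs` from cupsd_t in the same hunk is consistent with those rules now coming from cups_domain.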
@@ -15895,7 +16094,26 @@ index 9f34c2e..c7a0a97 100644 files_dontaudit_getattr_all_tmp_files(cupsd_t) files_dontaudit_list_home(cupsd_t) # for /etc/printcap -@@ -247,13 +252,11 @@ auth_dontaudit_read_pam_pid(cupsd_t) + files_dontaudit_write_etc_files(cupsd_t) ++files_dontaudit_write_usr_dirs(cupsd_t) + + fs_getattr_all_fs(cupsd_t) + fs_search_auto_mountpoints(cupsd_t) + fs_search_fusefs(cupsd_t) + fs_read_anon_inodefs_files(cupsd_t) ++fs_rw_anon_inodefs_files(cupsd_t) + + mls_fd_use_all_levels(cupsd_t) + mls_file_downgrade(cupsd_t) +@@ -235,6 +265,7 @@ mls_socket_write_all_levels(cupsd_t) + + term_search_ptys(cupsd_t) + term_use_unallocated_ttys(cupsd_t) ++term_use_ptmx(cupsd_t) + + selinux_compute_access_vector(cupsd_t) + selinux_validate_context(cupsd_t) +@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -15906,10 +16124,22 @@ index 9f34c2e..c7a0a97 100644 logging_send_syslog_msg(cupsd_t) -miscfiles_read_localization(cupsd_t) - miscfiles_read_fonts(cupsd_t) - miscfiles_setattr_fonts_cache_dirs(cupsd_t) +-miscfiles_read_fonts(cupsd_t) +-miscfiles_setattr_fonts_cache_dirs(cupsd_t) +- + seutil_read_config(cupsd_t) + + sysnet_exec_ifconfig(cupsd_t) ++sysnet_dns_name_resolve(cupsd_t) -@@ -275,6 +278,8 @@ optional_policy(` + userdom_dontaudit_use_unpriv_user_fds(cupsd_t) ++userdom_dontaudit_search_user_home_dirs(cupsd_t) ++userdom_dontaudit_search_user_home_content(cupsd_t) ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + + optional_policy(` +@@ -275,6 +305,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -15918,7 +16148,7 @@ index 9f34c2e..c7a0a97 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +290,10 @@ optional_policy(` +@@ -285,8 +317,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') 
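Review bot: The new side of this hunk ends up with `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` each listed twice — the added block repeats both calls that already appear as context immediately above and below it — so only `userdom_dontaudit_search_user_home_dirs(cupsd_t)` is genuinely new and the other two added lines should be dropped. `sysnet_dns_name_resolve(cupsd_t)` is also added while `auth_use_nsswitch(cupsd_t)` remains a few lines above; in upstream refpolicy auth_use_nsswitch already covers DNS name resolution, so the new call is probably redundant too — worth confirming against the local auth interface before keeping it.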
@@ -15929,7 +16159,7 @@ index 9f34c2e..c7a0a97 100644 ') ') -@@ -299,8 +306,8 @@ optional_policy(` +@@ -299,8 +333,8 @@ optional_policy(` ') optional_policy(` @@ -15939,7 +16169,15 @@ index 9f34c2e..c7a0a97 100644 ') optional_policy(` -@@ -337,7 +344,7 @@ optional_policy(` +@@ -309,7 +343,6 @@ optional_policy(` + + optional_policy(` + lpd_exec_lpr(cupsd_t) +- lpd_manage_spool(cupsd_t) + lpd_read_config(cupsd_t) + lpd_relabel_spool(cupsd_t) + ') +@@ -337,7 +370,7 @@ optional_policy(` ') optional_policy(` @@ -15948,7 +16186,33 @@ index 9f34c2e..c7a0a97 100644 ') ######################################## -@@ -386,7 +393,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +@@ -345,11 +378,9 @@ optional_policy(` + # Configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; ++allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; +-allow cupsd_config_t self:process { getsched signal_perms }; +-allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_config_t self:tcp_socket { accept listen }; ++allow cupsd_config_t self:process { getsched }; + + allow cupsd_config_t cupsd_t:process signal; + ps_process_pattern(cupsd_config_t, cupsd_t) +@@ -375,18 +406,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run + manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) + files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) + +-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) ++read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) + + stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + + can_exec(cupsd_config_t, cupsd_config_exec_t) + +-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +- kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) 
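Review bot: `domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)` and `read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)` are removed from cupsd_config_t in the new `@@ -375,18 +406,15 @@` hunk with no replacement visible in this chunk, while cups.te's own HPLIP section is deleted further down in this patch. If hplip now lives in its own module, the transition should come back as an optional block using that module's domtrans interface (`optional_policy(\` hplip_domtrans(cupsd_config_t) ')`, if the new module provides it); otherwise cupsd_config_t silently loses the ability to start hplip. The same hunk drops `setuid setgid` and the `self:process`, `self:fifo_file` and `self:tcp_socket` rules from cupsd_config_t, and the later `@@ -490,10 +509,6 @@` (cupsd_lpd_t) and `@@ -546,7 +554,6 @@` (cups_pdf_t) hunks drop the matching self rules; presumably these are re-granted through a shared attribute, but nothing in this chunk shows it, so confirm before merging.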
@@ -15956,7 +16220,16 @@ index 9f34c2e..c7a0a97 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -404,7 +410,6 @@ dev_read_rand(cupsd_config_t) +@@ -395,16 +423,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) + corenet_sendrecv_all_client_packets(cupsd_config_t) + corenet_tcp_connect_all_ports(cupsd_config_t) + +-corecmd_exec_bin(cupsd_config_t) +-corecmd_exec_shell(cupsd_config_t) +- +-dev_read_sysfs(cupsd_config_t) +-dev_read_urand(cupsd_config_t) +-dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) files_read_etc_runtime_files(cupsd_config_t) @@ -15964,19 +16237,19 @@ index 9f34c2e..c7a0a97 100644 files_read_var_symlinks(cupsd_config_t) files_search_all_mountpoints(cupsd_config_t) -@@ -420,11 +425,8 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +441,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) -miscfiles_read_localization(cupsd_config_t) - miscfiles_read_hwdata(cupsd_config_t) - +-miscfiles_read_hwdata(cupsd_config_t) +- -seutil_dontaudit_search_config(cupsd_config_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,6 +454,10 @@ optional_policy(` +@@ -452,9 +468,12 @@ optional_policy(` ') optional_policy(` 
@@ -15986,10 +16259,26 @@ index 9f34c2e..c7a0a97 100644 +optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) -@@ -513,13 +519,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) +- hal_dontaudit_use_fds(hplip_t) + ') + + optional_policy(` +@@ -490,10 +509,6 @@ optional_policy(` + # Lpd local policy + # + +-allow cupsd_lpd_t self:capability { setuid setgid }; +-allow cupsd_lpd_t self:process signal_perms; +-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_lpd_t self:tcp_socket { accept listen }; + allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + + allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; +@@ -511,20 +526,16 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + + kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) - kernel_read_network_state(cupsd_lpd_t) +-kernel_read_network_state(cupsd_lpd_t) -corenet_all_recvfrom_unlabeled(cupsd_lpd_t) corenet_all_recvfrom_netlabel(cupsd_lpd_t) 
@@ -16001,102 +16290,180 @@ index 9f34c2e..c7a0a97 100644 +corenet_tcp_connect_printer_port(cupsd_lpd_t) corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) - dev_read_urand(cupsd_lpd_t) -@@ -533,7 +539,6 @@ auth_use_nsswitch(cupsd_lpd_t) +-dev_read_urand(cupsd_lpd_t) +-dev_read_rand(cupsd_lpd_t) +- + fs_getattr_xattr_fs(cupsd_lpd_t) + + files_search_home(cupsd_lpd_t) +@@ -533,9 +544,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) -miscfiles_read_localization(cupsd_lpd_t) - miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) - +-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) +- optional_policy(` -@@ -562,14 +567,12 @@ fs_search_auto_mountpoints(cups_pdf_t) + inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + ') +@@ -546,7 +554,6 @@ optional_policy(` + # - kernel_read_system_state(cups_pdf_t) + allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +-allow cups_pdf_t self:fifo_file rw_fifo_file_perms; + allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; --files_read_usr_files(cups_pdf_t) + append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t) - corecmd_exec_bin(cups_pdf_t) - corecmd_exec_shell(cups_pdf_t) + kernel_read_system_state(cups_pdf_t) +-files_read_usr_files(cups_pdf_t) +- +-corecmd_exec_bin(cups_pdf_t) +-corecmd_exec_shell(cups_pdf_t) +- auth_use_nsswitch(cups_pdf_t) -miscfiles_read_localization(cups_pdf_t) - miscfiles_read_fonts(cups_pdf_t) - miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) - -@@ -582,9 +585,10 @@ tunable_policy(`use_nfs_home_dirs',` +-miscfiles_read_fonts(cups_pdf_t) +-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) +- + userdom_manage_user_home_content_dirs(cups_pdf_t) + userdom_manage_user_home_content_files(cups_pdf_t) + userdom_home_filetrans_user_home_dir(cups_pdf_t) +@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(cups_pdf_t) ') -tunable_policy(`use_samba_home_dirs',` - 
fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) +-') +userdom_home_manager(cups_pdf_t) -+ -+optional_policy(` -+ gnome_read_config(cups_pdf_t) - ') optional_policy(` -@@ -613,9 +617,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms; - allow hplip_t hplip_etc_t:file read_file_perms; - allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; - -+allow hplip_t cupsd_unit_file_t:file read_file_perms; -+ - manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - -+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file }) -+ - manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) - files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) - -@@ -627,7 +638,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - kernel_read_system_state(hplip_t) - kernel_read_kernel_sysctls(hplip_t) +- lpd_manage_spool(cups_pdf_t) ++ gnome_read_config(cups_pdf_t) + ') +-######################################## +-# +-# HPLIP local policy +-# +- +-allow hplip_t self:capability { dac_override dac_read_search net_raw }; +-dontaudit hplip_t self:capability sys_tty_config; +-allow hplip_t self:fifo_file rw_fifo_file_perms; +-allow hplip_t self:process signal_perms; +-allow hplip_t self:tcp_socket { accept listen }; +-allow hplip_t self:rawip_socket create_socket_perms; +- +-allow hplip_t cupsd_etc_t:dir search_dir_perms; +- +-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file }) +- +-allow hplip_t hplip_etc_t:dir list_dir_perms; +-allow hplip_t hplip_etc_t:file read_file_perms; +-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; +- 
+-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +- +-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) +- +-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) +-files_pid_filetrans(hplip_t, hplip_var_run_t, file) +- +-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +- +-kernel_read_system_state(hplip_t) +-kernel_read_kernel_sysctls(hplip_t) +- -corenet_all_recvfrom_unlabeled(hplip_t) - corenet_all_recvfrom_netlabel(hplip_t) - corenet_tcp_sendrecv_generic_if(hplip_t) - corenet_udp_sendrecv_generic_if(hplip_t) -@@ -644,6 +654,8 @@ corenet_sendrecv_hplip_client_packets(hplip_t) - corenet_receive_hplip_server_packets(hplip_t) - corenet_tcp_bind_hplip_port(hplip_t) - corenet_tcp_connect_hplip_port(hplip_t) -+corenet_tcp_bind_glance_port(hplip_t) -+corenet_tcp_connect_glance_port(hplip_t) - - corenet_sendrecv_ipp_client_packets(hplip_t) - corenet_tcp_connect_ipp_port(hplip_t) -@@ -662,17 +674,18 @@ dev_rw_usbfs(hplip_t) - - domain_use_interactive_fds(hplip_t) - +-corenet_all_recvfrom_netlabel(hplip_t) +-corenet_tcp_sendrecv_generic_if(hplip_t) +-corenet_udp_sendrecv_generic_if(hplip_t) +-corenet_raw_sendrecv_generic_if(hplip_t) +-corenet_tcp_sendrecv_generic_node(hplip_t) +-corenet_udp_sendrecv_generic_node(hplip_t) +-corenet_raw_sendrecv_generic_node(hplip_t) +-corenet_tcp_sendrecv_all_ports(hplip_t) +-corenet_udp_sendrecv_all_ports(hplip_t) +-corenet_tcp_bind_generic_node(hplip_t) +-corenet_udp_bind_generic_node(hplip_t) +- +-corenet_sendrecv_hplip_client_packets(hplip_t) +-corenet_receive_hplip_server_packets(hplip_t) +-corenet_tcp_bind_hplip_port(hplip_t) +-corenet_tcp_connect_hplip_port(hplip_t) +- +-corenet_sendrecv_ipp_client_packets(hplip_t) +-corenet_tcp_connect_ipp_port(hplip_t) +- +-corenet_sendrecv_howl_server_packets(hplip_t) +-corenet_udp_bind_howl_port(hplip_t) +- 
+-corecmd_exec_bin(hplip_t) +- +-dev_read_sysfs(hplip_t) +-dev_rw_printer(hplip_t) +-dev_read_urand(hplip_t) +-dev_read_rand(hplip_t) +-dev_rw_generic_usb_dev(hplip_t) +-dev_rw_usbfs(hplip_t) +- +-domain_use_interactive_fds(hplip_t) +- -files_read_etc_files(hplip_t) - files_read_etc_runtime_files(hplip_t) +-files_read_etc_runtime_files(hplip_t) -files_read_usr_files(hplip_t) -+files_dontaudit_write_usr_dirs(hplip_t) - - fs_getattr_all_fs(hplip_t) - fs_search_auto_mountpoints(hplip_t) - fs_rw_anon_inodefs_files(hplip_t) - +- +-fs_getattr_all_fs(hplip_t) +-fs_search_auto_mountpoints(hplip_t) +-fs_rw_anon_inodefs_files(hplip_t) +- -logging_send_syslog_msg(hplip_t) -+term_use_ptmx(hplip_t) - +- -miscfiles_read_localization(hplip_t) -+auth_read_passwd(hplip_t) -+ -+logging_send_syslog_msg(hplip_t) - - sysnet_dns_name_resolve(hplip_t) +- +-sysnet_dns_name_resolve(hplip_t) +- +-userdom_dontaudit_use_unpriv_user_fds(hplip_t) +-userdom_dontaudit_search_user_home_dirs(hplip_t) +-userdom_dontaudit_search_user_home_content(hplip_t) +- +-optional_policy(` +- dbus_system_bus_client(hplip_t) +- +- optional_policy(` +- userdom_dbus_send_all_users(hplip_t) +- ') +-') +- +-optional_policy(` +- lpd_read_config(hplip_t) +- lpd_manage_spool(hplip_t) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(hplip_t) +-') +- +-optional_policy(` +- snmp_read_snmp_var_lib_files(hplip_t) +-') +- +-optional_policy(` +- udev_read_db(hplip_t) +-') -@@ -731,7 +744,6 @@ kernel_read_kernel_sysctls(ptal_t) + ######################################## + # +@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
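Review bot: The `@@ -582,128 +580,12 @@` hunk deletes the entire HPLIP local policy from cups.te, from `allow hplip_t self:capability { dac_override dac_read_search net_raw };` through the `udev_read_db(hplip_t)` optional block, and nothing in this chunk re-creates it; unless hplip_t is declared and given these rules in a separate module, the domain ends up with no policy and every access is denied. In the same hunk the `use_samba_home_dirs` tunable block for cups_pdf_t is replaced by `userdom_home_manager(cups_pdf_t)` while the preceding `use_nfs_home_dirs` block (its tail `fs_manage_nfs_files(cups_pdf_t) ')` is still context) is kept — either keep both tunable blocks or let `userdom_home_manager` cover both, and say which with a comment such as `# home_manager attribute covers the nfs/cifs home tunables`. The optional block that previously held `lpd_manage_spool(cups_pdf_t)` now holds only `gnome_read_config(cups_pdf_t)`; a blank line between the two unrelated optional blocks would make that rewrite easier to read.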
@@ -16104,7 +16471,13 @@ index 9f34c2e..c7a0a97 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -747,7 +759,6 @@ dev_rw_printer(ptal_t) +@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) + corenet_tcp_bind_ptal_port(ptal_t) + corenet_tcp_sendrecv_ptal_port(ptal_t) + +-dev_read_sysfs(ptal_t) + dev_read_usbfs(ptal_t) + dev_rw_printer(ptal_t) domain_use_interactive_fds(ptal_t) @@ -16112,7 +16485,7 @@ index 9f34c2e..c7a0a97 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +766,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -19430,6 +19803,36 @@ index 5818418..674367b 100644 /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) +diff --git a/dmidecode.if b/dmidecode.if +index 41c3f67..653a1ec 100644 +--- a/dmidecode.if ++++ b/dmidecode.if +@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',` + domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) + ') + ++###################################### ++## ++## Execute dmidecode in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dmidecode_exec',` ++ gen_require(` ++ type dmidecode_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, dmidecode_exec_t) ++') ++ + ######################################## + ## + ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te index c947c2c..441d3f4 100644 --- a/dmidecode.te @@ -19652,7 +20055,7 @@ index 19aa0b8..b303b37 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..363af2a 100644 +index ba14bcf..12a8962 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) 
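Review bot: The new `dmidecode_exec` interface runs dmidecode inside the caller's own domain, so the caller must itself hold the raw memory device read that dmidecode needs — this patch later pays exactly that cost with `dev_read_raw_memory(openshift_cron_t)`. Prefer the existing `dmidecode_domtrans` wherever the caller only consumes the output, so that raw memory access stays confined to dmidecode_t, and state the trade-off in the interface description, e.g. `## Callers must hold dev_read_raw_memory(); prefer dmidecode_domtrans where possible.` The interface body itself (`corecmd_search_bin($1)` plus `can_exec($1, dmidecode_exec_t)`) follows the usual shape.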
@@ -19682,7 +20085,7 @@ index ba14bcf..363af2a 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,11 +98,16 @@ optional_policy(` +@@ -98,11 +98,20 @@ optional_policy(` ') optional_policy(` @@ -19695,11 +20098,15 @@ index ba14bcf..363af2a 100644 ') optional_policy(` ++ dnsmasq_domtrans(dnsmasq_t) ++') ++ ++optional_policy(` + networkmanager_read_conf(dnsmasq_t) networkmanager_read_pid_files(dnsmasq_t) ') -@@ -124,6 +129,7 @@ optional_policy(` +@@ -124,6 +133,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -20141,7 +20548,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..c482695 100644 +index a7bfaf0..412f08d 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -20482,7 +20889,7 @@ index a7bfaf0..c482695 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,31 +299,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +299,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -20515,6 +20922,8 @@ index a7bfaf0..c482695 100644 - fs_manage_nfs_symlinks(dovecot_deliver_t) -') +fs_getattr_all_fs(dovecot_deliver_t) ++fs_dontaudit_getattr_all_fs(dovecot_deliver_t) ++fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t) + +userdom_manage_user_home_content_dirs(dovecot_deliver_t) +userdom_manage_user_home_content_files(dovecot_deliver_t) 
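Review bot: `dnsmasq_domtrans(dnsmasq_t)` in the new `@@ -98,11 +98,20 @@` hunk of dnsmasq.te asks for a transition from dnsmasq_t to itself, which only yields exec rights on dnsmasq_exec_t plus a no-op `type_transition dnsmasq_t dnsmasq_exec_t:process dnsmasq_t`. If the goal is to let dnsmasq re-exec its own binary, `can_exec(dnsmasq_t, dnsmasq_exec_t)` states that directly, and because the interface is defined in this same module the `optional_policy` wrapper around it is not needed.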
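Review bot: `fs_dontaudit_getattr_all_fs(dovecot_deliver_t)` in the new `@@ -289,35 +299,41 @@` hunk of dovecot.te sits directly under `fs_getattr_all_fs(dovecot_deliver_t)`; a dontaudit on a permission that is already allowed can never fire. Drop the dontaudit line, or drop the allow if getattr on all filesystems is not actually required, so the intent is unambiguous.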
@@ -20534,7 +20943,12 @@ index a7bfaf0..c482695 100644 ') optional_policy(` -@@ -326,5 +339,6 @@ optional_policy(` + mta_mailserver_delivery(dovecot_deliver_t) ++ mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) + ') + +@@ -326,5 +342,6 @@ optional_policy(` ') optional_policy(` @@ -31172,9 +31586,18 @@ index 73e2803..562d25b 100644 files_search_pids($1) admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te -index 19f2b97..17f1883 100644 +index 19f2b97..23321e4 100644 --- a/l2tp.te +++ b/l2tp.te +@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) + # + + allow l2tpd_t self:capability net_admin; +-allow l2tpd_t self:process signal; ++allow l2tpd_t self:process signal_perms; + allow l2tpd_t self:fifo_file rw_fifo_file_perms; + allow l2tpd_t self:netlink_socket create_socket_perms; + allow l2tpd_t self:rawip_socket create_socket_perms; @@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) @@ -32263,7 +32686,7 @@ index 7bab8e5..5c6ac99 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..8023bf3 100644 +index 4256a4c..0311d82 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) @@ -32304,10 +32727,11 @@ index 4256a4c..8023bf3 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -137,6 +138,10 @@ optional_policy(` +@@ -137,6 +138,11 @@ optional_policy(` ') optional_policy(` ++ raid_domtrans_mdadm(logwatch_t) + raid_access_check_mdadm(logwatch_t) +') + @@ -32315,7 +32739,7 @@ index 4256a4c..8023bf3 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -164,6 +169,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +170,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -35923,7 +36347,7 @@ index 6194b80..60bb004 100644 ') + 
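Review bot: `mta_manage_spool(dovecot_deliver_t)` in the `@@ -20534,7 +20943,12 @@` hunk grants create, write and delete over the mail spool to the delivery agent, while the neighbouring rule only reads (`mta_read_queue(dovecot_deliver_t)`). If delivery only needs to create and append mailbox files, a narrower spool interface (append or rw rather than manage) limits what a compromised LDA can remove; if manage really is needed, for lock or temporary files for instance, a comment above the line saying so would save the next reviewer the question.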
diff --git a/mozilla.te b/mozilla.te -index 6a306ee..c4829d1 100644 +index 6a306ee..5f21325 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -36356,7 +36780,7 @@ index 6a306ee..c4829d1 100644 ') optional_policy(` -@@ -300,63 +316,53 @@ optional_policy(` +@@ -300,63 +316,54 @@ optional_policy(` ######################################## # @@ -36367,7 +36791,8 @@ index 6a306ee..c4829d1 100644 -dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; -allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -+dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config }; ++dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; ++dontaudit mozilla_plugin_t self:capability2 block_suspend; + +allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; 
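Review bot: `dontaudit mozilla_plugin_t self:capability2 block_suspend;` is added beside a dontaudit set that already silences `sys_admin` for the plugin domain. block_suspend denials are harmless noise, but a silenced `sys_admin` means a plugin process attempting privileged operations leaves no AVC record, and for a sandboxed browser plugin that is a detection signal worth keeping. Consider leaving `sys_admin` out of that set, or at least annotate it with the plugin that triggers it, e.g. `# sys_admin: <plugin name> probes it at startup` with the real name filled in.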
@@ -36438,18 +36863,18 @@ index 6a306ee..c4829d1 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) -@@ -366,155 +372,111 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) +@@ -366,155 +373,113 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -36569,6 +36994,7 @@ index 6a306ee..c4829d1 100644 +files_list_mnt(mozilla_plugin_t) +files_exec_usr_files(mozilla_plugin_t) +fs_rw_inherited_tmpfs_files(mozilla_plugin_t) ++files_dontaudit_all_access_check(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) -# fs_read_hugetlbfs_files(mozilla_plugin_t) @@ -36596,6 +37022,7 @@ index 6a306ee..c4829d1 100644 -miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) miscfiles_read_generic_certs(mozilla_plugin_t) ++miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) 
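Review bot: `miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)` in the `@@ -36596,6 +37022,7 @@` hunk hides write attempts by the plugin domain against the system certificate store. A denied write to trust-anchor files is one of the few AVCs an administrator would want to see from a browser plugin, so keep it audited and fix the plugin or its packaging instead; if one specific plugin opens certificates read-write as a probe, note that beside the line rather than silencing all of them. Separately, in the `@@ -36569,6 +36994,7 @@` hunk the new `files_dontaudit_all_access_check(mozilla_plugin_t)` lands after `fs_rw_inherited_tmpfs_files(mozilla_plugin_t)`, splitting the files_* group — move it up next to `files_exec_usr_files(mozilla_plugin_t)`.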
@@ -36665,7 +37092,7 @@ index 6a306ee..c4829d1 100644 ') optional_policy(` -@@ -523,36 +485,43 @@ optional_policy(` +@@ -523,36 +488,43 @@ optional_policy(` ') optional_policy(` @@ -36703,18 +37130,18 @@ index 6a306ee..c4829d1 100644 optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) + lpd_run_lpr(mozilla_plugin_t, mozilla_roles) ++') ++ ++optional_policy(` ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_manage_generic_home_content(mozilla_plugin_t) ++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ') optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_manage_generic_home_content(mozilla_plugin_t) - mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_manage_generic_home_content(mozilla_plugin_t) -+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") -+') -+ -+optional_policy(` + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) @@ -36723,7 +37150,7 @@ index 6a306ee..c4829d1 100644 ') optional_policy(` -@@ -560,7 +529,7 @@ optional_policy(` +@@ -560,7 +532,7 @@ optional_policy(` ') optional_policy(` @@ -36732,7 +37159,7 @@ index 6a306ee..c4829d1 100644 ') optional_policy(` -@@ -568,108 +537,104 @@ optional_policy(` +@@ -568,108 +540,104 @@ optional_policy(` ') optional_policy(` 
@@ -36760,12 +37187,12 @@ index 6a306ee..c4829d1 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) @@ -36788,7 +37215,7 @@ index 6a306ee..c4829d1 100644 +ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") -+dev_search_sysfs(mozilla_plugin_config_t) ++dev_read_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) @@ -44779,7 +45206,7 @@ index af3c91e..6882a3f 100644 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/ntp.if b/ntp.if -index b59196f..d60b451 100644 +index b59196f..017b36f 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ 
@@ -44944,7 +45371,7 @@ index b59196f..d60b451 100644 logging_list_logs($1) admin_pattern($1, ntpd_log_t) -@@ -164,5 +246,7 @@ interface(`ntp_admin',` +@@ -164,5 +246,28 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -44952,6 +45379,27 @@ index b59196f..d60b451 100644 + ntp_systemctl($1) + admin_pattern($1, ntpd_unit_file_t) + allow $1 ntpd_unit_file_t:service all_service_perms; ++ ++ ntp_filetrans_named_content($1) ++') ++ ++######################################## ++## ++## Transition content labels to ntp named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_filetrans_named_content',` ++ gen_require(` ++ type ntp_conf_t; ++ ') ++ ++ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") ++ files_etc_filetrans($1, ntp_conf_t, dir, "ntp") ') diff --git a/ntp.te b/ntp.te index b90e343..71042cd 100644 @@ -46420,13 +46868,15 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..c9a5f74 +index 0000000..e108d48 --- /dev/null +++ b/openshift.fc -@@ -0,0 +1,24 @@ +@@ -0,0 +1,26 @@ +/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + ++/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0) ++ +/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) +/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) @@ -46450,10 +46900,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..98ce2c3 +index 0000000..1a26cd5 --- /dev/null 
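Review bot: `ntp_filetrans_named_content` transitions a file created as `ntpd.conf` under /etc to ntp_conf_t, but the daemon's configuration file is conventionally named `ntp.conf`; confirm the name matches an entry in ntp.fc, because a named transition on a name that nothing creates is dead policy and the real file would get the directory's default label. If `/etc/ntp.conf` is deliberately labeled differently and `ntpd.conf` is intended, a comment on that `files_etc_filetrans` line saying so avoids the obvious question; the interface description should also list both names it handles, e.g. `## Label ntpd.conf and the ntp/ directory created under /etc as ntp_conf_t.`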
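Review bot: `/etc/cron.minutely/openshift-facts` in the openshift.fc hunk leaves the dot in `cron.minutely` unescaped, unlike the `rc\.d/init\.d` entries a few lines above; fc paths are regular expressions, so `.` matches any character. Write `/etc/cron\.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)`.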
+++ b/openshift.if -@@ -0,0 +1,644 @@ +@@ -0,0 +1,664 @@ + +## policy for openshift + @@ -46476,6 +46926,26 @@ index 0000000..98ce2c3 + domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t) +') + ++####################################### ++## ++## Execute openshift server in the openshift domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`openshift_initrc_run',` ++ gen_require(` ++ type openshift_initrc_t; ++ type openshift_initrc_exec_t; ++ ') ++ ++ openshift_initrc_domtrans($1) ++ role $2 types openshift_initrc_t; ++') ++ +######################################## +## +## Send a null signal to openshift init scripts. @@ -47100,10 +47570,10 @@ index 0000000..98ce2c3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..c69ca3f +index 0000000..4bc6574 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,378 @@ +@@ -0,0 +1,463 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -47135,7 +47605,6 @@ index 0000000..c69ca3f + oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) +') + -+ +type openshift_initrc_tmp_t; +files_tmp_file(openshift_initrc_tmp_t) + @@ -47171,6 +47640,19 @@ index 0000000..c69ca3f +type openshift_cgroup_read_exec_t; +application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t) + ++type openshift_cron_t; ++type openshift_cron_exec_t; ++domain_type(openshift_cron_t) ++domain_entry_file(openshift_cron_t, openshift_cron_exec_t) ++role system_r types openshift_cron_t; ++ ++optional_policy(` ++ cron_system_entry(openshift_cron_t, openshift_cron_exec_t) ++') ++ ++type openshift_cron_tmp_t, openshift_file_type; ++files_tmp_file(openshift_cron_tmp_t) ++ +######################################## +# +# Template to create openshift_t and openshift_app_t 
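Review bot: `openshift_initrc_run` uses `$2` in `role $2 types openshift_initrc_t;` but its description documents only one parameter (`The type of the process performing this action.`); add a second parameter entry for the role, e.g. `## Role allowed access.`, and fix the summary, which says "in the openshift domain" while the transition target is openshift_initrc_t. The `gen_require` also lists `openshift_initrc_exec_t`, which the body never references directly (`openshift_initrc_domtrans` requires it itself), so it can be dropped.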
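Review bot: The `@@ -47171,6 +47640,19 @@` hunk declares openshift_cron_t without a comment on what the job does, and the local policy for it further down in this patch grants `self:capability net_admin`, `dev_read_raw_memory(openshift_cron_t)` and `files_manage_etc_files(openshift_cron_t)` — a periodic job that reads the raw memory device and rewrites /etc is a lot for one domain. A one-line comment above `type openshift_cron_t;` naming the script and why it needs those accesses would let a reviewer judge the grants; if the raw memory read exists only for dmidecode, `dmidecode_domtrans` keeps it inside dmidecode_t instead.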
@@ -47290,6 +47772,7 @@ index 0000000..c69ca3f
 +dev_dontaudit_write_urand(openshift_domain)
 +dev_dontaudit_getattr_all_blk_files(openshift_domain)
 +dev_dontaudit_getattr_all_chr_files(openshift_domain)
++dev_dontaudit_all_access_check(openshift_domain)
 +
 +domain_use_interactive_fds(openshift_domain)
 +domain_dontaudit_read_all_domains_state(openshift_domain)
@@ -47482,6 +47965,78 @@ index 0000000..c69ca3f + +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; +read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t) ++ ++######################################## ++# ++# openshift_cron local policy ++# ++allow openshift_cron_t self:capability net_admin; ++allow openshift_cron_t self:process signal_perms; ++allow openshift_cron_t self:tcp_socket create_stream_socket_perms; ++allow openshift_cron_t self:udp_socket create_socket_perms; ++allow openshift_cron_t self:unix_dgram_socket create_socket_perms; ++allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file }) ++ ++openshift_manage_lib_dirs(openshift_cron_t) ++openshift_manage_lib_files(openshift_cron_t) ++ ++kernel_search_network_sysctl(openshift_cron_t) ++kernel_read_network_state(openshift_cron_t) ++kernel_read_system_state(openshift_cron_t) ++ ++corecmd_exec_bin(openshift_cron_t) ++corecmd_exec_shell(openshift_cron_t) ++ ++dev_read_raw_memory(openshift_cron_t) ++dev_read_urand(openshift_cron_t) ++ ++corenet_udp_bind_generic_node(openshift_cron_t) ++corenet_udp_bind_generic_port(openshift_cron_t) ++ ++dev_getattr_fs(openshift_cron_t) ++dev_list_sysfs(openshift_cron_t) ++dev_read_sysfs(openshift_cron_t) ++ ++files_getattr_home_dir(openshift_cron_t) ++files_manage_etc_files(openshift_cron_t) ++ ++fs_getattr_tmpfs_dirs(openshift_cron_t) ++fs_getattr_all_fs(openshift_cron_t) 
++fs_list_hugetlbfs(openshift_cron_t) ++fs_search_cgroup_dirs(openshift_cron_t) ++ ++seutil_domtrans_setfiles(openshift_cron_t) ++ ++term_getattr_pty_fs(openshift_cron_t) ++term_search_ptys(openshift_cron_t) ++ ++auth_use_nsswitch(openshift_cron_t) ++ ++miscfiles_read_generic_certs(openshift_cron_t) ++miscfiles_read_hwdata(openshift_cron_t) ++ ++sysnet_exec_ifconfig(openshift_cron_t) ++sysnet_read_config(openshift_cron_t) ++ ++optional_policy(` ++ dmidecode_exec(openshift_cron_t) ++') ++ ++optional_policy(` ++ hostname_exec(openshift_cron_t) ++') ++ ++optional_policy(` ++ ssh_exec_keygen(openshift_cron_t) ++ ssh_dontaudit_read_server_keys(openshift_cron_t) ++') diff --git a/openvpn.if b/openvpn.if index 6837e9a..af8f9d0 100644 --- a/openvpn.if @@ -47874,7 +48429,7 @@ index 9b15730..14f29e4 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..4068f7f 100644 +index 508fedf..3e42ef8 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -47943,7 +48498,7 @@ index 508fedf..4068f7f 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -57,15 +58,9 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -57,33 +58,33 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -47960,7 +48515,8 @@ index 508fedf..4068f7f 100644 corecmd_exec_bin(openvswitch_t) -@@ -73,17 +68,22 @@ dev_read_urand(openvswitch_t) ++dev_read_rand(openvswitch_t) + dev_read_urand(openvswitch_t) domain_use_interactive_fds(openvswitch_t) @@ -48206,10 +48762,24 @@ index 9682d9a..d47f913 100644 + ') ') diff --git a/pacemaker.te b/pacemaker.te -index 3dd8ada..8b8d292 100644 +index 3dd8ada..9683812 100644 --- a/pacemaker.te 
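Review bot: `dev_read_raw_memory(openshift_cron_t)` gives the entire cron-job domain read access to the raw memory devices, which is a large grant for a periodic job and is not explained anywhere in the hunk; the only visible consumer is `dmidecode_exec(openshift_cron_t)`, which runs dmidecode inside openshift_cron_t, so the rule is presumably there because dmidecode reads DMI tables through /dev/mem. If the dmidecode module provides a domain transition (`dmidecode_domtrans`), using it instead would keep the raw-memory access inside dmidecode_t and let the `dev_read_raw_memory` line be dropped; if the exec form is required, a why-comment such as `# dmidecode runs in this domain and reads DMI tables from /dev/mem` should sit next to the rule. `files_manage_etc_files(openshift_cron_t)` is similarly broad for a cron job and would benefit from a comment naming which files under /etc the job has to write.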
+++ b/pacemaker.te -@@ -12,17 +12,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) +@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2) + # Declarations + # + ++## ++##

++## Allow pacemaker memcheck-amd64- to use executable memory ++##

++##
++gen_tunable(pacemaker_use_execmem, false) ++ + type pacemaker_t; + type pacemaker_exec_t; + init_daemon_domain(pacemaker_t, pacemaker_exec_t) +@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) type pacemaker_initrc_exec_t; init_script_file(pacemaker_initrc_exec_t) @@ -48235,7 +48805,24 @@ index 3dd8ada..8b8d292 100644 ######################################## # -@@ -60,13 +63,13 @@ kernel_read_system_state(pacemaker_t) +@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t) + # + + allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; ++allow pacemaker_t self:capability2 block_suspend; + allow pacemaker_t self:process { setrlimit signal setpgid }; + allow pacemaker_t self:fifo_file rw_fifo_file_perms; + allow pacemaker_t self:unix_stream_socket { connectto accept listen }; + + manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) + manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) +-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir }) ++manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) ++files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir }) + + manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) + manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) +@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t) corecmd_exec_bin(pacemaker_t) corecmd_exec_shell(pacemaker_t) 
@@ -48252,14 +48839,20 @@ index 3dd8ada..8b8d292 100644 files_read_kernel_symbol_table(pacemaker_t) fs_getattr_all_fs(pacemaker_t) -@@ -75,9 +78,9 @@ auth_use_nsswitch(pacemaker_t) +@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t) logging_send_syslog_msg(pacemaker_t) -miscfiles_read_localization(pacemaker_t) -- ++sysnet_domtrans_ifconfig(pacemaker_t) ++ ++tunable_policy(`pacemaker_use_execmem',` ++ allow pacemaker_t self:process { execmem }; ++') + optional_policy(` corosync_read_log(pacemaker_t) ++ corosync_setattr_log(pacemaker_t) corosync_stream_connect(pacemaker_t) + corosync_rw_tmpfs(pacemaker_t) ') @@ -59924,15 +60517,24 @@ index 76f5b39..599b6cd 100644 ') + diff --git a/quantum.fc b/quantum.fc -index 70ab68b..9ac57eb 100644 +index 70ab68b..e97da31 100644 --- a/quantum.fc +++ b/quantum.fc -@@ -1,3 +1,5 @@ +@@ -1,9 +1,14 @@ +/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0) + /etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) /usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) + /usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) + /usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) + /usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) ++/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) ++/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) ++/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:quantum_exec_t,s0) + + /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) + diff --git a/quantum.if b/quantum.if index afc0068..7616aa4 100644 --- a/quantum.if @@ -65557,10 +66159,10 @@ index c49828c..a323332 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..9e96a5c 100644 +index ebe91fc..db87bca 100644 --- a/rpm.fc 
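Review bot: `allow pacemaker_t self:process { execmem };` wraps a single permission in braces; the conventional form is `allow pacemaker_t self:process execmem;`, matching `allow pacemaker_t self:capability2 block_suspend;` added in the previous hunk of this file. Because execmem removes the W^X restriction for pacemaker_t whenever the boolean is on, the tunable description added earlier in this file (`Allow pacemaker memcheck-amd64- to use executable memory`) would be clearer if it said the boolean is only meant for running pacemaker under the memcheck-amd64- tool (presumably valgrind) and should stay off otherwise.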
+++ b/rpm.fc -@@ -1,61 +1,66 @@ +@@ -1,61 +1,67 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) @@ -65580,6 +66182,7 @@ index ebe91fc..9e96a5c 100644 +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) + ++/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -65672,7 +66275,7 @@ index ebe91fc..9e96a5c 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..bedc8ae 100644 +index 0628d50..dbe00f4 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -65738,7 +66341,7 @@ index 0628d50..bedc8ae 100644 ##
## ## -@@ -74,23 +74,31 @@ interface(`rpm_domtrans_script',` +@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',` ## ## ## @@ -65752,19 +66355,16 @@ index 0628d50..bedc8ae 100644 gen_require(` - attribute_role rpm_roles; + type rpm_t, rpm_script_t; ++ attribute_role rpm_script_roles; ') rpm_domtrans($1) - roleattribute $2 rpm_roles; -+ role $2 types { rpm_t rpm_script_t }; ++ roleattribute $2 rpm_script_roles; + + domain_system_change_exemption($1) + role_transition $2 rpm_exec_t system_r; + allow $2 system_r; -+ -+ seutil_run_loadpolicy(rpm_script_t, $2) -+ seutil_run_semanage(rpm_script_t, $2) -+ seutil_run_setfiles(rpm_script_t, $2) ') ######################################## @@ -65774,7 +66374,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -109,7 +117,7 @@ interface(`rpm_exec',` +@@ -109,7 +114,7 @@ interface(`rpm_exec',` ######################################## ## @@ -65783,7 +66383,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -127,7 +135,7 @@ interface(`rpm_signull',` +@@ -127,7 +132,7 @@ interface(`rpm_signull',` ######################################## ## @@ -65792,7 +66392,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -145,7 +153,7 @@ interface(`rpm_use_fds',` +@@ -145,7 +150,7 @@ interface(`rpm_use_fds',` ######################################## ## @@ -65801,7 +66401,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -163,7 +171,7 @@ interface(`rpm_read_pipes',` +@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',` ######################################## ## @@ -65810,7 +66410,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -181,6 +189,42 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',` ######################################## ## 
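Review bot: `roleattribute $2 rpm_script_roles;` authorizes the caller's role for every type that is later bound to `rpm_script_roles`, and in rpm.te this commit passes that attribute to the seutil_run_*, modutils_run_*, lvm, ntp, udev, bootloader, tzdata, usermanage and openshift_initrc_run calls, so a role handed to rpm_run now reaches all of those domains, not just rpm_t and rpm_script_t. That is presumably the intent, but the interface header should say so, e.g. `## The role is added to rpm_script_roles and is thereby also authorized for every domain rpm_script_t transitions to via the *_run calls in rpm.te.` The `type rpm_t, rpm_script_t;` require is now unreferenced in the body (the `role $2 types { rpm_t rpm_script_t };` line that used it is removed), while `rpm_exec_t`, which `role_transition` does use, is only required indirectly through `rpm_domtrans`; requiring `type rpm_exec_t;` explicitly would be tidier.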
@@ -65853,7 +66453,7 @@ index 0628d50..bedc8ae 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +268,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from @@ -65862,7 +66462,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -244,7 +288,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## @@ -65871,7 +66471,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -263,7 +307,8 @@ interface(`rpm_search_log',` +@@ -263,7 +304,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -65881,7 +66481,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -276,14 +321,12 @@ interface(`rpm_append_log',` +@@ -276,14 +318,12 @@ interface(`rpm_append_log',` type rpm_log_t; ') @@ -65898,7 +66498,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -302,7 +345,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +342,7 @@ interface(`rpm_manage_log',` ######################################## ## @@ -65907,7 +66507,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -320,8 +363,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +360,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -65918,7 +66518,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -335,12 +378,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +375,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -65935,7 +66535,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -353,14 +399,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +396,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -65953,7 +66553,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -374,12 +419,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +416,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) 
@@ -65969,7 +66569,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -399,7 +446,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +443,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -65978,7 +66578,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -420,8 +467,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +464,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -65988,7 +66588,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -442,7 +488,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +485,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -65997,7 +66597,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -459,11 +505,12 @@ interface(`rpm_read_db',` +@@ -459,11 +502,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -66011,7 +66611,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -482,8 +529,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +526,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -66021,7 +66621,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -504,7 +550,7 @@ interface(`rpm_manage_db',` +@@ -504,7 +547,7 @@ interface(`rpm_manage_db',` ######################################## ## ## Do not audit attempts to create, read, @@ -66030,7 +66630,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -517,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +560,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -66039,7 +66639,7 @@ index 0628d50..bedc8ae 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +589,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +586,7 @@ interface(`rpm_read_pid_files',` ##################################### ## 
@@ -66049,7 +66649,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -563,8 +608,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +605,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -66059,7 +66659,7 @@ index 0628d50..bedc8ae 100644 ## ## ## -@@ -573,94 +617,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +614,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -66191,14 +66791,16 @@ index 0628d50..bedc8ae 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..a29e4d0 100644 +index 5cbe81c..decdd95 100644 --- a/rpm.te +++ b/rpm.te -@@ -1,15 +1,11 @@ +@@ -1,15 +1,13 @@ -policy_module(rpm, 1.15.3) +policy_module(rpm, 1.15.0) + +attribute rpm_transition_domain; ++attribute_role rpm_script_roles; ++roleattribute system_r rpm_script_roles; ######################################## # @@ -66213,12 +66815,12 @@ index 5cbe81c..a29e4d0 100644 type rpm_t; type rpm_exec_t; init_system_domain(rpm_t, rpm_exec_t) -@@ -17,10 +13,10 @@ domain_obj_id_change_exemption(rpm_t) +@@ -17,10 +15,10 @@ domain_obj_id_change_exemption(rpm_t) domain_role_change_exemption(rpm_t) domain_system_change_exemption(rpm_t) domain_interactive_fd(rpm_t) -role rpm_roles types rpm_t; -+role system_r types rpm_t; ++role rpm_script_roles types rpm_t; -type rpm_initrc_exec_t; -init_script_file(rpm_initrc_exec_t) @@ -66227,7 +66829,7 @@ index 5cbe81c..a29e4d0 100644 type rpm_file_t; files_type(rpm_file_t) -@@ -31,9 +27,6 @@ files_tmp_file(rpm_tmp_t) +@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t) type rpm_tmpfs_t; files_tmpfs_file(rpm_tmpfs_t) 
@@ -66237,15 +66839,17 @@ index 5cbe81c..a29e4d0 100644 type rpm_log_t; logging_log_file(rpm_log_t) -@@ -56,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t) +@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) -role rpm_roles types rpm_script_t; - role system_r types rpm_script_t; +-role system_r types rpm_script_t; ++role rpm_script_roles types rpm_script_t; type rpm_script_tmp_t; -@@ -75,23 +67,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec + files_tmp_file(rpm_script_tmp_t) +@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; @@ -66279,7 +66883,7 @@ index 5cbe81c..a29e4d0 100644 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -@@ -99,23 +96,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -66307,7 +66911,7 @@ index 5cbe81c..a29e4d0 100644 kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) -@@ -126,41 +119,34 @@ kernel_rw_irq_sysctls(rpm_t) +@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t) corecmd_exec_all_executables(rpm_t) @@ -66363,7 +66967,7 @@ index 5cbe81c..a29e4d0 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -183,29 +169,49 @@ selinux_compute_relabel_context(rpm_t) +@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t) selinux_compute_user_contexts(rpm_t) storage_raw_write_fixed_disk(rpm_t) 
@@ -66415,7 +67019,7 @@ index 5cbe81c..a29e4d0 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -224,13 +230,17 @@ optional_policy(` +@@ -224,13 +232,17 @@ optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -66437,7 +67041,7 @@ index 5cbe81c..a29e4d0 100644 ') ######################################## -@@ -239,19 +249,20 @@ optional_policy(` +@@ -239,19 +251,20 @@ optional_policy(` # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; @@ -66461,7 +67065,7 @@ index 5cbe81c..a29e4d0 100644 allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; -@@ -267,8 +278,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -66472,7 +67076,7 @@ index 5cbe81c..a29e4d0 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +289,27 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -66522,7 +67126,7 @@ index 5cbe81c..a29e4d0 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +325,48 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) 
@@ -66562,25 +67166,25 @@ index 5cbe81c..a29e4d0 100644 logging_send_syslog_msg(rpm_script_t) -miscfiles_read_localization(rpm_script_t) -- --modutils_run_depmod(rpm_script_t, rpm_roles) --modutils_run_insmod(rpm_script_t, rpm_roles) +miscfiles_filetrans_named_content(rpm_script_t) +-modutils_run_depmod(rpm_script_t, rpm_roles) +-modutils_run_insmod(rpm_script_t, rpm_roles) +- -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) -+seutil_domtrans_loadpolicy(rpm_script_t) -+seutil_domtrans_setfiles(rpm_script_t) -+seutil_domtrans_semanage(rpm_script_t) -+seutil_domtrans_setsebool(rpm_script_t) ++seutil_run_loadpolicy(rpm_script_t, rpm_script_roles) ++seutil_run_setfiles(rpm_script_t, rpm_script_roles) ++seutil_run_semanage(rpm_script_t, rpm_script_roles) ++seutil_run_setsebool(rpm_script_t, rpm_script_roles) userdom_use_all_users_fds(rpm_script_t) +userdom_exec_admin_home_files(rpm_script_t) ifdef(`distro_redhat',` optional_policy(` -@@ -363,24 +375,28 @@ ifdef(`distro_redhat',` +@@ -363,40 +377,54 @@ ifdef(`distro_redhat',` ') ') 
@@ -66591,52 +67195,53 @@ index 5cbe81c..a29e4d0 100644 optional_policy(` - bootloader_run(rpm_script_t, rpm_roles) -+ bootloader_domtrans(rpm_script_t) ++ bootloader_run(rpm_script_t, rpm_script_roles) ++') ++ ++optional_policy(` ++ certmonger_dbus_chat(rpm_script_t) ++') ++ ++optional_policy(` ++ cups_filetrans_named_content(rpm_script_t) ') optional_policy(` -- dbus_system_bus_client(rpm_script_t) -+ certmonger_dbus_chat(rpm_script_t) + dbus_system_bus_client(rpm_script_t) +') - optional_policy(` - unconfined_dbus_chat(rpm_script_t) - ') +optional_policy(` -+ cups_filetrans_named_content(rpm_script_t) ++ lvm_domtrans(rpm_script_t, rpm_script_roles) +') + +optional_policy(` -+ dbus_system_bus_client(rpm_script_t) ++ ntp_run(rpm_script_t, rpm_script_roles) ') optional_policy(` - lvm_run(rpm_script_t, rpm_roles) -+ lvm_domtrans(rpm_script_t) ++ modutils_run_depmod(rpm_script_t, rpm_script_roles) ++ modutils_run_insmod(rpm_script_t, rpm_script_roles) ') optional_policy(` -@@ -388,8 +404,17 @@ optional_policy(` +- ntp_domtrans(rpm_script_t) ++ openshift_initrc_run(rpm_script_t, rpm_script_roles) ') optional_policy(` - tzdata_run(rpm_t, rpm_roles) - tzdata_run(rpm_script_t, rpm_roles) -+ modutils_domtrans_depmod(rpm_script_t) -+ modutils_domtrans_insmod(rpm_script_t) -+') -+ -+optional_policy(` -+ openshift_initrc_domtrans(rpm_script_t) -+') -+ -+optional_policy(` + tzdata_domtrans(rpm_t) -+ tzdata_domtrans(rpm_script_t) ++ tzdata_run(rpm_script_t, rpm_script_roles) ') optional_policy(` -@@ -397,6 +422,7 @@ optional_policy(` +- udev_domtrans(rpm_script_t) ++ udev_run(rpm_script_t, rpm_script_roles) ') optional_policy(` 
@@ -66644,14 +67249,14 @@ index 5cbe81c..a29e4d0 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -409,6 +435,6 @@ optional_policy(` +@@ -409,6 +437,6 @@ optional_policy(` ') optional_policy(` - usermanage_run_groupadd(rpm_script_t, rpm_roles) - usermanage_run_useradd(rpm_script_t, rpm_roles) -+ usermanage_domtrans_groupadd(rpm_script_t) -+ usermanage_domtrans_useradd(rpm_script_t) ++ usermanage_run_groupadd(rpm_script_t, rpm_script_roles) ++ usermanage_run_useradd(rpm_script_t, rpm_script_roles) ') diff --git a/rshd.fc b/rshd.fc index 9ad0d58..6a4db03 100644 @@ -66824,7 +67429,7 @@ index d25301b..2d77839 100644 /var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) diff --git a/rsync.if b/rsync.if -index f1140ef..6bde558 100644 +index f1140ef..c5bd83a 100644 --- a/rsync.if +++ b/rsync.if @@ -1,16 +1,16 @@ @@ -66946,7 +67551,7 @@ index f1140ef..6bde558 100644 can_exec($1, rsync_exec_t) ') -@@ -165,18 +119,18 @@ interface(`rsync_read_config',` +@@ -165,13 +119,13 @@ interface(`rsync_read_config',` type rsync_etc_t; ') 
@@ -66958,96 +67563,114 @@ index f1140ef..6bde558 100644 ######################################## ## -## Write rsync config files. -+## Write to rsync config files. ++## Read rsync data files. ## ## --## -+## - ## Domain allowed access. --## -+## + ## +@@ -179,19 +133,18 @@ interface(`rsync_read_config',` + ## ## # - interface(`rsync_write_config',` -@@ -184,14 +138,13 @@ interface(`rsync_write_config',` - type rsync_etc_t; +-interface(`rsync_write_config',` ++interface(`rsync_read_data',` + gen_require(` +- type rsync_etc_t; ++ type rsync_data_t; ') -+ write_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) +- files_search_etc($1) - allow $1 rsync_etc_t:file write_file_perms; ++ read_files_pattern($1, rsync_data_t, rsync_data_t) ') ++ ######################################## ## -## Create, read, write, and delete -## rsync config files. -+## Manage rsync config files. ++## Write to rsync config files. ## ## ## -@@ -199,18 +152,18 @@ interface(`rsync_write_config',` +@@ -199,83 +152,54 @@ interface(`rsync_write_config',` ## ## # -interface(`rsync_manage_config_files',` -+interface(`rsync_manage_config',` ++interface(`rsync_write_config',` gen_require(` type rsync_etc_t; ') -- files_search_etc($1) - manage_files_pattern($1, rsync_etc_t, rsync_etc_t) -+ files_search_etc($1) ++ write_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +- manage_files_pattern($1, rsync_etc_t, rsync_etc_t) ') ######################################## ## -## Create specified objects in etc directories -+## Create objects in etc directories - ## with rsync etc type. +-## with rsync etc type. ++## Manage rsync config files. ## ## -@@ -223,11 +176,6 @@ interface(`rsync_manage_config_files',` - ## Class of the object being created. - ## - ## --## + ## +-## Domain allowed to transition. +-## +-## +-## -## --## The name of the object being created. +-## Class of the object being created. -## -## +-## +-## +-## The name of the object being created. 
++## Domain allowed access. + ## + ## # - interface(`rsync_etc_filetrans_config',` +-interface(`rsync_etc_filetrans_config',` ++interface(`rsync_manage_config',` gen_require(` -@@ -236,46 +184,3 @@ interface(`rsync_etc_filetrans_config',` + type rsync_etc_t; + ') - files_etc_filetrans($1, rsync_etc_t, $2, $3) +- files_etc_filetrans($1, rsync_etc_t, $2, $3) ++ manage_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ') -- --######################################## --## + + ######################################## + ## -## All of the rules required to -## administrate an rsync environment. --## --## --## ++## Create objects in etc directories ++## with rsync etc type. + ## + ## + ## -## Domain allowed access. --## --## ++## Domain allowed to transition. + ## + ## -## --## ++## + ## -## Role allowed access. --## --## ++## Class of the object being created. + ## + ## -## --# + # -interface(`rsync_admin',` -- gen_require(` ++interface(`rsync_etc_filetrans_config',` + gen_require(` - type rsync_t, rsync_etc_t, rsync_data_t; - type rsync_log_t, rsync_tmp_t. rsync_var_run_t; -- ') -- ++ type rsync_etc_t; + ') + - allow $1 rsync_t:process { ptrace signal_perms }; - ps_process_pattern($1, rsync_t) - @@ -67066,9 +67689,10 @@ index f1140ef..6bde558 100644 - admin_pattern($1, rsync_var_run_t) - - rsync_run($1, $2) --') ++ files_etc_filetrans($1, rsync_etc_t, $2, $3) + ') diff --git a/rsync.te b/rsync.te -index e3e7c96..ad3e416 100644 +index e3e7c96..2574954 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -67172,7 +67796,7 @@ index e3e7c96..ad3e416 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +79,23 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +79,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; 
@@ -67195,13 +67819,15 @@ index e3e7c96..ad3e416 100644 +read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +allow rsync_t rsync_data_t:dir_file_class_set getattr; ++allow rsync_t rsync_data_t:socket_class_set getattr; ++allow rsync_t rsync_data_t:sock_file setattr; -allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +109,76 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +111,76 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -75763,7 +76389,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..6c2da43 100644 +index a240455..54c5c1f 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -76018,7 +76644,7 @@ index a240455..6c2da43 100644 ## ## ## -@@ -317,8 +352,26 @@ interface(`sssd_stream_connect',` +@@ -317,8 +352,27 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -76034,10 +76660,11 @@ index a240455..6c2da43 100644 +# +interface(`sssd_dontaudit_stream_connect',` + gen_require(` -+ type sssd_t; ++ type sssd_t, sssd_var_lib_t; + ') + + dontaudit $1 sssd_t:unix_stream_socket connectto; ++ dontaudit $1 sssd_var_lib_t:sock_file write; +') + +######################################## @@ -76047,7 +76674,7 @@ index a240455..6c2da43 100644 ## ## ## -@@ -327,7 +380,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +381,7 @@ interface(`sssd_stream_connect',` ## ## ## 
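Review bot: `allow rsync_t rsync_data_t:socket_class_set getattr;` looks misdirected: socket_class_set covers socket objects (tcp_socket, unix_stream_socket, and so on), which carry the label of the domain that created them rather than a file type, so this rule only does anything if sockets are deliberately labeled rsync_data_t. If the goal is socket files inside rsync data trees, the `dir_file_class_set getattr` rule on the line above already includes sock_file getattr and the new line can go; if it came from an AVC denial, a comment quoting the class in that denial would justify it. `allow rsync_t rsync_data_t:sock_file setattr;` is the only write-type permission rsync_t gets on rsync_data_t in this hunk, so a why-comment is warranted there too, e.g. `# presumably needed to preserve mode/ownership on copied socket files -- confirm`.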
@@ -76056,7 +76683,7 @@ index a240455..6c2da43 100644 ## ## ## -@@ -335,27 +388,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +389,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; 
@@ -76719,6 +77346,181 @@ index c6aaac7..dc3f167 100644 -miscfiles_read_localization(svnserve_t) - sysnet_dns_name_resolve(svnserve_t) +diff --git a/swift.fc b/swift.fc +new file mode 100644 +index 0000000..7917018 +--- /dev/null ++++ b/swift.fc +@@ -0,0 +1,9 @@ ++/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) ++ ++/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) ++ ++/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) +diff --git a/swift.if b/swift.if +new file mode 100644 +index 0000000..4ec3f4d +--- /dev/null ++++ b/swift.if +@@ -0,0 +1,103 @@ ++ ++## policy for swift ++ ++######################################## ++## ++## Execute TEMPLATE in the swift domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`swift_domtrans',` ++ gen_require(` ++ type swift_t, swift_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, swift_exec_t, swift_t) ++') ++######################################## ++## ++## Read swift PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_read_pid_files',` ++ gen_require(` ++ type swift_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, swift_var_run_t, swift_var_run_t) ++') ++ ++######################################## ++## ++## Execute swift server in the swift domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`swift_systemctl',` ++ gen_require(` ++ type swift_t; ++ type swift_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 swift_unit_file_t:file read_file_perms; ++ allow $1 swift_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, swift_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an swift environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`swift_admin',` ++ gen_require(` ++ type swift_t; ++ type swift_var_run_t; ++ type swift_unit_file_t; ++ ') ++ ++ allow $1 swift_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, swift_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, swift_var_run_t) ++ ++ swift_systemctl($1) ++ admin_pattern($1, swift_unit_file_t) ++ allow $1 swift_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/swift.te b/swift.te +new file mode 100644 +index 0000000..e3eab32 +--- /dev/null ++++ b/swift.te +@@ -0,0 +1,45 @@ ++policy_module(swift, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type swift_t; ++type swift_exec_t; ++init_daemon_domain(swift_t, swift_exec_t) ++ ++type swift_var_run_t; ++files_pid_file(swift_var_run_t) ++ ++type swift_unit_file_t; ++systemd_unit_file(swift_unit_file_t) ++ ++######################################## ++# ++# swift local policy ++# ++ ++allow swift_t self:fifo_file rw_fifo_file_perms; ++allow swift_t self:unix_stream_socket create_stream_socket_perms; ++allow swift_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t) ++manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) ++manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) 
++files_pid_filetrans(swift_t, swift_var_run_t, { dir }) ++ ++kernel_dgram_send(swift_t) ++kernel_read_system_state(swift_t) ++ ++corecmd_exec_shell(swift_t) ++ ++dev_read_urand(swift_t) ++ ++domain_use_interactive_fds(swift_t) ++ ++auth_use_nsswitch(swift_t) ++ ++libs_exec_ldconfig(swift_t) ++ ++logging_send_syslog_msg(swift_t) diff --git a/sxid.te b/sxid.te index c9824cb..1973f71 100644 --- a/sxid.te @@ -76750,7 +77552,7 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index c8b80b2..c6580e4 100644 +index c8b80b2..e6b8ab8 100644 --- a/sysstat.te +++ b/sysstat.te @@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t) @@ -76761,16 +77563,19 @@ index c8b80b2..c6580e4 100644 corecmd_exec_bin(sysstat_t) dev_read_sysfs(sysstat_t) -@@ -50,7 +51,7 @@ fs_getattr_xattr_fs(sysstat_t) +@@ -49,8 +50,10 @@ files_read_etc_runtime_files(sysstat_t) + fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) ++storage_getattr_fixed_disk_dev(sysstat_t) ++ term_use_console(sysstat_t) -term_use_all_terms(sysstat_t) +term_use_all_inherited_terms(sysstat_t) auth_use_nsswitch(sysstat_t) -@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t) +@@ -60,10 +63,9 @@ locallogin_use_fds(sysstat_t) logging_send_syslog_msg(sysstat_t) @@ -80380,7 +81185,7 @@ index c416a83..cd83b89 100644 +/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index cf118fd..3b93d32 100644 +index cf118fd..cd80e83 100644 --- a/userhelper.if +++ b/userhelper.if @@ -1,4 +1,4 @@ 
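Review bot: `swift_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `swift_admin` calls `systemd_read_fifo_file_passwd_run($1)`; these are two different interface names for what appears to be the same access, and whichever one systemd.if does not export will break the module build, since an undefined interface is a syntax error in the expanded policy regardless of the optional_policy wrapper. Use the single spelling that systemd.if actually defines in both places. The header of `swift_domtrans` still contains the template text `Execute TEMPLATE in the swift domin.`; it should read `Execute swift in the swift domain.`, and a blank line is missing between that interface's closing `')` and the `swift_read_pid_files` header so the file matches the spacing used by the rest of the module.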
@@ -80573,75 +81378,58 @@ index cf118fd..3b93d32 100644
##
##
##
-@@ -136,8 +195,7 @@ interface(`userhelper_dontaudit_search_config',`
+@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',`
########################################
##
-## Send and receive messages from
-## consolehelper over dbus.
-+## Allow domain to use userhelper file descriptor.
++## Do not audit attempts to write
++## the userhelper configuration files.
##
##
##
-@@ -145,19 +203,17 @@ interface(`userhelper_dontaudit_search_config',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`userhelper_dbus_chat_all_consolehelper',`
-+interface(`userhelper_use_fd',`
++interface(`userhelper_dontaudit_write_config',`
gen_require(`
- attribute consolehelper_type;
- class dbus send_msg;
-+ attribute userhelper_type;
++ type userhelper_conf_t;
')
- allow $1 consolehelper_type:dbus send_msg;
- allow consolehelper_type $1:dbus send_msg;
-+ allow $1 userhelper_type:fd use;
++ dontaudit $1 userhelper_conf_t:file write;
')
########################################
##
-## Use userhelper all userhelper file descriptors.
-+## Allow domain to send sigchld to userhelper.
++## Allow domain to use userhelper file descriptor.
##
##
##
-@@ -165,17 +221,17 @@ interface(`userhelper_dbus_chat_all_consolehelper',`
- ##
- ##
- #
--interface(`userhelper_use_fd',`
-+interface(`userhelper_sigchld',`
- gen_require(`
- attribute userhelper_type;
- ')
-
-- allow $1 userhelper_type:fd use;
-+ allow $1 userhelper_type:process sigchld;
- ')
+@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',`
########################################
##
-## Send child terminated signals to all userhelper.
-+## Execute the userhelper program in the caller domain.
++## Allow domain to send sigchld to userhelper.
##
##
##
-@@ -183,17 +239,87 @@ interface(`userhelper_use_fd',`
- ##
- ##
- #
--interface(`userhelper_sigchld',`
-+interface(`userhelper_exec',`
- gen_require(`
-- attribute userhelper_type;
-+ type userhelper_exec_t;
+@@ -206,6 +263,93 @@ interface(`userhelper_exec',`
+ type userhelper_exec_t;
')
-- allow $1 userhelper_type:process sigchld;
-+ can_exec($1, userhelper_exec_t)
-+')
+- corecmd_search_bin($1)
+ can_exec($1, userhelper_exec_t)
+ ')
+
+#######################################
+##
@@ -80711,35 +81499,30 @@ index cf118fd..3b93d32 100644
+ xserver_run_xauth($1_consolehelper_t, $2)
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
- ')
-
- ########################################
- ##
--## Execute the userhelper program in the caller domain.
++')
++
++########################################
++##
+## Execute the consolehelper program in the caller domain.
- ##
- ##
- ##
-@@ -201,11 +327,10 @@ interface(`userhelper_sigchld',`
- ##
- ##
- #
--interface(`userhelper_exec',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userhelper_exec_console',`
- gen_require(`
-- type userhelper_exec_t;
++ gen_require(`
+ type consolehelper_exec_t;
- ')
-
-- corecmd_search_bin($1)
-- can_exec($1, userhelper_exec_t)
++ ')
++
+ can_exec($1, consolehelper_exec_t)
- ')
++')
diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..23b8929 100644
+index 274ed9c..4d8adf9 100644
--- a/userhelper.te
+++ b/userhelper.te
-@@ -1,18 +1,15 @@
+@@ -1,15 +1,12 @@
-policy_module(userhelper, 1.7.3)
+policy_module(userhelper, 1.7.0)
@@ -80756,11 +81539,7 @@ index 274ed9c..23b8929 100644
+attribute consolehelper_domain;
type userhelper_conf_t;
--files_config_file(userhelper_conf_t)
-+files_type(userhelper_conf_t)
-
- type userhelper_exec_t;
- application_executable_file(userhelper_exec_t)
+ files_config_file(userhelper_conf_t)
@@ -22,141 +19,67 @@ application_executable_file(consolehelper_exec_t)
########################################
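Review bot: `userhelper_exec` is left with only `can_exec($1, userhelper_exec_t)` once the `+- corecmd_search_bin($1)` line takes effect, and the new `userhelper_exec_console` in the following hunk (`@@ -80711,35 +81499,30 @@`) is written the same way, so a caller that does not already hold search on bin_t directories is granted execute on the file but cannot reach its path. Unless every intended caller gains that search elsewhere, put `corecmd_search_bin($1)` back before the `can_exec` call in both interfaces. The removal from `userhelper_exec` was already present in the previous revision of this patch; only the console interface is new here.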
@@ -83153,7 +83932,7 @@ index 9dec06c..d8a2b54 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..f704c9a 100644
+index 1f22fba..def6a6b 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -83504,9 +84283,7 @@ index 1f22fba..f704c9a 100644
-
-storage_raw_write_removable_device(virt_domain)
-storage_raw_read_removable_device(virt_domain)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-term_use_all_terms(virt_domain)
-term_getattr_pty_fs(virt_domain)
-term_use_generic_ptys(virt_domain)
@@ -83569,17 +84346,15 @@ index 1f22fba..f704c9a 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
--
--optional_policy(`
-- dbus_read_lib_files(virt_domain)
--')
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
@@ -83589,20 +84364,24 @@ index 1f22fba..f704c9a 100644
+corenet_tcp_connect_all_ports(svirt_t)
-optional_policy(`
-- nscd_use(virt_domain)
+- dbus_read_lib_files(virt_domain)
-')
+miscfiles_read_generic_certs(svirt_t)
optional_policy(`
-- nscd_use(virt_domain)
+ xen_rw_image_files(svirt_t)
')
optional_policy(`
-- samba_domtrans_smbd(virt_domain)
+ nscd_use(svirt_t)
')
+-optional_policy(`
+- xen_rw_image_files(virt_domain)
+-')
+-
-########################################
+#######################################
#
@@ -83615,7 +84394,9 @@ index 1f22fba..f704c9a 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -83624,9 +84405,7 @@ index 1f22fba..f704c9a 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
@@ -84308,12 +85087,12 @@ index 1f22fba..f704c9a 100644
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-
-allow virsh_t svirt_lxc_domain:process transition;
--
--can_exec(virsh_t, virsh_exec_t)
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+-can_exec(virsh_t, virsh_exec_t)
+-
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
@@ -84635,7 +85414,7 @@ index 1f22fba..f704c9a 100644
optional_policy(`
udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1115,63 @@ optional_policy(`
+@@ -1078,81 +1115,67 @@ optional_policy(`
apache_read_sys_content(svirt_lxc_domain)
')
@@ -84643,6 +85422,10 @@ index 1f22fba..f704c9a 100644
-#
-# Lxc net local policy
-#
++optional_policy(`
++ userhelper_dontaudit_write_config(svirt_lxc_domain)
++')
++
+virt_lxc_domain_template(svirt_lxc_net)
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
@@ -84702,30 +85485,29 @@ index 1f22fba..f704c9a 100644
fs_mount_cgroup(svirt_lxc_net_t)
fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
--
--auth_use_nsswitch(svirt_lxc_net_t)
+fs_manage_cgroup_files(svirt_lxc_net_t)
-
--logging_send_audit_msgs(svirt_lxc_net_t)
++
+term_pty(svirt_lxc_file_t)
--userdom_use_user_ptys(svirt_lxc_net_t)
-+auth_use_nsswitch(svirt_lxc_net_t)
+ auth_use_nsswitch(svirt_lxc_net_t)
+
++rpm_read_db(svirt_lxc_net_t)
++
+ logging_send_audit_msgs(svirt_lxc_net_t)
+
+ userdom_use_user_ptys(svirt_lxc_net_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
-+rpm_read_db(svirt_lxc_net_t)
-
-#######################################
-#
-# Prot exec local policy
-#
-+logging_send_audit_msgs(svirt_lxc_net_t)
-
-allow svirt_prot_exec_t self:process { execmem execstack };
-+userdom_use_inherited_user_ptys(svirt_lxc_net_t)
-
########################################
#
-# Qmf local policy
@@ -84740,7 +85522,7 @@ index 1f22fba..f704c9a 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1184,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1188,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -84755,7 +85537,7 @@ index 1f22fba..f704c9a 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1202,8 @@ optional_policy(`
+@@ -1183,9 +1206,8 @@ optional_policy(`
########################################
#
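Review bot: The new `userhelper_dontaudit_write_config(svirt_lxc_domain)` block silences write denials on userhelper_conf_t for every lxc container domain without saying what triggers the write; the changelog entry "svirt lxc containers want to execute userhelper apps" suggests it is consolehelper touching its own configuration, but that is not stated in the hunk. Because a dontaudit removes the only audit trace of a container domain attempting to modify host configuration, the block should carry a comment naming the program that performs the write and confirming that the denial itself is the intended outcome, e.g. `# <program> opens its config for write when executed from a container; keep denying it, just do not log it` with the placeholder filled in. It is also worth confirming that applying this to all of svirt_lxc_domain, rather than only svirt_lxc_net_t as the rest of this section does, is deliberate.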
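Review bot: `rpm_read_db(svirt_lxc_net_t)` is now called unconditionally (`++rpm_read_db(svirt_lxc_net_t)`) where the previous revision of the patch wrapped it in an optional_policy block, so the virt module can no longer be built when the rpm module is absent; unless rpm is guaranteed in every build of this policy, keep the call inside `optional_policy(` ... `')`. The same hunk also retains `userdom_use_user_ptys(svirt_lxc_net_t)` as context instead of the `userdom_use_inherited_user_ptys` substitution the earlier revision made, which lets the container domain open user ptys directly rather than only use inherited ones; the changelog justifies this with commands being started outside the tty, but that reason belongs in a one-line comment above the rule so the wider grant is not reverted as an accident later.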
@@ -84766,7 +85548,7 @@ index 1f22fba..f704c9a 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1216,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1220,65 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 00cba9a..bdab254 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,56 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jan 5 2013 Miroslav Grepl 3.12.1-10
+- Fix smartmontools
+- Fix userdom_restricted_xwindows_user_template() interface
+- Add xserver_xdm_ioctl_log() interface
+- Allow Xusers to ioctl lxdm.log to make lxdm working
+- Add MLS fixes to make MLS boot/log-in working
+- Add mls_socket_write_all_levels() also for syslogd
+- fsck.xfs needs to read passwd
+- Fix ntp_filetrans_named_content calling in init.te
+- Allow postgresql to create pg_log dir
+- Allow sshd to read rsync_data_t to make rsync working
+- Change ntp.conf to be labeled net_conf_t
+- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
+- Allow xdm_t to execute gstreamer home content
+- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
+- New policy for openstack swift domains
+- More access required for openshift_cron_t
+- Use cupsd_log_t instead of cupsd_var_log_t
+- rpm_script_roles should be used in rpm_run
+- Fix rpm_run() interface
+- Fix openshift_initrc_run()
+- Fix sssd_dontaudit_stream_connect() interface
+- Fix sssd_dontaudit_stream_connect() interface
+- Allow LDA's job to deliver mail to the mailbox
+- dontaudit block_suspend for mozilla_plugin_t
+- Allow l2tpd_t to all signal perms
+- Allow uuidgen to read /dev/random
+- Allow mozilla-plugin-config to read power_supply info
+- Implement cups_domain attribute for cups domains
+- We now need access to user terminals since we start by executing a command outside the tty
+- We now need access to user terminals since we start by executing a command outside the tty
+- svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen
+- Add containment of openshift cron jobs
+- Allow system cron jobs to create tmp directories
+- Make userhelp_conf_t a config file
+- Change rpm to use rpm_script_roles
+- More fixes for rsync to make rsync wokring
+- Allow logwatch to domtrans to 
mdadm
+- Allow pacemaker to domtrans to ifconfig
+- Allow pacemaker to setattr on corosync.log
+- Add pacemaker_use_execmem for memcheck-amd64 command
+- Allow block_suspend capability
+- Allow create fifo_file in /tmp with pacemaker_tmp_t
+- Allow systat to getattr on fixed disk
+- Relabel /etc/ntp.conf to be net_conf_t
+- ntp_admin should create files in /etc with the correct label
+- Add interface to create ntp_conf_t files in /etc
+- Add additional labeling for quantum
+- Allow quantum to execute dnsmasq with transition
+
* Wed Jan 30 2013 Miroslav Grepl 3.12.1-9
- boinc_cliean wants also execmem as boinc projecs have
- Allow sa-update to search admin home for /root/.spamassassin