From dbf4ab85b0bb90b8ecb0a452668c38e572d9aee1 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 13 2014 06:13:43 +0000 Subject: - Added iotop policy. Thanks William Brown - Allow spamc to read .pyzor located in /var/spool/spampd - Allow spamc to create home content with correct labeling - Allow logwatch_mail_t to create dead.letter with correct labelign - Add labeling for min-cloud-agent - Allow geoclue to read unix in proc. - Add support for /usr/local/Brother labeling. We removed /usr/local equiv. - add support for min-cloud-agent - Allow ulogd to request the kernel to load a module - remove unconfined_domain for openwsman_t - Add openwsman_tmp_t rules - Allow openwsman to execute chkpwd and make this domain as unconfined for F20. - Allow nova-scheduler to read passwd file - Allow neutron execute arping in neutron_t - Dontaudit logrotate executing systemctl command attempting to net_admin - Allow mozilla plugins to use /dev/sr0 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file - Any app that executes systemctl will attempt a net_admin - Fix path to mmap_min_addr --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 04c0ead..b42061d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8587,7 +8587,7 @@ index 0b1a871..2844021 100644 +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..84e8030 100644 +index 6a1e4d1..1b9b0b5 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` 
@@ -8705,6 +8705,24 @@ index 6a1e4d1..84e8030 100644 ## Relabel to and from all entry point ## file types. ## +@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',` + ## + ## Ability to mmap a low area of the address + ## space conditionally, as configured by +-## /proc/sys/kernel/mmap_min_addr. ++## /proc/sys/vm/mmap_min_addr. + ## Preventing such mappings helps protect against + ## exploiting null deref bugs in the kernel. + ## +@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',` + ## + ## Ability to mmap a low area of the address + ## space unconditionally, as configured +-## by /proc/sys/kernel/mmap_min_addr. ++## by /proc/sys/vm/mmap_min_addr. + ## Preventing such mappings helps protect against + ## exploiting null deref bugs in the kernel. + ## @@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',` ######################################## @@ -8795,10 +8813,10 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..71f4c33 100644 +index cf04cb5..b9da2b3 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te -@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) +@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) # # Declarations # @@ -8828,7 +8846,12 @@ index cf04cb5..71f4c33 100644 ## ##

-@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false) + ## Control the ability to mmap a low area of the address space, +-## as configured by /proc/sys/kernel/mmap_min_addr. ++## as configured by /proc/sys/vm/mmap_min_addr. + ##

+ ##
+ gen_tunable(mmap_low_allowed, false) # Mark process types as domains attribute domain; @@ -9534,7 +9557,7 @@ index b876c48..bbd0e79 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..ec9e64a 100644 +index f962f76..002283d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10304,7 +10327,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -1946,6 +2425,24 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2425,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10326,10 +10349,28 @@ index f962f76..ec9e64a 100644 + +######################################## +## ++## Mount a filesystem on the root file system ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_mounton_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ dontaudit $1 root_t:dir mounton; ++') ++ ++######################################## ++## ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10354,7 +10395,7 @@ index f962f76..ec9e64a 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3160,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3178,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
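Review bot: The new files_dontaudit_mounton_rootfs interface in the hunk headed `@@ -10326,10 +10349,28 @@` is documented as if it granted access — its summary reads `## Mount a filesystem on the root file system` and its parameter is described as `## Domain allowed access.` — while the body is `dontaudit $1 root_t:dir mounton;`. Policy readers and the interface-documentation tooling take the summary at face value, so the text should say that the rule only suppresses the audit record and grants nothing. Suggest `## Do not audit attempts to mount a filesystem on the root file system` for the summary and `## Domain to not audit.` for the parameter, which is the wording this same patch uses for files_dontaudit_read_etc_runtime_files. The summary/param XML markup of the .if file appears stripped in this rendering, so the quoted lines are the text inside those tags.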
@@ -10379,7 +10420,7 @@ index f962f76..ec9e64a 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3249,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3267,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10387,7 +10428,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -2724,7 +3258,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3276,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10396,7 +10437,7 @@ index f962f76..ec9e64a 100644 ## ## # -@@ -2780,6 +3314,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3332,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10422,7 +10463,7 @@ index f962f76..ec9e64a 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3351,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3369,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10447,7 +10488,7 @@ index f962f76..ec9e64a 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3534,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3552,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10472,7 +10513,7 @@ index f962f76..ec9e64a 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3574,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3592,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -10483,7 +10524,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -3031,18 +3582,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3600,17 @@ interface(`files_read_etc_runtime_files',` ## ## # 
@@ -10505,24 +10546,20 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -3060,23 +3610,44 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## --## Read and write files in /etc that are dynamically +## Do not audit attempts to read files +## in /etc that are dynamically - ## created on boot, such as mtab. - ## - ## - ## --## Domain allowed access. ++## created on boot, such as mtab. ++## ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`files_rw_etc_runtime_files',` ++## ++## ++# +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; @@ -10533,20 +10570,10 @@ index f962f76..ec9e64a 100644 + +######################################## +## -+## Read and write files in /etc that are dynamically -+## created on boot, such as mtab. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_rw_etc_runtime_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') + ## Read and write files in /etc that are dynamically + ## created on boot, such as mtab. + ## +@@ -3077,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10554,7 +10581,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3098,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10562,7 +10589,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3142,10 +3714,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3732,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` 
@@ -10613,7 +10640,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3161,10 +3771,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3789,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -10626,7 +10653,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3180,10 +3790,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3808,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -10639,7 +10666,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3199,10 +3809,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3827,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -10652,7 +10679,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3218,10 +3828,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3846,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -10721,7 +10748,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3237,10 +3903,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3921,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -10734,7 +10761,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3256,10 +3922,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +3940,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` 
@@ -10766,7 +10793,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3275,10 +3960,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +3978,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -10779,7 +10806,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3294,10 +3979,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +3997,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -10792,7 +10819,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3313,10 +3998,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4016,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -10805,7 +10832,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3332,10 +4017,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4035,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -10818,7 +10845,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3351,10 +4036,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4054,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -10831,7 +10858,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3370,10 +4055,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4073,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` 
@@ -10844,7 +10871,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3389,10 +4074,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4092,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -10857,7 +10884,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3408,10 +4093,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4111,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -10870,7 +10897,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3427,10 +4112,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4130,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -10883,7 +10910,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3446,10 +4131,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4149,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -10896,15 +10923,14 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3465,10 +4150,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4168,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` - type file_t; + type unlabeled_t; - ') - -- allow $1 file_t:blk_file rw_blk_file_perms; ++ ') ++ + allow $1 unlabeled_t:blk_file rw_blk_file_perms; +') + 
@@ -10922,13 +10948,14 @@ index f962f76..ec9e64a 100644 +interface(`files_rw_inherited_isid_type_files',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- allow $1 file_t:blk_file rw_blk_file_perms; + allow $1 unlabeled_t:file rw_inherited_file_perms; ') ######################################## -@@ -3484,10 +4188,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4206,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -10941,7 +10968,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3503,10 +4207,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4225,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -10954,7 +10981,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -3814,20 +4518,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4536,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10998,7 +11025,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -4217,6 +4939,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +4957,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11171,7 +11198,7 @@ index f962f76..ec9e64a 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5127,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5145,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -11198,7 +11225,7 @@ index f962f76..ec9e64a 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5160,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5178,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') 
@@ -11237,7 +11264,7 @@ index f962f76..ec9e64a 100644 ## ## # -@@ -4289,6 +5217,7 @@ interface(`files_search_tmp',` +@@ -4289,6 +5235,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -11245,7 +11272,7 @@ index f962f76..ec9e64a 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5254,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5272,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -11253,7 +11280,7 @@ index f962f76..ec9e64a 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5264,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5282,7 @@ interface(`files_list_tmp',` ## ## ## @@ -11262,19 +11289,15 @@ index f962f76..ec9e64a 100644 ## ## # -@@ -4346,13 +5276,32 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5294,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') --######################################## +####################################### - ## --## Remove entries from the tmp directory. ++## +## Allow read and write to the tmp directory (/tmp). - ## - ## --## --## Domain allowed access. ++## ++## +## +## Domain not to audit. +## @@ -11289,17 +11312,10 @@ index f962f76..ec9e64a 100644 + allow $1 tmp_t:dir rw_dir_perms; +') + -+######################################## -+## -+## Remove entries from the tmp directory. -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -4361,6 +5310,7 @@ interface(`files_delete_tmp_dir_entry',` + ######################################## + ## + ## Remove entries from the tmp directory. +@@ -4361,6 +5328,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -11307,7 +11323,7 @@ index f962f76..ec9e64a 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5352,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5370,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -11340,7 +11356,7 @@ index f962f76..ec9e64a 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5432,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5450,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -11383,7 +11399,7 @@ index f962f76..ec9e64a 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5486,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5504,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -11444,7 +11460,7 @@ index f962f76..ec9e64a 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5585,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5603,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -11453,7 +11469,7 @@ index f962f76..ec9e64a 100644 ## ## # -@@ -4579,7 +5645,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5663,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -11462,7 +11478,7 @@ index f962f76..ec9e64a 100644 ## ## # -@@ -4611,6 +5677,44 @@ interface(`files_read_all_tmp_files',` +@@ -4611,6 +5695,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11507,7 +11523,7 @@ index f962f76..ec9e64a 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5768,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5786,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11524,7 +11540,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -5112,6 +6226,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6244,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## 
@@ -11549,7 +11565,7 @@ index f962f76..ec9e64a 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6373,24 @@ interface(`files_list_var',` +@@ -5241,6 +6391,24 @@ interface(`files_list_var',` ######################################## ## @@ -11574,7 +11590,7 @@ index f962f76..ec9e64a 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6478,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6496,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -11583,7 +11599,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -5527,6 +6677,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6695,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -11609,7 +11625,7 @@ index f962f76..ec9e64a 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6765,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6783,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11635,7 +11651,7 @@ index f962f76..ec9e64a 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6829,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6847,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11644,7 +11660,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -5649,12 +6837,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6855,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11660,7 +11676,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -5672,6 +6861,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6879,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -11668,7 +11684,7 @@ index f962f76..ec9e64a 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6888,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6906,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11696,7 +11712,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -5706,13 +6915,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +6933,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11713,7 +11729,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -5731,7 +6939,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +6957,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11722,7 +11738,7 @@ index f962f76..ec9e64a 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +6972,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +6990,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11730,7 +11746,7 @@ index f962f76..ec9e64a 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +6986,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7004,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11739,7 +11755,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -5787,13 +6994,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7012,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11774,7 +11790,7 @@ index f962f76..ec9e64a 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7036,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7054,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -11792,7 +11808,7 @@ index f962f76..ec9e64a 100644 ') ######################################## -@@ -5834,9 +7060,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7078,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11803,7 +11819,7 @@ index f962f76..ec9e64a 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7102,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7120,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11813,7 +11829,7 @@ index f962f76..ec9e64a 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7124,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7142,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11823,7 +11839,7 @@ index f962f76..ec9e64a 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7161,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7179,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11833,7 +11849,7 @@ index f962f76..ec9e64a 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7200,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7218,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11842,7 +11858,7 @@ index f962f76..ec9e64a 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7220,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7238,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -11891,7 +11907,7 @@ index f962f76..ec9e64a 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7284,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7302,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -11917,7 +11933,7 @@ index f962f76..ec9e64a 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7317,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7335,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -11926,7 +11942,7 @@ index f962f76..ec9e64a 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7336,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7354,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11935,7 +11951,7 @@ index f962f76..ec9e64a 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7356,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7374,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11944,7 +11960,7 @@ index f962f76..ec9e64a 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7418,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7436,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11952,7 +11968,7 @@ index f962f76..ec9e64a 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7446,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7464,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11977,7 +11993,7 @@ index f962f76..ec9e64a 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7477,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7495,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -11986,7 +12002,7 @@ index f962f76..ec9e64a 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7544,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7562,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## 
@@ -12049,7 +12065,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6305,42 +7588,35 @@ interface(`files_delete_all_pids',` +@@ -6305,42 +7606,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -12099,7 +12115,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6348,18 +7624,18 @@ interface(`files_manage_all_pids',` +@@ -6348,18 +7642,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -12123,7 +12139,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6367,37 +7643,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,37 +7661,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -12175,7 +12191,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6405,18 +7684,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6405,18 +7702,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -12198,7 +12214,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6424,18 +7702,18 @@ interface(`files_list_spool',` +@@ -6424,18 +7720,18 @@ interface(`files_list_spool',` ## ## # @@ -12222,7 +12238,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6443,19 +7721,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6443,19 +7739,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -12247,7 +12263,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6463,55 +7740,43 @@ interface(`files_read_generic_spool',` +@@ -6463,55 +7758,43 @@ interface(`files_read_generic_spool',` ## ## # @@ -12318,7 +12334,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6519,53 +7784,68 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +7802,68 @@ interface(`files_spool_filetrans',` ## ## # @@ -12425,7 +12441,7 @@ index f962f76..ec9e64a 100644 ## ## ## -@@ -6573,10 +7853,784 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7871,784 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -15030,7 +15046,7 @@ index 7be4ddf..d5ef507 100644 +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) 
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..98dc4c1 100644 +index e100d88..fb8a1f1 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -15219,7 +15235,33 @@ index e100d88..98dc4c1 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1750,16 +1856,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1672,7 +1778,7 @@ interface(`kernel_read_net_sysctls',` + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) +- ++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + +@@ -1693,7 +1799,7 @@ interface(`kernel_rw_net_sysctls',` + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) +- ++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + +@@ -1715,7 +1821,6 @@ interface(`kernel_read_unix_sysctls',` + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) +- + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + +@@ -1750,16 +1855,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -15237,7 +15279,7 @@ index e100d88..98dc4c1 100644 ') ######################################## -@@ -1771,16 +1870,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1869,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -15255,7 +15297,7 @@ index e100d88..98dc4c1 100644 ') ######################################## -@@ -1792,16 +1884,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1883,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## 
@@ -15273,7 +15315,7 @@ index e100d88..98dc4c1 100644 ') ######################################## -@@ -1813,16 +1898,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +1897,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## @@ -15291,7 +15333,7 @@ index e100d88..98dc4c1 100644 ') ######################################## -@@ -2085,7 +2163,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2162,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -15300,7 +15342,7 @@ index e100d88..98dc4c1 100644 ') ######################################## -@@ -2282,6 +2360,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2359,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -15326,7 +15368,7 @@ index e100d88..98dc4c1 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2403,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2402,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -15335,7 +15377,7 @@ index e100d88..98dc4c1 100644 ## ## # -@@ -2488,6 +2585,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2584,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -15360,7 +15402,7 @@ index e100d88..98dc4c1 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2640,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2639,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -15385,7 +15427,7 @@ index e100d88..98dc4c1 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2800,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2799,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## 
@@ -15410,7 +15452,7 @@ index e100d88..98dc4c1 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2845,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2844,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -15436,7 +15478,7 @@ index e100d88..98dc4c1 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +2973,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +2972,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -15470,7 +15512,7 @@ index e100d88..98dc4c1 100644 ######################################## ## -@@ -2958,6 +3155,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3154,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -15495,7 +15537,7 @@ index e100d88..98dc4c1 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3187,565 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3186,565 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -38519,10 +38561,10 @@ index 0000000..916c8ed +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..24b2af3 +index 0000000..d2a8fc7 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1458 @@ +@@ -0,0 +1,1460 @@ +## SELinux policy for systemd components + +###################################### @@ -38621,6 +38663,8 @@ index 0000000..24b2af3 + systemd_login_list_pid_dirs($1) + systemd_login_read_pid_files($1) + systemd_passwd_agent_exec($1) ++ ++ dontaudit $1 self:capability net_admin; +') + +####################################### diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 89479f4..617cd04 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
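Review bot: The new `dontaudit $1 self:capability net_admin;` in this systemd.if interface silences CAP_NET_ADMIN denials for every domain that calls the interface for the whole life of that domain, not just while it runs systemctl, so a caller that genuinely needs net_admin for something else will now fail with no AVC trace to debug from. The interface's opening line is outside the hunk, so I cannot confirm which interface this is; if it is the systemctl-execution helper the rule is defensible, but it should carry a why-comment on the new line, e.g. `# systemctl probes CAP_NET_ADMIN on every run; silence it once here instead of in each caller`.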
@@ -12652,14 +12652,15 @@ index 4a5b3d1..cd146bd 100644 ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..d0501e3 +index 0000000..53f5265 --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,19 @@ +@@ -0,0 +1,21 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) + +/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0) ++/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) + @@ -12668,6 +12669,7 @@ index 0000000..d0501e3 +/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) + +/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0) ++/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0) +/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0) +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) + @@ -18437,10 +18439,10 @@ index 001b502..3ceae52 100644 optional_policy(` diff --git a/cups.fc b/cups.fc -index 949011e..afe482b 100644 +index 949011e..9437dbe 100644 --- a/cups.fc +++ b/cups.fc -@@ -1,77 +1,87 @@ +@@ -1,77 +1,91 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) 
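Review bot: `/usr/libexec/min-cloud-agent` is labeled `cloud_init_exec_t`, so the agent runs in the cloud-init domain with everything cloud_init_t is allowed, and `/var/lib/min-cloud-agent` is folded into `cloud_var_lib_t` for the same reason. That is a reasonable shortcut for a small agent, but it is an intentional domain-sharing decision that the fc file does not record; a comment on the new line, `# min-cloud-agent runs as cloud_init_t; split out if its privileges diverge`, would stop a later reader from treating it as a labeling mistake.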
@@ -18538,23 +18540,23 @@ index 949011e..afe482b 100644 /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) -+ -+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) -+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) ++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) ++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++ +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) 
@@ -18568,10 +18570,14 @@ index 949011e..afe482b 100644 +/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) +/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + ++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + @@ -28271,10 +28277,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..75d7bc3 +index 0000000..781c76d --- /dev/null +++ b/gear.te -@@ -0,0 +1,121 @@ +@@ -0,0 +1,122 @@ +policy_module(gear, 1.0.0) + +######################################## @@ -28393,6 +28399,7 @@ index 0000000..75d7bc3 +') + +optional_policy(` ++ openshift_manage_lib_dirs(gear_t) + openshift_manage_lib_files(gear_t) + openshift_relabelfrom_lib(gear_t) +') @@ -28572,10 +28579,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..7106428 +index 0000000..351f145 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,51 @@ +@@ -0,0 +1,53 @@ +policy_module(geoclue, 1.0.0) + +######################################## 
@@ -28608,6 +28615,8 @@ index 0000000..7106428 +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file }) + ++kernel_read_network_state(geoclue_t) ++ +auth_read_passwd(geoclue_t) + +corenet_tcp_connect_http_port(geoclue_t) 
@@ -34333,6 +34342,108 @@ index d443fee..6cbbf7d 100644 logging_send_syslog_msg(iodined_t) +diff --git a/iotop.fc b/iotop.fc +new file mode 100644 +index 0000000..c8d2dea +--- /dev/null ++++ b/iotop.fc +@@ -0,0 +1 @@ ++/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0) +diff --git a/iotop.if b/iotop.if +new file mode 100644 +index 0000000..7fc3464 +--- /dev/null ++++ b/iotop.if +@@ -0,0 +1,46 @@ ++## Simple top-like I/O monitor ++ ++######################################## ++## ++## Allow execution of iotop in the iotop domain from the target domain. ++## ++## ++## ++## Domain allowed to transition to iotop. ++## ++## ++# ++interface(`iotop_domtrans',` ++ gen_require(` ++ type iotop_t, iotop_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, iotop_exec_t, iotop_t) ++') ++ ++######################################## ++## ++## Execute iotop in the iotop domain, and ++## allow the specified role to access the iotop domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed into the iotop domain. 
++## ++## ++# ++interface(`iotop_run',` ++ gen_require(` ++ type iotop_t; ++ attribute_role iotop_roles; ++ ') ++ ++ iotop_domtrans($1) ++ roleattribute $2 iotop_roles; ++') +diff --git a/iotop.te b/iotop.te +new file mode 100644 +index 0000000..51d7e34 +--- /dev/null ++++ b/iotop.te +@@ -0,0 +1,37 @@ ++policy_module(iotop, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++attribute_role iotop_roles; ++roleattribute system_r iotop_roles; ++ ++type iotop_t; ++type iotop_exec_t; ++application_domain(iotop_t, iotop_exec_t) ++ ++role iotop_roles types iotop_t; ++ ++######################################## ++# ++# iotop local policy ++# ++ ++allow iotop_t self:capability net_admin; ++allow iotop_t self:netlink_route_socket r_netlink_socket_perms; ++ ++kernel_read_system_state(iotop_t) ++ ++auth_use_nsswitch(iotop_t) ++ ++dev_read_urand(iotop_t) ++ ++domain_getsched_all_domains(iotop_t) ++domain_read_all_domains_state(iotop_t) ++ ++corecmd_exec_bin(iotop_t) ++ ++miscfiles_read_localization(iotop_t) ++ ++userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 index 0000000..48d7322 @@ -40137,7 +40248,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..1859690 100644 +index be0ab84..9321951 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -40183,7 +40294,7 @@ index be0ab84..1859690 100644 -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; -+dontaudit logrotate_t self:capability sys_resource; ++dontaudit logrotate_t self:capability { sys_resource net_admin }; + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + 
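Review bot: iotop.te allows `self:netlink_route_socket r_netlink_socket_perms` next to `self:capability net_admin`, but as far as I recall iotop obtains per-task I/O counters from the taskstats interface over a generic netlink socket, which in policy of this vintage is the `netlink_socket` class rather than `netlink_route_socket`; confirm against a real AVC before shipping, otherwise the route-socket rule is dead weight and the actual denial will surface later. `domain_read_all_domains_state(iotop_t)` together with `domain_getsched_all_domains(iotop_t)` hands this tool read access to the /proc state of every domain, which is expected for a system-wide monitor but should be explained in place, e.g. `# /proc/<pid>/io and scheduler data for all processes`.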
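Review bot: The changed line `dontaudit logrotate_t self:capability { sys_resource net_admin };` keeps `sys_resource` in the dontaudit set even though the `allow logrotate_t self:capability { ... sys_resource ... }` line directly above already grants it, so that half of the rule is a no-op (pre-existing, but worth dropping while the line is being touched). The added `net_admin` is, per the changelog, for systemctl calls from logrotate scripts; if logrotate_t reaches systemctl through the shared systemd interface that now carries its own net_admin dontaudit, this line duplicates it, and if not, a comment such as `# systemctl in postrotate scripts probes CAP_NET_ADMIN` would record why these denials are hidden.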
@@ -40418,7 +40529,7 @@ index be0ab84..1859690 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..c76dbda 100644 +index ab65034..28f63b5 100644 --- a/logwatch.te +++ b/logwatch.te @@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) @@ -40503,11 +40614,13 @@ index ab65034..c76dbda 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t) +@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) +mta_read_home(logwatch_mail_t) ++mta_filetrans_home_content(logwatch_mail_t) ++mta_filetrans_admin_home_content(logwatch_mail_t) + optional_policy(` cron_use_system_job_fds(logwatch_mail_t) @@ -45601,7 +45714,7 @@ index 6194b80..cafb2b0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..7bb38c6 100644 +index 11ac8e4..633063d 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) @@ -46039,7 +46152,7 @@ index 11ac8e4..7bb38c6 100644 ') optional_policy(` -@@ -300,259 +324,248 @@ optional_policy(` +@@ -300,259 +324,252 @@ optional_policy(` ######################################## # 
@@ -46272,14 +46385,17 @@ index 11ac8e4..7bb38c6 100644 fs_getattr_all_fs(mozilla_plugin_t) -# fs_read_hugetlbfs_files(mozilla_plugin_t) -fs_search_auto_mountpoints(mozilla_plugin_t) -- --term_getattr_all_ttys(mozilla_plugin_t) --term_getattr_all_ptys(mozilla_plugin_t) +fs_list_dos(mozilla_plugin_t) +fs_read_noxattr_fs_files(mozilla_plugin_t) +fs_read_hugetlbfs_files(mozilla_plugin_t) +fs_exec_hugetlbfs_files(mozilla_plugin_t) +-term_getattr_all_ttys(mozilla_plugin_t) +-term_getattr_all_ptys(mozilla_plugin_t) ++storage_raw_read_removable_device(mozilla_plugin_t) ++fs_read_removable_files(mozilla_plugin_t) ++fs_read_removable_symlinks(mozilla_plugin_t) + application_exec(mozilla_plugin_t) +application_dontaudit_signull(mozilla_plugin_t) @@ -46435,7 +46551,7 @@ index 11ac8e4..7bb38c6 100644 ') optional_policy(` -@@ -560,7 +573,11 @@ optional_policy(` +@@ -560,7 +577,11 @@ optional_policy(` ') optional_policy(` @@ -46448,7 +46564,7 @@ index 11ac8e4..7bb38c6 100644 ') optional_policy(` -@@ -568,108 +585,131 @@ optional_policy(` +@@ -568,108 +589,131 @@ optional_policy(` ') optional_policy(` @@ -53019,10 +53135,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..f429163 +index 0000000..f691a30 --- /dev/null +++ b/nova.te -@@ -0,0 +1,311 @@ +@@ -0,0 +1,310 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -53302,7 +53418,6 @@ index 0000000..f429163 +# nova vncproxy local policy +# + -+ +####################################### +# +# nova volume local policy @@ -59264,10 +59379,10 @@ index 0000000..42ed4ba +') diff --git a/openwsman.te b/openwsman.te new file mode 100644 -index 0000000..49dc5ef +index 0000000..a0161d5 --- /dev/null +++ b/openwsman.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,56 @@ +policy_module(openwsman, 1.0.0) + +######################################## 
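Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` gives every browser plugin raw read access to removable block devices, which bypasses filesystem permissions and labels on whatever medium is inserted, not only the /dev/sr0 case named in the changelog. Plugin code is the most exposed part of a browser, so this belongs behind a boolean in a `tunable_policy` block that defaults off, while the two `fs_read_removable_*` rules can stay unconditional. At minimum the new rules need a why-comment, e.g. `# DVD/CD playback plugins open /dev/sr0 directly`. The mozilla_plugin local-policy block continues before and after this hunk.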
@@ -59279,6 +59394,9 @@ index 0000000..49dc5ef +type openwsman_exec_t; +init_daemon_domain(openwsman_t, openwsman_exec_t) + ++type openwsman_tmp_t; ++files_tmp_file(openwsman_tmp_t) ++ +type openwsman_log_t; +logging_log_file(openwsman_log_t) + @@ -59292,10 +59410,17 @@ index 0000000..49dc5ef +# +# openwsman local policy +# ++ ++allow openwsman_t self:capability setuid; ++ +allow openwsman_t self:process { fork }; +allow openwsman_t self:fifo_file rw_fifo_file_perms; +allow openwsman_t self:unix_stream_socket create_stream_socket_perms; -+allow openwsman_t self:tcp_socket { create_socket_perms listen }; ++allow openwsman_t self:tcp_socket { create_socket_perms accept listen }; ++ ++manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) ++manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) ++files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file }) + +manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t) +logging_log_filetrans(openwsman_t, openwsman_log_t, { file }) @@ -59304,12 +59429,15 @@ index 0000000..49dc5ef +files_pid_filetrans(openwsman_t, openwsman_run_t, { file }) + +auth_use_nsswitch(openwsman_t) ++auth_domtrans_chkpwd(openwsman_t) + ++corenet_tcp_connect_pegasus_https_port(openwsman_t) +corenet_tcp_bind_vnc_port(openwsman_t) + +dev_read_urand(openwsman_t) + +logging_send_syslog_msg(openwsman_t) ++logging_send_audit_msgs(openwsman_t) + diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 @@ -73504,10 +73632,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..d76fab5 100644 +index 8644d8b..9494e23 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,132 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0) # Declarations # 
@@ -73554,7 +73682,7 @@ index 8644d8b..d76fab5 100644 -allow quantum_t self:unix_stream_socket { accept listen }; +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; -+allow neutron_t self:process { setsched setrlimit signal_perms }; ++allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; 
@@ -73562,46 +73690,45 @@ index 8644d8b..d76fab5 100644 +allow neutron_t self:unix_stream_socket { accept listen }; +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; +allow neutron_t self:rawip_socket create_socket_perms; ++allow neutron_t self:packet_socket create_socket_perms; + +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) ++ ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) -+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, file) - --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) ++can_exec(neutron_t, neutron_tmp_t) + -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) -+can_exec(neutron_t, neutron_tmp_t) - --can_exec(quantum_t, quantum_tmp_t) +kernel_rw_kernel_sysctl(neutron_t) +kernel_rw_net_sysctls(neutron_t) 
+kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) +-can_exec(quantum_t, quantum_tmp_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
@@ -73609,83 +73736,88 @@ index 8644d8b..d76fab5 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --corenet_all_recvfrom_unlabeled(quantum_t) --corenet_all_recvfrom_netlabel(quantum_t) --corenet_tcp_sendrecv_generic_if(quantum_t) --corenet_tcp_sendrecv_generic_node(quantum_t) --corenet_tcp_sendrecv_all_ports(quantum_t) --corenet_tcp_bind_generic_node(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_tcp_bind_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) +corenet_tcp_connect_osapi_compute_port(neutron_t) --dev_list_sysfs(quantum_t) --dev_read_urand(quantum_t) +-corenet_all_recvfrom_unlabeled(quantum_t) +-corenet_all_recvfrom_netlabel(quantum_t) +-corenet_tcp_sendrecv_generic_if(quantum_t) +-corenet_tcp_sendrecv_generic_node(quantum_t) +-corenet_tcp_sendrecv_all_ports(quantum_t) +-corenet_tcp_bind_generic_node(quantum_t) +domain_read_all_domains_state(neutron_t) +domain_named_filetrans(neutron_t) --files_read_usr_files(quantum_t) +-dev_list_sysfs(quantum_t) +-dev_read_urand(quantum_t) +dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) +dev_unmount_sysfs_fs(neutron_t) --auth_use_nsswitch(quantum_t) +-files_read_usr_files(quantum_t) +files_mounton_non_security(neutron_t) --libs_exec_ldconfig(quantum_t) +-auth_use_nsswitch(quantum_t) +auth_use_nsswitch(neutron_t) --logging_send_audit_msgs(quantum_t) --logging_send_syslog_msg(quantum_t) +-libs_exec_ldconfig(quantum_t) +libs_exec_ldconfig(neutron_t) --miscfiles_read_localization(quantum_t) +-logging_send_audit_msgs(quantum_t) +-logging_send_syslog_msg(quantum_t) +logging_send_audit_msgs(neutron_t) +logging_send_syslog_msg(neutron_t) +-miscfiles_read_localization(quantum_t) ++netutils_exec(neutron_t) + -sysnet_domtrans_ifconfig(quantum_t) ++# need to stay in neutron 
+sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) +sysnet_filetrans_named_content_ifconfig(neutron_t) -+ -+optional_policy(` -+ brctl_domtrans(neutron_t) -+') optional_policy(` - brctl_domtrans(quantum_t) -+ dnsmasq_domtrans(neutron_t) -+ dnsmasq_signal(neutron_t) -+ dnsmasq_read_state(neutron_t) ++ brctl_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ iptables_domtrans(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_read_state(neutron_t) +') - mysql_tcp_connect(quantum_t) +optional_policy(` -+ mysql_stream_connect(neutron_t) -+ mysql_read_db_lnk_files(neutron_t) -+ mysql_read_config(neutron_t) -+ mysql_tcp_connect(neutron_t) ++ iptables_domtrans(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_db_lnk_files(neutron_t) ++ mysql_read_config(neutron_t) ++ mysql_tcp_connect(neutron_t) ++') + +- postgresql_tcp_connect(quantum_t) ++optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) +') - -- postgresql_tcp_connect(quantum_t) ++ +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) @@ -91614,7 +91746,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..4f35a1b 100644 +index cc58e35..de9c4d9 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) @@ -91918,7 +92050,7 @@ index cc58e35..4f35a1b 100644 ') ######################################## -@@ -167,72 +248,85 @@ optional_policy(` +@@ -167,72 +248,90 @@ optional_policy(` # Client local policy # 
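Review bot: The comment `# need to stay in neutron` above `netutils_exec(neutron_t)` says that arping runs without a domain transition but not why, and neutron_t is already one of the widest service domains in this patch (net_admin, net_raw, sys_admin, plus `packet_socket` and `setcap` added in the earlier hunks), so the reason for widening it further should be on record. If the motivation is that arping is launched inside neutron-created network namespaces where a transition to netutils_t would not work, say so: `# arping runs inside neutron-created netns; keep it in neutron_t rather than transitioning to netutils_t`. I am inferring that motivation from the changelog entry, so adjust the wording to the real cause. The neutron local-policy block continues outside this hunk.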
@@ -91958,6 +92090,8 @@ index cc58e35..4f35a1b 100644 +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +userdom_append_user_home_content_files(spamc_t) ++spamassassin_filetrans_home_content(spamc_t) ++spamassassin_filetrans_admin_home_content(spamc_t) +# for /root/.pyzor +allow spamc_t self:capability dac_override; @@ -91965,6 +92099,9 @@ index cc58e35..4f35a1b 100644 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) ++read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t) ++list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t) ++ +# Allow connecting to a local spamd +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; @@ -92035,7 +92172,7 @@ index cc58e35..4f35a1b 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +337,7 @@ optional_policy(` +@@ -243,6 +342,7 @@ optional_policy(` ') optional_policy(` @@ -92043,7 +92180,7 @@ index cc58e35..4f35a1b 100644 evolution_stream_connect(spamc_t) ') -@@ -251,10 +346,16 @@ optional_policy(` +@@ -251,10 +351,16 @@ optional_policy(` ') optional_policy(` @@ -92061,7 +92198,7 @@ index cc58e35..4f35a1b 100644 sendmail_stub(spamc_t) ') -@@ -267,36 +368,38 @@ optional_policy(` +@@ -267,36 +373,38 @@ optional_policy(` ######################################## # 
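Review bot: `read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` and `list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` let the per-user spamc client read everything labeled spamd_spool_t, while the changelog only asks for the `.pyzor` data under /var/spool/spampd. If the daemon spool also holds queued or quarantined mail, this exposes other users' messages to any spamc invocation, with DAC as the only remaining barrier; either give the pyzor directory its own type and grant that, or add a comment confirming the spool carries no per-user data, e.g. `# .pyzor lives in /var/spool/spampd (spamd_spool_t); no mail is stored there`. The spamc local-policy block continues outside this hunk.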
@@ -92088,17 +92225,17 @@ index cc58e35..4f35a1b 100644 allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket { accept connectto listen }; -allow spamd_t self:tcp_socket { accept listen }; -+allow spamd_t self:unix_stream_socket connectto; -+allow spamd_t self:tcp_socket create_stream_socket_perms; -+allow spamd_t self:udp_socket create_socket_perms; - +- -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") -- ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) @@ -92117,7 +92254,7 @@ index cc58e35..4f35a1b 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) 
@@ -92127,7 +92264,7 @@ index cc58e35..4f35a1b 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -92143,7 +92280,7 @@ index cc58e35..4f35a1b 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -92247,7 +92384,7 @@ index cc58e35..4f35a1b 100644 ') optional_policy(` -@@ -421,21 +507,13 @@ optional_policy(` +@@ -421,21 +512,13 @@ optional_policy(` ') optional_policy(` @@ -92271,7 +92408,7 @@ index cc58e35..4f35a1b 100644 ') optional_policy(` -@@ -443,8 +521,8 @@ optional_policy(` +@@ -443,8 +526,8 @@ optional_policy(` ') optional_policy(` @@ -92281,7 +92418,7 @@ index cc58e35..4f35a1b 100644 ') optional_policy(` -@@ -455,7 +533,17 @@ optional_policy(` +@@ -455,7 +538,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -92300,7 +92437,7 @@ index cc58e35..4f35a1b 100644 ') optional_policy(` -@@ -463,9 +551,9 @@ optional_policy(` +@@ -463,9 +556,9 @@ optional_policy(` ') optional_policy(` @@ -92311,7 +92448,7 @@ index cc58e35..4f35a1b 100644 ') optional_policy(` -@@ -474,32 +562,32 @@ optional_policy(` +@@ -474,32 +567,32 @@ optional_policy(` ######################################## # 
@@ -92354,7 +92491,7 @@ index cc58e35..4f35a1b 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -97873,7 +98010,7 @@ index 9b95c3e..a892845 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index de35e5f..436d24c 100644 +index de35e5f..51f2763 100644 --- a/ulogd.te +++ b/ulogd.te @@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t) @@ -97894,8 +98031,9 @@ index de35e5f..436d24c 100644 -files_read_etc_files(ulogd_t) -files_read_usr_files(ulogd_t) - +- -miscfiles_read_localization(ulogd_t) ++kernel_request_load_module(ulogd_t) sysnet_dns_name_resolve(ulogd_t) @@ -101214,7 +101352,7 @@ index facdee8..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..a26950d 100644 +index f03dcf5..0b4a6fa 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,212 @@ @@ -102678,7 +102816,7 @@ index f03dcf5..a26950d 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
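Review bot: `kernel_request_load_module(ulogd_t)` lets the daemon trigger kernel module autoloading by alias, which is a small but real attack surface for a network-facing logger and is normally granted with one specific module in mind. Record which one it is — presumably a netfilter logging backend, though I cannot tell from the hunk — e.g. `# autoloads its nfnetlink backend at startup`, so a later cleanup can tell whether `kernel_dontaudit_request_load_module` would suffice once the module is loaded by other means.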
@@ -102912,21 +103050,25 @@ index f03dcf5..a26950d 100644 +') + +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -102991,12 +103133,12 @@ index f03dcf5..a26950d 100644 +', ` + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') ++ ++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) -+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; -+ +kernel_read_irq_sysctls(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) @@ -103073,7 +103215,8 @@ index f03dcf5..a26950d 100644 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) @@ -103085,8 +103228,7 @@ index f03dcf5..a26950d 100644 +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +term_pty(svirt_sandbox_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) 
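Review bot: `gear_read_pid_files(svirt_sandbox_domain)` is attached to the attribute shared by every sandbox container domain, so all sandboxed workloads, not only gear-managed ones, can read gear's runtime state under /run. If that content is per-container or carries orchestration details, this is a cross-tenant information leak between unrelated sandboxes; scoping the rule to the sandbox type gear actually spawns, or adding a comment confirming the content is non-sensitive (`# gear state in /run is public container metadata`), would settle it. The svirt_sandbox_domain rule block continues outside this hunk.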
@@ -103115,7 +103257,7 @@ index f03dcf5..a26950d 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -103130,7 +103272,7 @@ index f03dcf5..a26950d 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1456,8 @@ optional_policy(` +@@ -1192,9 +1460,8 @@ optional_policy(` ######################################## # @@ -103141,7 +103283,7 @@ index f03dcf5..a26950d 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -103360,8 +103502,6 @@ index f03dcf5..a26950d 100644 +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') -+ -+ diff --git a/vlock.te b/vlock.te index 6b72968..de409cc 100644 --- a/vlock.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 6e5a903..c7e40ed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -590,6 +590,25 @@ SELinux Reference policy mls base module. %changelog * Wed May 7 2014 Miroslav Grepl 3.13.1-52 - More rules for gears and openshift +- Added iotop policy. Thanks William Brown +- Allow spamc to read .pyzor located in /var/spool/spampd +- Allow spamc to create home content with correct labeling +- Allow logwatch_mail_t to create dead.letter with correct labelign +- Add labeling for min-cloud-agent +- Allow geoclue to read unix in proc. +- Add support for /usr/local/Brother labeling. We removed /usr/local equiv. +- add support for min-cloud-agent +- Allow ulogd to request the kernel to load a module +- remove unconfined_domain for openwsman_t +- Add openwsman_tmp_t rules +- Allow openwsman to execute chkpwd and make this domain as unconfined for F20. +- Allow nova-scheduler to read passwd file +- Allow neutron execute arping in neutron_t +- Dontaudit logrotate executing systemctl command attempting to net_admin +- Allow mozilla plugins to use /dev/sr0 +- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files +- Any app that executes systemctl will attempt a net_admin +- Fix path to mmap_min_addr * Wed May 7 2014 Miroslav Grepl 3.13.1-51 - Add gear fixes from dwalsh