From e700f02abb72d7f7df107928e373fd0b36161778 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 30 2011 09:21:28 +0000 Subject: - Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content() - Allow init to delete all pid sockets - Allow colord to read /proc/stat - Add label for /var/www/html/wordpress/wp-content/plugins directory - Allow pppd to search /var/lock dir - puppetmaster use nsswitch: #711804 - Update abrt to match rawhide policy - allow privoxy to read network data - support gecko mozilla browser plugin - Allow chrome_sandbox to execute content in nfs homedir - postfix_qmgr needs to read /var/spool/postfix/deferred - abrt_t needs fsetid --- diff --git a/policy-F15.patch b/policy-F15.patch index 7f7af25..733b71f 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1377,7 +1377,7 @@ index c633aea..c489eec 100644 optional_policy(` seutil_use_newrole_fds(gcc_config_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..4e0088d 100644 +index af55369..158637d 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -18,6 +18,7 @@ type prelink_cron_system_t; @@ -1427,16 +1427,18 @@ index af55369..4e0088d 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -99,6 +104,8 @@ libs_delete_lib_symlinks(prelink_t) +@@ -99,6 +104,10 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) +userdom_manage_user_home_content(prelink_t) +userdom_execmod_user_home_files(prelink_t) ++ ++term_use_all_inherited_terms(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +116,14 @@ optional_policy(` +@@ -109,6 +118,14 @@ optional_policy(` ') optional_policy(` 
@@ -1451,7 +1453,7 @@ index af55369..4e0088d 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +144,7 @@ optional_policy(` +@@ -129,6 +146,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -1459,7 +1461,7 @@ index af55369..4e0088d 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +164,28 @@ optional_policy(` +@@ -148,17 +166,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -3039,10 +3041,10 @@ index 0000000..e921f24 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..0852151 +index 0000000..ee4cf03 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,107 @@ +@@ -0,0 +1,111 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3141,13 +3143,17 @@ index 0000000..0852151 + +tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(chrome_sandbox_t) -+ fs_read_inherited_nfs_files(chrome_sandbox_t) ++ fs_exec_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_files(chrome_sandbox_t) + fs_read_nfs_symlinks(chrome_sandbox_t) ++ fs_dontaudit_append_nfs_files(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(chrome_sandbox_t) -+ fs_read_inherited_cifs_files(chrome_sandbox_t) ++ fs_exec_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_symlinks(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te @@ -5752,7 +5758,7 @@ index 93ac529..aafece7 100644 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) 
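Review bot: In the chrome.te hunk, the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks replace `fs_read_inherited_nfs_files` / `fs_read_inherited_cifs_files` with `fs_read_*_files` plus `fs_exec_*_files`, so chrome_sandbox_t is no longer limited to descriptors handed to it and can open and execute files on the network mount by path. Files on such mounts usually share one label, so once the boolean is on there is presumably no type separation left between the sandbox and the rest of the home directory. The commit message mentions only NFS, but the CIFS block is widened the same way and also gains `fs_read_cifs_symlinks`. I would record the reason next to the rules, for example `# chrome-sandbox execs browser content stored in the network home dir; this also permits open-by-path reads of nfs_t/cifs_t files`, so a later reviewer can tell the wider read access is intentional.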
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..19de023 100644 +index 9a6d67d..8668188 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -5889,14 +5895,32 @@ index 9a6d67d..19de023 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +301,39 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +301,57 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') + ++###################################### ++## ++## Read mozilla_plugin tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`mozilla_plugin_read_tmpfs_files',` ++ gen_require(` ++ type mozilla_plugin_tmpfs_t; ++ ') ++ ++ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; ++') ++ +######################################## +## -+## Delete mozilla_plugin tmpf files ++## Delete mozilla_plugin tmpfs files +## +## +## @@ -5909,7 +5933,7 @@ index 9a6d67d..19de023 100644 + type mozilla_plugin_tmpfs_t; + ') + -+ allow $1 mozilla_plugin_tmpfs_t:file unlink; ++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; +') + +######################################## @@ -5930,7 +5954,7 @@ index 9a6d67d..19de023 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..1ddd82a 100644 +index 2a91fa8..f0ccd36 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -5950,7 +5974,7 @@ index 2a91fa8..1ddd82a 100644 userdom_user_home_content(mozilla_home_t) type mozilla_tmpfs_t; -@@ -33,6 +34,20 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ +@@ -33,6 +34,21 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ files_tmpfs_file(mozilla_tmpfs_t) ubac_constrained(mozilla_tmpfs_t) 
@@ -5963,6 +5987,7 @@ index 2a91fa8..1ddd82a 100644 +userdom_user_tmp_content(mozilla_plugin_tmp_t) + +type mozilla_plugin_tmpfs_t; ++userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) +files_tmpfs_file(mozilla_plugin_tmpfs_t) +ubac_constrained(mozilla_plugin_tmpfs_t) + @@ -5971,7 +5996,7 @@ index 2a91fa8..1ddd82a 100644 ######################################## # # Local policy -@@ -89,16 +104,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t) +@@ -89,16 +105,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t) corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) @@ -5992,7 +6017,7 @@ index 2a91fa8..1ddd82a 100644 corenet_sendrecv_ftp_client_packets(mozilla_t) corenet_sendrecv_ipp_client_packets(mozilla_t) corenet_sendrecv_generic_client_packets(mozilla_t) -@@ -238,6 +257,7 @@ optional_policy(` +@@ -238,6 +258,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -6000,7 +6025,7 @@ index 2a91fa8..1ddd82a 100644 ') optional_policy(` -@@ -258,6 +278,11 @@ optional_policy(` +@@ -258,6 +279,11 @@ optional_policy(` ') optional_policy(` @@ -6012,7 +6037,7 @@ index 2a91fa8..1ddd82a 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,198 @@ optional_policy(` +@@ -266,3 +292,214 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -6033,6 +6058,7 @@ index 2a91fa8..1ddd82a 100644 +allow mozilla_plugin_t self:sem create_sem_perms; +allow mozilla_plugin_t self:shm create_shm_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; ++allow mozilla_plugin_t self:unix_dgram_socket sendto; +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +can_exec(mozilla_plugin_t, mozilla_home_t) 
@@ -6041,8 +6067,9 @@ index 2a91fa8..1ddd82a 100644 +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) ++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) + +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) @@ -6146,6 +6173,11 @@ index 2a91fa8..1ddd82a 100644 +') + +optional_policy(` ++ consolekit_dbus_chat(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ dbus_connect_session_bus(mozilla_plugin_t) + dbus_system_bus_client(mozilla_plugin_t) + dbus_session_bus_client(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) @@ -6185,6 +6217,7 @@ index 2a91fa8..1ddd82a 100644 + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) + pulseaudio_manage_home_files(mozilla_plugin_t) ++ pulseaudio_manage_home_symlinks(mozilla_plugin_t) +') + +optional_policy(` @@ -6192,6 +6225,14 @@ index 2a91fa8..1ddd82a 100644 +') + +optional_policy(` ++ rtkit_scheduled(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ udev_read_db(mozilla_plugin_t) ++') ++ ++optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) @@ -7434,7 +7475,7 @@ index a2f6124..9d62060 100644 optional_policy(` 
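Review bot: The mozilla.te hunk that adds `consolekit_dbus_chat(mozilla_plugin_t)` and `dbus_connect_session_bus(mozilla_plugin_t)` gives no reason for either call, and the commit message says only "support gecko mozilla browser plugin". mozilla_plugin_t confines plugin code that handles untrusted web content, so each extra D-Bus peer is reachable from that code; judging by the interface names, the domain can now talk to ConsoleKit and do more on the session bus than the existing `dbus_session_bus_client` call allowed. A short comment above each block naming the plugin and the denial it fixes, such as `# gecko-mediaplayer: <AVC or bug reference>`, would let these grants be re-checked when the plugin changes.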
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index 2ba7787..9f12b51 100644 +index 2ba7787..18adcbd 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -17,7 +17,7 @@ @@ -7473,8 +7514,33 @@ index 2ba7787..9f12b51 100644 userdom_search_user_home_dirs($1) ') +@@ -256,3 +262,24 @@ interface(`pulseaudio_manage_home_files',` + manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + ') ++ ++######################################## ++## ++## Create, read, write, and delete pulseaudio ++## home directory symlinks. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pulseaudio_manage_home_symlinks',` ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++') ++ diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index c2d20a2..df078e0 100644 +index c2d20a2..2971797 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -7508,10 +7574,15 @@ index c2d20a2..df078e0 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -131,6 +131,10 @@ optional_policy(` +@@ -131,6 +131,15 @@ optional_policy(` ') optional_policy(` ++ mozilla_plugin_delete_tmpfs_files(pulseaudio_t) ++ mozilla_plugin_read_tmpfs_files(pulseaudio_t) ++') ++ ++optional_policy(` + mpd_read_tmpfs_files(pulseaudio_t) +') + @@ -7519,7 +7590,7 @@ index c2d20a2..df078e0 100644 policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +152,7 @@ optional_policy(` +@@ -148,3 +157,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') 
@@ -12369,7 +12440,7 @@ index 16108f6..a02d2cc 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..5631fb1 100644 +index 958ca84..cbbfe21 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -13006,12 +13077,13 @@ index 958ca84..5631fb1 100644 ## ## ## -@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',` +@@ -4127,6 +4603,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) + delete_chr_files_pattern($1, tmpfile, tmpfile) + delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) + files_delete_isid_type_symlinks($1) @@ -13022,7 +13094,7 @@ index 958ca84..5631fb1 100644 ') ######################################## -@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5222,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -13047,7 +13119,7 @@ index 958ca84..5631fb1 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5575,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -13073,7 +13145,7 @@ index 958ca84..5631fb1 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5084,6 +5606,8 @@ interface(`files_search_locks',` +@@ -5084,6 +5607,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -13082,7 +13154,7 @@ index 958ca84..5631fb1 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5103,11 +5627,50 @@ interface(`files_dontaudit_search_locks',` +@@ -5103,11 +5628,50 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') 
@@ -13133,7 +13205,7 @@ index 958ca84..5631fb1 100644 ## Add and remove entries in the /var/lock ## directories. ## -@@ -5122,6 +5685,7 @@ interface(`files_rw_lock_dirs',` +@@ -5122,6 +5686,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -13141,7 +13213,7 @@ index 958ca84..5631fb1 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5140,7 +5704,7 @@ interface(`files_getattr_generic_locks',` +@@ -5140,7 +5705,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -13150,7 +13222,7 @@ index 958ca84..5631fb1 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5156,12 +5720,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5721,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -13167,7 +13239,7 @@ index 958ca84..5631fb1 100644 ') ######################################## -@@ -5180,7 +5744,7 @@ interface(`files_manage_generic_locks',` +@@ -5180,7 +5745,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -13176,7 +13248,7 @@ index 958ca84..5631fb1 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5207,6 +5771,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5772,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -13204,7 +13276,7 @@ index 958ca84..5631fb1 100644 ## Read all lock files. ## ## -@@ -5221,7 +5806,7 @@ interface(`files_read_all_locks',` +@@ -5221,7 +5807,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -13213,7 +13285,7 @@ index 958ca84..5631fb1 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5243,7 +5828,7 @@ interface(`files_manage_all_locks',` +@@ -5243,7 +5829,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -13222,7 +13294,7 @@ index 958ca84..5631fb1 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5275,7 +5860,7 @@ interface(`files_lock_filetrans',` +@@ -5275,7 +5861,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -13231,7 +13303,7 @@ index 958ca84..5631fb1 100644 filetrans_pattern($1, var_lock_t, $2, $3) ') -@@ -5332,9 +5917,47 @@ interface(`files_search_pids',` +@@ -5332,9 +5918,47 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -13279,7 +13351,7 @@ index 958ca84..5631fb1 100644 ######################################## ## ## Do not audit attempts to search -@@ -5410,6 +6033,24 @@ interface(`files_write_generic_pid_pipes',` +@@ -5410,6 +6034,24 @@ interface(`files_write_generic_pid_pipes',` allow $1 var_run_t:fifo_file write; ') @@ -13304,7 +13376,7 @@ index 958ca84..5631fb1 100644 ######################################## ## ## Create an object in the process ID directory, with a private type. -@@ -5542,6 +6183,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6184,80 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13334,7 +13406,7 @@ index 958ca84..5631fb1 100644 +## +## +# -+interface(`files_unlink_all_pid_sockets',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') @@ -13344,6 +13416,24 @@ index 958ca84..5631fb1 100644 + +######################################## +## ++## Delete all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++') ++ ++######################################## ++## +## manage all pidfile directories +## in the /var/run directory. +## 
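Review bot: The new `files_delete_all_pid_pipes` grants only `pidfile:fifo_file delete_fifo_file_perms`, and nothing in the visible body grants permissions on the directory holding the pipe. Elsewhere on this page `files_purge_tmp` uses `delete_fifo_files_pattern($1, tmpfile, tmpfile)`, so a caller may expect this interface to be sufficient on its own. If the narrow grant is intended, say so in the summary, for example `Delete all pid named pipes; directory permissions must be granted separately`. The preceding hunk renames `files_unlink_all_pid_sockets` to `files_delete_all_pid_sockets` with no deprecated alias visible here; callers outside this view would need the same rename, or a `refpolicywarn` wrapper like the one `term_dontaudit_use_all_user_ttys` uses.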
@@ -13367,7 +13457,7 @@ index 958ca84..5631fb1 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6256,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6275,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -13412,7 +13502,7 @@ index 958ca84..5631fb1 100644 ') ######################################## -@@ -5844,3 +6579,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6598,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15148,10 +15238,38 @@ index 3994e57..a1923fe 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..3440a84 100644 +index f3acfee..c5b2825 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if -@@ -274,7 +274,6 @@ interface(`term_dontaudit_read_console',` +@@ -208,6 +208,27 @@ interface(`term_use_all_terms',` + + ######################################## + ## ++## Read and write the inherited console, all inherited ++## ttys and ptys. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`term_use_all_inherited_terms',` ++ gen_require(` ++ attribute ttynode, ptynode; ++ type console_device_t, devpts_t, tty_device_t; ++ ') ++ ++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms; ++') ++ ++######################################## ++## + ## Write to the console. + ## + ## +@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',` ## Domain allowed access. ## ## @@ -15159,7 +15277,7 @@ index f3acfee..3440a84 100644 # interface(`term_use_console',` gen_require(` -@@ -299,9 +298,11 @@ interface(`term_use_console',` +@@ -299,9 +319,11 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; 
@@ -15172,7 +15290,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -341,7 +342,7 @@ interface(`term_relabel_console',` +@@ -341,7 +363,7 @@ interface(`term_relabel_console',` ') dev_list_all_dev_nodes($1) @@ -15181,7 +15299,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -462,6 +463,24 @@ interface(`term_list_ptys',` +@@ -462,6 +484,24 @@ interface(`term_list_ptys',` ######################################## ## @@ -15206,7 +15324,7 @@ index f3acfee..3440a84 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -658,6 +677,25 @@ interface(`term_use_controlling_term',` +@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',` allow $1 devtty_t:chr_file { rw_term_perms lock append }; ') @@ -15232,7 +15350,7 @@ index f3acfee..3440a84 100644 ######################################## ## ## Do not audit attempts to get attributes -@@ -855,7 +893,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -855,7 +914,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -15241,7 +15359,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1123,7 +1161,7 @@ interface(`term_relabel_unallocated_ttys',` +@@ -1123,7 +1182,7 @@ interface(`term_relabel_unallocated_ttys',` ') dev_list_all_dev_nodes($1) @@ -15250,7 +15368,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1222,7 +1260,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1222,7 +1281,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -15259,7 +15377,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1238,11 +1276,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1238,11 +1297,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` 
@@ -15273,7 +15391,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1259,10 +1299,12 @@ interface(`term_getattr_all_ttys',` +@@ -1259,10 +1320,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -15286,7 +15404,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1301,7 +1343,7 @@ interface(`term_relabel_all_ttys',` +@@ -1301,7 +1364,7 @@ interface(`term_relabel_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -15295,7 +15413,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1359,7 +1401,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1359,7 +1422,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -15304,7 +15422,7 @@ index f3acfee..3440a84 100644 ') ######################################## -@@ -1475,3 +1517,22 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1475,3 +1538,22 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -17558,10 +17676,21 @@ index e88b95f..69ade9e 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..3b3ba64 100644 +index 1bd5812..7112560 100644 --- a/policy/modules/services/abrt.fc 
+++ b/policy/modules/services/abrt.fc -@@ -15,6 +15,7 @@ +@@ -3,8 +3,9 @@ + + /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + +-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + /usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + + /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) + +@@ -15,6 +16,21 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -17569,8 +17698,22 @@ index 1bd5812..3b3ba64 100644 /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++ ++# ABRT retrace server ++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) ++/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) ++ ++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) ++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) ++ ++# cjp: new version ++/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) ++/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) ++/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) ++ ++ diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..9a82e8d 100644 +index 0b827c5..7382308 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` 
@@ -17664,7 +17807,7 @@ index 0b827c5..9a82e8d 100644 ##################################### ## ## All of the rules required to administrate -@@ -286,18 +345,18 @@ interface(`abrt_admin',` +@@ -286,18 +345,98 @@ interface(`abrt_admin',` role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; 
@@ -17688,8 +17831,88 @@ index 0b827c5..9a82e8d 100644 + files_list_tmp($1) admin_pattern($1, abrt_tmp_t) ') ++ ++#################################### ++## ++## Execute abrt-retrace in the abrt-retrace domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`abrt_domtrans_retrace_worker',` ++ gen_require(` ++ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t) ++') ++ ++###################################### ++## ++## Manage abrt retrace server cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_manage_spool_retrace',` ++ gen_require(` ++ type abrt_retrace_spool_t; ++ ') ++ ++ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++') ++ ++##################################### ++## ++## Read abrt retrace server cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_read_spool_retrace',` ++ gen_require(` ++ type abrt_retrace_spool_t; ++ ') ++ ++ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++') ++ ++ ++##################################### ++## ++## Read abrt retrace server cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_read_cache_retrace',` ++ gen_require(` ++ type abrt_retrace_cache_t; ++ ') ++ ++ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) ++ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) ++ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) ++') 
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..de61315 100644 +index 30861ec..28604d3 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) 
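Review bot: The summaries of the new abrt.if interfaces do not match their bodies: `abrt_manage_spool_retrace` and `abrt_read_spool_retrace` are both described as acting on the "abrt retrace server cache", but they grant access to `abrt_retrace_spool_t`. As a result `abrt_read_spool_retrace` and `abrt_read_cache_retrace` carry identical text. Interfaces are usually chosen by their summary, so a manage interface described as the cache can lead to write access being granted on the spool by mistake. I would change the two summaries to `Manage abrt retrace server spool` and `Read abrt retrace server spool`, and have `abrt_domtrans_retrace_worker` name the target domain, `Execute abrt-retrace-worker in the abrt_retrace_worker_t domain`.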
@@ -17707,19 +17930,47 @@ index 30861ec..de61315 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -48,9 +56,9 @@ ifdef(`enable_mcs',` +@@ -43,14 +51,37 @@ ifdef(`enable_mcs',` + init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) + ') + ++# ++# Support for ABRT retrace server ++# ++ ++type abrt_retrace_worker_t; ++type abrt_retrace_worker_exec_t; ++application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) ++role system_r types abrt_retrace_worker_t; ++ ++type abrt_retrace_coredump_t; ++type abrt_retrace_coredump_exec_t; ++application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) ++role system_r types abrt_retrace_coredump_t; ++ ++permissive abrt_retrace_worker_exec_t; ++permissive abrt_retrace_coredump_t; ++ ++type abrt_retrace_cache_t; ++files_type(abrt_retrace_cache_t) ++ ++type abrt_retrace_spool_t; ++files_type(abrt_retrace_spool_t) ++ + ######################################## + # # abrt local policy # -allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; -+allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override }; ++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { signal signull setsched getsched }; +allow abrt_t self:process { sigkill signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +67,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files 
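Review bot: `permissive abrt_retrace_worker_exec_t;` names the entrypoint file type rather than the process domain, so it presumably has no effect on the worker, whereas the line after it correctly uses the domain `abrt_retrace_coredump_t`. If both new retrace domains are meant to start out permissive, the line should read `permissive abrt_retrace_worker_t;`. As written the worker is enforced and the coredump helper is not. A permissive domain is logged but not confined, so I would also add a comment such as `# permissive until retrace-server policy is complete; remove before release` so the statements are not left in by accident.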
@@ -17727,7 +17978,7 @@ index 30861ec..de61315 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +78,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -17735,7 +17986,7 @@ index 30861ec..de61315 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +92,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -17744,7 +17995,15 @@ index 30861ec..de61315 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -113,7 +123,8 @@ domain_read_all_domains_state(abrt_t) +@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) + corenet_sendrecv_http_client_packets(abrt_t) + + dev_getattr_all_chr_files(abrt_t) ++dev_read_rand(abrt_t) + dev_read_urand(abrt_t) + dev_rw_sysfs(abrt_t) + dev_dontaudit_read_raw_memory(abrt_t) +@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -17754,7 +18013,7 @@ index 30861ec..de61315 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +132,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) 
@@ -17763,7 +18022,7 @@ index 30861ec..de61315 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +144,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -17772,7 +18031,7 @@ index 30861ec..de61315 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +153,15 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -17783,12 +18042,13 @@ index 30861ec..de61315 100644 +') + +optional_policy(` ++ apache_list_modules(abrt_t) + apache_read_modules(abrt_t) +') optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +172,11 @@ optional_policy(` +@@ -150,6 +197,11 @@ optional_policy(` ') optional_policy(` @@ -17800,7 +18060,7 @@ index 30861ec..de61315 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +194,7 @@ optional_policy(` +@@ -167,6 +219,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -17808,7 +18068,7 @@ index 30861ec..de61315 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +206,18 @@ optional_policy(` +@@ -178,12 +231,18 @@ optional_policy(` ') optional_policy(` @@ -17828,7 +18088,7 @@ index 30861ec..de61315 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) 
@@ -17836,7 +18096,7 @@ index 30861ec..de61315 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -17846,7 +18106,7 @@ index 30861ec..de61315 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -17864,6 +18124,88 @@ index 30861ec..de61315 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; ++') ++ ++####################################### ++# ++# abrt retrace coredump policy ++# ++ ++allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; ++ ++list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) ++read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) ++read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) ++ ++list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) ++read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) ++read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ ++kernel_read_system_state(abrt_retrace_coredump_t) ++ ++corecmd_exec_bin(abrt_retrace_coredump_t) ++corecmd_exec_shell(abrt_retrace_coredump_t) ++ ++dev_read_urand(abrt_retrace_coredump_t) ++ ++files_read_etc_files(abrt_retrace_coredump_t) ++files_read_usr_files(abrt_retrace_coredump_t) ++ ++logging_send_syslog_msg(abrt_retrace_coredump_t) ++ ++miscfiles_read_localization(abrt_retrace_coredump_t) ++ ++sysnet_dns_name_resolve(abrt_retrace_coredump_t) ++ ++# to install debuginfo packages ++optional_policy(` ++ rpm_exec(abrt_retrace_coredump_t) ++ rpm_dontaudit_manage_db(abrt_retrace_coredump_t) ++ rpm_manage_cache(abrt_retrace_coredump_t) ++ rpm_manage_log(abrt_retrace_coredump_t) ++ rpm_manage_pid_files(abrt_retrace_coredump_t) ++ rpm_read_db(abrt_retrace_coredump_t) ++ rpm_signull(abrt_retrace_coredump_t) ++') ++ ++####################################### ++# ++# abrt retrace worker policy ++# ++ ++allow abrt_retrace_worker_t self:capability { setuid }; ++ ++allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; ++ ++domtrans_pattern(abrt_retrace_worker_t, 
abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) ++allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl; ++ ++manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) ++manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) ++manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ ++allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms; ++ ++can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) ++ ++kernel_read_system_state(abrt_retrace_worker_t) ++ ++corecmd_exec_bin(abrt_retrace_worker_t) ++corecmd_exec_shell(abrt_retrace_worker_t) ++ ++dev_read_urand(abrt_retrace_worker_t) ++ ++files_read_etc_files(abrt_retrace_worker_t) ++files_read_usr_files(abrt_retrace_worker_t) ++ ++logging_send_syslog_msg(abrt_retrace_worker_t) ++ ++miscfiles_read_localization(abrt_retrace_worker_t) ++ ++sysnet_dns_name_resolve(abrt_retrace_worker_t) ++ ++optional_policy(` ++ mock_domtrans(abrt_retrace_worker_t) ') diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858d..d639ae0 100644 @@ -18532,7 +18874,7 @@ index c3a1903..19fb14a 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..7ba3b11 100644 +index 9e39aa5..0119d45 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u 
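Review bot: The two privilege-bearing rules in the new retrace worker section, `allow abrt_retrace_worker_t self:capability { setuid };` and `mock_domtrans(abrt_retrace_worker_t)`, carry no rationale, unlike the coredump section's `# to install debuginfo packages`. Judging by its name, this domain handles submitted crash data, so an auditor needs to know why it may change uid and enter the mock domain. Add a one-line comment above each, with wording confirmed by the author, e.g. `# worker changes uid before starting the retrace job (TODO confirm; setgid is not granted)` and `# retrace environment is built with mock (TODO confirm)`. The braces around the single capability can also go: `allow abrt_retrace_worker_t self:capability setuid;`. The type declarations for both retrace domains are outside this hunk.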
@@ -18564,7 +18906,15 @@ index 9e39aa5..7ba3b11 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -74,7 +74,8 @@ ifdef(`distro_suse', ` +@@ -57,6 +57,7 @@ ifdef(`distro_suse', ` + /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html/wordpress/wp-content/plugins(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + + /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +@@ -74,7 +75,8 @@ ifdef(`distro_suse', ` /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
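Review bot: The added `/var/www/html/wordpress/wp-content/plugins(/.*)?` entry labels the whole plugin tree `httpd_sys_rw_content_t`, so the web server domain can modify PHP code that it then serves. The plain wordpress entry next to it limits the writable label to `wp-content/uploads`. This removes the SELinux barrier between a flaw in one web request and persistent code on the site, and it does so by default for a hand-installed path rather than the packaged `/usr/share/wordpress` tree. File contexts cannot be gated by a boolean, so I would leave this path at its default label and document the opt-in (`semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/wordpress/wp-content/plugins(/.*)?'`, then `restorecon -R` on the directory) for administrators who want plugin installs from the dashboard. If the entry stays, put a comment above it: `# writable so plugins can be installed from the admin UI; httpd can then change code it executes`.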
@@ -18574,15 +18924,16 @@ index 9e39aa5..7ba3b11 100644 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -86,7 +87,6 @@ ifdef(`distro_suse', ` +@@ -86,7 +88,7 @@ ifdef(`distro_suse', ` /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +109,22 @@ ifdef(`distro_debian', ` +@@ -109,3 +111,22 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -20608,10 +20959,10 @@ index 44a1e3d..7e9d2fb 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..a2bf2dc 100644 +index 4deca04..074b9bb 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te -@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0) +@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0) # ## 
@@ -20633,7 +20984,14 @@ index 4deca04..a2bf2dc 100644 ## gen_tunable(named_write_master_zones, false) -@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t) + # for DNSSEC key files + type dnssec_t; + files_security_file(dnssec_t) ++files_mountpoint(dnssec_t) + + type named_t; + type named_exec_t; +@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t) # A type for configuration files of named. type named_conf_t; @@ -20642,7 +21000,7 @@ index 4deca04..a2bf2dc 100644 files_mountpoint(named_conf_t) # for secondary zone files -@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) @@ -20654,7 +21012,7 @@ index 4deca04..a2bf2dc 100644 # read zone files allow named_t named_zone_t:dir list_dir_perms; -@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t) +@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) @@ -20665,7 +21023,7 @@ index 4deca04..a2bf2dc 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms; +@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms; allow ndc_t self:netlink_route_socket r_netlink_socket_perms; allow ndc_t dnssec_t:file read_file_perms; @@ -20680,7 +21038,7 @@ index 4deca04..a2bf2dc 100644 allow ndc_t named_zone_t:dir search_dir_perms; -@@ -244,7 +256,7 @@ term_dontaudit_use_console(ndc_t) +@@ -244,7 +257,7 @@ term_dontaudit_use_console(ndc_t) # for /etc/rndc.key ifdef(`distro_redhat',` @@ -23216,7 +23574,7 @@ index 0000000..939d76e +') 
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..67db20a +index 0000000..22f0ffd --- /dev/null +++ b/policy/modules/services/colord.te @@ -0,0 +1,120 @@ @@ -23266,7 +23624,7 @@ index 0000000..67db20a +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) + -+kernel_getattr_proc_files(colord_t) ++kernel_read_system_state(colord_t) +kernel_read_device_sysctls(colord_t) +kernel_request_load_module(colord_t) + @@ -27148,12 +27506,11 @@ index 0000000..63f11d9 + diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te new file mode 100644 -index 0000000..1453c54 +index 0000000..3bca7b0 --- /dev/null +++ b/policy/modules/services/drbd.te -@@ -0,0 +1,55 @@ -+ -+policy_module(drbd,1.0.0) +@@ -0,0 +1,50 @@ ++policy_module(drbd, 1.0.0) + +######################################## +# @@ -27175,11 +27532,8 @@ index 0000000..1453c54 +# drbd local policy +# + -+allow drbd_t self:capability net_admin; -+ -+allow drbd_t self:capability { kill }; -+allow drbd_t self:process { fork }; -+ ++allow drbd_t self:capability { kill net_admin }; ++dontaudit drbd_t self:capability sys_tty_config; +allow drbd_t self:fifo_file rw_fifo_file_perms; +allow drbd_t self:unix_stream_socket create_stream_socket_perms; +allow drbd_t self:netlink_socket create_socket_perms; @@ -27206,7 +27560,6 @@ index 0000000..1453c54 +miscfiles_read_localization(drbd_t) + +sysnet_dns_name_resolve(drbd_t) -+ diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc index 298f066..c2570df 100644 --- a/policy/modules/services/exim.fc @@ -36723,7 +37076,7 @@ index 152af92..1594066 100644 type portreserve_var_run_t; files_pid_file(portreserve_var_run_t) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc -index 55e62d2..6082184 100644 +index 55e62d2..f2674e8 100644 
--- a/policy/modules/services/postfix.fc +++ b/policy/modules/services/postfix.fc @@ -1,5 +1,6 @@ @@ -36747,7 +37100,7 @@ index 55e62d2..6082184 100644 /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -44,9 +43,9 @@ ifdef(`distro_redhat', ` +@@ -44,9 +43,10 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) @@ -36756,11 +37109,12 @@ index 55e62d2..6082184 100644 -/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) ++/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..b90c902 100644 +index 46bee12..83cb270 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -36796,7 +37150,7 @@ index 46bee12..b90c902 100644 files_tmp_file(postfix_$1_tmp_t) - allow postfix_$1_t self:capability { setuid setgid dac_override }; -+ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override }; ++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; 
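Review bot: The new `/var/spool/postfix/deferred(/.*)?` entry reuses `postfix_spool_maildrop_t`, so any domain that already has rights on the maildrop queue gets the same rights on deferred mail, not only `postfix_qmgr_t` as the commit message asks. The matching postfix.te hunk (`@@ -519,7 +567,11 @@`) then grants qmgr only `list_dir_perms`, `read_file_perms` and `read_lnk_file_perms` on that type. Whether qmgr can still update or remove deferred entries depends on rules outside the visible hunks and should be checked. A dedicated spool type for the deferred queue, with qmgr's access granted on it, would keep submission and deferred mail separately controllable. At minimum add a comment above the entry, e.g. `# deferred queue shares the maildrop label; see postfix_qmgr_t rules in postfix.te`.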
@@ -37082,7 +37436,7 @@ index 46bee12..b90c902 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..fedaa96 100644 +index 06e37d4..e160aa1 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -37326,16 +37680,20 @@ index 06e37d4..fedaa96 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +567,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +567,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; ++ ++allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +587,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +591,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -37344,7 +37702,7 @@ index 06e37d4..fedaa96 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +636,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +640,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) 
@@ -37361,7 +37719,7 @@ index 06e37d4..fedaa96 100644 ') optional_policy(` -@@ -611,8 +665,8 @@ optional_policy(` +@@ -611,8 +669,8 @@ optional_policy(` # Postfix virtual local policy # @@ -37371,7 +37729,7 @@ index 06e37d4..fedaa96 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +684,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +688,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -37749,7 +38107,7 @@ index b524673..9d90fb3 100644 admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..802ec48 100644 +index 2af42e7..95f673b 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) @@ -37787,7 +38145,7 @@ index 2af42e7..802ec48 100644 allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms; -@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms; +@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms; domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) @@ -37806,6 +38164,7 @@ index 2af42e7..802ec48 100644 -allow pppd_t pppd_lock_t:file manage_file_perms; -files_lock_filetrans(pppd_t, pppd_lock_t, file) +manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t) ++files_search_locks(pppd_t) -allow pppd_t pppd_log_t:file manage_file_perms; +manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t) @@ -37822,7 +38181,7 @@ index 2af42e7..802ec48 100644 allow pppd_t pptp_t:process signal; -@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t) +@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t) init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) 
@@ -37831,7 +38190,7 @@ index 2af42e7..802ec48 100644 logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -194,6 +196,8 @@ optional_policy(` +@@ -194,6 +197,8 @@ optional_policy(` optional_policy(` mta_send_mail(pppd_t) @@ -37840,7 +38199,7 @@ index 2af42e7..802ec48 100644 ') optional_policy(` -@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -37979,7 +38338,7 @@ index b1bc02c..8f0b07e 100644 dev_read_rand(prelude_lml_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te -index 2dbf4d4..abb4475 100644 +index 2dbf4d4..b46ef7d 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te @@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0) @@ -37997,6 +38356,17 @@ index 2dbf4d4..abb4475 100644 ## gen_tunable(privoxy_connect_any, false) +@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file) + manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) + files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) + +-kernel_read_system_state(privoxy_t) + kernel_read_kernel_sysctls(privoxy_t) ++kernel_read_network_state(privoxy_t) ++kernel_read_system_state(privoxy_t) + + corenet_all_recvfrom_unlabeled(privoxy_t) + corenet_all_recvfrom_netlabel(privoxy_t) diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc index 1343621..4b36a13 100644 --- a/policy/modules/services/procmail.fc @@ -38306,7 +38676,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..eff13cc 100644 +index 64c5f95..3fdd4b4 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) 
@@ -38350,7 +38720,12 @@ index 64c5f95..eff13cc 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -176,24 +183,30 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -171,29 +178,34 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; + allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; + allow puppetmaster_t self:socket create; + allow puppetmaster_t self:tcp_socket create_stream_socket_perms; +-allow puppetmaster_t self:udp_socket create_socket_perms; + list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -38383,18 +38758,20 @@ index 64c5f95..eff13cc 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -210,17 +223,38 @@ dev_read_rand(puppetmaster_t) +@@ -210,17 +222,37 @@ dev_read_rand(puppetmaster_t) dev_read_urand(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) - files_read_etc_files(puppetmaster_t) +-files_read_etc_files(puppetmaster_t) +-files_search_var_lib(puppetmaster_t) +files_read_usr_files(puppetmaster_t) - files_search_var_lib(puppetmaster_t) - ++ +selinux_validate_context(puppetmaster_t) + ++auth_use_nsswitch(puppetmaster_t) + logging_send_syslog_msg(puppetmaster_t) miscfiles_read_localization(puppetmaster_t) @@ -38402,7 +38779,7 @@ index 64c5f95..eff13cc 100644 + +seutil_read_file_contexts(puppetmaster_t) - sysnet_dns_name_resolve(puppetmaster_t) +-sysnet_dns_name_resolve(puppetmaster_t) sysnet_run_ifconfig(puppetmaster_t, system_r) +mta_send_mail(puppetmaster_t) @@ -38422,7 +38799,7 @@ index 64c5f95..eff13cc 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +265,9 @@ optional_policy(` +@@ -231,3 +263,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') 
@@ -49496,7 +49873,7 @@ index 2952cef..d845132 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..7910be0 100644 +index 42b4f0f..0e6f84a 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -49796,10 +50173,21 @@ index 42b4f0f..7910be0 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -896,6 +1070,26 @@ interface(`auth_manage_var_auth',` +@@ -889,9 +1063,30 @@ interface(`auth_manage_var_auth',` + ') - ######################################## - ## + files_search_var($1) +- allow $1 var_auth_t:dir manage_dir_perms; +- allow $1 var_auth_t:file rw_file_perms; +- allow $1 var_auth_t:lnk_file rw_lnk_file_perms; ++ ++ manage_dirs_pattern($1, var_auth_t, var_auth_t) ++ manage_files_pattern($1, var_auth_t, var_auth_t) ++ manage_lnk_files_pattern($1, var_auth_t, var_auth_t) ++') ++ ++######################################## ++## +## Relabel all var auth files. Used by various other applications +## and pam applets etc. +## @@ -49816,14 +50204,10 @@ index 42b4f0f..7910be0 100644 + + files_search_var($1) + relabel_dirs_pattern($1, var_auth_t, var_auth_t) -+') -+ -+######################################## -+## - ## Read PAM PID files. - ## - ## -@@ -1093,6 +1287,24 @@ interface(`auth_delete_pam_console_data',` + ') + + ######################################## +@@ -1093,6 +1288,24 @@ interface(`auth_delete_pam_console_data',` ######################################## ## 
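Review bot: `auth_manage_var_auth` now uses `manage_files_pattern($1, var_auth_t, var_auth_t)` and `manage_lnk_files_pattern($1, var_auth_t, var_auth_t)` where it previously granted `rw_file_perms` and `rw_lnk_file_perms`. Every existing caller is therefore widened from read/write to create, rename and delete on `var_auth_t`, although none of them appears in this hunk. That matches the interface name, but some callers may only have needed the old read/write set. I would list the affected callers in the commit description and add a narrower read/write interface for those that only update existing files, rather than widening them implicitly. The interface header is outside this hunk.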
@@ -49848,7 +50232,7 @@ index 42b4f0f..7910be0 100644 ## Read all directories on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1326,6 +1538,25 @@ interface(`auth_setattr_login_records',` +@@ -1326,6 +1539,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -49874,7 +50258,7 @@ index 42b4f0f..7910be0 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,28 +1731,36 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1732,36 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -49918,7 +50302,7 @@ index 42b4f0f..7910be0 100644 optional_policy(` kerberos_use($1) ') -@@ -1531,7 +1770,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1771,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -50424,7 +50808,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..569ce8d 100644 +index cc83689..e33701e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -51042,7 +51426,7 @@ index cc83689..569ce8d 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2095,139 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2095,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -51182,8 +51566,25 @@ index cc83689..569ce8d 100644 + +') + ++######################################## ++## ++## Read init unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_pipes',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) ++') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..51b8e22 100644 +index ea29513..7cb9e99 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -51393,7 +51794,7 @@ index ea29513..51b8e22 100644 + files_manage_all_pid_dirs(init_t) + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) -+ files_unlink_all_pid_sockets(init_t) ++ files_delete_all_pid_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_create_lock_dirs(init_t) @@ -56577,10 +56978,10 @@ index 0000000..4dfe28c +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..bdca6ab +index 0000000..e7b669f --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,194 @@ +@@ -0,0 +1,196 @@ + +policy_module(systemd, 1.0.0) + @@ -56649,8 +57050,9 @@ index 0000000..bdca6ab + +auth_use_nsswitch(systemd_passwd_agent_t) + -+init_read_utmp(systemd_passwd_agent_t) +init_create_pid_dirs(systemd_passwd_agent_t) ++init_read_pipes(systemd_passwd_agent_t) ++init_read_utmp(systemd_passwd_agent_t) +init_stream_connect(systemd_passwd_agent_t) + +miscfiles_read_localization(systemd_passwd_agent_t) @@ -56690,7 +57092,8 @@ index 0000000..bdca6ab +files_manage_all_pid_dirs(systemd_tmpfiles_t) +files_manage_all_locks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) -+files_unlink_all_pid_sockets(systemd_tmpfiles_t) ++files_delete_all_pid_sockets(systemd_tmpfiles_t) ++files_delete_all_pid_pipes(systemd_tmpfiles_t) +files_delete_boot_flag(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) +files_manage_generic_tmp_files(systemd_tmpfiles_t) @@ -57916,7 +58319,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> 
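Review bot: In the new `init_read_pipes` interface (the last init.if hunk), `gen_require` declares `type init_var_run_t;` but the rule is written against a different type, `read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)`. The type the rule uses is never required, so the interface either depends on the caller happening to have `initrc_var_run_t` in scope or grants access to a type other than the one intended. `systemd_passwd_agent_t` is the caller added in the systemd.te hunk. Make the two agree, for example `read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)` if init's own runtime directory is what is meant. The summary also says "unnamed pipes", while a fifo pattern on a pid-file type covers named pipes, so it should read `Read init named pipes.`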
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..f12b86d 100644 +index 28b88de..6b7f9c7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -59209,7 +59612,7 @@ index 28b88de..f12b86d 100644 optional_policy(` aide_run($1,$2) ') -@@ -1279,11 +1562,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1562,60 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -59244,10 +59647,33 @@ index 28b88de..f12b86d 100644 + typeattribute $1 user_tmp_type; + + files_tmp_file($1) ++ ubac_constrained($1) ++') ++ ++####################################### ++## ++## Make the specified type usable in a ++## generic tmpfs_t directory. ++## ++## ++## ++## Type to be used as a file in the ++## generic temporary directory. ++## ++## ++# ++interface(`userdom_user_tmpfs_content',` ++ gen_require(` ++ attribute user_tmpfs_type; ++ ') ++ ++ typeattribute $1 user_tmpfs_type; ++ ++ files_tmpfs_file($1) ubac_constrained($1) ') -@@ -1395,6 +1704,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1727,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -59255,11 +59681,14 @@ index 28b88de..f12b86d 100644 files_search_home($1) ') -@@ -1441,6 +1751,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,10 +1774,18 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) -+ +-') + +-######################################## +-## + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') 
@@ -59267,10 +59696,14 @@ index 28b88de..f12b86d 100644 + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') - ') - - ######################################## -@@ -1456,9 +1774,11 @@ interface(`userdom_list_user_home_dirs',` ++') ++ ++######################################## ++## + ## Do not audit attempts to list user home subdirectories. + ## + ## +@@ -1456,9 +1797,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -59282,37 +59715,14 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -1515,10 +1835,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1858,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') + - ######################################## - ## --## Create directories in the home dir root with --## the user home directory type. -+## Relabel to user home files. - ## - ## - ## -@@ -1526,14 +1846,50 @@ interface(`userdom_relabelto_user_home_dirs',` - ## - ## - # --interface(`userdom_home_filetrans_user_home_dir',` -+interface(`userdom_relabelto_user_home_files',` - gen_require(` -- type user_home_dir_t; -+ type user_home_t; - ') - -- files_home_filetrans($1, user_home_dir_t, dir) -+ allow $1 user_home_t:file relabelto; - ') -- +######################################## +## -+## Relabel user home files. ++## Relabel to user home files. +## +## +## @@ -59320,18 +59730,16 @@ index 28b88de..f12b86d 100644 +## +## +# -+interface(`userdom_relabel_user_home_files',` ++interface(`userdom_relabelto_user_home_files',` + gen_require(` + type user_home_t; + ') + -+ allow $1 user_home_t:file relabel_file_perms; ++ allow $1 user_home_t:file relabelto; +') -+ +######################################## +## -+## Create directories in the home dir root with -+## the user home directory type. ++## Relabel user home files. +## +## +## 
@@ -59339,18 +59747,18 @@ index 28b88de..f12b86d 100644 +## +## +# -+interface(`userdom_home_filetrans_user_home_dir',` ++interface(`userdom_relabel_user_home_files',` + gen_require(` -+ type user_home_dir_t; ++ type user_home_t; + ') + -+ files_home_filetrans($1, user_home_dir_t, dir) ++ allow $1 user_home_t:file relabel_file_perms; +') + ######################################## ## - ## Do a domain transition to the specified -@@ -1589,6 +1945,8 @@ interface(`userdom_dontaudit_search_user_home_content',` + ## Create directories in the home dir root with +@@ -1589,6 +1968,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -59359,7 +59767,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -1603,10 +1961,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1984,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -59374,7 +59782,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -1649,6 +2009,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2032,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -59400,7 +59808,7 @@ index 28b88de..f12b86d 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2079,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2102,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -59433,7 +59841,7 @@ index 28b88de..f12b86d 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2115,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2138,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -59451,7 +59859,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -1779,6 +2181,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2204,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -59476,7 +59884,7 @@ index 28b88de..f12b86d 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2230,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2253,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -59486,7 +59894,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -1827,20 +2246,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2269,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -59511,7 +59919,7 @@ index 28b88de..f12b86d 100644 ######################################## ## -@@ -2008,7 +2421,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2444,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -59520,7 +59928,7 @@ index 28b88de..f12b86d 100644 files_search_home($1) ') -@@ -2182,7 +2595,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2618,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -59529,7 +59937,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -2435,13 +2848,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2871,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -59545,7 +59953,7 @@ index 28b88de..f12b86d 100644 ## ## ## -@@ -2462,26 +2876,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2899,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -59572,7 +59980,7 @@ index 28b88de..f12b86d 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2570,6 +2964,24 @@ interface(`userdom_use_user_ttys',` +@@ -2570,6 +2987,24 @@ interface(`userdom_use_user_ttys',` allow $1 user_tty_device_t:chr_file rw_term_perms; ') @@ -59597,7 +60005,7 @@ index 28b88de..f12b86d 100644 ######################################## ## ## Read and write a user domain pty. -@@ -2588,6 +3000,24 @@ interface(`userdom_use_user_ptys',` +@@ -2588,6 +3023,24 @@ interface(`userdom_use_user_ptys',` allow $1 user_devpts_t:chr_file rw_term_perms; ') @@ -59622,7 +60030,7 @@ index 28b88de..f12b86d 100644 ######################################## ## ## Read and write a user TTYs and PTYs. -@@ -2646,6 +3076,24 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2646,6 +3099,24 @@ interface(`userdom_dontaudit_use_user_terminals',` ######################################## ## @@ -59647,7 +60055,7 @@ index 28b88de..f12b86d 100644 ## Execute a shell in all user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2815,7 +3263,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3286,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -59656,7 +60064,7 @@ index 28b88de..f12b86d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3279,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3302,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -59672,7 +60080,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -2917,7 +3367,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3390,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -59681,7 +60089,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -2972,7 +3422,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3445,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -59728,7 +60136,7 @@ index 28b88de..f12b86d 100644 ') ######################################## -@@ -3009,6 +3497,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3520,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -59736,7 +60144,7 @@ index 28b88de..f12b86d 100644 kernel_search_proc($1) ') -@@ -3087,6 +3576,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3599,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -59761,7 +60169,7 @@ index 28b88de..f12b86d 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3646,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3669,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 0eb5397..0bea73d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 30%{?dist} +Release: 31%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,20 @@ exit 0 %endif %changelog +* Thu Jun 30 2011 Miroslav Grepl 3.9.16-31 +- Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content() +- Allow init to delete all pid sockets +- Allow colord to read /proc/stat +- Add label for /var/www/html/wordpress/wp-content/plugins directory +- Allow pppd to search /var/lock dir +- puppetmaster use nsswitch: #711804 +- Update abrt to match rawhide policy +- allow privoxy to read network data +- support gecko mozilla browser plugin +- Allow chrome_sandbox to execute content in nfs homedir +- postfix_qmgr needs to read /var/spool/postfix/deferred +- abrt_t needs fsetid + * Tue Jun 14 2011 Miroslav Grepl 3.9.16-30 - Fixes for zarafa policy - Other fixes for fail2ban