From ec5ae07194e9841e17e422c308be03dfd625a8b3 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 16 2015 01:30:40 +0000 Subject: * Fri Jan 16 2015 Lukas Vrabec 3.12.1-197 - allow mozilla plugins to connect to bluetooth devices - Allow system_mail_t to create content in /var/lib/munin - Allow prosody_t to execmem, since it is using loajit. - Allow mdadm_t to create fixed_disk_device_t on /tmp file systems - Allow rpcd_t to write to /proc - Additional access required by usbmuxd - Allow mdadm_t to getattr on init status files - Allow abrt to read udev database - Allow rabbitmq_t to deal with link files created with its content - Allow rabbitmq_t to run hostname - Allow canna go call getpw* - Fixed storage_tmp_filestrans_fixed_disk interface - userdom_dontaudit_search_user_home_content should not search through any homedirs and subdirs - Allow init_t to create gnome content in homedirs - Allow mdadm_t to create fixed_disk_device_t on /tmp file systems - Fix labels on /etc/kde/kdm - Allow texlive managers to relabelfrom --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 8e5e6d2..908cfb5 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -3452,7 +3452,7 @@ index 7590165..85186a9 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..ef87fdd 100644 +index 644d4d7..3656744 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -3475,8 +3475,11 @@ index 644d4d7..ef87fdd 100644 /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -69,16 +71,25 @@ ifdef(`distro_redhat',` +@@ -67,18 +69,28 @@ ifdef(`distro_redhat',` + /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) + /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/kde/kdm(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3501,7 +3504,7 @@ index 644d4d7..ef87fdd 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +112,6 @@ ifdef(`distro_redhat',` +@@ -101,8 +113,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -3510,7 +3513,7 @@ index 644d4d7..ef87fdd 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +125,9 @@ ifdef(`distro_redhat',` +@@ -116,6 +126,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3520,7 +3523,7 @@ index 644d4d7..ef87fdd 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,10 +146,12 @@ ifdef(`distro_debian',` +@@ -134,10 +147,12 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) 
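Review bot: The new `/etc/kde/kdm(/.*)? gen_context(system_u:object_r:bin_t,s0)` entry labels everything under that directory bin_t, including any plain configuration files kdm keeps there, not only the Xsetup/Xsession-style hook scripts the changelog line "Fix labels on /etc/kde/kdm" presumably targets. bin_t makes those files executable by every domain with corecmd_exec_bin and, conversely, unwritable by domains that are only allowed to edit etc_t configuration. If the intent is the hook scripts, a narrower pattern such as `/etc/kde/kdm/X[^/]* -- gen_context(system_u:object_r:bin_t,s0)` keeps the rest as etc_t; otherwise add a comment naming which files under kdm actually get executed. I cannot see the kdm directory layout from the patch, so confirm which entries need the executable label.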
@@ -3534,7 +3537,7 @@ index 644d4d7..ef87fdd 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -148,10 +162,12 @@ ifdef(`distro_gentoo',` +@@ -148,10 +163,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3548,7 +3551,7 @@ index 644d4d7..ef87fdd 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -167,6 +183,7 @@ ifdef(`distro_gentoo',` +@@ -167,6 +184,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3556,7 +3559,7 @@ index 644d4d7..ef87fdd 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -178,33 +195,49 @@ ifdef(`distro_gentoo',` +@@ -178,33 +196,49 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3615,7 +3618,7 @@ index 644d4d7..ef87fdd 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +248,31 @@ ifdef(`distro_gentoo',` +@@ -215,18 +249,31 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3654,7 +3657,7 @@ index 644d4d7..ef87fdd 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,26 +287,39 @@ ifdef(`distro_gentoo',` +@@ -241,26 +288,39 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3699,7 +3702,7 @@ index 644d4d7..ef87fdd 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -269,6 +328,7 @@ ifdef(`distro_gentoo',` +@@ -269,6 +329,7 @@ ifdef(`distro_gentoo',` /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -3707,7 +3710,7 @@ index 644d4d7..ef87fdd 100644 /usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -276,10 +336,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +337,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3723,7 +3726,7 @@ index 644d4d7..ef87fdd 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +359,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +360,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3748,7 +3751,7 @@ index 644d4d7..ef87fdd 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +392,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +393,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3777,7 +3780,7 @@ index 644d4d7..ef87fdd 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -342,6 +420,7 @@ ifdef(`distro_redhat', ` +@@ -342,6 +421,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3785,7 +3788,7 @@ index 644d4d7..ef87fdd 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +462,16 @@ ifdef(`distro_suse', ` +@@ -383,11 +463,16 @@ ifdef(`distro_suse', ` # # /var # @@ -3803,7 +3806,7 @@ index 644d4d7..ef87fdd 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +481,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +482,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -17214,7 +17217,7 @@ index 54f1827..39faa3f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..13caedd 100644 +index 1700ef2..ca6c727 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` 
@@ -17318,7 +17321,33 @@ index 1700ef2..13caedd 100644 ######################################## ## ## Create block devices in on a tmpfs filesystem with the -@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` +@@ -290,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` + + ######################################## + ## ++## Create block devices in on a tmp filesystem with the ++## fixed disk type via an automatic type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`storage_tmp_filetrans_fixed_disk',` ++ gen_require(` ++ type fixed_disk_device_t; ++ ') ++ ++ files_tmp_filetrans($1, fixed_disk_device_t, blk_file) ++') ++ ++######################################## ++## + ## Relabel fixed disk device nodes. + ## + ## +@@ -711,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') @@ -17343,7 +17372,7 @@ index 1700ef2..13caedd 100644 ######################################## ## ## Allow the caller to directly read -@@ -808,3 +892,452 @@ interface(`storage_unconfined',` +@@ -808,3 +911,452 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -30036,7 +30065,7 @@ index 24e7804..6a39d34 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..0973a7f 100644 +index dd3be8d..3b2baa7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -30303,7 +30332,7 @@ index dd3be8d..0973a7f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +304,232 @@ ifdef(`distro_gentoo',` +@@ -186,29 +304,233 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
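Review bot: `storage_tmp_filetrans_fixed_disk` only installs the type transition (`files_tmp_filetrans($1, fixed_disk_device_t, blk_file)`); it grants no `create` permission on `fixed_disk_device_t:blk_file`, so a caller such as mdadm_t still needs a separate create/manage interface for fixed disk nodes, and that expectation belongs in the interface header. The header is also a copy of the tmpfs variant with its typo carried over ("in on a tmp filesystem"); suggest `## Create block devices in a tmp directory with the fixed disk type via an automatic type transition. The caller must separately be allowed to create fixed_disk_device_t block files.`. Worth one more sentence there noting that the resulting nodes live in a world-searchable /tmp and that only the fixed_disk_device_t label, not the path, gates raw access to them.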
@@ -30344,6 +30373,7 @@ index dd3be8d..0973a7f 100644 +optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) ++ gnome_manage_config(init_t) +') + +optional_policy(` @@ -30545,7 +30575,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -216,7 +537,30 @@ optional_policy(` +@@ -216,7 +538,30 @@ optional_policy(` ') optional_policy(` @@ -30576,7 +30606,7 @@ index dd3be8d..0973a7f 100644 ') ######################################## -@@ -225,8 +569,9 @@ optional_policy(` +@@ -225,8 +570,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -30588,7 +30618,7 @@ index dd3be8d..0973a7f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +602,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30605,7 +30635,7 @@ index dd3be8d..0973a7f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +627,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30648,7 +30678,7 @@ index dd3be8d..0973a7f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +664,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
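Review bot: `gnome_manage_config(init_t)` gives PID 1's domain full manage rights over every user's GNOME configuration in their home directory, which is broader than the "create gnome content in homedirs" the changelog describes; because init_t is the parent of every service, a unit that has not transitioned to its own domain could then rewrite user config with no denial logged. If only creation with the right label is needed, the `gnome_filetrans_home_content(init_t)` line already present may suffice, or a create/write-only interface should be preferred over manage if gnome.if offers one. At minimum add a why-comment above the new line naming the unit or AVC that required it, e.g. `# <unit> writes ~/.config/<dir> at boot; see <bug/AVC>`. The optional_policy block is fully visible, but init_t's remaining rules lie outside the hunk.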
@@ -30660,7 +30690,7 @@ index dd3be8d..0973a7f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +676,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +677,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30671,7 +30701,7 @@ index dd3be8d..0973a7f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +687,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +688,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30681,7 +30711,7 @@ index dd3be8d..0973a7f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +696,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +697,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -30689,7 +30719,7 @@ index dd3be8d..0973a7f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +703,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30697,7 +30727,7 @@ index dd3be8d..0973a7f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +711,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +712,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -30715,7 +30745,7 @@ index dd3be8d..0973a7f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +729,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +730,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30729,7 +30759,7 @@ index dd3be8d..0973a7f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +744,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +745,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30743,7 +30773,7 @@ index dd3be8d..0973a7f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +757,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +758,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30751,7 +30781,7 @@ index dd3be8d..0973a7f 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +769,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +770,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30759,7 +30789,7 @@ index dd3be8d..0973a7f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +788,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +789,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30783,7 +30813,7 @@ index dd3be8d..0973a7f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +821,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +822,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -30791,7 +30821,7 @@ index dd3be8d..0973a7f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +855,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +856,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30802,7 +30832,7 @@ index dd3be8d..0973a7f 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +879,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +880,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30811,7 +30841,7 @@ index dd3be8d..0973a7f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +894,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +895,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30819,7 +30849,7 @@ index dd3be8d..0973a7f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +915,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +916,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30827,7 +30857,7 @@ index dd3be8d..0973a7f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +925,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +926,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30872,7 +30902,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -558,14 +970,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +971,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30904,7 +30934,7 @@ index dd3be8d..0973a7f 100644 ') ') -@@ -576,6 +1005,39 @@ ifdef(`distro_suse',` +@@ -576,6 +1006,39 @@ ifdef(`distro_suse',` ') ') 
@@ -30944,7 +30974,7 @@ index dd3be8d..0973a7f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1050,8 @@ optional_policy(` +@@ -588,6 +1051,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30953,7 +30983,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -609,6 +1073,7 @@ optional_policy(` +@@ -609,6 +1074,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30961,7 +30991,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -625,6 +1090,17 @@ optional_policy(` +@@ -625,6 +1091,17 @@ optional_policy(` ') optional_policy(` @@ -30979,7 +31009,7 @@ index dd3be8d..0973a7f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1117,13 @@ optional_policy(` +@@ -641,9 +1118,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30993,7 +31023,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -656,15 +1136,11 @@ optional_policy(` +@@ -656,15 +1137,11 @@ optional_policy(` ') optional_policy(` @@ -31011,7 +31041,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -685,6 +1161,15 @@ optional_policy(` +@@ -685,6 +1162,15 @@ optional_policy(` ') optional_policy(` @@ -31027,7 +31057,7 @@ index dd3be8d..0973a7f 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1210,7 @@ optional_policy(` +@@ -725,6 +1211,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -31035,7 +31065,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -742,7 +1228,13 @@ optional_policy(` +@@ -742,7 +1229,13 @@ optional_policy(` ') optional_policy(` @@ -31050,7 +31080,7 @@ index dd3be8d..0973a7f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1257,10 @@ optional_policy(` +@@ -765,6 +1258,10 @@ optional_policy(` ') optional_policy(` 
@@ -31061,7 +31091,7 @@ index dd3be8d..0973a7f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1270,20 @@ optional_policy(` +@@ -774,10 +1271,20 @@ optional_policy(` ') optional_policy(` @@ -31082,7 +31112,7 @@ index dd3be8d..0973a7f 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1292,10 @@ optional_policy(` +@@ -786,6 +1293,10 @@ optional_policy(` ') optional_policy(` @@ -31093,7 +31123,7 @@ index dd3be8d..0973a7f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1317,6 @@ optional_policy(` +@@ -807,8 +1318,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -31102,7 +31132,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -817,6 +1325,10 @@ optional_policy(` +@@ -817,6 +1326,10 @@ optional_policy(` ') optional_policy(` @@ -31113,7 +31143,7 @@ index dd3be8d..0973a7f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1338,12 @@ optional_policy(` +@@ -826,10 +1339,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -31126,7 +31156,7 @@ index dd3be8d..0973a7f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1370,35 @@ optional_policy(` +@@ -856,12 +1371,35 @@ optional_policy(` ') optional_policy(` @@ -31163,7 +31193,7 @@ index dd3be8d..0973a7f 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1408,18 @@ optional_policy(` +@@ -871,6 +1409,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -31182,7 +31212,7 @@ index dd3be8d..0973a7f 100644 ') optional_policy(` -@@ -886,6 +1435,10 @@ optional_policy(` +@@ -886,6 +1436,10 @@ optional_policy(` ') optional_policy(` 
@@ -31193,7 +31223,7 @@ index dd3be8d..0973a7f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1449,218 @@ optional_policy(` +@@ -896,3 +1450,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -42310,7 +42340,7 @@ index db75976..cb4a211 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..95b1263 100644 +index 3c5dba7..4ce3586 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -44115,10 +44145,16 @@ index 3c5dba7..95b1263 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2255,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1707,10 +2251,12 @@ interface(`userdom_user_home_domtrans',` + # + interface(`userdom_dontaudit_search_user_home_content',` + gen_require(` +- type user_home_t; ++ attribute user_home_type; ') - dontaudit $1 user_home_t:dir search_dir_perms; +- dontaudit $1 user_home_t:dir search_dir_perms; ++ dontaudit $1 user_home_type:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) ') @@ -44965,7 +45001,7 @@ index 3c5dba7..95b1263 100644 ## ## ## -@@ -3130,17 +3946,17 @@ interface(`userdom_search_user_home_content',` +@@ -3130,35 +3946,17 @@ interface(`userdom_search_user_home_content',` ## ## # @@ -44982,14 +45018,13 @@ index 3c5dba7..95b1263 100644 ######################################## ## -## Send general signals to unprivileged user domains. -+## Inherit the file descriptors from unprivileged user domains. - ## - ## - ## -@@ -3148,25 +3964,7 @@ interface(`userdom_signull_unpriv_users',` - ## - ## - # +-## +-## +-## +-## Domain allowed access. +-## +-## +-# -interface(`userdom_signal_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; 
@@ -45001,18 +45036,10 @@ index 3c5dba7..95b1263 100644 -######################################## -## -## Inherit the file descriptors from unprivileged user domains. --## --## --## --## Domain allowed access. --## --## --# --interface(`userdom_use_unpriv_users_fds',` -+interface(`userdom_use_unpriv_users_fds',` - gen_require(` - attribute unpriv_userdomain; - ') ++## Inherit the file descriptors from unprivileged user domains. + ## + ## + ## @@ -3217,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -45235,7 +45262,7 @@ index 3c5dba7..95b1263 100644 ## Send a dbus message to all user domains. ## ## -@@ -3438,4 +4403,1663 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -45955,12 +45982,13 @@ index 3c5dba7..95b1263 100644 + ') + + userdom_search_user_home_dirs($1) -+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012") -+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013") -+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014") ++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012") ++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013") ++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014") + manage_dirs_pattern($1, texlive_home_t, texlive_home_t) + manage_files_pattern($1, texlive_home_t, texlive_home_t) -+ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t) ++ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t) ++ allow $1 texlive_home_t:file relabelfrom; +') + +######################################## diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 943387d..8ce15bc 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -568,7 +568,7 @@ index 058d908..cf17e67 100644 +') + 
diff --git a/abrt.te b/abrt.te -index cc43d25..db6136e 100644 +index cc43d25..1dc58bb 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -913,7 +913,7 @@ index cc43d25..db6136e 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +304,17 @@ optional_policy(` +@@ -240,9 +304,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -925,6 +925,10 @@ index cc43d25..db6136e 100644 + xserver_read_log(abrt_t) +') + ++optional_policy(` ++ udev_read_db(abrt_t) ++') ++ ####################################### # -# Handle-event local policy @@ -932,7 +936,7 @@ index cc43d25..db6136e 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +325,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +329,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -947,7 +951,7 @@ index cc43d25..db6136e 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -955,7 +959,7 @@ index cc43d25..db6136e 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -976,7 +980,7 @@ index cc43d25..db6136e 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +374,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +378,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1003,7 +1007,7 @@ index cc43d25..db6136e 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1017,7 +1021,7 @@ index cc43d25..db6136e 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +428,11 @@ optional_policy(` +@@ -330,10 +432,11 @@ optional_policy(` ####################################### # @@ -1031,7 +1035,7 @@ index cc43d25..db6136e 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +451,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1101,7 +1105,7 @@ index cc43d25..db6136e 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +517,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) 
@@ -9367,7 +9371,7 @@ index 2b9c7f3..0086b95 100644 /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff --git a/bluetooth.if b/bluetooth.if -index c723a0a..3e8a553 100644 +index c723a0a..aa3283e 100644 --- a/bluetooth.if +++ b/bluetooth.if @@ -37,7 +37,12 @@ interface(`bluetooth_role',` @@ -9396,7 +9400,21 @@ index c723a0a..3e8a553 100644 ') ##################################### -@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',` +@@ -63,11 +70,13 @@ interface(`bluetooth_role',` + interface(`bluetooth_stream_connect',` + gen_require(` + type bluetooth_t, bluetooth_var_run_t; ++ type bluetooth_tmp_t; + ') + + files_search_pids($1) + allow $1 bluetooth_t:socket rw_socket_perms; + stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) ++ stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t) + ') + + ######################################## +@@ -130,6 +139,27 @@ interface(`bluetooth_dbus_chat',` ######################################## ## @@ -9424,7 +9442,7 @@ index c723a0a..3e8a553 100644 ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## -@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',` +@@ -190,6 +220,29 @@ interface(`bluetooth_dontaudit_read_helper_state',` ######################################## ## @@ -9454,7 +9472,7 @@ index c723a0a..3e8a553 100644 ## All of the rules required to ## administrate an bluetooth environment. ## -@@ -210,12 +261,16 @@ interface(`bluetooth_admin',` +@@ -210,12 +263,16 @@ interface(`bluetooth_admin',` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; type bluetooth_var_lib_t, bluetooth_var_run_t; type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; 
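Review bot: The added `stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)` grants search on bluetooth_tmp_t directories and connect on sockets under them, but the interface only adds `files_search_pids($1)`; a caller without search on tmp_t still cannot reach a socket placed in /tmp, so add `files_search_tmp($1)` beside the existing pids search for symmetry. A one-line comment naming the socket this serves would also help, since clients connecting to a daemon socket under a world-writable directory is a pattern reviewers will question; it is safe only because no domain other than bluetooth_t can create bluetooth_tmp_t, which I cannot confirm from this hunk. Please verify the .te rules for bluetooth_tmp_t before relying on that.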
@@ -9473,7 +9491,7 @@ index c723a0a..3e8a553 100644 init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 bluetooth_initrc_exec_t system_r; -@@ -235,4 +290,8 @@ interface(`bluetooth_admin',` +@@ -235,4 +292,8 @@ interface(`bluetooth_admin',` files_list_pids($1) admin_pattern($1, bluetooth_var_run_t) @@ -10803,7 +10821,7 @@ index 400db07..f416e22 100644 domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff --git a/canna.te b/canna.te -index 4ec0626..88e7e89 100644 +index 4ec0626..32b7796 100644 --- a/canna.te +++ b/canna.te @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) @@ -10814,7 +10832,7 @@ index 4ec0626..88e7e89 100644 corenet_all_recvfrom_netlabel(canna_t) corenet_tcp_sendrecv_generic_if(canna_t) corenet_tcp_sendrecv_generic_node(canna_t) -@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t) +@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t) domain_use_interactive_fds(canna_t) @@ -10824,13 +10842,14 @@ index 4ec0626..88e7e89 100644 files_search_tmp(canna_t) files_dontaudit_read_root_files(canna_t) - logging_send_syslog_msg(canna_t) +-logging_send_syslog_msg(canna_t) ++auth_use_nsswitch(canna_t) -miscfiles_read_localization(canna_t) -- ++logging_send_syslog_msg(canna_t) + sysnet_read_config(canna_t) - userdom_dontaudit_use_unpriv_user_fds(canna_t) diff --git a/ccs.if b/ccs.if index 5ded72d..cb94e5e 100644 --- a/ccs.if @@ -15927,7 +15946,7 @@ index 83d6744..3f0c0dc 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index 503adab..1253764 100644 +index 503adab..726f653 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t) 
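Review bot: `auth_use_nsswitch(canna_t)` grants considerably more than the getpw* lookups the changelog mentions, since in refpolicy it brings in name resolution, nscd/sssd socket use and the associated network rules for a daemon that otherwise only serves local clients. If canna only needs passwd/group lookups from local files, a read-passwd style interface (if this tree has one) is the smaller grant; if nsswitch is genuinely required, the `sysnet_read_config(canna_t)` line left as context is, I believe, already covered by auth_use_nsswitch and could be dropped. Add a short why-comment above the new line, e.g. `# canna calls getpwnam() for client user lookups`, so the reason does not have to be reconstructed from the changelog.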
@@ -15957,7 +15976,7 @@ index 503adab..1253764 100644 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -@@ -56,11 +63,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) +@@ -56,11 +63,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) @@ -15968,10 +15987,11 @@ index 503adab..1253764 100644 kernel_read_system_state(couchdb_t) +kernel_read_fs_sysctls(couchdb_t) ++kernel_dgram_send(couchdb_t) corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +83,32 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +84,32 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) @@ -24026,14 +24046,16 @@ index ef36d73..fddd51f 100644 sysnet_etc_filetrans_config(dnssec_triggerd_t) diff --git a/docker.fc b/docker.fc new file mode 100644 -index 0000000..1c4ac02 +index 0000000..de72961 --- /dev/null +++ b/docker.fc -@@ -0,0 +1,17 @@ +@@ -0,0 +1,19 @@ +/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) + +/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) + ++/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0) ++ +/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) + +/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) @@ -24049,10 +24071,10 @@ index 0000000..1c4ac02 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..683dfdc +index 0000000..bc5142f --- /dev/null +++ b/docker.if -@@ -0,0 +1,363 @@ +@@ -0,0 +1,366 @@ + +## The open-source application container engine. + 
@@ -24390,11 +24412,14 @@ index 0000000..683dfdc + type docker_unit_file_t; + type docker_lock_t; + type docker_log_t; ++ type docker_config_t; + ') + + allow $1 docker_t:process { ptrace signal_perms }; + ps_process_pattern($1, docker_t) + ++ admin_pattern($1, docker_config_t) ++ + files_search_var_lib($1) + admin_pattern($1, docker_var_lib_t) + @@ -24418,10 +24443,10 @@ index 0000000..683dfdc +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..3ca773f +index 0000000..206c692 --- /dev/null +++ b/docker.te -@@ -0,0 +1,284 @@ +@@ -0,0 +1,290 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24453,6 +24478,9 @@ index 0000000..3ca773f +type docker_var_lib_t; +files_type(docker_var_lib_t) + ++type docker_config_t; ++files_config_file(docker_config_t) ++ +type docker_lock_t; +files_lock_file(docker_lock_t) + @@ -24489,6 +24517,9 @@ index 0000000..3ca773f +allow docker_t self:udp_socket create_socket_perms; +allow docker_t self:capability2 block_suspend; + ++ ++manage_dirs_pattern(docker_t, docker_config_t, docker_config_t) ++manage_files_pattern(docker_t, docker_config_t, docker_config_t) +manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) +manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) +files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc") @@ -29062,10 +29093,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..d964114 +index 0000000..e61eed9 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,63 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -29115,6 +29146,10 @@ index 0000000..d964114 +sysnet_dns_name_resolve(geoclue_t) + +optional_policy(` ++ kerberos_use(geoclue_t) ++') ++ ++optional_policy(` + dbus_system_domain(geoclue_t, geoclue_exec_t) + + optional_policy(` @@ -40772,7 +40807,7 @@ index dd8e01a..9cd6b0b 100644 ## ## 
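Review bot: `manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)` and `manage_files_pattern(docker_t, docker_config_t, docker_config_t)` give the daemon create, write, rename and unlink over everything under /etc/docker, so a compromised docker_t can rewrite its own configuration and any key or certificate material kept there. If the daemon only reads its configuration, `read_files_pattern(docker_t, docker_config_t, docker_config_t)` with `list_dirs_pattern(docker_t, docker_config_t, docker_config_t)` is the narrower form; if it must create one specific file there, a comment naming that file would justify the write access. The two consecutive blank lines inserted before the manage rules (`++` followed by `++manage_dirs_pattern`) are also a style nit, as the rest of the file uses single blank separators.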
diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..36ced41 100644 +index 7bab8e5..5c1e801 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,26 @@ @@ -41039,7 +41074,7 @@ index 7bab8e5..36ced41 100644 ') optional_policy(` -@@ -228,10 +271,21 @@ optional_policy(` +@@ -228,26 +271,43 @@ optional_policy(` ') optional_policy(` @@ -41061,7 +41096,11 @@ index 7bab8e5..36ced41 100644 su_exec(logrotate_t) ') -@@ -239,15 +293,17 @@ optional_policy(` + optional_policy(` ++ rpm_read_cache(logrotate_t) ++') ++ ++optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -46198,7 +46237,7 @@ index 6194b80..ecab2e6 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..80996ad 100644 +index 6a306ee..c4db163 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -46659,7 +46698,7 @@ index 6a306ee..80996ad 100644 ') optional_policy(` -@@ -300,259 +341,256 @@ optional_policy(` +@@ -300,259 +341,260 @@ optional_policy(` ######################################## # 
@@ -47001,27 +47040,30 @@ index 6a306ee..80996ad 100644 - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) +optional_policy(` -+ bumblebee_stream_connect(mozilla_plugin_t) ++ bluetooth_stream_connect(mozilla_plugin_t) ') optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) -+ cups_stream_connect(mozilla_plugin_t) ++ bumblebee_stream_connect(mozilla_plugin_t) ') optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) -+ dbus_system_bus_client(mozilla_plugin_t) -+ dbus_session_bus_client(mozilla_plugin_t) -+ dbus_connect_session_bus(mozilla_plugin_t) -+ dbus_read_lib_files(mozilla_plugin_t) ++ cups_stream_connect(mozilla_plugin_t) ') optional_policy(` - dbus_all_session_bus_client(mozilla_plugin_t) - dbus_connect_all_session_bus(mozilla_plugin_t) -- dbus_system_bus_client(mozilla_plugin_t) + dbus_system_bus_client(mozilla_plugin_t) ++ dbus_session_bus_client(mozilla_plugin_t) ++ dbus_connect_session_bus(mozilla_plugin_t) ++ dbus_read_lib_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gnome_manage_config(mozilla_plugin_t) + gnome_read_usr_config(mozilla_plugin_t) + gnome_filetrans_home_content(mozilla_plugin_t) @@ -47062,7 +47104,7 @@ index 6a306ee..80996ad 100644 ') optional_policy(` -@@ -560,7 +598,11 @@ optional_policy(` +@@ -560,7 +602,11 @@ optional_policy(` ') optional_policy(` @@ -47075,7 +47117,7 @@ index 6a306ee..80996ad 100644 ') optional_policy(` -@@ -568,108 +610,142 @@ optional_policy(` +@@ -568,108 +614,142 @@ optional_policy(` ') optional_policy(` 
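Review bot: `bluetooth_stream_connect(mozilla_plugin_t)` is granted unconditionally, whereas the other device and network reach of this domain in the same file is gated behind the `mozilla_plugin_use_spice`, `mozilla_plugin_use_gps` and `mozilla_plugin_use_bluejeans` tunables; a plugin process that runs web content now always has a channel to bluetoothd's sockets. Gating it the same way keeps the default confinement unchanged for systems without such a plugin; the `gen_tunable` declaration would go at the top of the file, outside this hunk, and the name below is illustrative. As elsewhere in refpolicy, `tunable_policy` nests inside `optional_policy` rather than the other way round.
```selinux
optional_policy(`
	tunable_policy(`mozilla_plugin_use_bluetooth',`
		bluetooth_stream_connect(mozilla_plugin_t)
	')
')
```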
@@ -47104,8 +47146,7 @@ index 6a306ee..80996ad 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; @@ -47113,7 +47154,8 @@ index 6a306ee..80996ad 100644 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") 
@@ -47201,31 +47243,25 @@ index 6a306ee..80996ad 100644 +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t) +userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t) +userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t) - --userdom_use_user_ptys(mozilla_plugin_config_t) ++ +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) - --mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) ++ +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(mozilla_plugin_config_t) +') --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_config_t self:process execmem; +-userdom_use_user_ptys(mozilla_plugin_config_t) +optional_policy(` + gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) - ') ++') --tunable_policy(`mozilla_execstack',` -- allow mozilla_plugin_config_t self:process { execmem execstack }; +-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) +optional_policy(` + xserver_use_user_fonts(mozilla_plugin_config_t) - ') ++') --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_plugin_config_t) -- fs_manage_nfs_files(mozilla_plugin_config_t) -- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_config_t self:process execmem; +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; 
@@ -47236,10 +47272,8 @@ index 6a306ee..80996ad 100644 + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; ') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_config_t) -- fs_manage_cifs_files(mozilla_plugin_config_t) -- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +-tunable_policy(`mozilla_execstack',` +- allow mozilla_plugin_config_t self:process { execmem execstack }; +#tunable_policy(`mozilla_plugin_enable_homedirs',` +# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +#', ` 
@@ -47252,27 +47286,35 @@ index 6a306ee..80996ad 100644 + userdom_execmod_user_home_files(mozilla_plugin_t) ') --optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_config_t) +- fs_manage_nfs_files(mozilla_plugin_config_t) +- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) + dev_setattr_generic_usb_dev(mozilla_plugin_t) + corenet_tcp_bind_vnc_port(mozilla_plugin_t) ') --optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_gps',` + fs_manage_dos_dirs(mozilla_plugin_t) + fs_manage_dos_files(mozilla_plugin_t) -+') -+ + ') + +-optional_policy(` +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_bluejeans',` + corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) + corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t) + corenet_tcp_connect_commplex_main_port(mozilla_plugin_t) -+') -+ + ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_bind_unreserved_ports',` + corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) + corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t) @@ -48874,7 +48916,7 @@ index ed81cac..837a43a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..21904e5 100644 +index afd2fad..bff8488 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -49171,7 +49213,7 @@ index afd2fad..21904e5 100644 optional_policy(` + munin_dontaudit_leaks(system_mail_t) -+ munin_append_var_lib_files(system_mail_t) ++ munin_manage_var_lib_files(system_mail_t) +') + +optional_policy(` 
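Review bot: `munin_manage_var_lib_files(system_mail_t)` replaces the previous append-only grant with full manage_files_pattern rights, so the mail domain can now overwrite, rename and delete any existing file under munin_var_lib_t rather than only add content, while the changelog asks only for creating content there. If creation plus append is the real need, an interface built from `create_files_pattern` and `append_files_pattern` together with `files_search_var_lib($1)` would satisfy it without write or unlink on munin's existing state. The new interface as defined in munin.if in this same patch also covers files only, so directory creation under /var/lib/munin would still be denied should that ever be required.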
@@ -49643,7 +49685,7 @@ index eb4b72a..4968324 100644 +/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/munin.if b/munin.if -index b744fe3..17e2514 100644 +index b744fe3..e713bb6 100644 --- a/munin.if +++ b/munin.if @@ -1,12 +1,13 @@ @@ -49714,7 +49756,7 @@ index b744fe3..17e2514 100644 ## ## ## -@@ -80,15 +84,73 @@ interface(`munin_read_config',` +@@ -80,15 +84,92 @@ interface(`munin_read_config',` type munin_etc_t; ') @@ -49723,11 +49765,10 @@ index b744fe3..17e2514 100644 allow $1 munin_etc_t:file read_file_perms; allow $1 munin_etc_t:lnk_file read_lnk_file_perms; + files_search_etc($1) - ') - - ####################################### - ## --## Append munin log files. ++') ++ ++####################################### ++## +## Read munin library files. +## +## @@ -49748,6 +49789,25 @@ index b744fe3..17e2514 100644 + +####################################### +## ++## Manage munin library files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`munin_manage_var_lib_files',` ++ gen_require(` ++ type munin_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t) ++') ++ ++####################################### ++## +## Append munin library files. +## +## @@ -49782,15 +49842,16 @@ index b744fe3..17e2514 100644 + ') + + dontaudit $1 munin_t:tcp_socket { read write }; -+') -+ -+####################################### -+## + ') + + ####################################### + ## +-## Append munin log files. +## Append to the munin log. ## ## ## -@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',` +@@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',` ######################################## ## 
@@ -49801,7 +49862,7 @@ index b744fe3..17e2514 100644 ## ## ## -@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',` +@@ -157,7 +238,7 @@ interface(`munin_dontaudit_search_lib',` ## ## ## @@ -49810,7 +49871,7 @@ index b744fe3..17e2514 100644 ## ## ## -@@ -170,8 +232,12 @@ interface(`munin_admin',` +@@ -170,8 +251,12 @@ interface(`munin_admin',` type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; ') @@ -59645,7 +59706,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..e148dc4 100644 +index 3270ff9..baf76c1 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -59748,7 +59809,7 @@ index 3270ff9..e148dc4 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -118,21 +144,30 @@ files_read_etc_runtime_files(openvpn_t) +@@ -118,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t) fs_getattr_all_fs(openvpn_t) fs_search_auto_mountpoints(openvpn_t) @@ -59769,6 +59830,7 @@ index 3270ff9..e148dc4 100644 -userdom_use_user_terminals(openvpn_t) +systemd_passwd_agent_domtrans(openvpn_t) ++systemd_manage_passwd_run(openvpn_t) + +userdom_use_inherited_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) @@ -59782,7 +59844,7 @@ index 3270ff9..e148dc4 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -143,11 +178,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` +@@ -143,11 +179,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(openvpn_t) ') @@ -59808,7 +59870,7 @@ index 3270ff9..e148dc4 100644 dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -155,3 +204,27 @@ optional_policy(` +@@ -155,3 +205,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') 
@@ -68973,7 +69035,7 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..96d835a 100644 +index b2b5dba..3ed75e7 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -69062,7 +69124,8 @@ index b2b5dba..96d835a 100644 +# PPPD Local policy # - allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; +-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice sys_chroot }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; +dontaudit pppd_t self:capability2 block_suspend; @@ -70642,7 +70705,7 @@ index 0000000..19c35c1 +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..4f6badd +index 0000000..ad32ffe --- /dev/null +++ b/prosody.te @@ -0,0 +1,75 @@ @@ -70679,7 +70742,7 @@ index 0000000..4f6badd +# prosody local policy +# +allow prosody_t self:capability { setuid setgid }; -+allow prosody_t self:process signal_perms; ++allow prosody_t self:process { signal_perms execmem }; +allow prosody_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) @@ -75797,7 +75860,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..a844a8f 100644 +index 3698b51..f1b94dd 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0) 
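Review bot: `allow prosody_t self:process { signal_perms execmem };` grants execmem unconditionally, while thumb.te in this same patch wraps the equivalent rule in `tunable_policy(`deny_execmem',`',` ... ')` so that the global deny_execmem switch still applies; for a network-facing daemon that is the more cautious form, and the LuaJIT justification from the changelog belongs in a comment beside the rule rather than only in the spec changelog. The split would look like the lines below.
```selinux
allow prosody_t self:capability { setuid setgid };
# LuaJIT needs executable anonymous memory; keep the global deny_execmem switch effective
allow prosody_t self:process signal_perms;
tunable_policy(`deny_execmem',`',`
	allow prosody_t self:process execmem;
')
# … unchanged: tcp_socket rule and prosody_var_lib_t patterns …
```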
@@ -75831,7 +75894,7 @@ index 3698b51..a844a8f 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,80 +31,86 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,80 +31,92 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # 
@@ -75850,55 +75913,55 @@ index 3698b51..a844a8f 100644 -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -- --manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) --manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +allow rabbitmq_t self:capability setuid; --can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) +-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +allow rabbitmq_t self:process { setsched signal signull }; +allow rabbitmq_t self:fifo_file rw_fifo_file_perms; +allow rabbitmq_t self:tcp_socket { accept listen }; --domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) +-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file }) --kernel_read_system_state(rabbitmq_beam_t) +-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file }) --corecmd_exec_bin(rabbitmq_beam_t) --corecmd_exec_shell(rabbitmq_beam_t) +-kernel_read_system_state(rabbitmq_beam_t) +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) 
+files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file) +-corecmd_exec_bin(rabbitmq_beam_t) +-corecmd_exec_shell(rabbitmq_beam_t) ++manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) ++manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) ++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) ++files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file }) + -corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) -corenet_all_recvfrom_netlabel(rabbitmq_beam_t) -corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) -corenet_tcp_bind_generic_node(rabbitmq_beam_t) -+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) -+manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) -+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file }) ++kernel_read_system_state(rabbitmq_t) ++kernel_read_fs_sysctls(rabbitmq_t) -corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) -corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) -+kernel_read_system_state(rabbitmq_t) -+kernel_read_fs_sysctls(rabbitmq_t) ++corecmd_exec_bin(rabbitmq_t) ++corecmd_exec_shell(rabbitmq_t) -corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) -corenet_tcp_connect_epmd_port(rabbitmq_beam_t) -corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) -+corecmd_exec_bin(rabbitmq_t) -+corecmd_exec_shell(rabbitmq_t) - --dev_read_sysfs(rabbitmq_beam_t) +corenet_tcp_bind_generic_node(rabbitmq_t) +corenet_udp_bind_generic_node(rabbitmq_t) +corenet_all_recvfrom_unlabeled(rabbitmq_t) 
@@ -75921,51 +75984,56 @@ index 3698b51..a844a8f 100644 +corenet_tcp_sendrecv_epmd_port(rabbitmq_t) +corenet_tcp_connect_http_port(rabbitmq_t) --files_read_etc_files(rabbitmq_beam_t) +-dev_read_sysfs(rabbitmq_beam_t) +domain_read_all_domains_state(rabbitmq_t) --miscfiles_read_localization(rabbitmq_beam_t) +-files_read_etc_files(rabbitmq_beam_t) +auth_read_passwd(rabbitmq_t) +auth_use_pam(rabbitmq_t) +-miscfiles_read_localization(rabbitmq_beam_t) ++files_getattr_all_mountpoints(rabbitmq_t) + -sysnet_dns_name_resolve(rabbitmq_beam_t) - -######################################## -# -# Epmd local policy -# -+files_getattr_all_mountpoints(rabbitmq_t) - +fs_getattr_all_fs(rabbitmq_t) +fs_getattr_all_dirs(rabbitmq_t) +fs_getattr_cgroup(rabbitmq_t) +fs_search_cgroup_dirs(rabbitmq_t) ++dev_read_sysfs(rabbitmq_t) ++dev_read_urand(rabbitmq_t) + -allow rabbitmq_epmd_t self:process signal; -allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; -allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; -+dev_read_sysfs(rabbitmq_t) -+dev_read_urand(rabbitmq_t) ++storage_getattr_fixed_disk_dev(rabbitmq_t) -allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; -+storage_getattr_fixed_disk_dev(rabbitmq_t) ++sysnet_dns_name_resolve(rabbitmq_t) -corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) -corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) -corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t) -corenet_tcp_bind_generic_node(rabbitmq_epmd_t) -+sysnet_dns_name_resolve(rabbitmq_t) ++logging_send_syslog_msg(rabbitmq_t) -corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) -corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) -corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) -+logging_send_syslog_msg(rabbitmq_t) ++optional_policy(` ++ dbus_system_bus_client(rabbitmq_t) ++') -files_read_etc_files(rabbitmq_epmd_t) +optional_policy(` -+ 
dbus_system_bus_client(rabbitmq_t) ++ hostname_exec(rabbitmq_t) +') -logging_send_syslog_msg(rabbitmq_epmd_t) @@ -76408,7 +76476,7 @@ index 951db7f..c0cabe8 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') diff --git a/raid.te b/raid.te -index 2c1730b..fe05f23 100644 +index 2c1730b..36acb6c 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t; @@ -76512,11 +76580,12 @@ index 2c1730b..fe05f23 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +111,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) +storage_raw_read_removable_device(mdadm_t) ++storage_tmp_filetrans_fixed_disk(mdadm_t) term_dontaudit_list_ptys(mdadm_t) term_dontaudit_use_unallocated_ttys(mdadm_t) @@ -76524,6 +76593,7 @@ index 2c1730b..fe05f23 100644 +auth_use_nsswitch(mdadm_t) + init_dontaudit_getattr_initctl(mdadm_t) ++init_getattr_script_status_files(mdadm_t) +logging_dontaudit_getattr_all_logs(mdadm_t) logging_send_syslog_msg(mdadm_t) @@ -76534,7 +76604,7 @@ index 2c1730b..fe05f23 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -89,17 +135,38 @@ optional_policy(` +@@ -89,17 +137,38 @@ optional_policy(` ') optional_policy(` @@ -79777,7 +79847,7 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..a470f79 100644 +index 2c2de9a..a8f6097 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
@@ -80267,7 +80337,7 @@ index 2c2de9a..a470f79 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +582,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +582,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -80312,6 +80382,9 @@ index 2c2de9a..a470f79 100644 +corenet_tcp_connect_http_cache_port(haproxy_t) +corenet_tcp_connect_rtp_media_port(haproxy_t) + ++dev_read_rand(haproxy_t) ++dev_read_urand(haproxy_t) ++ +sysnet_dns_name_resolve(haproxy_t) + +tunable_policy(`haproxy_connect_any',` @@ -80324,7 +80397,7 @@ index 2c2de9a..a470f79 100644 ###################################### # # qdiskd local policy -@@ -321,6 +672,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -82482,7 +82555,7 @@ index 3bd6446..eec0a35 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..fa69f22 100644 +index e5212e6..fbbff71 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -82526,7 +82599,7 @@ index e5212e6..fa69f22 100644 type exports_t; files_config_file(exports_t) -@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t) +@@ -36,110 +32,50 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) @@ -82645,12 +82718,13 @@ index e5212e6..fa69f22 100644 can_exec(rpcd_t, rpcd_exec_t) +kernel_read_system_state(rpcd_t) ++kernel_write_proc_files(rpcd_t) kernel_read_network_state(rpcd_t) +# for rpc.rquotad kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t) +@@ -160,13 +96,14 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) @@ -82668,7 +82742,7 @@ index e5212e6..fa69f22 100644 optional_policy(` automount_signal(rpcd_t) -@@ -174,19 +110,27 @@ optional_policy(` +@@ -174,19 +111,27 @@ optional_policy(` ') optional_policy(` 
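Review bot: `kernel_write_proc_files(rpcd_t)` grants write on generic /proc files rather than a specific sysctl or nfsd control file, which is a wide grant for a network-facing daemon; the hunk already documents a neighbouring rule with `# for rpc.rquotad`, so the same style (`# for <proc path the daemon writes — TODO name it>`) would record what the write is for and let a later reviewer narrow it. It is also worth checking whether the existing `kernel_rw_fs_sysctls(rpcd_t)` further down in the hunk already covers the intended path, in which case the new rule is redundant.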
@@ -82699,7 +82773,7 @@ index e5212e6..fa69f22 100644 ') ######################################## -@@ -195,41 +139,56 @@ optional_policy(` +@@ -195,41 +140,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -82764,7 +82838,7 @@ index e5212e6..fa69f22 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -82772,7 +82846,7 @@ index e5212e6..fa69f22 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -82787,7 +82861,7 @@ index e5212e6..fa69f22 100644 ') ######################################## -@@ -263,7 +221,7 @@ optional_policy(` +@@ -263,7 +222,7 @@ optional_policy(` # GSSD local policy # @@ -82796,7 +82870,7 @@ index e5212e6..fa69f22 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -82804,7 +82878,7 @@ index e5212e6..fa69f22 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +238,30 @@ kernel_signal(gssd_t) +@@ -279,25 +239,30 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -82838,7 +82912,7 @@ index e5212e6..fa69f22 100644 ') optional_policy(` -@@ -306,8 +270,11 @@ optional_policy(` +@@ -306,8 +271,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -98774,10 +98848,10 @@ index 0000000..c1fd8b4 +') 
diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..7f7e7ff +index 0000000..dd6ba2c --- /dev/null +++ b/thumb.te -@@ -0,0 +1,159 @@ +@@ -0,0 +1,160 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -98808,6 +98882,7 @@ index 0000000..7f7e7ff + +allow thumb_t self:process { setsched signal signull setrlimit }; +dontaudit thumb_t self:capability sys_tty_config; ++dontaudit thumb_t self:process setfscreate; + +tunable_policy(`deny_execmem',`',` + allow thumb_t self:process execmem; @@ -100367,7 +100442,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..041373e 100644 +index 8840be6..6a13ab8 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; @@ -100393,9 +100468,10 @@ index 8840be6..041373e 100644 # -allow usbmuxd_t self:capability { kill setgid setuid }; +-allow usbmuxd_t self:process { signal signull }; +allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid }; +dontaudit usbmuxd_t self:capability sys_resource; - allow usbmuxd_t self:process { signal signull }; ++allow usbmuxd_t self:process { signal_perms setrlimit }; allow usbmuxd_t self:fifo_file rw_fifo_file_perms; +allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow usbmuxd_t self:unix_stream_socket connectto; diff --git a/selinux-policy.spec b/selinux-policy.spec index e863167..a896c26 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 196%{?dist} +Release: 197%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -582,6 +582,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jan 16 2015 Lukas Vrabec 3.12.1-197 +- allow mozilla plugins to connect to bluetooth devices +- Allow system_mail_t to create content in /var/lib/munin +- Allow prosody_t to execmem, since it is using loajit. +- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems +- Allow rpcd_t to write to /proc +- Additional access required by usbmuxd +- Allow mdadm_t to getattr on init status files +- Allow abrt to read udev database +- Allow rabbitmq_t to deal with link files created with its content +- Allow rabbitmq_t to run hostname +- Allow canna go call getpw* +- Fixed storage_tmp_filestrans_fixed_disk interface +- userdom_dontaudit_search_user_home_content should not search through any homedirs and subdirs +- Allow init_t to create gnome content in homedirs +- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems +- Fix labels on /etc/kde/kdm +- Allow texlive managers to relabelfrom + * Tue Dec 02 2014 Lukas Vrabec 3.12.1-196 - Dontaudit couchdb to list /var - Couchdb policy fixes