From edc579ac09f764cb4b9d7213463b229320fa989b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 11 2011 22:11:58 +0000 Subject: - Need to allow apps that use locks to read /var/lock if it is a syml - Allow systemd to create tasks - Logwatch reads /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward - Fixes for foghorn policy - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_sy - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pi - Fixes for matahari policy --- diff --git a/policy-F15.patch b/policy-F15.patch index 61a9a7c..d6e37c0 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -218,10 +218,35 @@ index 4705ab6..262b5ba 100644 +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs -index 358ce7c..0f1d444 100644 +index 358ce7c..e5dc022 100644 --- a/policy/mcs 
+++ b/policy/mcs -@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto } +@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats) + # - /proc/pid operations are not constrained. + + mlsconstrain file { read ioctl lock execute execute_no_trans } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + mlsconstrain file { write setattr append unlink link rename } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + mlsconstrain dir { search read ioctl lock } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + mlsconstrain dir { write setattr append unlink link rename add_name remove_name } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + # New filesystem object labels must be dominated by the relabeling subject + # clearance, also the objects are single-level. +@@ -86,10 +90,10 @@ mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); # new file labels must be dominated by the relabeling subject clearance @@ -234,7 +259,7 @@ index 358ce7c..0f1d444 100644 (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } -@@ -101,6 +101,9 @@ mlsconstrain process { ptrace } +@@ -101,6 +105,9 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); 
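Review bot: The rewritten `mlsconstrain file { write setattr append unlink link rename }` drops the `( t1 == mcswriteall )` disjunct that the removed line had, while the parallel `mlsconstrain dir { write setattr ... }` a few lines below keeps it. As written, a domain given `mcs_file_write_all` (this same patch has `domain_unconfined` call it) can still write directories at any category but can no longer write, unlink or rename files whose range it does not dominate, so the file constraint should read `(( h1 dom h2 ) or ( t1 == mcswriteall ) or (( t1 != mcsuntrustedproc ) and (t2 == domain)));`. The `t1 != mcsuntrustedproc` exclusion itself looks sound: it closes the `t2 == domain` exemption that, per the comment above it, presumably let a category-restricted process read every domain's `/proc/<pid>` entries. The constraint block continues past the end of this hunk.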
@@ -244,7 +269,7 @@ index 358ce7c..0f1d444 100644 # # MCS policy for SELinux-enabled databases # -@@ -144,4 +147,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -144,4 +151,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -833,7 +858,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te -index 75ce30f..68cb617 100644 +index 75ce30f..0e77aea 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t) @@ -856,7 +881,15 @@ index 75ce30f..68cb617 100644 kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -70,6 +76,8 @@ fs_getattr_all_fs(logwatch_t) +@@ -58,6 +64,7 @@ files_list_var(logwatch_t) + files_read_var_symlinks(logwatch_t) + files_read_etc_files(logwatch_t) + files_read_etc_runtime_files(logwatch_t) ++files_read_system_conf_files(logwatch_t) + files_read_usr_files(logwatch_t) + files_search_spool(logwatch_t) + files_search_mnt(logwatch_t) +@@ -70,6 +77,8 @@ fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) @@ -865,7 +898,7 @@ index 75ce30f..68cb617 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -92,11 +100,21 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +101,21 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -10139,7 +10172,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..60437ca 100644 +index e9313fb..255c5bb 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -10481,7 +10514,7 @@ index e9313fb..60437ca 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4874,23 @@ interface(`dev_unconfined',` +@@ -4748,3 +4874,22 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -10504,7 +10537,6 @@ index e9313fb..60437ca 100644 + + dontaudit $1 { device_t device_node }:dir_file_class_set getattr; +') -+ diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 3ff4f60..89ffda6 100644 --- a/policy/modules/kernel/devices.te @@ -10525,7 +10557,7 @@ index 3ff4f60..89ffda6 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..edc8af9 100644 +index aad8c52..e957e76 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` @@ -10622,10 +10654,17 @@ index aad8c52..edc8af9 100644 ## dontaudit checking for execute on all entry point files ## ## -@@ -1473,3 +1528,22 @@ interface(`domain_unconfined',` +@@ -1472,4 +1527,29 @@ interface(`domain_unconfined',` + typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; - ') ++ ++ mcs_file_read_all($1) ++ mcs_file_write_all($1) ++ mcs_killall($1) ++ mcs_ptrace_all($1) ++ mcs_socket_write_all_levels($1) ++') + +######################################## +## @@ -10644,7 +10683,7 @@ index aad8c52..edc8af9 100644 + ') + + dontaudit $1 domain:socket_class_set { read write }; -+') + ') 
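Review bot: The five `mcs_*` calls added to `domain_unconfined` make every domain passed to it exempt from the MCS file, kill, ptrace and socket constraints, not just from type enforcement, yet nothing in the interface's doc block (outside the hunk) says so. I would add to that description: `## Also exempts the domain from all MCS category constraints: it may read and write files, kill and ptrace processes, and write sockets at any level.` so that callers that rely on MCS categories to separate instances know the bypass comes with this interface. Because the calls are unconditional, any module that invokes `domain_unconfined` for a sandbox or virtualization domain silently loses category separation; if that is not intended for every caller, the MCS exemption belongs in a separate interface that the unconfined module calls explicitly. The enclosing `domain_unconfined` definition starts before this hunk.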
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index bc534c1..b70ea07 100644 --- a/policy/modules/kernel/domain.te @@ -10949,7 +10988,7 @@ index 16108f6..7307872 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..d46ed10 100644 +index 958ca84..0718ea9 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -11102,7 +11141,32 @@ index 958ca84..d46ed10 100644 ######################################## ## ## Read and write symbolic links -@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',` +@@ -2300,6 +2407,24 @@ interface(`files_rw_etc_dirs',` + allow $1 etc_t:dir rw_dir_perms; + ') + ++####################################### ++## ++## Dontaudit remove dir /etc directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_remove_etc_dir',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 etc_t:dir rmdir; ++') ++ + ########################################## + ## + ## Manage generic directories in /etc +@@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -11127,7 +11191,7 @@ index 958ca84..d46ed10 100644 ## Execute generic files in /etc. ## ## -@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',` +@@ -2583,6 +2726,31 @@ interface(`files_create_boot_flag',` ######################################## ## @@ -11159,7 +11223,7 @@ index 958ca84..d46ed10 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2623,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## 
@@ -11184,7 +11248,7 @@ index 958ca84..d46ed10 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',` +@@ -3104,6 +3290,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -11192,7 +11256,7 @@ index 958ca84..d46ed10 100644 ') ######################################## -@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3311,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -11200,7 +11264,7 @@ index 958ca84..d46ed10 100644 ') ######################################## -@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` +@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` dontaudit $1 lost_found_t:dir getattr; ') @@ -11225,7 +11289,7 @@ index 958ca84..d46ed10 100644 ######################################## ## ## Create, read, write, and delete objects in -@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',` +@@ -3365,6 +3571,43 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -11269,7 +11333,7 @@ index 958ca84..d46ed10 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3681,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -11294,7 +11358,7 @@ index 958ca84..d46ed10 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -11394,7 +11458,7 @@ index 958ca84..d46ed10 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4268,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -11427,7 +11491,7 @@ index 958ca84..d46ed10 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4348,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -11436,7 +11500,7 @@ index 958ca84..d46ed10 100644 ## ## ## -@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3976,17 +4356,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -11458,7 +11522,7 @@ index 958ca84..d46ed10 100644 ## ## ## -@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -3994,22 +4374,100 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -11483,36 +11547,31 @@ index 958ca84..d46ed10 100644 ## -## Domain not to audit. +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`files_dontaudit_getattr_all_tmp_files',` ++# +interface(`files_relabel_all_tmp_dirs',` - gen_require(` - attribute tmpfile; ++ gen_require(` ++ attribute tmpfile; + type var_t; - ') - -- dontaudit $1 tmpfile:file getattr; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Allow attempts to get the attributes --## of all tmp files. ++') ++ ++######################################## ++## +## Relabel all tmp files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_getattr_all_tmp_files',` ++# +interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; 
@@ -11567,33 +11626,10 @@ index 958ca84..d46ed10 100644 +## +## +## Domain not to audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file getattr; -+') -+ -+######################################## -+## -+## Allow attempts to get the attributes -+## of all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') -@@ -4127,6 +4567,15 @@ interface(`files_purge_tmp',` + ## + ## + # +@@ -4127,6 +4585,15 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11609,7 +11645,7 @@ index 958ca84..d46ed10 100644 ') ######################################## -@@ -4736,6 +5185,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5203,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -11634,7 +11670,7 @@ index 958ca84..d46ed10 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5538,25 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5556,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11651,7 +11687,7 @@ index 958ca84..d46ed10 100644 + type var_t, var_lock_t; + ') + -+ files_search_pids($1) ++ files_search_locks($1) + list_dirs_pattern($1, var_t, var_lock_t) +') + 
@@ -11660,15 +11696,22 @@ index 958ca84..d46ed10 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5084,6 +5570,7 @@ interface(`files_search_locks',` +@@ -5084,6 +5588,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') + files_search_pids($1) ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5108,6 +5595,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5103,11 +5609,32 @@ interface(`files_dontaudit_search_locks',` + type var_lock_t; + ') + ++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; + dontaudit $1 var_lock_t:dir search_dir_perms; + ') ######################################## ## @@ -11686,7 +11729,7 @@ index 958ca84..d46ed10 100644 + type var_t, var_lock_t; + ') + -+ allow $1 var_t:dir search_dir_perms; ++ files_search_locks($1) + allow $1 var_lock_t:dir create_dir_perms; +') + @@ -11695,23 +11738,24 @@ index 958ca84..d46ed10 100644 ## Add and remove entries in the /var/lock ## directories. ## -@@ -5122,6 +5629,7 @@ interface(`files_rw_lock_dirs',` +@@ -5122,6 +5649,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') -+ files_search_pids($1) ++ files_search_locks($1) rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5142,6 +5650,7 @@ interface(`files_getattr_generic_locks',` +@@ -5140,7 +5668,7 @@ interface(`files_getattr_generic_locks',` + type var_t, var_lock_t; + ') - allow $1 var_t:dir search_dir_perms; +- allow $1 var_t:dir search_dir_perms; ++ files_search_locks($1) allow $1 var_lock_t:dir list_dir_perms; -+ files_search_pids($1) getattr_files_pattern($1, var_lock_t, var_lock_t) ') - -@@ -5156,12 +5665,13 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5684,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
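Review bot: `files_search_locks` now adds `files_search_pids($1)` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` so the `/var/lock` symlink can be followed into `/run/lock`, but its counterpart `files_dontaudit_search_locks` only gains `dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;` and still says nothing about `var_run_t`. A domain on the dontaudit path that follows the symlink would presumably still be denied, and logged, at the `var_run_t:dir search` step, which defeats the purpose of the dontaudit interface. If a pid-directory dontaudit interface exists (the context right after `files_search_pids` suggests one), the dontaudit variant should call it, e.g. `files_dontaudit_search_pids($1)`, next to the new lnk_file rule. Both interface bodies begin above this hunk.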
@@ -11723,21 +11767,21 @@ index 958ca84..d46ed10 100644 - allow $1 var_t:dir search_dir_perms; - delete_files_pattern($1, var_lock_t, var_lock_t) -+ allow $1 var_t:dir search_dir_perms; -+ files_search_pids($1) ++ files_search_locks($1) + delete_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## -@@ -5181,6 +5691,7 @@ interface(`files_manage_generic_locks',` +@@ -5180,7 +5708,7 @@ interface(`files_manage_generic_locks',` + type var_t, var_lock_t; ') - allow $1 var_t:dir search_dir_perms; -+ files_search_pids($1) +- allow $1 var_t:dir search_dir_perms; ++ files_search_locks($1) manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5207,6 +5718,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5735,27 @@ interface(`files_delete_all_locks',` ######################################## ## 
@@ -11765,37 +11809,41 @@ index 958ca84..d46ed10 100644 ## Read all lock files. ## ## -@@ -5224,6 +5756,7 @@ interface(`files_read_all_locks',` - allow $1 { var_t var_lock_t }:dir search_dir_perms; +@@ -5221,7 +5770,7 @@ interface(`files_read_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) -+ files_search_pids($1) read_lnk_files_pattern($1, lockfile, lockfile) - ') - -@@ -5244,6 +5777,7 @@ interface(`files_manage_all_locks',` +@@ -5243,7 +5792,7 @@ interface(`files_manage_all_locks',` + type var_t, var_lock_t; ') - allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_pids($1) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5276,6 +5810,7 @@ interface(`files_lock_filetrans',` +@@ -5275,7 +5824,7 @@ interface(`files_lock_filetrans',` + type var_t, var_lock_t; ') - allow $1 var_t:dir search_dir_perms; -+ files_search_pids($1) +- allow $1 var_t:dir search_dir_perms; ++ files_search_locks($1) filetrans_pattern($1, var_lock_t, $2, $3) ') -@@ -5333,6 +5868,44 @@ interface(`files_search_pids',` +@@ -5332,9 +5881,47 @@ interface(`files_search_pids',` + type var_t, var_run_t; ') ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_run_t) -+ read_lnk_files_pattern($1, var_t, var_run_t) -+') -+ + ') + +###################################### +## +## Add and remove entries from pid directories. 
@@ -11831,10 +11879,12 @@ index 958ca84..d46ed10 100644 + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir create_dir_perms; - ') - ++') ++ ######################################## -@@ -5542,6 +6115,62 @@ interface(`files_dontaudit_ioctl_all_pids',` + ## + ## Do not audit attempts to search +@@ -5542,6 +6129,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11897,7 +11947,7 @@ index 958ca84..d46ed10 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6188,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6202,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -11942,7 +11992,7 @@ index 958ca84..d46ed10 100644 ') ######################################## -@@ -5844,3 +6511,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6525,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12292,7 +12342,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..e6e4999 100644 +index dfe361a..79b4c0f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -12327,7 +12377,7 @@ index dfe361a..e6e4999 100644 ## list cgroup directories. ## ## -@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', ` +@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) 
@@ -12335,7 +12385,29 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', ` ++####################################### ++## ++## Dontaudit list cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_search_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ dontaudit $1 cgroup_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ++') ++ + ######################################## + ## + ## Delete cgroup directories. +@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) @@ -12343,7 +12415,7 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',` +@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) @@ -12351,7 +12423,7 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',` +@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) @@ -12359,7 +12431,7 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', ` +@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) @@ -12367,7 +12439,7 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',` +@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -12375,7 +12447,7 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',` +@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) 
@@ -12383,7 +12455,7 @@ index dfe361a..e6e4999 100644 dev_search_sysfs($1) ') -@@ -1052,6 +1079,24 @@ interface(`fs_list_noxattr_fs',` +@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',` ######################################## ## @@ -12408,7 +12480,7 @@ index dfe361a..e6e4999 100644 ## Create, read, write, and delete all noxattrfs directories. ## ## -@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -12451,7 +12523,7 @@ index dfe361a..e6e4999 100644 ## Dont audit attempts to write to noxattrfs files. ## ## -@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -12494,7 +12566,7 @@ index dfe361a..e6e4999 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -12503,7 +12575,7 @@ index dfe361a..e6e4999 100644 ') ######################################## -@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -12529,7 +12601,7 @@ index dfe361a..e6e4999 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',` +@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',` ######################################## ## @@ -12555,7 +12627,7 @@ index dfe361a..e6e4999 100644 ## Create, read, write, and delete dirs ## on a DOS filesystem. ## -@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',` +@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',` ######################################## ## 
@@ -12580,7 +12652,7 @@ index dfe361a..e6e4999 100644 ## Search directories ## on a FUSEFS filesystem. ## -@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',` +@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',` ######################################## ## @@ -12607,7 +12679,7 @@ index dfe361a..e6e4999 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. -@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -12635,7 +12707,7 @@ index dfe361a..e6e4999 100644 ## ## ## -@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -12677,7 +12749,7 @@ index dfe361a..e6e4999 100644 ######################################## ## -@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -12685,7 +12757,7 @@ index dfe361a..e6e4999 100644 ') ######################################## -@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',` +@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -12693,7 +12765,7 @@ index dfe361a..e6e4999 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',` +@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -12701,7 +12773,7 @@ index dfe361a..e6e4999 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
@@ -12727,7 +12799,7 @@ index dfe361a..e6e4999 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -12770,7 +12842,7 @@ index dfe361a..e6e4999 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -12779,7 +12851,7 @@ index dfe361a..e6e4999 100644 ') ######################################## -@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -12804,7 +12876,7 @@ index dfe361a..e6e4999 100644 ## Read removable storage symbolic links. ## ## -@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',` +@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',` read_lnk_files_pattern($1, removable_t, removable_t) ') @@ -12830,7 +12902,7 @@ index dfe361a..e6e4999 100644 ######################################## ## ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -12838,7 +12910,7 @@ index dfe361a..e6e4999 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -12846,7 +12918,7 @@ index dfe361a..e6e4999 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links 
@@ -12855,7 +12927,7 @@ index dfe361a..e6e4999 100644 ## ## ## -@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -12863,7 +12935,7 @@ index dfe361a..e6e4999 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3772,6 +4117,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -12906,7 +12978,7 @@ index dfe361a..e6e4999 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -3989,6 +4370,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -12931,7 +13003,7 @@ index dfe361a..e6e4999 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4670,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -12940,7 +13012,7 @@ index dfe361a..e6e4999 100644 ') ######################################## -@@ -4681,3 +5082,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -15624,10 +15696,10 @@ index 0000000..805d0ea +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..10d03a3 100644 +index e5bfdd4..0e1c254 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,67 @@ role user_r; +@@ -12,15 +12,72 @@ role user_r; userdom_unpriv_user_template(user) @@ -15651,6 +15723,7 @@ index e5bfdd4..10d03a3 100644 + +optional_policy(` + gnome_role(user_r, user_t) ++ +') + +optional_policy(` 
@@ -15680,6 +15753,10 @@ index e5bfdd4..10d03a3 100644 +') + +optional_policy(` ++ ssh_role_template(user, user_r, user_t) ++') ++ ++optional_policy(` screen_role_template(user, user_r, user_t) ') @@ -15695,7 +15772,7 @@ index e5bfdd4..10d03a3 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +114,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +119,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15706,16 +15783,20 @@ index e5bfdd4..10d03a3 100644 gpg_role(user_r, user_t) ') -@@ -118,7 +166,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +171,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - spamassassin_role(user_r, user_t) +- ') +- +- optional_policy(` +- ssh_role_template(user, user_r, user_t) + spamassassin_role(user_r, user_t) ') optional_policy(` -@@ -157,3 +205,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +206,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -26791,10 +26872,11 @@ index 7382f85..8d10fc5 100644 +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc -index 462de63..aaa94fc 100644 +index 462de63..5df751b 100644 --- a/policy/modules/services/gnomeclock.fc +++ b/policy/modules/services/gnomeclock.fc -@@ -1,2 +1,5 @@ +@@ -1,2 +1,6 @@ ++ /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) @@ -26830,10 +26912,19 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..9939628 100644 +index 4fde46b..6ee7b93 100644 --- a/policy/modules/services/gnomeclock.te 
+++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,22 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -9,24 +9,31 @@ type gnomeclock_t; + type gnomeclock_exec_t; + dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + ++systemd_systemctl_domain(gnomeclock) ++permissive gnomeclock_systemctl_t; ++ + ######################################## + # + # gnomeclock local policy # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -26859,7 +26950,7 @@ index 4fde46b..9939628 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +39,28 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -26888,6 +26979,28 @@ index 4fde46b..9939628 100644 policykit_dbus_chat(gnomeclock_t) policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) + policykit_read_reload(gnomeclock_t) + ') ++ ++####################################### ++# ++# gnomeclock systemctl local policy ++# ++ ++files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t) ++files_manage_etc_symlinks(gnomeclock_systemctl_t) ++ ++fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t) ++ ++# needed by systemctl ++init_stream_connect(gnomeclock_systemctl_t) ++init_read_state(gnomeclock_systemctl_t) ++ ++systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) ++ ++optional_policy(` ++ ntpd_read_unit_file(gnomeclock_systemctl_t) ++') diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 --- a/policy/modules/services/gpm.if @@ -28865,7 +28978,7 @@ index af4d572..0fd2357 100644 +') diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 -index 0000000..8d13eb6 +index 0000000..bce824e --- /dev/null +++ b/policy/modules/services/matahari.fc @@ -0,0 +1,15 @@ 
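Review bot: `permissive gnomeclock_systemctl_t;` ships the new systemctl helper domain with enforcement switched off, so none of the rules written for it later in this file are actually enforced and whatever the `sys_time`-capable gnomeclock mechanism does through systemctl is allowed and merely logged. If this is a bring-up step it needs a marker that it is temporary, e.g. `# TODO(review): remove once gnomeclock_systemctl_t has been exercised in enforcing mode`, so the permissive line does not survive into a release. The domain itself comes from `systemd_systemctl_domain(gnomeclock)`, whose rules are defined outside this hunk and cannot be reviewed here.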
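Review bot: `files_manage_etc_symlinks(gnomeclock_systemctl_t)` lets the helper create, delete and rename every symlink labeled `etc_t`, far more than the single `.wants` link that `systemctl enable ntpd.service` presumably creates, and with the domain permissive nothing narrower is being exercised. Since this same patch adds labeling for systemd unit files and already uses `ntpd_read_unit_file` and `systemd_dontaudit_read_unit_files` here, the symlink management should be scoped to that unit-file type through a systemd interface rather than to all of `etc_t`. `files_dontaudit_remove_etc_dir` is acceptable only as a dontaudit; if systemctl genuinely has to remove an emptied `.wants` directory, that should be an explicit allow on the unit-file type, not a silenced denial across `/etc`. The `init_stream_connect` and `init_read_state` calls are the minimum a systemctl client needs and look right.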
@@ -28882,16 +28995,43 @@ index 0000000..8d13eb6 +/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) + +/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) -+/var/run/matahari.pid gen_context(system_u:object_r:matahari_var_run_t,s0) -+ ++/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) ++/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if new file mode 100644 -index 0000000..8e22c5e +index 0000000..9343f3f --- /dev/null +++ b/policy/modules/services/matahari.if -@@ -0,0 +1,220 @@ +@@ -0,0 +1,247 @@ +## policy for matahari + ++###################################### ++## ++## Creates types and rules for a basic ++## matahari init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`matahari_domain_template',` ++ gen_require(` ++ attribute matahari_domain; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type matahari_$1_t, matahari_domain; ++ type matahari_$1_exec_t; ++ init_daemon_domain(matahari_$1_t, matahari_$1_exec_t) ++ ++') ++ +######################################## +## +## Search matahari lib directories. @@ -29112,10 +29252,10 @@ index 0000000..8e22c5e +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..fbad798 +index 0000000..82f22a4 --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,116 @@ +@@ -0,0 +1,82 @@ +policy_module(matahari,1.0.0) + +######################################## 
@@ -29123,17 +29263,11 @@ index 0000000..fbad798 +# Declarations +# + -+type matahari_hostd_t; -+type matahari_hostd_exec_t; -+init_daemon_domain(matahari_hostd_t, matahari_hostd_exec_t) -+ -+type matahari_netd_t; -+type matahari_netd_exec_t; -+init_daemon_domain(matahari_netd_t, matahari_netd_exec_t) ++attribute matahari_domain; + -+type matahari_serviced_t; -+type matahari_serviced_exec_t; -+init_daemon_domain(matahari_serviced_t, matahari_serviced_exec_t) ++matahari_domain_template(hostd) ++matahari_domain_template(netd) ++matahari_domain_template(serviced) + +type matahari_initrc_exec_t; +init_script_file(matahari_initrc_exec_t) @@ -29152,32 +29286,17 @@ index 0000000..fbad798 +# +# matahari_hostd local policy +# -+allow matahari_hostd_t self:capability sys_ptrace; -+allow matahari_hostd_t self:process { signal }; + -+allow matahari_hostd_t self:fifo_file rw_fifo_file_perms; -+allow matahari_hostd_t self:unix_stream_socket create_stream_socket_perms; ++allow matahari_hostd_t self:capability sys_ptrace; + +kernel_read_network_state(matahari_hostd_t) -+kernel_read_system_state(matahari_hostd_t) -+ -+corenet_tcp_connect_matahari_port(matahari_hostd_t) + +dev_read_sysfs(matahari_hostd_t) -+dev_read_urand(matahari_hostd_t) +dev_rw_mtrr(matahari_hostd_t) + +domain_use_interactive_fds(matahari_hostd_t) +domain_read_all_domains_state(matahari_hostd_t) + -+files_read_etc_files(matahari_hostd_t) -+ -+logging_send_syslog_msg(matahari_hostd_t) -+ -+miscfiles_read_localization(matahari_hostd_t) -+ -+sysnet_dns_name_resolve(matahari_hostd_t) -+ +optional_policy(` + dbus_system_bus_client(matahari_hostd_t) +') 
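Review bot: `allow matahari_hostd_t self:capability sys_ptrace;` is kept as the only hostd-specific capability after the common rules move to the `matahari_domain` attribute, but nothing says what needs it, and together with `domain_read_all_domains_state(matahari_hostd_t)` in the same hunk it lets the daemon inspect the state of every other domain. A why-comment would let a later reviewer judge whether the capability is still required, e.g. `# sys_ptrace: needed for <operation that triggered the denial>`. The hostd local policy section continues outside this hunk.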
@@ -29186,52 +29305,39 @@ index 0000000..fbad798 +# +# matahari_netd local policy +# -+allow matahari_netd_t self:process { signal }; -+ -+allow matahari_netd_t self:fifo_file rw_fifo_file_perms; -+allow matahari_netd_t self:unix_stream_socket create_stream_socket_perms; -+ -+kernel_read_system_state(matahari_netd_t) -+ -+corenet_tcp_connect_matahari_port(matahari_netd_t) -+ -+dev_read_urand(matahari_netd_t) + +domain_use_interactive_fds(matahari_netd_t) + -+files_read_etc_files(matahari_netd_t) -+ -+logging_send_syslog_msg(matahari_netd_t) -+ -+miscfiles_read_localization(matahari_netd_t) -+ -+sysnet_dns_name_resolve(matahari_netd_t) -+ +######################################## +# +# matahari_serviced local policy +# -+allow matahari_serviced_t self:process { signal }; + -+allow matahari_serviced_t self:fifo_file rw_fifo_file_perms; -+allow matahari_serviced_t self:unix_stream_socket create_stream_socket_perms; ++domain_use_interactive_fds(matahari_serviced_t) + -+kernel_read_system_state(matahari_serviced_t) ++####################################### ++# ++# matahari domain local policy ++# + -+corenet_tcp_connect_matahari_port(matahari_serviced_t) ++allow matahari_domain self:process { signal }; + -+dev_read_urand(matahari_serviced_t) ++allow matahari_domain self:fifo_file rw_fifo_file_perms; ++allow matahari_domain self:unix_stream_socket create_stream_socket_perms; + -+domain_use_interactive_fds(matahari_serviced_t) ++kernel_read_system_state(matahari_domain) ++ ++corenet_tcp_connect_matahari_port(matahari_domain) + -+files_read_etc_files(matahari_serviced_t) ++dev_read_urand(matahari_domain) + -+logging_send_syslog_msg(matahari_serviced_t) ++files_read_etc_files(matahari_domain) + -+miscfiles_read_localization(matahari_serviced_t) ++logging_send_syslog_msg(matahari_domain) + -+sysnet_dns_name_resolve(matahari_serviced_t) ++miscfiles_read_localization(matahari_domain) + ++sysnet_dns_name_resolve(matahari_domain) 
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index db4fd6f..5008a6c 100644 --- a/policy/modules/services/memcached.if @@ -29760,10 +29866,10 @@ index 0000000..f60483e +') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 -index 0000000..891bb5a +index 0000000..194ab69 --- /dev/null +++ b/policy/modules/services/mock.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,128 @@ +policy_module(mock,1.0.0) + +## @@ -29841,6 +29947,7 @@ index 0000000..891bb5a + +corecmd_exec_bin(mock_t) +corecmd_exec_shell(mock_t) ++corecmd_dontaudit_exec_all_executables(mock_t) + +corenet_tcp_connect_http_port(mock_t) + @@ -32356,11 +32463,50 @@ index ded9fb6..9d1e60a 100644 manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) files_pid_filetrans(ntop_t, ntop_var_run_t, file) +diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc +index e79dccc..50202ef 100644 +--- a/policy/modules/services/ntp.fc ++++ b/policy/modules/services/ntp.fc +@@ -10,6 +10,8 @@ + + /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) + ++/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) ++ + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) + /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..694b002 100644 +index e80f8c0..be0d107 100644 --- a/policy/modules/services/ntp.if 
+++ b/policy/modules/services/ntp.if -@@ -140,11 +140,10 @@ interface(`ntp_rw_shm',` +@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',` + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + ') + ++##################################### ++## ++## Allow domain to read ntpd systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntpd_read_unit_file',` ++ gen_require(` ++ type ntpd_unit_file_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 ntpd_unit_file_t:file read_file_perms; ++') ++ + ######################################## + ## + ## Read and write ntpd shared memory. +@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -32375,10 +32521,20 @@ index e80f8c0..694b002 100644 init_labeled_script_domtrans($1, ntpd_initrc_exec_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te -index c61adc8..b5b5992 100644 +index c61adc8..11909b0 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te -@@ -96,9 +96,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) +@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) + type ntpd_initrc_exec_t; + init_script_file(ntpd_initrc_exec_t) + ++type ntpd_unit_file_t; ++systemd_unit_file(ntpd_unit_file_t) ++ + type ntpd_key_t; + files_type(ntpd_key_t) + +@@ -96,9 +99,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) dev_read_sysfs(ntpd_t) # for SSP dev_read_urand(ntpd_t) @@ -37731,7 +37887,7 @@ index de37806..229a3c7 100644 + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te -index 93c896a..4930f2d 100644 +index 93c896a..64feaec 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0) 
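Review bot: `ntpd_read_unit_file` pairs `allow $1 ntpd_unit_file_t:file read_file_perms;` with `files_search_var_lib($1)`, but the ntp.fc hunk in this same commit places the unit file at `/lib/systemd/system/ntpd.service`, so the search permission granted is for the wrong directory tree; the caller needs search on the /lib path instead (`libs_search_lib($1)` in refpolicy terms), and `systemd_read_unit_files` in the systemd.if hunk of this commit has the same mismatch. The name also breaks the `ntp_` prefix that every other interface in this file uses (`ntp_initrc_domtrans`, `ntp_rw_shm`, `ntp_admin`); `ntp_read_unit_file` would match, though the gnomeclock.te caller would then need to change with it.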
@@ -37823,7 +37979,7 @@ index 93c896a..4930f2d 100644 ') optional_policy(` -@@ -114,13 +127,29 @@ optional_policy(` +@@ -114,13 +127,34 @@ optional_policy(` lvm_read_config(fenced_t) ') @@ -37833,8 +37989,12 @@ index 93c896a..4930f2d 100644 +# + +allow foghorn_t self:process { signal }; ++allow foghorn_t self:udp_socket create_socket_perms; ++ ++dev_read_urand(foghorn_t) + +files_read_etc_files(foghorn_t) ++files_read_usr_files(foghorn_t) + +optional_policy(` + dbus_connect_system_bus(foghorn_t) @@ -37842,6 +38002,7 @@ index 93c896a..4930f2d 100644 + +optional_policy(` + snmp_read_snmp_var_lib_files(foghorn_t) ++ snmp_stream_connect(foghorn_t) +') + ###################################### @@ -37854,7 +38015,7 @@ index 93c896a..4930f2d 100644 allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +168,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -139,10 +173,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -37865,7 +38026,7 @@ index 93c896a..4930f2d 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,9 +179,10 @@ optional_policy(` +@@ -154,9 +184,10 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -37877,7 +38038,7 @@ index 93c896a..4930f2d 100644 dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -@@ -168,8 +194,7 @@ init_rw_script_tmp_files(groupd_t) +@@ -168,8 +199,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # @@ -37887,7 +38048,7 @@ index 93c896a..4930f2d 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -199,6 +224,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) +@@ -199,6 +229,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_pipes(qdiskd_t) files_read_etc_files(qdiskd_t) 
@@ -37896,7 +38057,7 @@ index 93c896a..4930f2d 100644 storage_raw_read_removable_device(qdiskd_t) storage_raw_write_removable_device(qdiskd_t) storage_raw_read_fixed_disk(qdiskd_t) -@@ -207,10 +234,6 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -207,10 +239,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -37907,7 +38068,7 @@ index 93c896a..4930f2d 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +246,28 @@ optional_policy(` +@@ -223,18 +251,28 @@ optional_policy(` # rhcs domains common policy # @@ -48608,7 +48769,7 @@ index cc83689..3388f34 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..e2a25f1 100644 +index ea29513..d6ca7e5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -48767,7 +48928,7 @@ index ea29513..e2a25f1 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +234,116 @@ tunable_policy(`init_upstart',` +@@ -186,12 +234,118 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -48824,6 +48985,7 @@ index ea29513..e2a25f1 100644 + files_relabel_all_lock_dirs(init_t) + + fs_manage_cgroup_dirs(init_t) ++ fs_manage_cgroup_files(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) + fs_relabel_tmpfs_dirs(init_t) @@ -48831,8 +48993,6 @@ index ea29513..e2a25f1 100644 + fs_mount_all_fs(init_t) + fs_remount_autofs(init_t) + fs_list_auto_mountpoints(init_t) -+ fs_read_cgroup_files(init_t) -+ fs_write_cgroup_files(init_t) + fs_relabel_cgroup_dirs(init_t) + fs_search_cgroup_dirs(daemon) + @@ -48851,6 +49011,9 @@ index ea29513..e2a25f1 100644 + + seutil_read_file_contexts(init_t) + ++ systemd_exec_systemctl(init_t) ++ systemd_read_unit_files(init_t) ++ + # needs to remain + logging_create_devlog_dev(init_t) + 
@@ -48884,7 +49047,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -199,10 +351,25 @@ optional_policy(` +@@ -199,10 +353,25 @@ optional_policy(` ') optional_policy(` @@ -48910,7 +49073,7 @@ index ea29513..e2a25f1 100644 unconfined_domain(init_t) ') -@@ -212,7 +379,7 @@ optional_policy(` +@@ -212,7 +381,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -48919,7 +49082,7 @@ index ea29513..e2a25f1 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +408,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +410,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -48935,7 +49098,7 @@ index ea29513..e2a25f1 100644 init_write_initctl(initrc_t) -@@ -258,20 +428,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +430,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -48972,7 +49135,7 @@ index ea29513..e2a25f1 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +461,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +463,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -48980,7 +49143,7 @@ index ea29513..e2a25f1 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +474,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +476,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) 
@@ -48988,7 +49151,7 @@ index ea29513..e2a25f1 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +482,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +484,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -49004,7 +49167,7 @@ index ea29513..e2a25f1 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +500,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +502,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -49012,7 +49175,7 @@ index ea29513..e2a25f1 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +508,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +510,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -49024,7 +49187,7 @@ index ea29513..e2a25f1 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +527,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +529,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -49038,7 +49201,7 @@ index ea29513..e2a25f1 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +542,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +544,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -49047,7 +49210,7 @@ index ea29513..e2a25f1 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +556,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +558,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -49055,7 +49218,7 @@ index ea29513..e2a25f1 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +568,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +570,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -49063,7 +49226,7 @@ index ea29513..e2a25f1 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +589,12 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +591,12 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -49079,7 +49242,7 @@ index ea29513..e2a25f1 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -458,6 +652,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +654,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -49090,7 +49253,7 @@ index ea29513..e2a25f1 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +676,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +678,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -49099,7 +49262,7 @@ index ea29513..e2a25f1 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +691,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +693,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -49107,7 +49270,7 @@ index ea29513..e2a25f1 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -524,6 +723,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +725,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -49131,7 +49294,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -531,10 +747,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +749,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -49149,7 +49312,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -549,6 +772,39 @@ ifdef(`distro_suse',` +@@ -549,6 +774,39 @@ ifdef(`distro_suse',` ') ') @@ -49189,7 +49352,7 @@ index ea29513..e2a25f1 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +817,8 @@ optional_policy(` +@@ -561,6 +819,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -49198,7 +49361,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -577,6 +835,7 @@ optional_policy(` +@@ -577,6 +837,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -49206,7 +49369,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -589,6 +848,11 @@ optional_policy(` +@@ -589,6 +850,11 @@ optional_policy(` ') optional_policy(` @@ -49218,7 +49381,7 @@ index ea29513..e2a25f1 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +869,13 @@ optional_policy(` +@@ -605,9 +871,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -49232,7 +49395,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -649,6 +917,11 @@ optional_policy(` +@@ -649,6 +919,11 @@ optional_policy(` ') optional_policy(` 
@@ -49244,7 +49407,7 @@ index ea29513..e2a25f1 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +979,13 @@ optional_policy(` +@@ -706,7 +981,13 @@ optional_policy(` ') optional_policy(` @@ -49258,7 +49421,7 @@ index ea29513..e2a25f1 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1008,10 @@ optional_policy(` +@@ -729,6 +1010,10 @@ optional_policy(` ') optional_policy(` @@ -49269,7 +49432,7 @@ index ea29513..e2a25f1 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1021,20 @@ optional_policy(` +@@ -738,10 +1023,20 @@ optional_policy(` ') optional_policy(` @@ -49290,7 +49453,7 @@ index ea29513..e2a25f1 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1043,10 @@ optional_policy(` +@@ -750,6 +1045,10 @@ optional_policy(` ') optional_policy(` @@ -49301,7 +49464,7 @@ index ea29513..e2a25f1 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1068,6 @@ optional_policy(` +@@ -771,8 +1070,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -49310,7 +49473,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -781,14 +1076,21 @@ optional_policy(` +@@ -781,14 +1078,21 @@ optional_policy(` ') optional_policy(` @@ -49332,7 +49495,7 @@ index ea29513..e2a25f1 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1102,6 @@ optional_policy(` +@@ -800,7 +1104,6 @@ optional_policy(` ') optional_policy(` @@ -49340,7 +49503,7 @@ index ea29513..e2a25f1 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1111,24 @@ optional_policy(` +@@ -810,11 +1113,24 @@ optional_policy(` ') optional_policy(` @@ -49366,7 +49529,7 @@ index ea29513..e2a25f1 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1138,25 @@ optional_policy(` +@@ -824,6 +1140,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') 
@@ -49392,7 +49555,7 @@ index ea29513..e2a25f1 100644 ') optional_policy(` -@@ -849,3 +1182,42 @@ optional_policy(` +@@ -849,3 +1184,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -50001,14 +50164,14 @@ index 1d1c399..b8f623a 100644 + tgtd_manage_semaphores(iscsid_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..010ec0e 100644 +index 9df8c4d..55b1544 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -44,6 +44,7 @@ ifdef(`distro_redhat',` /lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:lib_t,s0) ++#/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:lib_t,s0) ifdef(`distro_debian',` /lib32 -l gen_context(system_u:object_r:lib_t,s0) @@ -53627,17 +53790,19 @@ index df32316..e8d03fb 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..266e9b0 +index 0000000..c7476cb --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,14 @@ +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) + ++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + +/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) + ++/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0) +/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + +/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) 
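Review bot: The libraries.fc change turns the `/lib/systemd/system(/.*)?` entry into a comment (`+#/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:lib_t,s0)`) instead of dropping it, now that systemd.fc in this commit labels the same path as `systemd_unit_file_t`. A commented-out file-context line only invites someone to re-enable a conflicting label later; remove the line from libraries.fc outright.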
@@ -53645,14 +53810,120 @@ index 0000000..266e9b0 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..aabfb0d +index 0000000..4dfe28c --- /dev/null 
+++ b/policy/modules/system/systemd.if -@@ -0,0 +1,140 @@ +@@ -0,0 +1,246 @@ +## SELinux policy for systemd components + +####################################### +## ++## Create a domain for processes which are started ++## exuting systemctl. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++# ++interface(`systemd_systemctl_domain',` ++ gen_require(` ++ type systemd_systemctl_exec_t; ++ role system_r; ++ ') ++ ++ type $1_systemctl_t; ++ domain_type($1_systemctl_t) ++ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) ++ ++ role system_r types $1_systemctl_t; ++ ++ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) ++') ++ ++######################################## ++## ++## Execute systemctl in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_exec_systemctl',` ++ gen_require(` ++ type systemd_systemctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, systemd_systemctl_exec_t) ++') ++ ++####################################### ++## ++## Create a file type used for systemd unit files. ++## ++## ++## ++## Type to be used for an unit file. ++## ++## ++# ++interface(`systemd_unit_file',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ typeattribute $1 systemd_unit_file_type; ++ files_type($1) ++') ++ ++###################################### ++## ++## Allow domain to read all systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_read_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:file read_file_perms; ++') ++ ++##################################### ++## ++## Dontaudit domain to read all systemd unit files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_dontaudit_read_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ dontaudit $1 systemd_unit_file_type:file read_file_perms; ++') ++ ++####################################### ++## +## Execute a domain transition to run systemd-tmpfiles. +## +## @@ -53791,10 +54062,10 @@ index 0000000..aabfb0d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..80d1ba6 +index 0000000..a7fc66b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,175 @@ +@@ -0,0 +1,185 @@ + +policy_module(systemd, 1.0.0) + @@ -53803,6 +54074,8 @@ index 0000000..80d1ba6 +# Declarations +# + ++attribute systemd_unit_file_type; ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + @@ -53824,6 +54097,14 @@ index 0000000..80d1ba6 +permissive systemd_tmpfiles_t; +permissive systemd_notify_t; + ++# type for systemd unit files ++type systemd_unit_file_t; ++systemd_unit_file(systemd_unit_file_t) ++ ++# executable for systemctl ++type systemd_systemctl_exec_t; ++corecmd_executable_file(systemd_systemctl_exec_t) ++ +# +# Type for systemd pipes in /dev/.systemd/ directory +# @@ -55104,7 +55385,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..195c663 100644 +index 28b88de..4984747 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -56697,6 +56978,15 @@ index 28b88de..195c663 100644 ######################################## ## +@@ -2008,7 +2410,7 @@ interface(`userdom_user_home_dir_filetrans',` + type user_home_dir_t; + ') + +- filetrans_pattern($1, user_home_dir_t, $2, $3) ++ filetrans_pattern($1, user_home_dir_t, $2, $3, $4) + files_search_home($1) + ') + 
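Review bot: The documentation for `systemd_systemctl_domain` describes two parameters ("Domain allowed access." and "Type to be used as a domain."), but the interface takes a single prefix and derives both `$1_t` and `$1_systemctl_t` from it, matching the call `systemd_systemctl_domain(gnomeclock)` in gnomeclock.te; document one parameter, `prefix`, and state that the calling domain must be named `<prefix>_t`. The summary also has a typo, `exuting` for `executing`, and `domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)` carries a stray space before the comma. Since every caller will need the rules gnomeclock.te adds under `# needed by systemctl` (`init_stream_connect`, `init_read_state`), consider placing them in this interface so each new `<prefix>_systemctl_t` starts from a consistent baseline.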
@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -57241,7 +57531,7 @@ index 28b88de..195c663 100644 + type admin_home_t; + ') + -+ filetrans_pattern($1, admin_home_t, $2, $3) ++ filetrans_pattern($1, admin_home_t, $2, $3, $4) +') + +######################################## diff --git a/selinux-policy.spec b/selinux-policy.spec index 1a7d898..cda6f97 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,17 @@ exit 0 %endif %changelog +* Mon Apr 11 2011 Miroslav Grepl 3.9.16-14 +- Need to allow apps that use locks to read /var/lock if it is a symlink +- Allow systemd to create tasks +- Logwatch reads /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward +- Fixes for foghorn policy +- Add labeling for systemd unit files +- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added +- Add label for matahari-broker.pid file +- We want to remove untrustedmcsprocess from ability to read /proc/pid +- Fixes for matahari policy + * Thu Apr 7 2011 Miroslav Grepl 3.9.16-13 - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file
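Review bot: `filetrans_pattern($1, user_home_dir_t, $2, $3, $4)` passes a new fourth argument (the filename position of `filetrans_pattern`) through `userdom_user_home_dir_filetrans`, and the hunk at `@@ -57241` does the same for `userdom_admin_home_dir_filetrans`, but neither interface's parameter documentation is updated. Add a `<param name="filename" optional="true">` entry to each describing the name the transition is restricted to, so callers know the argument exists and that omitting it keeps the previous name-independent behavior. Both interface bodies begin outside the hunks.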