diff --git a/docker-selinux.tgz b/docker-selinux.tgz index e168dc6..311f744 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 9a9cb7e..2e07578 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -868,7 +868,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..2e137e6 100644 +index a94b169..d0a8a5b 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -879,7 +879,7 @@ index a94b169..2e137e6 100644 } -@@ -393,6 +394,13 @@ class system +@@ -393,6 +394,15 @@ class system syslog_mod syslog_console module_request @@ -890,10 +890,12 @@ index a94b169..2e137e6 100644 + enable + disable + reload ++ stop ++ start } # -@@ -443,10 +451,13 @@ class capability +@@ -443,10 +453,13 @@ class capability class capability2 { mac_override # unused by SELinux @@ -908,7 +910,7 @@ index a94b169..2e137e6 100644 } # -@@ -690,6 +701,8 @@ class nscd +@@ -690,6 +703,8 @@ class nscd shmemhost getserv shmemserv @@ -917,7 +919,7 @@ index a94b169..2e137e6 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +844,38 @@ inherits socket +@@ -831,6 +846,38 @@ inherits socket attach_queue } @@ -956,7 +958,7 @@ index a94b169..2e137e6 100644 class x_pointer inherits x_device -@@ -865,3 +910,18 @@ inherits database +@@ -865,3 +912,18 @@ inherits database implement execute } @@ -6397,7 +6399,7 @@ index b31c054..50a45cf 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..3f6a351 100644 +index 76f285e..c542dd3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
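Review bot: The two permissions added to `class system`, `stop` and `start`, land with no comment, although the same access_vectors hunk shows the file's habit of annotating special-purpose permissions (`mac_override # unused by SELinux`). Like the `enable`, `disable` and `reload` entries directly above them, these are permissions checked by systemd's own SELinux access checks on unit operations rather than by the kernel, so a one-line comment over the group, `# unit-control permissions checked by systemd`, would tell a reader why they live in class system. The inner hunk headers (`+@@ -393,6 +394,15 @@` and the shifted `+@@ -443,10 +453,13 @@` onward) were bumped consistently by two lines, so the nested patch should still apply.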
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7353,7 +7355,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -3144,6 +3686,60 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3686,61 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7407,6 +7409,7 @@ index 76f285e..3f6a351 100644 + ') + + read_chr_files_pattern($1, device_t, nvme_device_t) ++ read_blk_files_pattern($1, device_t, nvme_device_t) +') + +######################################## @@ -7414,7 +7417,7 @@ index 76f285e..3f6a351 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3759,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3760,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7439,7 +7442,7 @@ index 76f285e..3f6a351 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3868,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3869,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7466,7 +7469,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -3262,12 +3894,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3895,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7483,7 +7486,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -3399,7 +4032,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4033,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7492,7 +7495,7 @@ index 76f285e..3f6a351 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4046,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4047,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
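Review bot: The added `read_blk_files_pattern($1, device_t, nvme_device_t)` widens this interface from the NVMe character nodes to block nodes, i.e. raw read of whole-namespace disk contents that bypasses the file system's own labels, and nothing in the hunk documents that; the interface's XML summary (above the hunk) should say so, e.g. `## Read NVMe controller and namespace devices; block read grants raw access to disk contents.`. Whether the rule has any effect depends on devices.fc in this patch labelling the `/dev/nvme*n*` block nodes as nvme_device_t rather than the generic fixed_disk_device_t; if it does not, callers will still be denied on the disk type and this line is dead, so that is worth confirming before merging. The enclosing interface begins before this hunk, so its `gen_require` is not visible here.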
@@ -7501,7 +7504,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -3855,7 +4488,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4489,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7510,7 +7513,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -3863,91 +4496,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4497,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7621,7 +7624,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -3955,68 +4586,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4587,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7700,7 +7703,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4024,114 +4640,97 @@ interface(`dev_rw_sysfs',` +@@ -4024,114 +4641,97 @@ interface(`dev_rw_sysfs',` ## ## # @@ -7845,7 +7848,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4139,35 +4738,50 @@ interface(`dev_getattr_generic_usb_dev',` +@@ -4139,35 +4739,50 @@ interface(`dev_getattr_generic_usb_dev',` ## ## # @@ -7904,7 +7907,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4175,7 +4789,254 @@ interface(`dev_read_generic_usb_dev',` +@@ -4175,7 +4790,254 @@ interface(`dev_read_generic_usb_dev',` ## ## # @@ -8160,7 +8163,7 @@ index 76f285e..3f6a351 100644 gen_require(` type device_t, usb_device_t; ') -@@ -4330,28 +5191,180 @@ interface(`dev_search_usbfs',` +@@ -4330,28 +5192,180 @@ interface(`dev_search_usbfs',` ######################################## ## @@ -8350,7 +8353,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4359,19 +5372,17 @@ interface(`dev_list_usbfs',` +@@ -4359,19 +5373,17 @@ interface(`dev_list_usbfs',` ## ## # @@ -8374,7 +8377,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4379,19 +5390,17 @@ interface(`dev_setattr_usbfs_files',` +@@ -4379,19 +5391,17 @@ interface(`dev_setattr_usbfs_files',` ## ## # 
@@ -8398,7 +8401,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4399,37 +5408,36 @@ interface(`dev_read_usbfs',` +@@ -4399,37 +5409,36 @@ interface(`dev_read_usbfs',` ## ## # @@ -8447,7 +8450,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4437,18 +5445,18 @@ interface(`dev_getattr_video_dev',` +@@ -4437,18 +5446,18 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -8471,7 +8474,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4456,17 +5464,17 @@ interface(`dev_rw_userio_dev',` +@@ -4456,17 +5465,17 @@ interface(`dev_rw_userio_dev',` ## ## # @@ -8493,7 +8496,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4474,36 +5482,35 @@ interface(`dev_dontaudit_getattr_video_dev',` +@@ -4474,36 +5483,35 @@ interface(`dev_dontaudit_getattr_video_dev',` ## ## # @@ -8539,7 +8542,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4511,17 +5518,17 @@ interface(`dev_dontaudit_setattr_video_dev',` +@@ -4511,17 +5519,17 @@ interface(`dev_dontaudit_setattr_video_dev',` ## ## # @@ -8561,7 +8564,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4529,17 +5536,17 @@ interface(`dev_read_video_dev',` +@@ -4529,17 +5537,17 @@ interface(`dev_read_video_dev',` ## ## # @@ -8583,7 +8586,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4547,12 +5554,12 @@ interface(`dev_write_video_dev',` +@@ -4547,12 +5555,12 @@ interface(`dev_write_video_dev',` ## ## # @@ -8598,7 +8601,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -4630,6 +5637,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5638,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -8623,7 +8626,7 @@ index 76f285e..3f6a351 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5787,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5788,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## 
@@ -8668,7 +8671,7 @@ index 76f285e..3f6a351 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5914,1019 @@ interface(`dev_unconfined',` +@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -31042,7 +31045,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..436b1e0 100644 +index 8b40377..97bb1df 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -31636,7 +31639,7 @@ index 8b40377..436b1e0 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +643,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -31683,10 +31686,11 @@ index 8b40377..436b1e0 100644 +systemd_dbus_chat_localed(xdm_t) +systemd_dbus_chat_hostnamed(xdm_t) +systemd_start_power_services(xdm_t) ++systemd_status_power_services(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +691,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31856,7 +31860,7 @@ index 8b40377..436b1e0 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +860,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') 
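Review bot: `systemd_status_power_services(xdm_t)` is added beside `systemd_start_power_services(xdm_t)`, but no hunk on this page adds that interface to systemd.if; unless the base patch defines it together with the start variant, the xserver module will not build. It also presumes `status` is already a `class system` permission, which is not among the ones the access_vectors hunk above introduces (`stop`, `start`), so that should be checked as well. Granting status alongside start is the narrower of the two and is reasonable for a display manager querying power-unit state.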
@@ -31888,7 +31892,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -518,8 +894,36 @@ optional_policy(` +@@ -518,8 +895,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -31926,7 +31930,7 @@ index 8b40377..436b1e0 100644 ') ') -@@ -530,6 +934,20 @@ optional_policy(` +@@ -530,6 +935,20 @@ optional_policy(` ') optional_policy(` @@ -31947,7 +31951,7 @@ index 8b40377..436b1e0 100644 hostname_exec(xdm_t) ') -@@ -547,28 +965,78 @@ optional_policy(` +@@ -547,28 +966,78 @@ optional_policy(` ') optional_policy(` @@ -32035,7 +32039,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -580,6 +1048,14 @@ optional_policy(` +@@ -580,6 +1049,14 @@ optional_policy(` ') optional_policy(` @@ -32050,7 +32054,7 @@ index 8b40377..436b1e0 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1071,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -32059,7 +32063,7 @@ index 8b40377..436b1e0 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1081,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -32072,7 +32076,7 @@ index 8b40377..436b1e0 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1098,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -32088,7 +32092,7 @@ index 8b40377..436b1e0 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1114,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -32099,7 +32103,7 @@ index 8b40377..436b1e0 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1129,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -32136,7 +32140,7 @@ index 8b40377..436b1e0 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1175,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32168,7 +32172,7 @@ index 8b40377..436b1e0 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1208,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32183,7 +32187,7 @@ index 8b40377..436b1e0 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1228,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1229,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -32207,7 +32211,7 @@ index 8b40377..436b1e0 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1248,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -32216,7 +32220,7 @@ index 8b40377..436b1e0 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1291,54 @@ optional_policy(` +@@ -785,17 +1292,54 @@ optional_policy(` ') optional_policy(` @@ -32273,7 +32277,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -803,6 +1346,10 @@ optional_policy(` +@@ -803,6 +1347,10 @@ optional_policy(` ') optional_policy(` 
@@ -32284,7 +32288,7 @@ index 8b40377..436b1e0 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1366,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32309,7 +32313,7 @@ index 8b40377..436b1e0 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1388,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1389,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -32344,7 +32348,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1454,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -32353,7 +32357,7 @@ index 8b40377..436b1e0 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1508,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -32385,7 +32389,7 @@ index 8b40377..436b1e0 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1554,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 59479df..0a17576 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -3818,7 +3818,7 @@ index 7caefc3..754c30f 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..438bc20 100644 +index f6eb485..ce5dba7 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3834,15 +3834,18 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -13,118 +13,126 @@ +@@ -11,120 +11,233 @@ + ## + ## # - template(`apache_content_template',` +-template(`apache_content_template',` ++template(`apache_user_content_template',` gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; + attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t; -+ attribute httpd_script_type, httpd_content_type; ++ attribute httpd_script_type, httpd_user_content_type; ') - ######################################## 
@@ -3878,41 +3881,136 @@ index f6eb485..438bc20 100644 - type httpd_$1_rw_content_t, httpdcontent; # customizable - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) -- ++ #This type is for webpages ++ type $1_content_t; # customizable; ++ typeattribute $1_content_t httpd_user_content_type; ++ typealias $1_content_t alias httpd_$1_script_ro_t; ++ files_type($1_content_t) ++ ++ # This type is used for .htaccess files ++ type $1_htaccess_t, httpd_content_type; # customizable; ++ typeattribute $1_htaccess_t httpd_user_content_type; ++ files_type($1_htaccess_t) ++ ++ # Type that CGI scripts run as ++ type $1_script_t, httpd_script_type; ++ domain_type($1_script_t) ++ role system_r types $1_script_t; ++ ++ kernel_read_system_state($1_script_t) ++ ++ # This type is used for executable scripts files ++ type $1_script_exec_t, httpd_script_exec_type; # customizable; ++ typeattribute $1_script_exec_t httpd_user_content_type; ++ domain_entry_file($1_script_t, $1_script_exec_t) ++ ++ type $1_rw_content_t; # customizable ++ typeattribute $1_rw_content_t httpd_user_content_type; ++ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t }; ++ files_type($1_rw_content_t) ++ ++ type $1_ra_content_t, httpd_content_type; # customizable ++ typeattribute $1_ra_content_t httpd_user_content_type; ++ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t }; ++ files_type($1_ra_content_t) ++ ++ # Allow the script process to search the cgi directory, and users directory ++ allow $1_script_t $1_content_t:dir search_dir_perms; ++ ++ can_exec($1_script_t, $1_script_exec_t) ++ allow $1_script_t $1_script_exec_t:dir list_dir_perms; ++ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ create_files_pattern($1_script_t, $1_ra_content_t, 
$1_ra_content_t) ++ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ ++ allow $1_script_t $1_content_t:dir list_dir_perms; ++ read_files_pattern($1_script_t, $1_content_t, $1_content_t) ++ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t) ++ ++ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ ++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write }; ++ ++ # Allow the web server to run scripts and serve pages ++ tunable_policy(`httpd_builtin_scripting',` ++ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) + - type httpd_$1_ra_content_t, httpdcontent; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) -- ++ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms }; ++ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) + - ######################################## - # - # Policy - # -- ++ ') + - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -- ++ tunable_policy(`httpd_enable_cgi',` ++ allow $1_script_t $1_script_exec_t:file entrypoint; + - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t 
httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; -- ++ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) + - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; -- ++ # privileged users run the script: ++ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) + - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) -- ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; + - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; - allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; -- ++ # apache runs the script: ++ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) ++ allow httpd_t $1_script_t:unix_dgram_socket sendto; ++ ') ++') + - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) -- ') -- ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. 
++## ++## ++# ++template(`apache_content_template',` ++ gen_require(` ++ attribute httpd_exec_scripts, httpd_script_exec_type; ++ type httpd_t, httpd_suexec_t; ++ attribute httpd_script_type, httpd_content_type; + ') + + #This type is for webpages + type $1_content_t; # customizable; + typeattribute $1_content_t httpd_content_type; @@ -4013,11 +4111,11 @@ index f6eb485..438bc20 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) ++ ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; -+ + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; @@ -4056,7 +4154,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -133,47 +141,61 @@ template(`apache_content_template',` +@@ -133,47 +246,61 @@ template(`apache_content_template',` ## ## ## @@ -4147,7 +4245,7 @@ index f6eb485..438bc20 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +206,7 @@ interface(`apache_role',` +@@ -184,7 +311,7 @@ interface(`apache_role',` ######################################## ## @@ -4156,7 +4254,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -204,7 +226,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +331,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -4165,7 +4263,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -224,7 +246,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +351,7 @@ interface(`apache_read_user_content',` ######################################## ## 
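Review bot: In the new `apache_user_content_template`, attribute assignment is uneven across the derived types: `$1_htaccess_t` and `$1_ra_content_t` are declared with `httpd_content_type` and additionally given `httpd_user_content_type`, while `$1_content_t`, `$1_rw_content_t` and `$1_script_exec_t` receive only `httpd_user_content_type`. Any interface keyed on `httpd_content_type` (the sibling `apache_content_template` that follows gives every one of its types that attribute) will then cover some user content types but not others; either add `typeattribute $1_content_t httpd_content_type;` and the matching lines for the rw and script_exec types, or drop the attribute from the two that carry it and explain the split in a comment. The `role system_r types $1_script_t;` line would also benefit from a comment, since scripts entered via `httpd_exec_scripts` presumably need the calling user's role granted elsewhere for the transition to succeed. The template's header and `gen_require` are in the preceding hunk.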
@@ -4174,7 +4272,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -241,27 +263,47 @@ interface(`apache_domtrans',` +@@ -241,27 +368,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -4229,7 +4327,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -279,7 +321,7 @@ interface(`apache_signal',` +@@ -279,7 +426,7 @@ interface(`apache_signal',` ######################################## ## @@ -4238,7 +4336,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -297,7 +339,7 @@ interface(`apache_signull',` +@@ -297,7 +444,7 @@ interface(`apache_signull',` ######################################## ## @@ -4247,7 +4345,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -315,8 +357,7 @@ interface(`apache_sigchld',` +@@ -315,8 +462,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -4257,7 +4355,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -334,8 +375,8 @@ interface(`apache_use_fds',` +@@ -334,8 +480,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -4268,18 +4366,16 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -348,13 +389,32 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +494,32 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Allow attempts to read and write Apache +## unix domain stream sockets. +## 
@@ -4295,16 +4391,18 @@ index f6eb485..438bc20 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## ## ## -@@ -367,13 +427,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -367,13 +532,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` type httpd_t; ') @@ -4321,7 +4419,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -391,8 +451,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +556,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -4331,7 +4429,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -417,7 +476,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +581,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -4341,7 +4439,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -435,7 +495,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +600,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -4351,7 +4449,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -453,7 +514,8 @@ interface(`apache_list_cache',` +@@ -453,7 +619,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -4361,7 +4459,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -471,7 +533,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +638,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -4371,7 +4469,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -489,7 +552,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +657,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## 
@@ -4381,7 +4479,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -507,49 +571,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +676,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -4444,7 +4542,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -570,8 +636,8 @@ interface(`apache_manage_config',` +@@ -570,8 +741,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -4455,7 +4553,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -608,16 +674,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +779,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -4497,7 +4595,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -639,7 +727,8 @@ interface(`apache_read_log',` +@@ -639,7 +832,8 @@ interface(`apache_read_log',` ######################################## ## @@ -4507,7 +4605,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -657,10 +746,29 @@ interface(`apache_append_log',` +@@ -657,10 +851,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -4539,7 +4637,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -678,8 +786,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +891,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -4550,7 +4648,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -687,20 +795,21 @@ interface(`apache_dontaudit_append_log',` +@@ -687,20 +900,21 @@ interface(`apache_dontaudit_append_log',` ## ## # @@ -4580,7 +4678,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -708,19 +817,21 @@ interface(`apache_manage_log',` +@@ -708,19 +922,21 @@ interface(`apache_manage_log',` ## ## # @@ -4606,7 +4704,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -738,7 +849,8 @@ interface(`apache_dontaudit_search_modules',` +@@ -738,7 +954,8 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## 
@@ -4616,7 +4714,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -746,17 +858,19 @@ interface(`apache_dontaudit_search_modules',` +@@ -746,17 +963,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # @@ -4639,7 +4737,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -764,19 +878,19 @@ interface(`apache_list_modules',` +@@ -764,19 +983,19 @@ interface(`apache_list_modules',` ## ## # @@ -4663,7 +4761,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -784,19 +898,19 @@ interface(`apache_exec_modules',` +@@ -784,19 +1003,19 @@ interface(`apache_exec_modules',` ## ## # @@ -4688,7 +4786,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -809,13 +923,50 @@ interface(`apache_domtrans_rotatelogs',` +@@ -809,13 +1028,50 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') @@ -4741,7 +4839,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -829,13 +980,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +1085,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4758,7 +4856,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -844,6 +996,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +1101,7 @@ interface(`apache_list_sys_content',` ## ## # 
@@ -4766,37 +4864,17 @@ index f6eb485..438bc20 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +1008,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +1113,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') -######################################## +###################################### -+## -+## Allow the specified domain to read -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_files',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw dirs. ++## apache system content rw files. ## ## ## @@ -4806,12 +4884,32 @@ index f6eb485..438bc20 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_dirs',` ++interface(`apache_read_sys_content_rw_files',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -4873,7 +4971,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -888,10 +1107,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1212,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # 
@@ -4892,7 +4990,7 @@ index f6eb485..438bc20 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1127,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1232,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4904,7 +5002,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -916,7 +1141,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` +@@ -916,7 +1246,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` type httpd_sys_script_t; ') @@ -4913,7 +5011,7 @@ index f6eb485..438bc20 100644 ') ######################################## -@@ -941,7 +1166,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1271,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4922,7 +5020,7 @@ index f6eb485..438bc20 100644 ## to the specified role. ## ## -@@ -954,6 +1179,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1284,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4930,7 +5028,7 @@ index f6eb485..438bc20 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1192,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1297,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4940,7 +5038,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -979,12 +1206,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1311,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4956,7 +5054,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1002,7 +1230,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1335,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## 
@@ -4965,7 +5063,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1015,13 +1243,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1348,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4980,7 +5078,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1041,7 +1268,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1373,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4989,7 +5087,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1059,8 +1286,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1391,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4999,7 +5097,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1071,18 +1297,21 @@ interface(`apache_search_sys_scripts',` +@@ -1071,18 +1402,21 @@ interface(`apache_search_sys_scripts',` # interface(`apache_manage_all_user_content',` gen_require(` @@ -5027,7 +5125,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1100,7 +1329,8 @@ interface(`apache_search_sys_script_state',` +@@ -1100,7 +1434,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -5037,7 +5135,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1117,10 +1347,29 @@ interface(`apache_read_tmp_files',` +@@ -1117,10 +1452,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -5069,7 +5167,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1133,7 +1382,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1133,7 +1487,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -5078,7 +5176,7 @@ index f6eb485..438bc20 100644 ') ######################################## -@@ -1142,6 +1391,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1142,6 +1496,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -5088,7 +5186,7 @@ index f6eb485..438bc20 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1171,8 +1423,31 @@ interface(`apache_cgi_domain',` +@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -5122,7 +5220,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1189,18 +1464,19 @@ interface(`apache_cgi_domain',` +@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -5151,7 +5249,7 @@ index f6eb485..438bc20 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1210,10 +1486,10 @@ interface(`apache_admin',` +@@ -1210,10 +1591,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -5165,7 +5263,7 @@ index f6eb485..438bc20 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1500,182 @@ interface(`apache_admin',` +@@ -1224,9 +1605,182 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -5301,9 +5399,7 @@ index f6eb485..438bc20 100644 + type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t; + type httpd_user_content_ra_t; + ') - -- apache_run_all_scripts($1, $2) -- apache_run_helper($1, $2) ++ + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") @@ -5311,7 +5407,9 @@ index f6eb485..438bc20 100644 + filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") +') -+ + +- apache_run_all_scripts($1, $2) +- apache_run_helper($1, $2) +######################################## +## +## Read apache pid files. @@ -5353,7 +5451,7 @@ index f6eb485..438bc20 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..1862dfb 100644 +index 6649962..4cb64e5 100644 --- a/apache.te +++ b/apache.te 
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5926,7 +6024,7 @@ index 6649962..1862dfb 100644 files_tmpfs_file(httpd_tmpfs_t) -apache_content_template(user) -+apache_content_template(httpd_user) ++apache_user_content_template(httpd_user) ubac_constrained(httpd_user_script_t) + +typeattribute httpd_user_content_t httpdcontent; @@ -6137,7 +6235,7 @@ index 6649962..1862dfb 100644 fs_read_iso9660_files(httpd_t) -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) -+fs_read_hugetlbfs_files(httpd_t) ++fs_rw_hugetlbfs_files(httpd_t) + +auth_use_nsswitch(httpd_t) + @@ -7193,11 +7291,11 @@ index 6649962..1862dfb 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- --append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +allow httpd_sys_script_t self:process getsched; +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -7338,14 +7436,14 @@ index 6649962..1862dfb 100644 -# -# System script local policy -# -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t self:tcp_socket { accept listen }; - -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; 
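Review bot: `fs_rw_hugetlbfs_files(httpd_t)` in the `@@ -6137,7 +6235,7 @@` hunk widens httpd's hugetlbfs access from read to read/write and carries no comment saying which module or configuration needs it; hugetlbfs files are shared mappings, so write is a materially broader grant than the `fs_read_hugetlbfs_files(httpd_t)` it replaces. A one-line why-comment above the call, e.g. `# TODO(reviewer): name the httpd module/config that maps hugepages read-write`, lets the next reader tell an intended grant from a denial-driven one. If only a specific module needs it, gating the call behind that module's boolean would keep the default httpd_t at read access.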
@@ -7523,14 +7621,15 @@ index 6649962..1862dfb 100644 ') ######################################## -@@ -1330,49 +1628,38 @@ optional_policy(` +@@ -1330,49 +1628,40 @@ optional_policy(` # User content local policy # -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') -- ++auth_use_nsswitch(httpd_user_script_t) + -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_cifs_files(httpd_user_script_t) @@ -7539,13 +7638,6 @@ index 6649962..1862dfb 100644 - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_user_script_t) --') -+auth_use_nsswitch(httpd_user_script_t) - --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -- fs_list_auto_mountpoints(httpd_user_script_t) -- fs_read_nfs_files(httpd_user_script_t) -- fs_read_nfs_symlinks(httpd_user_script_t) +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) 
@@ -7554,13 +7646,20 @@ index 6649962..1862dfb 100644 + manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ') --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_user_script_t) +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +- fs_list_auto_mountpoints(httpd_user_script_t) +- fs_read_nfs_files(httpd_user_script_t) +- fs_read_nfs_symlinks(httpd_user_script_t) +-') +# allow accessing files/dirs below the users home dir +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) + +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_user_script_t) ++ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ') tunable_policy(`httpd_read_user_content',` @@ -7588,7 +7687,7 @@ index 6649962..1862dfb 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1669,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -29471,7 +29570,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..8bfc879 100644 +index 36838c2..2812a63 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29517,7 +29616,22 @@ index 36838c2..8bfc879 100644 ## ##
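Review bot: The added `read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)` inside `tunable_policy(`httpd_enable_homedirs',` grants httpd_t read on every user content type under a boolean whose neighbouring rules only grant directory search. The following block, `tunable_policy(`httpd_read_user_content',`, is cut off by the hunk, but its name suggests it gates the same read access; if so the two booleans now overlap and `httpd_enable_homedirs` alone is enough to expose user content. Either move the rule into that block or gate it on both, `tunable_policy(`httpd_enable_homedirs && httpd_read_user_content',`, and add a comment stating which boolean is meant to control reading versus locating home content.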

-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) +@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false) + + ## + ##

+-## Determine whether ftpd can read and write +-## files in user home directories. +-##

+-##
+-gen_tunable(ftp_home_dir, false) +- +-## +-##

+ ## Determine whether sftpd can modify + ## public files used for public file + ## transfer services. Directories/Files must +@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -29527,7 +29641,7 @@ index 36838c2..8bfc879 100644 type ftpd_keytab_t; files_type(ftpd_keytab_t) -@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; +@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -29537,7 +29651,7 @@ index 36838c2..8bfc879 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -29564,7 +29678,7 @@ index 36838c2..8bfc879 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -29578,7 +29692,7 @@ index 36838c2..8bfc879 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) 
@@ -29586,7 +29700,7 @@ index 36838c2..8bfc879 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
@@ -29644,35 +29758,57 @@ index 36838c2..8bfc879 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) - corenet_sendrecv_oracledb_client_packets(ftpd_t) - corenet_tcp_connect_oracledb_port(ftpd_t) - corenet_tcp_sendrecv_oracledb_port(ftpd_t) +-') +- +-tunable_policy(`ftp_home_dir',` +- allow ftpd_t self:capability { dac_override dac_read_search }; +- +- userdom_manage_user_home_content_dirs(ftpd_t) +- userdom_manage_user_home_content_files(ftpd_t) +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) +- userdom_manage_user_tmp_dirs(ftpd_t) +- userdom_manage_user_tmp_files(ftpd_t) +- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) +-',` +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) +- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) + corenet_sendrecv_oracle_client_packets(ftpd_t) + corenet_tcp_connect_oracle_port(ftpd_t) + corenet_tcp_sendrecv_oracle_port(ftpd_t) ') - tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override dac_read_search }; +-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` ++tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(ftpd_t) + fs_manage_nfs_files(ftpd_t) + fs_manage_nfs_symlinks(ftpd_t) + ') -- userdom_manage_user_home_content_dirs(ftpd_t) -- userdom_manage_user_home_content_files(ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) -+ userdom_manage_all_user_home_type_dirs(ftpd_t) -+ userdom_manage_all_user_home_type_files(ftpd_t) - userdom_manage_user_tmp_dirs(ftpd_t) - userdom_manage_user_tmp_files(ftpd_t) -- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) - ',` -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(ftpd_t, 
{ dir file }) +-tunable_policy(`ftp_home_dir && use_samba_home_dirs',` ++tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(ftpd_t) + fs_manage_cifs_files(ftpd_t) + fs_manage_cifs_symlinks(ftpd_t) ') -@@ -363,9 +390,8 @@ optional_policy(` + optional_policy(` +- tunable_policy(`ftp_home_dir',` +- apache_search_sys_content(ftpd_t) +- ') +-') +- +-optional_policy(` + corecmd_exec_shell(ftpd_t) + + files_read_usr_files(ftpd_t) +@@ -363,9 +365,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -29683,7 +29819,7 @@ index 36838c2..8bfc879 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +442,20 @@ optional_policy(` +@@ -416,21 +417,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -29707,7 +29843,7 @@ index 36838c2..8bfc879 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -29748,7 +29884,7 @@ index 36838c2..8bfc879 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +517,8 @@ tunable_policy(`sftpd_anon_write',` +@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -49519,7 +49655,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..6e2a403 100644 +index d15eb5b..7f3c31d 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -49561,6 +49697,14 @@ index d15eb5b..6e2a403 100644 logging_send_syslog_msg(modemmanager_t) +@@ -56,3 +63,7 @@ optional_policy(` + udev_read_db(modemmanager_t) + udev_manage_pid_files(modemmanager_t) + ') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(modemmanager_t) ++') 
diff --git a/mojomojo.fc b/mojomojo.fc index 7b827ca..5ee8a0f 100644 --- a/mojomojo.fc @@ -49807,7 +49951,7 @@ index 6fcfc31..e9e6bc5 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..f19680b 100644 +index 169f236..eaaeb0d 100644 --- a/mongodb.te +++ b/mongodb.te @@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t) @@ -49853,7 +49997,7 @@ index 169f236..f19680b 100644 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -@@ -41,21 +51,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -41,21 +51,46 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) @@ -49890,6 +50034,8 @@ index 169f236..f19680b 100644 -miscfiles_read_localization(mongod_t) +auth_use_nsswitch(mongod_t) + ++logging_send_syslog_msg(mongod_t) ++ +optional_policy(` + mysql_stream_connect(mongod_t) +') @@ -52622,10 +52768,10 @@ index 65a246a..fa86320 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..bd1eb52 100644 +index f42896c..2cf0c23 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,34 +1,44 @@ +@@ -1,34 +1,41 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) 
@@ -52637,10 +52783,8 @@ index f42896c..bd1eb52 100644 +HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - +- -/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+ +/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) @@ -60208,10 +60352,10 @@ index bcd7d0a..0188086 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b6..adea830 100644 +index 4f2b1b6..6b300d5 100644 --- a/nsd.fc +++ b/nsd.fc -@@ -1,16 +1,17 @@ +@@ -1,16 +1,19 @@ -/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) @@ -60239,6 +60383,8 @@ index 4f2b1b6..adea830 100644 +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) ++ ++/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0) diff --git a/nsd.if b/nsd.if index a9c60ff..ad4f14a 100644 --- a/nsd.if @@ -60329,7 +60475,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..17db1a1 100644 +index 47bb1d2..5cc2b26 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -60343,13 +60489,15 @@ index 47bb1d2..17db1a1 100644 type nsd_conf_t; files_type(nsd_conf_t) -@@ -20,32 +18,31 @@ domain_type(nsd_crond_t) +@@ -20,41 +18,50 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; -type nsd_db_t; -files_type(nsd_db_t) -- ++type nsd_log_t; ++logging_log_file(nsd_log_t) + type nsd_var_run_t; files_pid_file(nsd_var_run_t) 
@@ -60387,7 +60535,12 @@ index 47bb1d2..17db1a1 100644 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) files_pid_filetrans(nsd_t, nsd_var_run_t, file) -@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + ++manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t) ++logging_log_filetrans(nsd_t, nsd_log_t, file) ++ + manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) @@ -60398,7 +60551,7 @@ index 47bb1d2..17db1a1 100644 can_exec(nsd_t, nsd_exec_t) kernel_read_system_state(nsd_t) -@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t) +@@ -62,7 +69,6 @@ kernel_read_kernel_sysctls(nsd_t) corecmd_exec_bin(nsd_t) @@ -60406,7 +60559,7 @@ index 47bb1d2..17db1a1 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -72,16 +72,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t) +@@ -72,16 +78,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t) corenet_udp_sendrecv_all_ports(nsd_t) corenet_tcp_bind_generic_node(nsd_t) corenet_udp_bind_generic_node(nsd_t) @@ -60429,7 +60582,7 @@ index 47bb1d2..17db1a1 100644 fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) -@@ -90,8 +94,6 @@ auth_use_nsswitch(nsd_t) +@@ -90,8 +100,6 @@ auth_use_nsswitch(nsd_t) logging_send_syslog_msg(nsd_t) @@ -60438,7 +60591,7 @@ index 47bb1d2..17db1a1 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -105,23 +107,24 @@ optional_policy(` +@@ -105,23 +113,24 @@ optional_policy(` ######################################## # 
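Review bot: `logging_log_filetrans(nsd_t, nsd_log_t, file)` added in the `@@ -60387,7 +60535,12 @@` hunk is an unnamed transition, so any file nsd_t creates directly in /var/log is labelled nsd_log_t, while the file context added to nsd.fc in the same commit covers only `/var/log/nsd\.log`. A named transition keeps the two consistent and limits the label to the file the policy expects: `logging_log_filetrans(nsd_t, nsd_log_t, file, "nsd.log")`. If nsd is also configured to write other log names, add them as further named transitions and matching fc entries rather than widening back to the unnamed form.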
@@ -60471,7 +60624,7 @@ index 47bb1d2..17db1a1 100644 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) -@@ -133,29 +136,33 @@ kernel_read_system_state(nsd_crond_t) +@@ -133,29 +142,33 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) @@ -65918,7 +66071,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..ede6e1c 100644 +index 44dbc99..370dd38 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -65950,9 +66103,9 @@ index 44dbc99..ede6e1c 100644 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; -+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource }; ++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid }; +allow openvswitch_t self:capability2 block_suspend; -+allow openvswitch_t self:process { fork setsched setrlimit signal }; ++allow openvswitch_t self:process { fork setsched setrlimit signal setcap }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; -allow openvswitch_t self:rawip_socket create_socket_perms; -allow openvswitch_t self:unix_stream_socket { accept connectto listen }; 
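Review bot: The new capability line in the `@@ -65950,9 +66103,9 @@` hunk adds `chown setgid setpcap setuid` to a self:capability set that already holds `sys_module` and `sys_rawio`, and `setcap` to the process permissions, with no comment on what openvswitch does with them. Together these let the domain load kernel modules, reach raw devices and change its own credentials, so each deserves a stated reason; if the motivation is a privilege-drop at startup (running as root and switching to a service user — to confirm), say so above the line: `# privilege drop at startup: setuid/setgid/setpcap and process setcap`. A denial-driven grant that cannot be tied to a feature is better removed than kept unexplained.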
@@ -65984,12 +66137,15 @@ index 44dbc99..ede6e1c 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) - files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) - --can_exec(openvswitch_t, openvswitch_exec_t) +-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) - +-can_exec(openvswitch_t, openvswitch_exec_t) ++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file }) + +kernel_load_module(openvswitch_t) kernel_read_network_state(openvswitch_t) kernel_read_system_state(openvswitch_t) @@ -107583,7 +107739,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..40e9303 100644 +index 5ceacde..9353adb 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) 
@@ -107610,7 +107766,16 @@ index 5ceacde..40e9303 100644 ######################################## # # Local policy -@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; + allow tor_t tor_etc_t:file read_file_perms; + allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; + ++dontaudit tor_t self:capability { net_admin }; ++ + manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) + manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) + manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -107618,7 +107783,7 @@ index 5ceacde..40e9303 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) @@ -107626,7 +107791,7 @@ index 5ceacde..40e9303 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +108,22 @@ dev_read_urand(tor_t) +@@ -98,19 +110,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -111673,10 +111838,10 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..5e41cd6 100644 +index f03dcf5..5b78d90 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,395 @@ +@@ -1,451 +1,402 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -111831,6 +111996,13 @@ index f03dcf5..5e41cd6 100644 + +## +##
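Review bot: `dontaudit tor_t self:capability { net_admin };` in the `@@ -48,6 +58,8 @@` hunk wraps a single permission in braces, which the rest of the policy does not do for one-element sets; `dontaudit tor_t self:capability net_admin;` is the usual form. A dontaudit also hides a denial that can point at a misconfiguration, so a comment naming the operation that triggers it (the hunk does not say) would help whoever later has to decide between silencing and allowing it.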

++## Allow confined virtual guests to use smartcards ++##

++##
++gen_tunable(virt_use_pcscd, false) ++ ++## ++##

+## Allow sandbox containers to send audit messages + +##

@@ -111843,15 +112015,15 @@ index f03dcf5..5e41cd6 100644 +##

+##
+gen_tunable(virt_sandbox_use_netlink, false) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to use sys_admin system calls, for example mount +##

+##
+gen_tunable(virt_sandbox_use_sys_admin, false) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow sandbox containers to use mknod system calls @@ -111890,11 +112062,11 @@ index f03dcf5..5e41cd6 100644 -virt_domain_template(svirt_prot_exec) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; - --type virt_cache_t alias svirt_cache_t; ++ +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; -+ + +-type virt_cache_t alias svirt_cache_t; +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; @@ -112259,24 +112431,24 @@ index f03dcf5..5e41cd6 100644 - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -+allow svirt_t self:process ptrace; - +- -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- ++allow svirt_t self:process ptrace; + -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) 
@@ -112382,7 +112554,7 @@ index f03dcf5..5e41cd6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +399,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +406,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -112429,7 +112601,7 @@ index f03dcf5..5e41cd6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +434,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +441,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -112462,7 +112634,7 @@ index f03dcf5..5e41cd6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +459,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +466,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -112490,7 +112662,7 @@ index f03dcf5..5e41cd6 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +479,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +486,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -112521,7 +112693,7 @@ index f03dcf5..5e41cd6 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +531,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +538,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -112541,7 +112713,7 @@ index f03dcf5..5e41cd6 100644 selinux_validate_context(virtd_t) -@@ -620,18 +553,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +560,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -112578,7 +112750,7 @@ index f03dcf5..5e41cd6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +581,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +588,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -112587,7 +112759,7 @@ index f03dcf5..5e41cd6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +606,12 @@ optional_policy(` +@@ -665,20 +613,12 @@ optional_policy(` ') optional_policy(` @@ -112608,7 +112780,7 @@ index f03dcf5..5e41cd6 100644 ') optional_policy(` -@@ -691,20 +624,26 @@ optional_policy(` +@@ -691,20 +631,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -112619,11 +112791,12 @@ index f03dcf5..5e41cd6 100644 ') optional_policy(` +- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` - iptables_domtrans(virtd_t) ++ iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -112639,7 +112812,7 @@ index f03dcf5..5e41cd6 100644 ') optional_policy(` -@@ -712,11 +651,18 @@ optional_policy(` +@@ -712,11 +658,18 @@ optional_policy(` ') optional_policy(` @@ -112658,7 +112831,7 @@ index f03dcf5..5e41cd6 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +673,18 @@ optional_policy(` +@@ -727,10 +680,18 @@ optional_policy(` ') optional_policy(` @@ -112677,7 +112850,7 @@ index f03dcf5..5e41cd6 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +700,321 @@ optional_policy(` +@@ -746,44 +707,327 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
@@ -112767,7 +112940,7 @@ index f03dcf5..5e41cd6 100644 +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; - ++ +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) + @@ -112822,7 +112995,7 @@ index f03dcf5..5e41cd6 100644 +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -112953,6 +113126,12 @@ index f03dcf5..5e41cd6 100644 +') + +optional_policy(` ++ tunable_policy(`virt_use_pcscd',` ++ pcscd_stream_connect(virt_domain) ++ ') ++') ++ ++optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') @@ -113021,7 +113200,7 @@ index f03dcf5..5e41cd6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1025,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1038,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -113048,7 +113227,7 @@ index f03dcf5..5e41cd6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1045,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1058,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -113065,10 +113244,10 @@ index f03dcf5..5e41cd6 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -113082,7 +113261,7 @@ index f03dcf5..5e41cd6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1082,20 @@ optional_policy(` +@@ -856,14 +1095,20 @@ optional_policy(` ') optional_policy(` 
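Review bot: The new `tunable_policy(`virt_use_pcscd',` ... ')` block in the 112953 hunk references a boolean whose declaration is not in this hunk; the patched module needs a matching `gen_tunable(virt_use_pcscd, false)` with its `## <desc>` block, and while it may well be added elsewhere in the patch, it is worth confirming in the same change since a tunable that is never declared should break the module build. If the declaration is added here, a one-line description such as `## Allow confined virtual guests to connect to the pcscd smartcard daemon.` keeps the boolean discoverable alongside the other `virt_use_*` tunables. The enclosing `optional_policy` sequence for virt_domain continues outside the hunk.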
@@ -113104,7 +113283,7 @@ index f03dcf5..5e41cd6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1120,66 @@ optional_policy(` +@@ -888,49 +1133,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -113189,7 +113368,7 @@ index f03dcf5..5e41cd6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1191,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1204,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -113209,7 +113388,7 @@ index f03dcf5..5e41cd6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1212,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1225,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -113233,7 +113412,7 @@ index f03dcf5..5e41cd6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -113302,7 +113481,89 @@ index f03dcf5..5e41cd6 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; @@ -113399,8 +113660,9 @@ index f03dcf5..5e41cd6 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') 
@@ -113416,95 +113678,12 @@ index f03dcf5..5e41cd6 100644 +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- 
--kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + 
userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -113676,15 +113855,15 @@ index f03dcf5..5e41cd6 100644 + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) @@ -113729,7 +113908,7 @@ index f03dcf5..5e41cd6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -113744,7 +113923,7 @@ index f03dcf5..5e41cd6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1615,7 @@ optional_policy(` +@@ -1192,7 +1628,7 @@ optional_policy(` ######################################## # @@ -113753,7 +113932,7 @@ index f03dcf5..5e41cd6 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -116835,7 +117014,7 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..fe078eb 100644 +index a64aad3..d923154 100644 --- a/xguest.te +++ b/xguest.te @@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) 
@@ -116904,7 +117083,7 @@ index a64aad3..fe078eb 100644 storage_raw_read_removable_device(xguest_t) storage_raw_write_removable_device(xguest_t) ',` -@@ -54,9 +55,22 @@ ifndef(`enable_mls',` +@@ -54,9 +55,25 @@ ifndef(`enable_mls',` ') optional_policy(` @@ -116915,6 +117094,9 @@ index a64aad3..fe078eb 100644 +kernel_dontaudit_request_load_module(xguest_t) +kernel_read_software_raid_state(xguest_t) + ++#GDM runs the X server as the unprivileged user. ++dev_rw_input_dev(xguest_t) ++ +tunable_policy(`selinuxuser_execstack',` + allow xguest_t self:process execstack; +') @@ -116928,7 +117110,7 @@ index a64aad3..fe078eb 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -65,10 +79,9 @@ optional_policy(` +@@ -65,10 +82,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -116940,7 +117122,7 @@ index a64aad3..fe078eb 100644 ') ') -@@ -84,12 +97,25 @@ optional_policy(` +@@ -84,12 +100,25 @@ optional_policy(` ') ') @@ -116952,23 +117134,23 @@ index a64aad3..fe078eb 100644 + +optional_policy(` + colord_dbus_chat(xguest_t) + ') + + optional_policy(` +- gnomeclock_dontaudit_dbus_chat(xguest_t) ++ chrome_role(xguest_r, xguest_t) +') + +optional_policy(` -+ chrome_role(xguest_r, xguest_t) ++ thumb_role(xguest_r, xguest_t) +') + +optional_policy(` -+ thumb_role(xguest_r, xguest_t) - ') - - optional_policy(` -- gnomeclock_dontaudit_dbus_chat(xguest_t) + dbus_dontaudit_chat_system_bus(xguest_t) ') optional_policy(` -@@ -97,75 +123,78 @@ optional_policy(` +@@ -97,75 +126,78 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index e75a885..b6182f9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 182%{?dist} +Release: 183%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
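Review bot: `dev_rw_input_dev(xguest_t)` in the 116915 hunk grants every process in the guest-user domain both read and write access to input event devices, not only the X server that GDM runs there, and the changelog entry for this change describes it as allowing GDM to write. Read access on event devices lets any xguest_t process observe raw input events, so if only the X server needs this it is better confined to the X server's own domain or gated by a boolean the way `selinuxuser_execstack` is a few lines below; otherwise the comment should state the scope, e.g. `# GDM runs the X server as the unprivileged user (rhbz#1232042), so all of xguest_t gets rw on input event devices.`. The xguest_t rule block continues outside the hunk.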
@@ -651,6 +651,23 @@ exit 0 %endif %changelog +* Wed Apr 27 2016 Lukas Vrabec 3.13.1-183 +- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. +- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895) +- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. +- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224) +- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448 +- Make virt_use_pcscd boolean off by default. +- Create boolean to allow virtual machine use smartcards. rhbz#1029297 +- Allow mongod log to syslog. +- Allow nsd daemon to create log file in /var/log as nsd_log_t +- Allow modemmanager to talk to logind +- Dontaudit tor daemon needs net_admin capability. rhbz#1311788 +- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 +- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970) +- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909 +- Add new permissions stop/start to class system. rhbz#1324453 + * Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 - By default container domains should not be allowed to create devices - rename several contrib modules according to their filenames