diff --git a/policy-f20-base.patch b/policy-f20-base.patch index f921776..e81ace6 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -9626,7 +9626,7 @@ index c2c6e05..2282452 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..a47b644 100644 +index 64ff4d7..d2cb90d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10257,7 +10257,32 @@ index 64ff4d7..a47b644 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',` + + ######################################## + ## ++## Set the attributes of all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir relabelto; ++') ++ ++######################################## ++## + ## Do not audit attempts to set the attributes on all mount points. + ## + ## +@@ -1673,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -10282,7 +10307,7 @@ index 64ff4d7..a47b644 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -10325,7 +10350,7 @@ index 64ff4d7..a47b644 100644 ## List the contents of the root directory. ## ## -@@ -1707,6 +2131,23 @@ interface(`files_list_root',` +@@ -1707,6 +2149,23 @@ interface(`files_list_root',` allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') 
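Review bot: The new `files_relabelto_all_mountpoints' interface (inner hunk `+@@ -1601,6 +1971,24 @@`) carries the summary `## Set the attributes of all mount points.`, copied from files_setattr_all_mountpoints directly above it, while its body is `allow $1 mountpoint:dir relabelto;`. The summary should read `## Relabel to all mount point types.` so the generated interface documentation does not understate the grant. Because `mountpoint` is an attribute, the rule covers every mountpoint-typed directory, and saying so in the summary helps a reviewer of the callers weigh it. The other hunks on this line only renumber inner offsets for the rebase.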
@@ -10349,7 +10374,7 @@ index 64ff4d7..a47b644 100644 ######################################## ## -@@ -1747,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',` +@@ -1747,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',` ######################################## ## @@ -10376,7 +10401,7 @@ index 64ff4d7..a47b644 100644 ## Create an object in the root directory, with a private ## type using a type transition. ## -@@ -1874,25 +2335,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2353,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10408,7 +10433,7 @@ index 64ff4d7..a47b644 100644 ## ## ## -@@ -1905,7 +2366,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2384,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -10417,7 +10442,7 @@ index 64ff4d7..a47b644 100644 ') ######################################## -@@ -1928,6 +2389,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2407,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10442,7 +10467,7 @@ index 64ff4d7..a47b644 100644 ## Get attributes of the /boot directory. ## ## -@@ -2163,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2163,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10467,7 +10492,7 @@ index 64ff4d7..a47b644 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2627,6 +3124,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3142,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10492,7 +10517,7 @@ index 64ff4d7..a47b644 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3213,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3231,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) 
@@ -10500,7 +10525,7 @@ index 64ff4d7..a47b644 100644 ') ######################################## -@@ -2706,7 +3222,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3240,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10509,7 +10534,7 @@ index 64ff4d7..a47b644 100644 ## ## # -@@ -2762,6 +3278,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3296,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10535,7 +10560,7 @@ index 64ff4d7..a47b644 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3315,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3333,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10560,7 +10585,7 @@ index 64ff4d7..a47b644 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3498,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,26 +3516,8 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10582,10 +10607,14 @@ index 64ff4d7..a47b644 100644 - -######################################## -## - ## Read files in /etc that are dynamically - ## created on boot, such as mtab. +-## Read files in /etc that are dynamically +-## created on boot, such as mtab. ++## Read files in /etc that are dynamically ++## created on boot, such as mtab. ## -@@ -3003,9 +3538,7 @@ interface(`files_read_etc_runtime_files',` + ## + ##

+@@ -3003,9 +3556,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -10596,7 +10625,7 @@ index 64ff4d7..a47b644 100644 ## ## ## -@@ -3013,18 +3546,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3564,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10618,22 +10647,19 @@ index 64ff4d7..a47b644 100644 ##
## ## -@@ -3042,15 +3574,35 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3592,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## --## Read and write files in /etc that are dynamically +## Do not audit attempts to read files +## in /etc that are dynamically - ## created on boot, such as mtab. - ## - ## - ## --## Domain allowed access. ++## created on boot, such as mtab. ++## ++## ++## +## Domain to not audit. - ## - ## --## ++## ++## +# +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` @@ -10645,19 +10671,10 @@ index 64ff4d7..a47b644 100644 + +######################################## +## -+## Read and write files in /etc that are dynamically -+## created on boot, such as mtab. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## - # - interface(`files_rw_etc_runtime_files',` - gen_require(` -@@ -3059,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',` + ## Read and write files in /etc that are dynamically + ## created on boot, such as mtab. + ##
+@@ -3059,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10665,7 +10682,7 @@ index 64ff4d7..a47b644 100644 ') ######################################## -@@ -3080,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10673,7 +10690,7 @@ index 64ff4d7..a47b644 100644 ') ######################################## -@@ -3132,6 +3686,44 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3704,44 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -10718,7 +10735,7 @@ index 64ff4d7..a47b644 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3205,6 +3797,62 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,6 +3815,62 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') @@ -10781,7 +10798,7 @@ index 64ff4d7..a47b644 100644 ######################################## ## -@@ -3246,6 +3894,25 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3246,6 +3912,25 @@ interface(`files_mounton_isid_type_dirs',` ######################################## ## @@ -10807,7 +10824,7 @@ index 64ff4d7..a47b644 100644 ## Read files on new filesystems ## that have not yet been labeled. ## -@@ -3455,6 +4122,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +4140,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -10833,7 +10850,7 @@ index 64ff4d7..a47b644 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4482,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4500,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -10877,64 +10894,98 @@ index 64ff4d7..a47b644 100644 ') ######################################## -@@ -4199,6 +4903,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,192 +4921,215 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') +-######################################## +####################################### -+## + ## +-## Allow the specified type to associate +-## to a filesystem with the type of the +-## temporary directory (/tmp). +## Read manageable system configuration files in /etc -+## + ## +-## +-## +-## Type of the file to associate. +-## +## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_associate_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Do not audit attempts to get the +-## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. 
+-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- dontaudit $1 tmp_t:dir getattr; + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") 
@@ -10952,162 +11003,253 @@ index 64ff4d7..a47b644 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- allow $1 tmp_t:dir search_dir_perms; + relabelto_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain to not audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +################################### -+## + ## +-## Read the tmp directory (/tmp). +## Create files in /etc with the type used for +## the manageable system config files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## The type of the process performing this action. 
+## -+## -+# + ## + # +-interface(`files_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit listing of the tmp directory (/tmp). +## Manage manageable system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain not to audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- dontaudit $1 tmp_t:dir list_dir_perms; + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Remove entries from the tmp directory. +## File name transition for system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_delete_tmp_dir_entry',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- allow $1 tmp_t:dir del_entry_dir_perms; + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") -+') -+ - ######################################## - ## - ## Allow the specified type to associate -@@ -4221,6 +5091,26 @@ interface(`files_associate_tmp',` + ') ######################################## ## +-## Read files in the tmp directory (/tmp). 
+## Allow the specified type to associate +## to a filesystem with the type of the -+## / file system -+## ++## temporary directory (/tmp). + ## +-## +## -+## + ## +-## Domain allowed access. +## Type of the file to associate. -+## -+## -+# -+interface(`files_associate_rootfs',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ allow $1 root_t:filesystem associate; -+') -+ -+######################################## -+## - ## Get the attributes of the tmp directory (/tmp). - ## - ## -@@ -4234,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',` + ## + ## + # +-interface(`files_read_generic_tmp_files',` ++interface(`files_associate_tmp',` + gen_require(` type tmp_t; ') -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir getattr; +- read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:filesystem associate; ') ######################################## ## -+## Do not audit attempts to check the -+## access on tmp files -+## -+## -+## +-## Manage temporary directories in /tmp. ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## / file system + ## +-## ++## + ## +-## Domain allowed access. ++## Type of the file to associate. + ## + ## + # +-interface(`files_manage_generic_tmp_dirs',` ++interface(`files_associate_rootfs',` + gen_require(` +- type tmp_t; ++ type root_t; + ') + +- manage_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 root_t:filesystem associate; + ') + + ######################################## + ## +-## Manage temporary files and directories in /tmp. ++## Get the attributes of the tmp directory (/tmp). 
+ ## + ## + ## +@@ -4392,53 +5137,56 @@ interface(`files_manage_generic_tmp_dirs',` + ## + ## + # +-interface(`files_manage_generic_tmp_files',` ++interface(`files_getattr_tmp_dirs',` + gen_require(` + type tmp_t; + ') + +- manage_files_pattern($1, tmp_t, tmp_t) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:dir getattr; + ') + + ######################################## + ## +-## Read symbolic links in the tmp directory (/tmp). ++## Do not audit attempts to check the ++## access on tmp files + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_access_check_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + type etc_t; -+ ') -+ + ') + +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Do not audit attempts to get the ++## attributes of the tmp directory (/tmp). ## ## ## 
@@ -11116,23 +11258,94 @@ index 64ff4d7..a47b644 100644 ## ## # -@@ -4271,6 +5181,7 @@ interface(`files_search_tmp',` +-interface(`files_rw_generic_tmp_sockets',` ++interface(`files_dontaudit_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') +- rw_sock_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmp_t:dir getattr; + ') + + ######################################## + ## +-## Set the attributes of all tmp directories. ++## Search the tmp directory (/tmp). + ## + ## + ## +@@ -4446,77 +5194,92 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_search_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir search_dir_perms; ++ allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +5218,7 @@ interface(`files_list_tmp',` - type tmp_t; + ######################################## + ## +-## List all tmp directories. ++## Do not audit attempts to search the tmp directory (/tmp). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_dontaudit_search_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ dontaudit $1 tmp_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Read the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_list_tmp',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; ') +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +5228,7 @@ interface(`files_list_tmp',` + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Do not audit listing of the tmp directory (/tmp). ## ## ## @@ -11141,11 +11354,17 @@ index 64ff4d7..a47b644 100644 ## ## # -@@ -4328,7 +5240,26 @@ interface(`files_dontaudit_list_tmp',` - dontaudit $1 tmp_t:dir list_dir_perms; - ') +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_dontaudit_list_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') --######################################## +- dontaudit $1 tmpfile:file getattr; ++ dontaudit $1 tmp_t:dir list_dir_perms; ++') ++ +####################################### +## +## Allow read and write to the tmp directory (/tmp). 
@@ -11163,26 +11382,87 @@ index 64ff4d7..a47b644 100644 + + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; -+') -+ -+######################################## + ') + + ######################################## ## - ## Remove entries from the tmp directory. +-## Allow attempts to get the attributes +-## of all tmp files. ++## Remove entries from the tmp directory. ## -@@ -4343,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',` - type tmp_t; + ## + ## +@@ -4524,110 +5287,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_delete_tmp_dir_entry',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; ') +- allow $1 tmpfile:file getattr; + files_search_tmp($1) - allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:dir del_entry_dir_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## Read files in the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_read_generic_tmp_files',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ read_files_pattern($1, tmp_t, tmp_t) ') -@@ -4384,6 +5316,32 @@ interface(`files_manage_generic_tmp_dirs',` + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Manage temporary directories in /tmp. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_manage_generic_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ manage_dirs_pattern($1, tmp_t, tmp_t) + ') ######################################## ## +-## Read all tmp files. 
+## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -11191,840 +11471,733 @@ index 64ff4d7..a47b644 100644 +## This is added to support java policy. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_read_all_tmp_files',` +interface(`files_execmod_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ + gen_require(` + attribute tmpfile; + ') + +- read_files_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:file execmod; -+') -+ -+######################################## -+## - ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4438,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',` + ') ######################################## ## -+## Relabel a dir from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## -+## Relabel a file from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_tmp_files',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## - ## Set the attributes of all tmp directories. +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_tmp_filetrans',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + +- filetrans_pattern($1, tmp_t, $2, $3, $4) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') ######################################## ## -+## Allow caller to read inherited tmp files. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_inherited_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file { append read_inherited_file_perms }; -+') -+ -+######################################## -+## -+## Allow caller to append inherited tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_append_inherited_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file append_inherited_file_perms; -+') -+ -+######################################## -+## -+## Allow caller to read and write inherited tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_inherited_tmp_file',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## List all tmp directories. - ## - ## -@@ -4501,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',` +-## Delete the contents of /tmp. ++## Read symbolic links in the tmp directory (/tmp). ##
## ## --## Domain not to audit. -+## Domain to not audit. +@@ -4635,22 +5386,17 @@ interface(`files_tmp_filetrans',` ## ## # -@@ -4561,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',` +-interface(`files_purge_tmp',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; +- delete_dirs_pattern($1, tmpfile, tmpfile) +- delete_files_pattern($1, tmpfile, tmpfile) +- delete_lnk_files_pattern($1, tmpfile, tmpfile) +- delete_fifo_files_pattern($1, tmpfile, tmpfile) +- delete_sock_files_pattern($1, tmpfile, tmpfile) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Set the attributes of the /usr directory. ++## Read and write generic named sockets in the tmp directory (/tmp). ## ## ## --## Domain not to audit. -+## Domain to not audit. +@@ -4658,17 +5404,17 @@ interface(`files_purge_tmp',` ## ## # -@@ -4593,6 +5641,44 @@ interface(`files_read_all_tmp_files',` +-interface(`files_setattr_usr_dirs',` ++interface(`files_rw_generic_tmp_sockets',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') - ######################################## - ## -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_tmp_file_leaks',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do allow attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_rw_tmp_file_leaks',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create an object in the tmp directories, with a private - ## type using a type transition. 
- ## -@@ -4646,6 +5732,16 @@ interface(`files_purge_tmp',` - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) +- allow $1 usr_t:dir setattr; ++ rw_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## -@@ -5094,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',` - - ######################################## ## -+## Dontaudit getattr attempts on the system.map file -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaduit_getattr_kernel_symbol_table',` -+ gen_require(` -+ type system_map_t; -+ ') -+ -+ dontaudit $1 system_map_t:file getattr; -+') -+ -+######################################## -+## - ## Read system.map in the /boot directory. +-## Search the content of /usr. ++## Relabel a dir from the type used in /tmp. ## ## -@@ -5223,6 +6337,24 @@ interface(`files_list_var',` - - ######################################## - ## -+## Do not audit listing of the var directory (/var). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_list_var',` -+ gen_require(` -+ type var_t; -+ ') -+ -+ dontaudit $1 var_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories - ## in the /var directory. 
- ## -@@ -5310,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',` - type var_t; + ## +@@ -4676,18 +5422,17 @@ interface(`files_setattr_usr_dirs',` + ## + ## + # +-interface(`files_search_usr',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- type usr_t; ++ type tmp_t; ') -- dontaudit $1 var_t:file rw_file_perms; -+ dontaudit $1 var_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -5507,6 +6639,23 @@ interface(`files_rw_var_lib_dirs',` - rw_dirs_pattern($1, var_lib_t, var_lib_t) +- allow $1 usr_t:dir search_dir_perms; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') -+####################################### -+## -+## Create directories in /var/lib -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_var_lib_dirs',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ allow $1 var_lib_t:dir { create rw_dir_perms }; -+') -+ ######################################## ## - ## Create objects in the /var/lib directory -@@ -5578,6 +6727,25 @@ interface(`files_read_var_lib_symlinks',` - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - -+######################################## -+## -+## manage generic symbolic links -+## in the /var/lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_var_lib_symlinks',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ - # cjp: the next two interfaces really need to be fixed - # in some way. They really neeed their own types. +-## List the contents of generic +-## directories in /usr. ++## Relabel a file from the type used in /tmp. 
+ ## + ## + ## +@@ -4695,35 +5440,35 @@ interface(`files_search_usr',` + ## + ## + # +-interface(`files_list_usr',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') -@@ -5623,7 +6791,7 @@ interface(`files_manage_mounttab',` +- allow $1 usr_t:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') ######################################## ## --## Set the attributes of the generic lock directories. -+## List generic lock directories. +-## Do not audit write of /usr dirs ++## Set the attributes of all tmp directories. ## ## ## -@@ -5631,12 +6799,13 @@ interface(`files_manage_mounttab',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_setattr_lock_dirs',` -+interface(`files_list_locks',` +-interface(`files_dontaudit_write_usr_dirs',` ++interface(`files_setattr_all_tmp_dirs',` gen_require(` - type var_t, var_lock_t; +- type usr_t; ++ attribute tmpfile; ') -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) +- dontaudit $1 usr_t:dir write; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## -@@ -5654,6 +6823,7 @@ interface(`files_search_locks',` - type var_t, var_lock_t; + ## +-## Add and remove entries from /usr directories. ++## Allow caller to read inherited tmp files. + ## + ## + ## +@@ -4731,36 +5476,35 @@ interface(`files_dontaudit_write_usr_dirs',` + ## + ## + # +-interface(`files_rw_usr_dirs',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -+ files_search_pids($1) - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) +- allow $1 usr_t:dir rw_dir_perms; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ') -@@ -5680,7 +6850,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## --## List generic lock directories. 
-+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. +-## Do not audit attempts to add and remove +-## entries from /usr directories. ++## Allow caller to append inherited tmp files. ## ## ## -@@ -5688,13 +6877,12 @@ interface(`files_dontaudit_search_locks',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_list_locks',` -+interface(`files_setattr_lock_dirs',` +-interface(`files_dontaudit_rw_usr_dirs',` ++interface(`files_append_inherited_tmp_files',` gen_require(` -- type var_t, var_lock_t; -+ type var_lock_t; +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_lock_t:dir setattr; +- dontaudit $1 usr_t:dir rw_dir_perms; ++ allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## -@@ -5713,7 +6901,7 @@ interface(`files_rw_lock_dirs',` - type var_t, var_lock_t; + ## +-## Delete generic directories in /usr in the caller domain. ++## Allow caller to read and write inherited tmp files. + ## + ## + ## +@@ -4768,17 +5512,17 @@ interface(`files_dontaudit_rw_usr_dirs',` + ## + ## + # +-interface(`files_delete_usr_dirs',` ++interface(`files_rw_inherited_tmp_file',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - rw_dirs_pattern($1, var_t, var_lock_t) +- delete_dirs_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; ') -@@ -5746,7 +6934,6 @@ interface(`files_create_lock_dirs',` - ## Domain allowed access. 
+ ######################################## + ## +-## Delete generic files in /usr in the caller domain. ++## List all tmp directories. + ## + ## + ## +@@ -4786,73 +5530,59 @@ interface(`files_delete_usr_dirs',` ## ## --## # - interface(`files_relabel_all_lock_dirs',` +-interface(`files_delete_usr_files',` ++interface(`files_list_all_tmp',` gen_require(` -@@ -5761,7 +6948,7 @@ interface(`files_relabel_all_lock_dirs',` +- type usr_t; ++ attribute tmpfile; + ') + +- delete_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:dir list_dir_perms; + ') ######################################## ## --## Get the attributes of generic lock files. -+## Relabel to and from all lock file types. +-## Get the attributes of files in /usr. ++## Relabel to and from all temporary ++## directory types. ## ## ## -@@ -5769,13 +6956,33 @@ interface(`files_relabel_all_lock_dirs',` + ## Domain allowed access. ## ## ++## # --interface(`files_getattr_generic_locks',` -+interface(`files_relabel_all_lock_files',` +-interface(`files_getattr_usr_files',` ++interface(`files_relabel_all_tmp_dirs',` gen_require(` -+ attribute lockfile; - type var_t, var_lock_t; +- type usr_t; ++ attribute tmpfile; ++ type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Get the attributes of generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) +- getattr_files_pattern($1, usr_t, usr_t) ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ') -@@ -5791,13 +6998,12 @@ interface(`files_getattr_generic_locks',` + + ######################################## + ## +-## Read generic files in /usr. 
++## Do not audit attempts to get the attributes ++## of all tmp files. + ## +-## +-##

+-## Allow the specified domain to read generic +-## files in /usr. These files are various program +-## files that do not have more specific SELinux types. +-## Some examples of these files are: +-##

+-##
    +-##
  • /usr/include/*
  • +-##
  • /usr/share/doc/*
  • +-##
  • /usr/share/info/*
  • +-##
+-##

+-## Generally, it is safe for many domains to have +-## this access. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## ## +-## # - interface(`files_delete_generic_locks',` -- gen_require(` -+ gen_require(` - type var_t, var_lock_t; -- ') -+ ') +-interface(`files_read_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 usr_t:dir list_dir_perms; +- read_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file getattr; ') ######################################## -@@ -5816,9 +7022,7 @@ interface(`files_manage_generic_locks',` - type var_t, var_lock_t; + ## +-## Execute generic programs in /usr in the caller domain. ++## Allow attempts to get the attributes ++## of all tmp files. + ## + ## + ## +@@ -4860,55 +5590,58 @@ interface(`files_read_usr_files',` + ## + ## + # +-interface(`files_exec_usr_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) - manage_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 usr_t:dir list_dir_perms; +- exec_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file getattr; ') -@@ -5860,8 +7064,7 @@ interface(`files_read_all_locks',` - type var_t, var_lock_t; + ######################################## + ## +-## dontaudit write of /usr files ++## Relabel to and from all temporary ++## file types. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## ++## + # +-interface(`files_dontaudit_write_usr_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ++ type var_t; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +7086,7 @@ interface(`files_manage_all_locks',` - type var_t, var_lock_t; - ') +- dontaudit $1 usr_t:file write; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +7123,7 @@ interface(`files_lock_filetrans',` - type var_t, var_lock_t; + ######################################## + ## +-## Create, read, write, and delete files in the /usr directory. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - filetrans_pattern($1, var_lock_t, $2, $3, $4) +- manage_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:sock_file getattr; ') -@@ -5961,7 +7162,7 @@ interface(`files_setattr_pid_dirs',` - type var_run_t; + ######################################## + ## +-## Relabel a file to the type used in /usr. ++## Read all tmp files. 
+ ## + ## + ## +@@ -4916,67 +5649,70 @@ interface(`files_manage_usr_files',` + ## + ## + # +-interface(`files_relabelto_usr_files',` ++interface(`files_read_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - allow $1 var_run_t:dir setattr; +- relabelto_files_pattern($1, usr_t, usr_t) ++ read_files_pattern($1, tmpfile, tmpfile) ') -@@ -5981,18 +7182,56 @@ interface(`files_search_pids',` - type var_t, var_run_t; + ######################################## + ## +-## Relabel a file from the type used in /usr. ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_relabelfrom_usr_files',` ++interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -+ allow $1 var_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) +- relabelfrom_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; ') --######################################## -+###################################### + ######################################## ## --## Do not audit attempts to search --## the /var/run directory. -+## Add and remove entries from pid directories. +-## Read symbolic links in /usr. ++## Do allow attempts to read or write ++## all leaked tmpfiles files. ## ## --## --## Domain to not audit. -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:dir rw_dir_perms; -+') -+ -+####################################### -+## -+## Create generic pid directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## + ## +-## Domain allowed access. +## Domain to not audit. ## ## # -@@ -6007,6 +7246,25 @@ interface(`files_dontaudit_search_pids',` +-interface(`files_read_usr_symlinks',` ++interface(`files_rw_tmp_file_leaks',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; + ') ######################################## ## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). +-## Create objects in the /usr directory ++## Create an object in the tmp directories, with a private ++## type using a type transition. ## -@@ -6021,7 +7279,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - ') - -@@ -6040,7 +7298,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6060,7 +7318,7 @@ interface(`files_write_generic_pid_pipes',` - type var_run_t; + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + ## +-## The type of the object to be created ++## The type of the object to be created. 
+ ## + ## +-## ++## + ## +-## The object class. ++## The object class of the object being created. + ## + ## + ## +@@ -4985,35 +5721,50 @@ interface(`files_read_usr_symlinks',` + ## + ## + # +-interface(`files_usr_filetrans',` ++interface(`files_tmp_filetrans',` + gen_require(` +- type usr_t; ++ type tmp_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - allow $1 var_run_t:fifo_file write; +- filetrans_pattern($1, usr_t, $2, $3, $4) ++ filetrans_pattern($1, tmp_t, $2, $3, $4) ') -@@ -6122,7 +7380,6 @@ interface(`files_pid_filetrans',` + ######################################## + ## +-## Do not audit attempts to search /usr/src. ++## Delete the contents of /tmp. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_src',` ++interface(`files_purge_tmp',` + gen_require(` +- type src_t; ++ attribute tmpfile; ') - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) +- dontaudit $1 src_t:dir search_dir_perms; ++ allow $1 tmpfile:dir list_dir_perms; ++ delete_dirs_pattern($1, tmpfile, tmpfile) ++ delete_files_pattern($1, tmpfile, tmpfile) ++ delete_lnk_files_pattern($1, tmpfile, tmpfile) ++ delete_fifo_files_pattern($1, tmpfile, tmpfile) ++ delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) ') -@@ -6151,6 +7408,24 @@ interface(`files_pid_filetrans_lock_dir',` - ######################################## ## -+## rw generic pid files inherited from another process -+## -+## -+## -+## Domain allowed 
access. -+## -+## -+# -+interface(`files_rw_inherited_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Read and write generic process ID files. +-## Get the attributes of files in /usr/src. ++## Set the attributes of the /usr directory. ## ## -@@ -6164,7 +7439,7 @@ interface(`files_rw_generic_pids',` - type var_t, var_run_t; + ## +@@ -5021,20 +5772,17 @@ interface(`files_dontaudit_search_src',` + ## + ## + # +-interface(`files_getattr_usr_src_files',` ++interface(`files_setattr_usr_dirs',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) ++ allow $1 usr_t:dir setattr; ') -@@ -6231,55 +7506,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read all process ID files. -+## Relable all pid directories +-## Read files in /usr/src. ++## Search the content of /usr. ## ## ## - ## Domain allowed access. 
+@@ -5042,20 +5790,18 @@ interface(`files_getattr_usr_src_files',` ## ## --## # --interface(`files_read_all_pids',` -+interface(`files_relabel_all_pid_dirs',` +-interface(`files_read_usr_src_files',` ++interface(`files_search_usr',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type usr_t, src_t; ++ type usr_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) -+ relabel_dirs_pattern($1, pidfile, pidfile) + allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; ') ######################################## ## --## Delete all process IDs. -+## Delete all pid sockets +-## Execute programs in /usr/src in the caller domain. ++## List the contents of generic ++## directories in /usr. ## ## ## - ## Domain allowed access. +@@ -5063,38 +5809,35 @@ interface(`files_read_usr_src_files',` ## ## --## # --interface(`files_delete_all_pids',` -+interface(`files_delete_all_pid_sockets',` +-interface(`files_exec_usr_src_files',` ++interface(`files_list_usr',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type usr_t, src_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+ allow $1 pidfile:sock_file delete_sock_file_perms; +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) ++ allow $1 usr_t:dir list_dir_perms; ') ######################################## ## --## Delete all process ID directories. 
-+## Create all pid sockets +-## Install a system.map into the /boot directory. ++## Do not audit write of /usr dirs ## ## ## -@@ -6287,42 +7550,35 @@ interface(`files_delete_all_pids',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_delete_all_pid_dirs',` -+interface(`files_create_all_pid_sockets',` +-interface(`files_create_kernel_symbol_table',` ++interface(`files_dontaudit_write_usr_dirs',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type boot_t, system_map_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:sock_file create_sock_file_perms; +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ dontaudit $1 usr_t:dir write; ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content -+## Create all pid named pipes +-## Read system.map in the /boot directory. ++## Add and remove entries from /usr directories. ## ## ## --## Domain alloed access. -+## Domain allowed access. +@@ -5102,37 +5845,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # --interface(`files_manage_all_pids',` -+interface(`files_create_all_pid_pipes',` +-interface(`files_read_kernel_symbol_table',` ++interface(`files_rw_usr_dirs',` gen_require(` - attribute pidfile; +- type boot_t, system_map_t; ++ type usr_t; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:fifo_file create_fifo_file_perms; +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) ++ allow $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. 
-+## Delete all pid named pipes +-## Delete a system.map in the /boot directory. ++## Do not audit attempts to add and remove ++## entries from /usr directories. ## ## ## -@@ -6330,18 +7586,18 @@ interface(`files_manage_all_pids',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_pid_pipes',` +-interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaudit_rw_usr_dirs',` gen_require(` -- attribute polymember; -+ attribute pidfile; +- type boot_t, system_map_t; ++ type usr_t; ') -- allow $1 polymember:dir mounton; -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Search the contents of generic spool --## directories (/var/spool). -+## manage all pidfile directories -+## in the /var/run directory. +-## Search the contents of /var. ++## Delete generic directories in /usr in the caller domain. ## ## ## -@@ -6349,37 +7605,40 @@ interface(`files_mounton_all_poly_members',` +@@ -5140,35 +5882,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # --interface(`files_search_spool',` -+interface(`files_manage_all_pid_dirs',` +-interface(`files_search_var',` ++interface(`files_delete_usr_dirs',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- search_dirs_pattern($1, var_t, var_spool_t) -+ manage_dirs_pattern($1,pidfile,pidfile) +- allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, usr_t, usr_t) ') -+ ######################################## ## --## Do not audit attempts to search generic --## spool directories. -+## Read all process ID files. +-## Do not audit attempts to write to /var. ++## Delete generic files in /usr in the caller domain. ## ## ## 
@@ -12032,138 +12205,326 @@ index 64ff4d7..a47b644 100644 +## Domain allowed access. ## ## -+## # --interface(`files_dontaudit_search_spool',` -+interface(`files_read_all_pids',` +-interface(`files_dontaudit_write_var_dirs',` ++interface(`files_delete_usr_files',` gen_require(` -- type var_spool_t; -+ attribute pidfile; -+ type var_t; +- type var_t; ++ type usr_t; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) +- dontaudit $1 var_t:dir write; ++ delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## List the contents of generic spool --## (/var/spool) directories. -+## Relable all pid files +-## Allow attempts to write to /var.dirs ++## Get the attributes of files in /usr. ## ## ## -@@ -6387,18 +7646,17 @@ interface(`files_dontaudit_search_spool',` +@@ -5176,36 +5918,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # --interface(`files_list_spool',` -+interface(`files_relabel_all_pid_files',` +-interface(`files_write_var_dirs',` ++interface(`files_getattr_usr_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) -+ relabel_files_pattern($1, pidfile, pidfile) +- allow $1 var_t:dir write; ++ getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write, and delete generic --## spool directories (/var/spool). -+## Execute generic programs in /var/run in the caller domain. +-## Do not audit attempts to search +-## the contents of /var. ++## Read generic files in /usr. ## ++## ++##

++## Allow the specified domain to read generic ++## files in /usr. These files are various program ++## files that do not have more specific SELinux types. ++## Some examples of these files are: ++##

++##
    ++##
  • /usr/include/*
  • ++##
  • /usr/share/doc/*
  • ++##
  • /usr/share/info/*
  • ++##
++##

++## Generally, it is safe for many domains to have ++## this access. ++##

++##
## ## -@@ -6406,18 +7664,18 @@ interface(`files_list_spool',` +-## Domain to not audit. ++## Domain allowed access. ## ## ++## # --interface(`files_manage_generic_spool_dirs',` -+interface(`files_exec_generic_pid_files',` +-interface(`files_dontaudit_search_var',` ++interface(`files_read_usr_files',` gen_require(` -- type var_t, var_spool_t; -+ type var_run_t; +- type var_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) -+ exec_files_pattern($1, var_run_t, var_run_t) +- dontaudit $1 var_t:dir search_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ read_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Read generic spool files. -+## manage all pidfiles -+## in the /var/run directory. +-## List the contents of /var. ++## Execute generic programs in /usr in the caller domain. ## ## ## -@@ -6425,19 +7683,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -5213,36 +5974,37 @@ interface(`files_dontaudit_search_var',` ## ## # --interface(`files_read_generic_spool',` -+interface(`files_manage_all_pids',` +-interface(`files_list_var',` ++interface(`files_exec_usr_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +- type var_t; ++ type usr_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) -+ manage_files_pattern($1,pidfile,pidfile) +- allow $1 var_t:dir list_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ exec_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write, and delete generic --## spool files. -+## Mount filesystems on all polyinstantiation -+## member directories. +-## Create, read, write, and delete directories +-## in the /var directory. 
++## dontaudit write of /usr files ## ## ## -@@ -6445,55 +7702,43 @@ interface(`files_read_generic_spool',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_manage_generic_spool',` -+interface(`files_mounton_all_poly_members',` +-interface(`files_manage_var_dirs',` ++interface(`files_dontaudit_write_usr_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute polymember; +- type var_t; ++ type usr_t; ') -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) -+ allow $1 polymember:dir mounton; +- allow $1 var_t:dir manage_dir_perms; ++ dontaudit $1 usr_t:file write; ') ######################################## ## --## Create objects in the spool directory --## with a private type with a type transition. -+## Delete all process IDs. +-## Read files in the /var directory. ++## Create, read, write, and delete files in the /usr directory. + ## + ## + ## +@@ -5250,17 +6012,17 @@ interface(`files_manage_var_dirs',` + ## + ## + # +-interface(`files_read_var_files',` ++interface(`files_manage_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- read_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Append files in the /var directory. ++## Relabel a file to the type used in /usr. + ## + ## + ## +@@ -5268,17 +6030,17 @@ interface(`files_read_var_files',` + ## + ## + # +-interface(`files_append_var_files',` ++interface(`files_relabelto_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- append_files_pattern($1, var_t, var_t) ++ relabelto_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Read and write files in the /var directory. ++## Relabel a file from the type used in /usr. 
+ ## + ## + ## +@@ -5286,73 +6048,86 @@ interface(`files_append_var_files',` + ## + ## + # +-interface(`files_rw_var_files',` ++interface(`files_relabelfrom_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- rw_files_pattern($1, var_t, var_t) ++ relabelfrom_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and write +-## files in the /var directory. ++## Read symbolic links in /usr. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_var_files',` ++interface(`files_read_usr_symlinks',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Create, read, write, and delete files in the /var directory. ++## Create objects in the /usr directory ## ## ## ## Domain allowed access. ## ## --## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_var_files',` ++interface(`files_usr_filetrans',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- manage_files_pattern($1, var_t, var_t) ++ filetrans_pattern($1, usr_t, $2, $3, $4) + ') + + ######################################## + ## +-## Read symbolic links in the /var directory. ++## Do not audit attempts to search /usr/src. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_var_symlinks',` ++interface(`files_dontaudit_search_src',` + gen_require(` +- type var_t; ++ type src_t; + ') + +- read_lnk_files_pattern($1, var_t, var_t) ++ dontaudit $1 src_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete symbolic +-## links in the /var directory. 
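Review bot: The new side of this hunk (the `++interface(...)` runs from `files_delete_usr_files` through `files_dontaudit_search_src`) looks like alignment churn from regenerating the embedded patch against a different base rather than a policy change: the inner `-` lines it drops here, such as `-interface(`files_dontaudit_write_var_dirs',`, reappear as `++` additions in the following hunk, and the embedded hunk headers shift by hundreds of lines (`+@@ -5213,36 +5974,37 @@`). As presented, a reviewer cannot tell from this hunk whether any `allow`/`dontaudit` rule on `usr_t`, `src_t` or `var_t` actually changed, which is the only thing that matters for the resulting files.if. The commit message should state which interfaces' rules differ in the regenerated files.if hunks (or that only offsets and interface ordering moved), and any real rule change should be kept in its own commit so the permission delta can be reviewed in isolation. This is inferred from the visible lines only; the interfaces on the old side of this hunk (`files_read_all_pids`, `files_manage_all_pids`, `files_delete_all_pids`) are presumably relocated elsewhere in the regenerated patch, which is worth confirming.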
++## Get the attributes of files in /usr/src. + ## + ## + ## +@@ -5360,50 +6135,41 @@ interface(`files_read_var_symlinks',` + ## + ## + # +-interface(`files_manage_var_symlinks',` ++interface(`files_getattr_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- manage_lnk_files_pattern($1, var_t, var_t) ++ getattr_files_pattern($1, src_t, src_t) ++ ++ # /usr/src/linux symlink: ++ read_lnk_files_pattern($1, usr_t, src_t) + ') + + ######################################## + ## +-## Create objects in the /var directory ++## Read files in /usr/src. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## -## --## Type to which the created node will be transitioned. +-## The type of the object to be created -## -## --## +-## -## --## Object class(es) (single or set including {}) for which this --## the transition will occur. +-## The object class. -## -## -## @@ -12171,86 +12532,1867 @@ index 64ff4d7..a47b644 100644 -## The name of the object being created. -##
-## -+## # --interface(`files_spool_filetrans',` -+interface(`files_delete_all_pids',` +-interface(`files_var_filetrans',` ++interface(`files_read_usr_src_files',` gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; -+ type var_t, var_run_t; +- type var_t; ++ type usr_t, src_t; + ') + +- filetrans_pattern($1, var_t, $2, $3, $4) ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Get the attributes of the /var/lib directory. ++## Execute programs in /usr/src in the caller domain. + ## + ## + ## +@@ -5411,69 +6177,56 @@ interface(`files_var_filetrans',` + ## + ## + # +-interface(`files_getattr_var_lib_dirs',` ++interface(`files_exec_usr_src_files',` + gen_require(` +- type var_t, var_lib_t; ++ type usr_t, src_t; + ') + +- getattr_dirs_pattern($1, var_t, var_lib_t) ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) + ') + + ######################################## + ## +-## Search the /var/lib directory. ++## Install a system.map into the /boot directory. + ## +-## +-##

+-## Search the /var/lib directory. This is +-## necessary to access files or directories under +-## /var/lib that have a private type. For example, a +-## domain accessing a private library file in the +-## /var/lib directory: +-##

+-##

+-## allow mydomain_t mylibfile_t:file read_file_perms; +-## files_search_var_lib(mydomain_t) +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_search_var_lib',` ++interface(`files_create_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- search_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## contents of /var/lib. ++## Dontaudit getattr attempts on the system.map file + ## + ## + ## + ## Domain to not audit. + ## + ## +-## + # +-interface(`files_dontaudit_search_var_lib',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` + gen_require(` +- type var_lib_t; ++ type system_map_t; + ') + +- dontaudit $1 var_lib_t:dir search_dir_perms; ++ dontaudit $1 system_map_t:file getattr; + ') + + ######################################## + ## +-## List the contents of the /var/lib directory. ++## Read system.map in the /boot directory. + ## + ## + ## +@@ -5481,17 +6234,18 @@ interface(`files_dontaudit_search_var_lib',` + ## + ## + # +-interface(`files_list_var_lib',` ++interface(`files_read_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- list_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) + ') + +-########################################### ++######################################## + ## +-## Read-write /var/lib directories ++## Delete a system.map in the /boot directory. 
+ ## + ## + ## +@@ -5499,70 +6253,54 @@ interface(`files_list_var_lib',` + ## + ## + # +-interface(`files_rw_var_lib_dirs',` ++interface(`files_delete_kernel_symbol_table',` + gen_require(` +- type var_lib_t; ++ type boot_t, system_map_t; + ') + +- rw_dirs_pattern($1, var_lib_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) + ') + + ######################################## + ## +-## Create objects in the /var/lib directory ++## Search the contents of /var. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_var_lib_filetrans',` ++interface(`files_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; ') -+ files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +- filetrans_pattern($1, var_lib_t, $2, $3, $4) ') ######################################## ## --## Allow access to manage all polyinstantiated --## directories on the system. -+## Delete all process ID directories. +-## Read generic files in /var/lib. ++## Do not audit attempts to write to /var. ## ## ## -@@ -6501,53 +7746,68 @@ interface(`files_spool_filetrans',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # --interface(`files_polyinstantiate_all',` -+interface(`files_delete_all_pid_dirs',` +-interface(`files_read_var_lib_files',` ++interface(`files_dontaudit_write_var_dirs',` gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; -+ attribute pidfile; -+ type var_t, var_run_t; +- type var_t, var_lib_t; ++ type var_t; ') -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) +- allow $1 var_lib_t:dir list_dir_perms; +- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ dontaudit $1 var_t:dir write; + ') + + ######################################## + ## +-## Read generic symbolic links in /var/lib ++## Allow attempts to write to /var.dirs + ## + ## + ## +@@ -5570,41 +6308,36 @@ interface(`files_read_var_lib_files',` + ## + ## + # +-interface(`files_read_var_lib_symlinks',` ++interface(`files_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_t:dir 
write; + ') + +-# cjp: the next two interfaces really need to be fixed +-# in some way. They really neeed their own types. - -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) + ######################################## + ## +-## Create, read, write, and delete the +-## pseudorandom number generator seed. ++## Do not audit attempts to search ++## the contents of /var. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_urandom_seed',` ++interface(`files_dontaudit_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ dontaudit $1 var_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Allow domain to manage mount tables +-## necessary for rpcd, nfsd, etc. ++## List the contents of /var. + ## + ## + ## +@@ -5612,36 +6345,36 @@ interface(`files_manage_urandom_seed',` + ## + ## + # +-interface(`files_manage_mounttab',` ++interface(`files_list_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ allow $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Set the attributes of the generic lock directories. ++## Do not audit listing of the var directory (/var). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_setattr_lock_dirs',` ++interface(`files_dontaudit_list_var',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ dontaudit $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Search the locks directory (/var/lock). ++## Create, read, write, and delete directories ++## in the /var directory. 
+ ## + ## + ## +@@ -5649,38 +6382,35 @@ interface(`files_setattr_lock_dirs',` + ## + ## + # +-interface(`files_search_locks',` ++interface(`files_manage_var_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_t:dir manage_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## locks directory (/var/lock). ++## Read files in the /var directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_locks',` ++interface(`files_read_var_files',` + gen_require(` +- type var_lock_t; ++ type var_t; + ') + +- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_lock_t:dir search_dir_perms; ++ read_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## List generic lock directories. ++## Append files in the /var directory. + ## + ## + ## +@@ -5688,19 +6418,17 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` ++interface(`files_append_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ append_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Add and remove entries in the /var/lock +-## directories. ++## Read and write files in the /var directory. 
+ ## + ## + ## +@@ -5708,60 +6436,54 @@ interface(`files_list_locks',` + ## + ## + # +-interface(`files_rw_lock_dirs',` ++interface(`files_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- rw_dirs_pattern($1, var_t, var_lock_t) ++ rw_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create lock directories ++## Do not audit attempts to read and write ++## files in the /var directory. + ## + ## +-## +-## Domain allowed access ++## ++## Domain to not audit. + ## + ## + # +-interface(`files_create_lock_dirs',` ++interface(`files_dontaudit_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- create_dirs_pattern($1, var_lock_t, var_lock_t) ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all lock directory types. ++## Create, read, write, and delete files in the /var directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_lock_dirs',` ++interface(`files_manage_var_files',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- relabel_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Read symbolic links in the /var directory. 
+ ## + ## + ## +@@ -5769,20 +6491,18 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_read_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) ++ read_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Delete generic lock files. ++## Create, read, write, and delete symbolic ++## links in the /var directory. + ## + ## + ## +@@ -5790,185 +6510,207 @@ interface(`files_getattr_generic_locks',` + ## + ## + # +-interface(`files_delete_generic_locks',` ++interface(`files_manage_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ manage_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## lock files. ++## Create objects in the /var directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_generic_locks',` ++interface(`files_var_filetrans',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) ++ filetrans_pattern($1, var_t, $2, $3, $4) + ') + + ######################################## + ## +-## Delete all lock files. ++## Get the attributes of the /var/lib directory. 
+ ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_locks',` ++interface(`files_getattr_var_lib_dirs',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, lockfile, lockfile) ++ getattr_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## Read all lock files. ++## Search the /var/lib directory. + ## ++## ++##

++## Search the /var/lib directory. This is ++## necessary to access files or directories under ++## /var/lib that have a private type. For example, a ++## domain accessing a private library file in the ++## /var/lib directory: ++##

++##

++## allow mydomain_t mylibfile_t:file read_file_perms; ++## files_search_var_lib(mydomain_t) ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_read_all_locks',` ++interface(`files_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) ++ search_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## manage all lock files. ++## Do not audit attempts to search the ++## contents of /var/lib. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## ++## + # +-interface(`files_manage_all_locks',` ++interface(`files_dontaudit_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) ++ dontaudit $1 var_lib_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create an object in the locks directory, with a private +-## type using a type transition. ++## List the contents of the /var/lib directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## + # +-interface(`files_lock_filetrans',` ++interface(`files_list_var_lib',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_lock_t, $2, $3, $4) ++ list_dirs_pattern($1, var_t, var_lib_t) + ') + +-######################################## ++########################################### + ## +-## Do not audit attempts to get the attributes +-## of the /var/run directory. ++## Read-write /var/lib directories + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_pid_dirs',` ++interface(`files_rw_var_lib_dirs',` + gen_require(` +- type var_run_t; ++ type var_lib_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; ++ rw_dirs_pattern($1, var_lib_t, var_lib_t) ++') ++ ++####################################### ++## ++## Create directories in /var/lib ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir { create rw_dir_perms }; + ') + + ######################################## + ## +-## Set the attributes of the /var/run directory. ++## Create objects in the /var/lib directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. 
++## ++## + # +-interface(`files_setattr_pid_dirs',` ++interface(`files_var_lib_filetrans',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_lib_t, $2, $3, $4) + ') + + ######################################## + ## +-## Search the contents of runtime process +-## ID directories (/var/run). ++## Read generic files in /var/lib. + ## + ## + ## +@@ -5976,39 +6718,37 @@ interface(`files_setattr_pid_dirs',` + ## + ## + # +-interface(`files_search_pids',` ++interface(`files_read_var_lib_files',` + gen_require(` +- type var_t, var_run_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_run_t) ++ allow $1 var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + + ######################################## + ## +-## Do not audit attempts to search +-## the /var/run directory. ++## Read generic symbolic links in /var/lib + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_pids',` ++interface(`files_read_var_lib_symlinks',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; ++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + + ######################################## + ## +-## List the contents of the runtime process +-## ID directories (/var/run). ++## manage generic symbolic links ++## in the /var/lib directory. 
+ ## + ## + ## +@@ -6016,18 +6756,21 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_manage_var_lib_symlinks',` + gen_require(` +- type var_t, var_run_t; ++ type var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) + ') + ++# cjp: the next two interfaces really need to be fixed ++# in some way. They really neeed their own types. ++ + ######################################## + ## +-## Read generic process ID files. ++## Create, read, write, and delete the ++## pseudorandom number generator seed. + ## + ## + ## +@@ -6035,19 +6778,19 @@ interface(`files_list_pids',` + ## + ## + # +-interface(`files_read_generic_pids',` ++interface(`files_manage_urandom_seed',` + gen_require(` +- type var_t, var_run_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) + ') + + ######################################## + ## +-## Write named generic process ID pipes ++## Allow domain to manage mount tables ++## necessary for rpcd, nfsd, etc. + ## + ## + ## +@@ -6055,58 +6798,1223 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` ++interface(`files_manage_mounttab',` ++ gen_require(` ++ type var_t, var_lib_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) ++') ++ ++######################################## ++## ++## List generic lock directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_list_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Search the locks directory (/var/lock). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ search_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the ++## locks directory (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_lock_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_lock_dirs',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ allow $1 var_lock_t:dir setattr; ++') ++ ++######################################## ++## ++## Add and remove entries in the /var/lock ++## directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_rw_lock_dirs',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ rw_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Create lock directories ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_create_lock_dirs',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ create_dirs_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Relabel to and from all lock directory types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_lock_dirs',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_dirs_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Relabel to and from all lock file types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_lock_files',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Get the attributes of generic lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 var_lock_t:dir list_dir_perms; ++ getattr_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Delete generic lock files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_delete_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Delete all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_delete_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ delete_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Read all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 lockfile:dir list_dir_perms; ++ read_files_pattern($1, lockfile, lockfile) ++ read_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## manage all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, lockfile, lockfile) ++ manage_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Create an object in the locks directory, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_lock_filetrans',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ filetrans_pattern($1, var_lock_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of the /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir getattr; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_run_t:dir setattr; ++') ++ ++######################################## ++## ++## Search the contents of runtime process ++## ID directories (/var/run). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:lnk_file read_lnk_file_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ search_dirs_pattern($1, var_t, var_run_t) ++') ++ ++###################################### ++## ++## Add and remove entries from pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir rw_dir_perms; ++') ++ ++####################################### ++## ++## Create generic pid directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to search ++## the /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_pids',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to search ++## the all /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of the runtime process ++## ID directories (/var/run). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Write named generic process ID pipes ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_write_generic_pid_pipes',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_run_t:fifo_file write; ++') ++ ++######################################## ++## ++## Create an object in the process ID directory, with a private type. ++## ++## ++##

++## Create an object in the process ID directory (e.g., /var/run) ++## with a private type. Typically this is used for creating ++## private PID files in /var/run with the private type instead ++## of the general PID file type. To accomplish this goal, ++## either the program must be SELinux-aware, or use this interface. ++##

++##

++## Related interfaces: ++##

++##
    ++##
  • files_pid_file()
  • ++##
++##

++## Example usage with a domain that can create and ++## write its PID file with a private PID file type in the ++## /var/run directory: ++##

++##

++## type mypidfile_t; ++## files_pid_file(mypidfile_t) ++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ++## files_pid_filetrans(mydomain_t, mypidfile_t, file) ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++## ++# ++interface(`files_pid_filetrans',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_run_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Create a generic lock directory within the run directories ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_pid_filetrans_lock_dir',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ files_pid_filetrans($1, var_lock_t, dir, $2) ++') ++ ++######################################## ++## ++## rw generic pid files inherited from another process ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read and write generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++ rw_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes of ++## daemon runtime data files. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`files_dontaudit_getattr_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to write to daemon runtime data files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_write_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file write; ++') ++ ++######################################## ++## ++## Do not audit attempts to ioctl daemon runtime data files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_ioctl_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file ioctl; ++') ++ ++######################################## ++## ++## Relable all pid directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ relabel_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Delete all pid sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid named pipes ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_create_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ++') ++ ++######################################## ++## ++## Delete all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++') ++ ++######################################## ++## ++## manage all pidfile directories ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ manage_dirs_pattern($1,pidfile,pidfile) ++') ++ ++ ++######################################## ++## ++## Read all process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Relable all pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_pid_files',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ relabel_files_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Execute generic programs in /var/run in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_exec_generic_pid_files',` + gen_require(` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; ++ exec_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## manage all pidfiles ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_manage_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ manage_files_pattern($1,pidfile,pidfile) ++') ++ ++######################################## ++## ++## Mount filesystems on all polyinstantiation ++## member directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_all_poly_members',` ++ gen_require(` ++ attribute polymember; ++ ') ++ ++ allow $1 polymember:dir mounton; ++') ++ ++######################################## ++## ++## Delete all process IDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_delete_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) ++ +######################################## +## +## Make the specified type a file 
@@ -12293,31 +14435,27 @@ index 64ff4d7..a47b644 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; - ') ++ ') + + files_type($1) + typeattribute $1 spoolfile; - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Create all spool sockets - ## - ## - ## -@@ -6555,10 +7815,785 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + attribute spoolfile; - ') - -- typeattribute $1 files_unconfined_type; ++ ') ++ + allow $1 spoolfile:sock_file create_sock_file_perms; +') + @@ -12377,10 +14515,11 @@ index 64ff4d7..a47b644 100644 + ') + + search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Do not audit attempts to search generic +## spool directories. +## @@ -12402,12 +14541,39 @@ index 64ff4d7..a47b644 100644 +## +## List the contents of generic spool +## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## +-## +-##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-##
    +-##
  • files_pid_file()
  • +-##
+-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

+-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`files_list_spool',` + gen_require(` @@ -12423,10 +14589,12 @@ index 64ff4d7..a47b644 100644 +## spool directories (/var/spool). +##
+## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`files_manage_generic_spool_dirs',` + gen_require(` @@ -12442,7 +14610,8 @@ index 64ff4d7..a47b644 100644 +## Read generic spool files. +##
+## -+## + ## +-## The object class of the object being created. +## Domain allowed access. +## +## @@ -12495,14 +14664,19 @@ index 64ff4d7..a47b644 100644 +## +## Object class(es) (single or set including {}) for which this +## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# + ## + ## + ## +@@ -6114,44 +8022,165 @@ interface(`files_write_generic_pid_pipes',` + ## The name of the object being created. + ##
+ ## +-## + # +-interface(`files_pid_filetrans',` +- gen_require(` +- type var_t, var_run_t; +- ') +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; 
@@ -12629,296 +14803,401 @@ index 64ff4d7..a47b644 100644 + gen_require(` + type default_t; + ') -+ + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_run_t, $2, $3, $4) + allow $1 default_t:dir create; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create a generic lock directory within the run directories +## Create, default_t objects with an automatic +## type transition. -+## -+## + ## + ## +-## +-## Domain allowed access +## +## Domain allowed access. -+## -+## + ## + ## +-## +## -+## + ## +-## The name of the object being created. +## The class of the object being created. -+## -+## -+# + ## + ## + # +-interface(`files_pid_filetrans_lock_dir',` +- gen_require(` +- type var_lock_t; +- ') +interface(`files_root_filetrans_default',` + gen_require(` + type root_t, default_t; + ') -+ + +- files_pid_filetrans($1, var_lock_t, dir, $2) + filetrans_pattern($1, root_t, default_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write generic process ID files. +## manage generic symbolic links +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6159,20 +8188,18 @@ interface(`files_pid_filetrans_lock_dir',` + ## + ## + # +-interface(`files_rw_generic_pids',` +interface(`files_manage_generic_pids_symlinks',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) + manage_lnk_files_pattern($1,var_run_t,var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. 
+## Do not audit attempts to getattr +## all tmpfs files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -6180,19 +8207,17 @@ interface(`files_rw_generic_pids',` + ## + ## + # +-interface(`files_dontaudit_getattr_all_pids',` +interface(`files_dontaudit_getattr_tmpfs_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_run_t; + attribute tmpfsfile; -+ ') -+ + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file getattr; + allow $1 tmpfsfile:file getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to write to daemon runtime data files. +## Allow read write all tmpfs files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -6200,18 +8225,17 @@ interface(`files_dontaudit_getattr_all_pids',` + ## + ## + # +-interface(`files_dontaudit_write_all_pids',` +interface(`files_rw_tmpfs_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute tmpfsfile; -+ ') -+ + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file write; + allow $1 tmpfsfile:file { read write }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to ioctl daemon runtime data files. +## Do not audit attempts to read security files -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# + ## + ## + ## +@@ -6219,41 +8243,43 @@ interface(`files_dontaudit_write_all_pids',` + ## + ## + # +-interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_dontaudit_read_security_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_run_t; + attribute security_file_type; -+ ') -+ -+ dontaudit $1 security_file_type:file read_file_perms; -+') -+ -+######################################## -+## + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file ioctl; ++ dontaudit $1 security_file_type:file read_file_perms; + ') + + ######################################## + ## +-## Read all process ID files. +## rw any files inherited from another process -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## +## +## Object type. +## +## -+# + # +-interface(`files_read_all_pids',` +interface(`files_rw_all_inherited_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute file_type; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process IDs. +## Allow any file point to be the entrypoint of this domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# + ## + ## + ## +@@ -6262,67 +8288,55 @@ interface(`files_read_all_pids',` + ## + ## + # +-interface(`files_delete_all_pids',` +interface(`files_entrypoint_all_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 file_type:file entrypoint; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process ID directories. +## Do not audit attempts to rw inherited file perms +## of non security files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_delete_all_pid_dirs',` +interface(`files_dontaudit_all_non_security_leaks',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute non_security_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Do not audit attempts to read or write +## all leaked files. -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_dontaudit_leaks',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute file_type; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Allow domain to create_file_ass all types -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6330,37 +8344,37 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_create_as_is_all_files',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute file_type; + class kernel_service create_files_as; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 file_type:kernel_service create_files_as; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## Do not audit attempts to check the +## access on all files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_search_spool',` +interface(`files_dontaudit_all_access_check',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute file_type; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set audit_access; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. 
+## Do not audit attempts to write to all files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -6368,132 +8382,207 @@ interface(`files_search_spool',` + ## + ## + # +-interface(`files_dontaudit_search_spool',` +interface(`files_dontaudit_write_all_files',` -+ gen_require(` + gen_require(` +- type var_spool_t; + attribute file_type; -+ ') -+ + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; + dontaudit $1 file_type:dir_file_class_set write; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. +## Allow domain to delete to all files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_list_spool',` +interface(`files_delete_all_non_security_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute non_security_file_type; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Allow domain to delete to all dirs -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_delete_all_non_security_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute non_security_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Transition named content in the var_run_t directory -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type etc_t; + type mnt_t; + type usr_t; @@ -12927,8 +15206,10 @@ index 64ff4d7..a47b644 100644 + type var_run_t; + type var_lock_t; + type tmp_t; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -12966,13 +15247,16 @@ index 64ff4d7..a47b644 100644 + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Make the specified type a +## base file. -+## + ## +-## +## +##
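Review bot: `files_dontaudit_getattr_tmpfs_files` grants rather than suppresses: its body is `allow $1 tmpfsfile:file getattr;` while the name and the summary ("Do not audit attempts to getattr all tmpfs files") promise a dontaudit, so a caller who adds it to quiet AVC noise silently gains getattr on every tmpfsfile type. The line should read `dontaudit $1 tmpfsfile:file getattr;`, or the interface should be renamed to something like `files_getattr_all_tmpfs_files` if the grant is intended. As far as the collapsed layout can be read these lines are outer-diff context carried over from the inner patch's new side, so the rebase propagates the mismatch rather than introducing it. In the same hunk the summaries of `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs` describe their parameter as `Domain to not audit.` although both bodies are allow rules; `Domain allowed access.` matches what they do. The interface open at the hunk's start (the gen_require on default_t) and `files_filetrans_named_content` at its end continue outside the hunk.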

+## Identify file type as base file type. Tools will use this attribute, @@ -12980,35 +15264,51 @@ index 64ff4d7..a47b644 100644 +##

+##
+## -+## + ## +-## Domain allowed access. +## Type to be used as a base files. -+## -+## + ## + ## +## -+# + # +-interface(`files_manage_generic_spool',` +interface(`files_base_file',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + files_type($1) + typeattribute $1 base_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Make the specified type a +## base read only file. -+## + ## +-## +-## +-## Domain allowed access. +-## +-## +-## +## +##

+## Make the specified type readable for all domains. +##

+##
+## -+## + ## +-## Type to which the created node will be transitioned. +## Type to be used as a base read only files. -+## -+## + ## + ## +-## +## +# +interface(`files_ro_base_file',` @@ -13024,10 +15324,13 @@ index 64ff4d7..a47b644 100644 +## Read all ro base files. +##
+## -+## + ## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +## Domain allowed access. -+## -+## + ## + ## +-## +## +# +interface(`files_read_all_base_ro_files',` @@ -13045,54 +15348,104 @@ index 64ff4d7..a47b644 100644 +## Execute all base ro files. +##
+## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`files_spool_filetrans',` +interface(`files_exec_all_base_ro_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + can_exec($1, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Allow the specified domain to modify the systemd configuration of +## any file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6501,53 +8590,17 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` +interface(`files_config_all_files',` -+ gen_require(` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute file_type; -+ ') -+ + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom 
relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') + allow $1 file_type:service all_service_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Get the status of etc_t files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6555,10 +8608,10 @@ interface(`files_polyinstantiate_all',` + ## + ## + # +-interface(`files_unconfined',` +interface(`files_status_etc',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + type etc_t; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 57f52be..9e1d01a 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -89010,15 +89010,16 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..77ae4f3 +index 0000000..660fcd2 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +HOME_DIR/\.snapshots -d gen_context(system_u:object_r:snapperd_home_t,s0) + +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) + +/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) ++/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + +/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/snapper.if b/snapper.if @@ -89071,10 +89072,10 @@ index 0000000..94105ee +') 
diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..5fad225 +index 0000000..3591c8e --- /dev/null +++ b/snapper.te -@@ -0,0 +1,73 @@ +@@ -0,0 +1,81 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -89126,6 +89127,10 @@ index 0000000..5fad225 +corecmd_exec_shell(snapperd_t) +corecmd_exec_bin(snapperd_t) + ++files_write_all_dirs(snapperd_t) ++files_setattr_all_mountpoints(snapperd_t) ++files_relabelto_all_mountpoints(snapperd_t) ++files_relabelfrom_isid_type(snapperd_t) +files_read_all_files(snapperd_t) +files_list_all(snapperd_t) + @@ -89148,6 +89153,10 @@ index 0000000..5fad225 +optional_policy(` + lvm_domtrans(snapperd_t) +') ++ ++optional_policy(` ++ unconfined_domain(snapperd_t) ++') diff --git a/snmp.fc b/snmp.fc index c73fa24..50d80f4 100644 --- a/snmp.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 91ea267..9c1e89f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 127%{?dist} +Release: 128%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 26 2014 Miroslav Grepl 3.12.1-128 +- Make snapperd as unconfined domain and add additional fixes for it +- Remove nsplugin.pp module on upgrade + * Tue Feb 25 2014 Miroslav Grepl 3.12.1-127 - Add snapperd_home_t for HOME_DIR/.snapshots directory - Make sosreport as unconfined domain
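Review bot: The four `files_*` grants added here for snapperd_t and the `unconfined_domain(snapperd_t)` added in `@@ -89148,6 +89153,10 @@` pull in opposite directions and neither carries a comment. With the unconfined module loaded the optional_policy block makes snapperd_t effectively unrestricted and these rules are redundant; without it the domain still holds `files_write_all_dirs`, `files_setattr_all_mountpoints`, `files_relabelto_all_mountpoints` and `files_relabelfrom_isid_type`, which by their names amount to writing into every directory and changing the label of any mount point, and that is the set a reviewer of a system without unconfined.pp has to reason about. I would add a comment above the grants recording why snapperd needs mount-point relabeling and directory writes everywhere — the reason is not visible in this hunk, so something like `# <reason snapperd writes/relabels arbitrary mount points>; effective only when unconfined.pp is absent` — and, if the unconfined route is the intended default, a matching `# snapperd runs unconfined when the unconfined module is available` on the optional_policy block so the two paths are documented together.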