diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 6debbcb..4497b28 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -668,7 +668,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..943c42e 100644 +index 28802c5..ee01d6e 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -679,7 +679,7 @@ index 28802c5..943c42e 100644 } -@@ -393,6 +394,10 @@ class system +@@ -393,6 +394,13 @@ class system syslog_mod syslog_console module_request @@ -687,10 +687,13 @@ index 28802c5..943c42e 100644 + reboot + status + undefined ++ enable ++ disable ++ reload } # -@@ -443,10 +448,12 @@ class capability +@@ -443,10 +451,12 @@ class capability class capability2 { mac_override # unused by SELinux @@ -704,7 +707,7 @@ index 28802c5..943c42e 100644 } # -@@ -827,6 +834,9 @@ class kernel_service +@@ -827,6 +837,9 @@ class kernel_service class tun_socket inherits socket @@ -714,7 +717,7 @@ index 28802c5..943c42e 100644 class x_pointer inherits x_device -@@ -862,3 +872,20 @@ inherits database +@@ -862,3 +875,20 @@ inherits database implement execute } @@ -2376,7 +2379,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..9365051 100644 +index d555767..68f6887 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) 
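Review bot: The three permissions `enable`, `disable` and `reload` appended to class `system` after `undefined` carry no comment saying which component enforces them; a permission listed in access_vectors only takes effect when some object manager actually asks the security server about it, so the `init_t:system enable` style grants added elsewhere in this patch do nothing on a system whose init daemon does not perform that check. A one-line comment above the group, such as `# service-management operations, checked by the init daemon's own object manager (placeholder: confirm which component)`, would record that dependency for the next reader. Appending the new names at the end of the class rather than inserting them mid-list is the safe placement, since existing permission bit assignments are preserved. The remaining hunks on this line only renumber inner hunk headers and index lines.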
@@ -2724,7 +2727,7 @@ index d555767..9365051 100644 # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource }; ++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -5171,7 +5174,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..8fd1cbb 100644 +index 4edc40d..6f8cc7f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5257,7 +5260,7 @@ index 4edc40d..8fd1cbb 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,6 +118,7 @@ network_port(boinc, tcp,31416,s0) +@@ -96,18 +118,18 @@ network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) 
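Review bot: `sys_chroot` joins useradd_t's capability set on the new `allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };` line without a comment naming the useradd operation that needs it; a chroot capability on an account-management tool is the kind of grant that gets carried forward unexamined, so record the trigger, e.g. `# useradd -R/--root works inside a chroot` if that is the case, or the AVC message it resolves. The `dontaudit useradd_t self:capability sys_tty_config;` line below is unchanged context. The other hunks on this line only renumber corenetwork.te.in hunk headers.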
@@ -5265,7 +5268,12 @@ index 4edc40d..8fd1cbb 100644 network_port(chronyd, udp,323,s0) network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) -@@ -107,7 +130,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) + network_port(cma, tcp,1050,s0, udp,1050,s0) + network_port(cobbler, tcp,25151,s0) +-network_port(commplex_link, tcp,5001,s0, udp,5001,s0) ++network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0) + network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) @@ -5273,7 +5281,7 @@ index 4edc40d..8fd1cbb 100644 network_port(ctdb, tcp,4379,s0, udp,4397,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -119,19 +141,25 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,19 +141,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5288,6 +5296,7 @@ index 4edc40d..8fd1cbb 100644 network_port(epmd, tcp,4369,s0, udp,4369,s0) network_port(fingerd, tcp,79,s0) -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) ++network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) 
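Review bot: `network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)` is inserted ahead of `network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)`, breaking the alphabetical order the surrounding list keeps (flash, ftp, ftp_data); it belongs after the flash line. In the first hunk, tcp 4331 is folded into the existing `commplex_link` type rather than given its own type, so every domain already allowed to reach commplex_link (tcp/udp 5001) silently gains 4331 as well; if the two are unrelated services, a separate port type keeps them separable in policy. The middle hunk on this line only renumbers.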
@@ -5301,7 +5310,7 @@ index 4edc40d..8fd1cbb 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +167,51 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +168,51 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5367,7 +5376,7 @@ index 4edc40d..8fd1cbb 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,24 +219,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,24 +220,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5403,7 +5412,7 @@ index 4edc40d..8fd1cbb 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +256,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
@@ -5429,8 +5438,10 @@ index 4edc40d..8fd1cbb 100644 network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) -network_port(rtsp, tcp,554,s0, udp,554,s0) ++network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0) +network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0) network_port(rwho, udp,513,s0) ++network_port(salt, tcp,4505,s0, tcp,4506,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) @@ -5454,7 +5465,7 @@ index 4edc40d..8fd1cbb 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +304,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +307,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5465,7 +5476,7 @@ index 4edc40d..8fd1cbb 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +316,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +319,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5478,7 +5489,7 @@ index 4edc40d..8fd1cbb 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +340,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +343,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. 
@@ -5497,7 +5508,7 @@ index 4edc40d..8fd1cbb 100644 ######################################## # -@@ -330,6 +382,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +385,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5506,7 +5517,7 @@ index 4edc40d..8fd1cbb 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +396,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +399,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -8408,7 +8419,7 @@ index 6a1e4d1..c691385 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..d02fa9e 100644 +index cf04cb5..e8e2506 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8536,7 +8547,7 @@ index cf04cb5..d02fa9e 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,292 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8569,6 +8580,9 @@ index cf04cb5..d02fa9e 100644 +term_filetrans_all_named_dev(unconfined_domain_type) + +optional_policy(` ++ init_disable_services(unconfined_domain_type) ++ init_enable_services(unconfined_domain_type) ++ init_reload_services(unconfined_domain_type) + init_status(unconfined_domain_type) + init_reboot(unconfined_domain_type) + init_halt(unconfined_domain_type) 
@@ -16685,7 +16699,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..1a2de40 100644 +index 5da7870..28cfc6a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) @@ -16757,7 +16771,7 @@ index 5da7870..1a2de40 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +79,102 @@ optional_policy(` +@@ -23,11 +79,106 @@ optional_policy(` ') optional_policy(` @@ -16858,10 +16872,14 @@ index 5da7870..1a2de40 100644 + polipo_role(staff_r, staff_t) + polipo_named_filetrans_cache_home_dirs(staff_t) + polipo_named_filetrans_config_home_files(staff_t) ++') ++ ++optional_policy(` ++ openvpn_exec(staff_t) ') optional_policy(` -@@ -35,15 +182,31 @@ optional_policy(` +@@ -35,15 +186,31 @@ optional_policy(` ') optional_policy(` @@ -16895,7 +16913,7 @@ index 5da7870..1a2de40 100644 ') optional_policy(` -@@ -52,10 +215,55 @@ optional_policy(` +@@ -52,10 +219,55 @@ optional_policy(` ') optional_policy(` @@ -16951,7 +16969,7 @@ index 5da7870..1a2de40 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +273,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +277,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16962,7 +16980,7 @@ index 5da7870..1a2de40 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +282,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +286,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -16973,7 +16991,7 @@ index 5da7870..1a2de40 100644 ') optional_policy(` -@@ -101,10 +301,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +305,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16984,7 +17002,7 @@ index 5da7870..1a2de40 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +321,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +325,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
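Review bot: The new optional_policy block calling `openvpn_exec(staff_t)` lets staff_t run the openvpn binary in the staff_t domain itself (an `_exec` interface, as opposed to the `_domtrans`/`_run` interfaces used throughout this file, judging by the naming convention), so the process keeps the staff user's permissions rather than moving into openvpn's confined domain; a comment stating why no transition is wanted would stop this from being widened later, e.g. `# staff may run openvpn without a domain transition: <reason placeholder>`. The enclosing staff.te section continues outside the hunk; the other hunks on this line are header renumbering only.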
@@ -16995,7 +17013,7 @@ index 5da7870..1a2de40 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +333,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +337,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17006,7 +17024,7 @@ index 5da7870..1a2de40 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +364,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +368,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -17058,10 +17076,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..e7c0869 100644 +index 88d0028..0459d20 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,82 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -17117,6 +17135,9 @@ index 88d0028..e7c0869 100644 +application_exec(sysadm_t) + +init_filetrans_named_content(sysadm_t) ++init_disable_services(sysadm_t) ++init_enable_services(sysadm_t) ++init_reload_services(sysadm_t) init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) @@ -17155,7 +17176,7 @@ index 88d0028..e7c0869 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +98,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -17170,7 +17191,7 @@ index 88d0028..e7c0869 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +108,9 @@ optional_policy(` +@@ -71,9 +111,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -17181,7 +17202,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -87,6 +124,7 @@ optional_policy(` +@@ -87,6 +127,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -17189,7 +17210,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -110,11 +148,17 @@ optional_policy(` +@@ -110,11 +151,17 @@ optional_policy(` ') optional_policy(` 
@@ -17207,7 +17228,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -122,11 +166,19 @@ optional_policy(` +@@ -122,11 +169,19 @@ optional_policy(` ') optional_policy(` @@ -17229,7 +17250,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -140,6 +192,10 @@ optional_policy(` +@@ -140,6 +195,10 @@ optional_policy(` ') optional_policy(` @@ -17240,7 +17261,7 @@ index 88d0028..e7c0869 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +212,11 @@ optional_policy(` +@@ -156,11 +215,11 @@ optional_policy(` ') optional_policy(` @@ -17254,7 +17275,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -179,6 +235,13 @@ optional_policy(` +@@ -179,6 +238,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -17268,7 +17289,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -186,15 +249,20 @@ optional_policy(` +@@ -186,15 +252,20 @@ optional_policy(` ') optional_policy(` @@ -17292,7 +17313,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -214,22 +282,20 @@ optional_policy(` +@@ -214,22 +285,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -17321,7 +17342,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -241,14 +307,27 @@ optional_policy(` +@@ -241,14 +310,27 @@ optional_policy(` ') optional_policy(` @@ -17349,7 +17370,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -256,10 +335,20 @@ optional_policy(` +@@ -256,10 +338,20 @@ optional_policy(` ') optional_policy(` @@ -17370,7 +17391,7 @@ index 88d0028..e7c0869 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +359,36 @@ optional_policy(` +@@ -270,31 +362,36 @@ optional_policy(` ') optional_policy(` 
@@ -17414,7 +17435,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -319,12 +413,18 @@ optional_policy(` +@@ -319,12 +416,18 @@ optional_policy(` ') optional_policy(` @@ -17434,7 +17455,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -349,7 +449,18 @@ optional_policy(` +@@ -349,7 +452,18 @@ optional_policy(` ') optional_policy(` @@ -17454,7 +17475,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -360,19 +471,15 @@ optional_policy(` +@@ -360,19 +474,15 @@ optional_policy(` ') optional_policy(` @@ -17476,7 +17497,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -384,10 +491,6 @@ optional_policy(` +@@ -384,10 +494,6 @@ optional_policy(` ') optional_policy(` @@ -17487,7 +17508,7 @@ index 88d0028..e7c0869 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +498,9 @@ optional_policy(` +@@ -395,6 +501,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17497,7 +17518,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -402,31 +508,34 @@ optional_policy(` +@@ -402,31 +511,34 @@ optional_policy(` ') optional_policy(` @@ -17538,7 +17559,7 @@ index 88d0028..e7c0869 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +548,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +551,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17549,7 +17570,7 @@ index 88d0028..e7c0869 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +568,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +571,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22453,7 +22474,7 @@ index 6bf0ecc..266289c 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..fcf58c6 100644 +index 2696452..7e081fb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
@@ -26,28 +26,59 @@ gen_require(` @@ -22798,7 +22819,7 @@ index 2696452..fcf58c6 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,106 @@ optional_policy(` +@@ -299,64 +408,107 @@ optional_policy(` # XDM Local policy # @@ -22890,6 +22911,7 @@ index 2696452..fcf58c6 100644 manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) ++manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) @@ -22915,7 +22937,7 @@ index 2696452..fcf58c6 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -22945,7 +22967,7 @@ index 2696452..fcf58c6 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -22998,7 +23020,7 @@ index 2696452..fcf58c6 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +598,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +599,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
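Review bot: `manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)` gives xdm_t symlink management in its pid directory, but the file transition being replaced here (`files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })`) did not cover `lnk_file`, and its replacement on the new side falls outside this hunk; please confirm the new filetrans lists `lnk_file` too, otherwise symlinks xdm_t creates under /var/run are labelled with the parent directory's type and this new rule never applies to them. The `manage_sock_files_pattern` line added just below has the same dependency on `sock_file` being in that class set.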
@@ -23027,7 +23049,7 @@ index 2696452..fcf58c6 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23074,7 +23096,7 @@ index 2696452..fcf58c6 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +673,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23225,7 +23247,7 @@ index 2696452..fcf58c6 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +824,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23252,7 +23274,7 @@ index 2696452..fcf58c6 100644 ') optional_policy(` -@@ -514,12 +851,72 @@ optional_policy(` +@@ -514,12 +852,72 @@ optional_policy(` ') optional_policy(` @@ -23325,7 +23347,7 @@ index 2696452..fcf58c6 100644 hostname_exec(xdm_t) ') -@@ -537,28 +934,78 @@ optional_policy(` +@@ -537,28 +935,78 @@ optional_policy(` ') optional_policy(` @@ -23413,7 +23435,7 @@ index 2696452..fcf58c6 100644 ') optional_policy(` -@@ -570,6 +1017,14 @@ optional_policy(` +@@ -570,6 +1018,14 @@ optional_policy(` ') optional_policy(` @@ -23428,7 +23450,7 @@ index 2696452..fcf58c6 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23441,7 +23463,7 @@ index 2696452..fcf58c6 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23457,7 +23479,7 @@ index 2696452..fcf58c6 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23468,7 +23490,7 @@ index 2696452..fcf58c6 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23490,7 +23512,7 @@ index 2696452..fcf58c6 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23504,7 +23526,7 @@ index 2696452..fcf58c6 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23536,7 +23558,7 @@ index 2696452..fcf58c6 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23554,7 +23576,7 @@ index 2696452..fcf58c6 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1198,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1199,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23578,7 +23600,7 @@ index 2696452..fcf58c6 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23587,7 +23609,7 @@ index 2696452..fcf58c6 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1261,44 @@ optional_policy(` +@@ -775,16 +1262,44 @@ optional_policy(` ') optional_policy(` 
@@ -23633,7 +23655,7 @@ index 2696452..fcf58c6 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1307,10 @@ optional_policy(` +@@ -793,6 +1308,10 @@ optional_policy(` ') optional_policy(` @@ -23644,7 +23666,7 @@ index 2696452..fcf58c6 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23658,7 +23680,7 @@ index 2696452..fcf58c6 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23667,7 +23689,7 @@ index 2696452..fcf58c6 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1350,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1351,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23702,7 +23724,7 @@ index 2696452..fcf58c6 100644 ') optional_policy(` -@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23711,7 +23733,7 @@ index 2696452..fcf58c6 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23743,7 +23765,7 @@ index 2696452..fcf58c6 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -25995,7 +26017,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..d0780a9 100644 +index 24e7804..c4155c7 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -26880,7 +26902,7 @@ index 24e7804..d0780a9 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -27131,6 +27153,60 @@ index 24e7804..d0780a9 100644 + +######################################## +## ++## Tell init to enable the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_enable_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system enable; ++') ++ ++######################################## ++## ++## Tell init to disable the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_disable_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system disable; ++') ++ ++######################################## ++## ++## Tell init to reload the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_reload_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system reload; ++') ++ ++######################################## ++## +## Tell init to halt the system. +## +## @@ -28690,7 +28766,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..9a068f6 100644 +index 9e54bf9..a0ba260 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
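Review bot: The summaries of the three new interfaces — `## Tell init to enable the services.`, `## Tell init to disable the services.` and `## Tell init to reload the services.` — do not name what is granted, so a reader cannot connect them to the new `class system` permissions without opening the body; say it directly, e.g. `## Allow the domain to enable services via init (init_t:system enable).` and likewise for disable and reload. The bodies themselves follow the existing `init_status`/`init_reboot` shape (a gen_require of `type init_t` plus one allow rule), which is consistent. The `<summary>`/`<param>` XML wrappers appear to be missing between the `##` lines in this rendering; presumably the page extraction dropped them, but confirm the patch carries them, since the interface documentation build depends on them.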
@@ -28703,24 +28779,37 @@ index 9e54bf9..9a068f6 100644 type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -@@ -73,13 +76,15 @@ role system_r types setkey_t; +@@ -72,14 +75,18 @@ role system_r types setkey_t; + # ipsec Local policy # - allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; ++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid }; +dontaudit ipsec_t self:capability sys_tty_config; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; ++allow ipsec_t self:packet_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t self:netlink_selinux_socket create_socket_perms; +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -128,20 +133,21 @@ corecmd_exec_shell(ipsec_t) +@@ -113,7 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; + allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; + + kernel_read_kernel_sysctls(ipsec_t) +-kernel_read_net_sysctls(ipsec_t) ++kernel_rw_net_sysctls(ipsec_t) + kernel_list_proc(ipsec_t) + kernel_read_proc_symlinks(ipsec_t) + # allow pluto to access /proc/net/ipsec_eroute; +@@ -128,20 +135,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access 
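Review bot: `setuid` and `net_raw` are added to the ipsec_t capability line (`allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid };`) with no comment on which daemon operation needs them; setuid in particular is not an obvious requirement for an IKE daemon, and the same hunk also adds `packet_socket`, a writable `netlink_route_socket` and swaps `kernel_read_net_sysctls` for `kernel_rw_net_sysctls`, so ipsec_t's reach grows in four places at once. One comment above the capability line recording the triggering denial or feature, e.g. `# pluto needs raw sockets and setuid for <feature/AVC placeholder>`, would let a later reviewer judge whether each grant is still needed. The ipsec_mgmt_t section further down this line is unchanged apart from hunk renumbering.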
@@ -28742,6 +28831,7 @@ index 9e54bf9..9a068f6 100644 corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) ++corenet_udp_bind_dhcpc_port(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) +corenet_tcp_connect_http_port(ipsec_t) @@ -28749,7 +28839,7 @@ index 9e54bf9..9a068f6 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,6 +163,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -28758,7 +28848,7 @@ index 9e54bf9..9a068f6 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -165,11 +173,13 @@ auth_use_nsswitch(ipsec_t) +@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -28773,7 +28863,7 @@ index 9e54bf9..9a068f6 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -187,10 +197,10 @@ optional_policy(` +@@ -187,10 +200,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -28788,7 +28878,7 @@ index 9e54bf9..9a068f6 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) 
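Review bot: `corenet_udp_bind_dhcpc_port(ipsec_t)` lets the IKE daemon bind the DHCP client port (declared in this patch's corenetwork.te.in hunk as udp/tcp 68, 546 and 5546), which is an unusual listener for ipsec_t and arrives with no explanation; if this backs a DHCP-over-IPsec or client-relay feature in pluto, say so in a comment such as `# <feature placeholder> needs the dhcp client port`, and otherwise consider whether a dontaudit of the denial is the intended fix rather than the bind. The surrounding bind rules are context and the ipsec_t section continues outside the hunk.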
@@ -28796,7 +28886,7 @@ index 9e54bf9..9a068f6 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -28813,7 +28903,7 @@ index 9e54bf9..9a068f6 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -28822,7 +28912,7 @@ index 9e54bf9..9a068f6 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -28834,7 +28924,7 @@ index 9e54bf9..9a068f6 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -28858,7 +28948,7 @@ index 9e54bf9..9a068f6 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +349,10 @@ optional_policy(` +@@ -322,6 +352,10 @@ optional_policy(` ') optional_policy(` 
@@ -28869,7 +28959,16 @@ index 9e54bf9..9a068f6 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t) +@@ -335,7 +369,7 @@ optional_policy(` + # + + allow racoon_t self:capability { net_admin net_bind_service }; +-allow racoon_t self:netlink_route_socket create_netlink_socket_perms; ++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms }; + allow racoon_t self:unix_dgram_socket { connect create ioctl write }; + allow racoon_t self:netlink_selinux_socket { bind create read }; + allow racoon_t self:udp_socket create_socket_perms; +@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -28889,7 +28988,7 @@ index 9e54bf9..9a068f6 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -28902,7 +29001,7 @@ index 9e54bf9..9a068f6 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -29619,7 +29718,7 @@ index 808ba93..9d8f729 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 23a645e..1982e9c 100644 +index 23a645e..f0cbd38 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) 
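Review bot: The changed racoon_t rule `allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };` is a semantic no-op; wrapping a single permission macro in braces grants nothing new, so the edit only adds diff noise. Either drop the change so the line stays as it was, or, if a further permission was intended (the ipsec_t rule on the same class in the hunk at @@ -28703 above gained `write`), add it explicitly so the intent is visible in the policy.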
@@ -29694,17 +29793,19 @@ index 23a645e..1982e9c 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +126,9 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',` ') ') + dev_dontaudit_rw_lvm_control(ldconfig_t) ++ dev_dontaudit_read_all_chr_files(ldconfig_t) ++ dev_dontaudit_read_all_blk_files(ldconfig_t) + term_dontaudit_use_unallocated_ttys(ldconfig_t) + optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +146,14 @@ optional_policy(` +@@ -131,6 +148,14 @@ optional_policy(` ') optional_policy(` @@ -29719,7 +29820,7 @@ index 23a645e..1982e9c 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +164,3 @@ optional_policy(` +@@ -141,6 +166,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -29804,7 +29905,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..799d194 100644 +index c04ac46..ed59137 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -29928,7 +30029,7 @@ index c04ac46..799d194 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -29950,6 +30051,7 @@ index c04ac46..799d194 100644 +auth_use_nsswitch(sulogin_t) init_getpgid_script(sulogin_t) ++init_getpgid(sulogin_t) logging_send_syslog_msg(sulogin_t) 
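Review bot: `init_getpgid(sulogin_t)` is added unconditionally right after `init_getpgid_script(sulogin_t)`, but the hunk at @@ -29986 below shows the same call already present inside the `sulogin_no_pam` ifdef branch, so after this change the no-pam build carries it twice. Remove the copy inside the ifdef, or drop the new unconditional line if the permission is only needed without PAM. The sulogin block continues outside this hunk, so the rest of the ifdef's branches are not visible here.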
@@ -29986,7 +30088,7 @@ index c04ac46..799d194 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -30496,7 +30598,7 @@ index 4e94884..55d2481 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..7094526 100644 +index 39ea221..692b00d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30591,13 +30693,12 @@ index 39ea221..7094526 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +204,16 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) -miscfiles_read_localization(auditd_t) +auth_use_nsswitch(auditd_t) -+ mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory @@ -30608,11 +30709,13 @@ index 39ea221..7094526 100644 sysnet_dns_name_resolve(auditd_t) -userdom_use_user_terminals(auditd_t) ++systemd_start_systemd_services(auditd_t) ++ +userdom_use_inherited_user_terminals(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +258,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
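Review bot: `systemd_start_systemd_services(auditd_t)` lets auditd start every unit labelled systemd_unit_file_t (the interface, added in this series at @@ -35906 further down, is `allow $1 systemd_unit_file_t:service start;`), with no comment on which unit auditd actually needs to start. For the daemon that owns the audit trail this is a broad grant; if it exists so auditd can launch a specific dispatcher or plugin unit, a comment naming it, e.g. `# auditd starts <unit — TODO confirm> via systemctl`, would document the intent and make a narrower unit type possible later.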
@@ -30643,7 +30746,7 @@ index 39ea221..7094526 100644 ') ######################################## -@@ -268,7 +299,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -30651,7 +30754,7 @@ index 39ea221..7094526 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +310,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -30671,7 +30774,7 @@ index 39ea221..7094526 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +364,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -30679,7 +30782,7 @@ index 39ea221..7094526 100644 mls_file_read_all_levels(klogd_t) -@@ -354,12 +391,12 @@ optional_policy(` +@@ -354,12 +392,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -30695,7 +30798,7 @@ index 39ea221..7094526 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; 
@@ -30703,7 +30806,7 @@ index 39ea221..7094526 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -30711,7 +30814,7 @@ index 39ea221..7094526 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +425,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -30746,7 +30849,7 @@ index 39ea221..7094526 100644 corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,9 +475,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -30774,7 +30877,7 @@ index 39ea221..7094526 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +507,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -30794,7 +30897,7 @@ index 39ea221..7094526 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +531,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +532,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) 
@@ -30808,7 +30911,7 @@ index 39ea221..7094526 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +571,36 @@ optional_policy(` +@@ -502,15 +572,36 @@ optional_policy(` ') optional_policy(` @@ -30845,7 +30948,7 @@ index 39ea221..7094526 100644 ') optional_policy(` -@@ -521,3 +611,26 @@ optional_policy(` +@@ -521,3 +612,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -35097,10 +35200,10 @@ index 0000000..2cd29ba +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..6862d53 +index 0000000..1a254f8 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1231 @@ +@@ -0,0 +1,1286 @@ +## SELinux policy for systemd components + +###################################### 
@@ -35906,6 +36009,61 @@ index 0000000..6862d53 + init_config_all_script_files($1) +') + ++######################################## ++## ++## Allow the specified domain to start systemd services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_start_systemd_services',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ allow $1 systemd_unit_file_t:service start; ++') ++ ++####################################### ++## ++## Allow the specified domain to reload all systemd services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_reload_systemd_services',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ allow $1 systemd_unit_file_t:service reload; ++') ++ ++######################################## ++## ++## Allow the specified domain to modify the systemd configuration of ++## all systemd services ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_config_systemd_services',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ allow $1 systemd_unit_file_t:service all_service_perms; ++ init_config_all_script_files($1) ++') + +######################################## +## @@ -36334,10 +36492,10 @@ index 0000000..6862d53 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b43a6c1 +index 0000000..13712f9 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,654 @@ +@@ -0,0 +1,661 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -36720,6 +36878,7 @@ index 0000000..b43a6c1 +') + +optional_policy(` ++ lpd_manage_spool(systemd_tmpfiles_t) + lpd_relabel_spool(systemd_tmpfiles_t) +') + 
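Review bot: The summary of `systemd_config_systemd_services` says the domain may "modify the systemd configuration" of all services, but the body grants `systemd_unit_file_t:service all_service_perms`, which by its name is every permission on the service class, on top of the `init_config_all_script_files($1)` call, so the description understates what callers receive. Reword it along the lines of `## Allow the specified domain to manage and configure all systemd services (all service permissions).` so policy authors choosing between the three new interfaces see the difference. The `systemd_start_systemd_services` and `systemd_reload_systemd_services` summaries in the same hunk match their single-permission bodies.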
@@ -36747,6 +36906,7 @@ index 0000000..b43a6c1 + +allow systemd_notify_t self:fifo_file rw_fifo_file_perms; +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms; ++allow systemd_notify_t self:unix_dgram_socket create_socket_perms; + +domain_use_interactive_fds(systemd_notify_t) + @@ -36757,6 +36917,10 @@ index 0000000..b43a6c1 +init_rw_stream_sockets(systemd_notify_t) + +optional_policy(` ++ rhcs_read_log_cluster(systemd_notify_t) ++') ++ ++optional_policy(` + readahead_manage_pid_files(systemd_notify_t) +') + @@ -36972,6 +37136,8 @@ index 0000000..b43a6c1 + +init_stream_connect(systemd_sysctl_t) + ++logging_send_syslog_msg(systemd_sysctl_t) ++ +######################################## +# +# Common rules for systemd domains @@ -36991,7 +37157,6 @@ index 0000000..b43a6c1 +optional_policy(` + policykit_dbus_chat(systemd_domain) +') -+ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 7e02bb9..da225f8 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 4b28ab3..6e8746f 100644 +index 4b28ab3..f781a7a 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; 
@@ -1479,16 +1479,21 @@ index 4b28ab3..6e8746f 100644 role aide_roles types aide_t; type aide_log_t; -@@ -23,7 +24,7 @@ files_type(aide_db_t) +@@ -23,22 +24,30 @@ files_type(aide_db_t) # Local policy # -allow aide_t self:capability { dac_override fowner }; -+allow aide_t self:capability { dac_override fowner ipc_lock }; ++allow aide_t self:capability { dac_override fowner ipc_lock sys_admin }; manage_files_pattern(aide_t, aide_db_t, aide_db_t) ++files_var_lib_filetrans(aide_t, aide_db_t, { dir file }) -@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file) +-create_files_pattern(aide_t, aide_log_t, aide_log_t) +-append_files_pattern(aide_t, aide_log_t, aide_log_t) +-setattr_files_pattern(aide_t, aide_log_t, aide_log_t) ++manage_files_pattern(aide_t, aide_log_t, aide_log_t) + logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) files_read_all_symlinks(aide_t) @@ -4528,7 +4533,7 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..ffff859 100644 +index 1a82e29..a68bd53 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5216,7 +5221,7 @@ index 1a82e29..ffff859 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
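Review bot: The aide_t log rules are widened from `create_files_pattern`/`append_files_pattern`/`setattr_files_pattern` to `manage_files_pattern(aide_t, aide_log_t, aide_log_t)`, which adds write, unlink and rename on the log; for an integrity checker an append-only log is a deliberate tamper-resistance property, so if one further permission is all that is missing it is better to add that one (e.g. `write_files_pattern(aide_t, aide_log_t, aide_log_t)`) than to grant manage. The same hunk adds `sys_admin` to aide_t's capabilities with no comment; please annotate which operation needs it, e.g. `# sys_admin: <reason — TODO confirm>` above the allow line.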
@@ -5298,6 +5303,7 @@ index 1a82e29..ffff859 100644 -files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) files_list_mnt(httpd_t) ++files_read_mnt_symlinks(httpd_t) files_search_spool(httpd_t) files_read_var_symlinks(httpd_t) files_read_var_lib_files(httpd_t) @@ -5445,7 +5451,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5505,7 +5511,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5590,7 +5596,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5671,7 +5677,7 @@ index 1a82e29..ffff859 100644 ') optional_policy(` -@@ -743,14 +863,6 @@ optional_policy(` +@@ -743,14 +864,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5686,7 +5692,7 @@ index 1a82e29..ffff859 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +877,23 @@ optional_policy(` +@@ -765,6 +878,23 @@ optional_policy(` ') optional_policy(` @@ -5710,7 +5716,7 @@ index 1a82e29..ffff859 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +910,42 @@ optional_policy(` +@@ -781,34 +911,42 @@ optional_policy(` ') optional_policy(` 
@@ -5764,7 +5770,7 @@ index 1a82e29..ffff859 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +953,18 @@ optional_policy(` +@@ -816,8 +954,18 @@ optional_policy(` ') optional_policy(` @@ -5783,7 +5789,7 @@ index 1a82e29..ffff859 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +973,7 @@ optional_policy(` +@@ -826,6 +974,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5791,7 +5797,7 @@ index 1a82e29..ffff859 100644 ') optional_policy(` -@@ -836,20 +984,39 @@ optional_policy(` +@@ -836,20 +985,39 @@ optional_policy(` ') optional_policy(` @@ -5837,7 +5843,7 @@ index 1a82e29..ffff859 100644 ') optional_policy(` -@@ -857,19 +1024,35 @@ optional_policy(` +@@ -857,19 +1025,35 @@ optional_policy(` ') optional_policy(` @@ -5873,7 +5879,7 @@ index 1a82e29..ffff859 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1060,170 @@ optional_policy(` +@@ -877,65 +1061,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6066,7 +6072,7 @@ index 1a82e29..ffff859 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1232,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6221,7 +6227,7 @@ index 1a82e29..ffff859 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1316,104 @@ optional_policy(` +@@ -1077,172 +1317,104 @@ optional_policy(` ') ') @@ -6457,7 +6463,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1421,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
@@ -6554,7 +6560,7 @@ index 1a82e29..ffff859 100644 ######################################## # -@@ -1315,8 +1496,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6571,7 +6577,7 @@ index 1a82e29..ffff859 100644 ') ######################################## -@@ -1324,49 +1512,36 @@ optional_policy(` +@@ -1324,49 +1513,36 @@ optional_policy(` # User content local policy # @@ -6635,7 +6641,7 @@ index 1a82e29..ffff859 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1551,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -12297,7 +12303,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..ace40ae 100644 +index 6471fa8..b2709d1 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) @@ -12357,7 +12363,16 @@ index 6471fa8..ace40ae 100644 logging_send_syslog_msg(collectd_t) -@@ -80,11 +90,17 @@ optional_policy(` +@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',` + ') + + optional_policy(` ++ netutils_domtrans_ping(collectd_t) ++') ++ ++optional_policy(` + virt_read_config(collectd_t) + ') ######################################## # @@ -24110,7 +24125,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..d9dca45 100644 +index e50f33c..6edd471 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -24140,7 +24155,7 @@ index e50f33c..d9dca45 100644 + +## +##

-+## Allow samba to export ntfs/fusefs volumes. ++## Allow ftpd to use ntfs/fusefs volumes. +##

+##
+gen_tunable(ftpd_use_fusefs, false) @@ -25003,10 +25018,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..6ceb963 +index 0000000..cbe51a9 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,160 @@ +@@ -0,0 +1,164 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25065,7 +25080,8 @@ index 0000000..6ceb963 +# + +allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid }; -+allow glusterd_t self:process { getcap setcap setrlimit signal }; ++allow glusterd_t self:capability2 block_suspend; ++allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; +allow glusterd_t self:fifo_file rw_fifo_file_perms; +allow glusterd_t self:tcp_socket { accept listen }; +allow glusterd_t self:unix_stream_socket { accept listen connectto }; @@ -25096,6 +25112,9 @@ index 0000000..6ceb963 +can_exec(glusterd_t, glusterd_exec_t) + +kernel_read_system_state(glusterd_t) ++kernel_read_network_state(glusterd_t) ++kernel_read_net_sysctls(glusterd_t) ++kernel_request_load_module(glusterd_t) + +corecmd_exec_bin(glusterd_t) +corecmd_exec_shell(glusterd_t) @@ -25447,10 +25466,10 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..26023f7 100644 +index d03fd43..567f963 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,123 +1,154 @@ +@@ -1,123 +1,155 @@ -## GNU network object model environment. +## GNU network object model environment (GNOME) @@ -25641,6 +25660,7 @@ index d03fd43..26023f7 100644 + + optional_policy(` + telepathy_mission_control_read_state($1_gkeyringd_t) ++ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) + ') + ') +') @@ -25682,7 +25702,7 @@ index d03fd43..26023f7 100644 ##
## ## -@@ -125,18 +156,18 @@ template(`gnome_role_template',` +@@ -125,18 +157,18 @@ template(`gnome_role_template',` ## ## # @@ -25706,7 +25726,7 @@ index d03fd43..26023f7 100644 ##
## ## -@@ -144,119 +175,114 @@ interface(`gnome_exec_gconf',` +@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -25863,7 +25883,7 @@ index d03fd43..26023f7 100644 ##
## ## -@@ -264,15 +290,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -25890,7 +25910,7 @@ index d03fd43..26023f7 100644 ##
## ## -@@ -280,57 +312,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -25998,7 +26018,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -338,15 +402,18 @@ interface(`gnome_read_generic_home_content',` +@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -26022,7 +26042,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -354,22 +421,18 @@ interface(`gnome_manage_config',` +@@ -354,22 +422,18 @@ interface(`gnome_manage_config',` ## ## # @@ -26050,7 +26070,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -377,53 +440,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -26112,7 +26132,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -431,17 +478,18 @@ interface(`gnome_home_filetrans',` +@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -26135,7 +26155,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -26163,7 +26183,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -26269,7 +26289,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',` +@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',` ## ## # @@ -26367,7 +26387,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',` +@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -26528,7 +26548,7 @@ index d03fd43..26023f7 100644 ## ## ## -@@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # 
@@ -31543,7 +31563,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..8ff6f51 100644 +index e7f5c81..1a8d69e 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,4 +1,4 @@ @@ -31601,7 +31621,7 @@ index e7f5c81..8ff6f51 100644 files_etc_filetrans_etc_runtime(kdumpgui_t, file) -files_read_usr_files(kdumpgui_t) -+fs_read_dos_files(kdumpgui_t) ++fs_manage_dos_files(kdumpgui_t) fs_getattr_all_fs(kdumpgui_t) fs_list_hugetlbfs(kdumpgui_t) -fs_read_dos_files(kdumpgui_t) @@ -33762,7 +33782,7 @@ index bc25c95..6692d91 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index ee0c7cc..446c507 100644 +index ee0c7cc..c54e3d2 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -33804,10 +33824,9 @@ index ee0c7cc..446c507 100644 + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) +') - - ######################################## - ## --## List ldap database directories. ++ ++######################################## ++## +## Execute slapd server in the slapd domain. +## +## @@ -33828,9 +33847,10 @@ index ee0c7cc..446c507 100644 + + ps_process_pattern($1, slapd_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## List ldap database directories. +## Read the contents of the OpenLDAP +## database directories. ## 
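Review bot: `fs_read_dos_files(kdumpgui_t)` becomes `fs_manage_dos_files(kdumpgui_t)`, a widening from read-only to create/write/delete on every DOS-formatted filesystem, with nothing in the hunk saying why. If this is for writing kdump boot entries on the EFI system partition (an inference — confirm), a comment such as `# writes kdump boot entries on the EFI system partition — TODO confirm` would make the grant reviewable and show that a narrower interface was considered.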
@@ -33870,41 +33890,82 @@ index ee0c7cc..446c507 100644 ## ## ## -@@ -55,8 +133,7 @@ interface(`ldap_use',` +@@ -41,22 +119,27 @@ interface(`ldap_read_config',` + + ######################################## + ## +-## Use LDAP over TCP connection. (Deprecated) ++## Read the OpenLDAP cert files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`ldap_use',` +- refpolicywarn(`$0($*) has been deprecated.') ++interface(`ldap_read_certs',` ++ gen_require(` ++ type slapd_cert_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, slapd_cert_t, slapd_cert_t) + ') ######################################## ## -## Connect to slapd over an unix -## stream socket. -+## Connect to slapd over an unix stream socket. ++## Use LDAP over TCP connection. (Deprecated) ## ## ## -@@ -75,29 +152,8 @@ interface(`ldap_stream_connect',` +@@ -64,18 +147,13 @@ interface(`ldap_use',` + ## + ## + # +-interface(`ldap_stream_connect',` +- gen_require(` +- type slapd_t, slapd_var_run_t; +- ') +- +- files_search_pids($1) +- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) ++interface(`ldap_use',` ++ refpolicywarn(`$0($*) has been deprecated.') + ') ######################################## ## -## Connect to ldap over the network. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to slapd over an unix stream socket. 
+ ## + ## + ## +@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',` + ## + ## + # -interface(`ldap_tcp_connect',` -- gen_require(` ++interface(`ldap_stream_connect',` + gen_require(` - type slapd_t; -- ') -- ++ type slapd_t, slapd_var_run_t; + ') + - corenet_sendrecv_ldap_client_packets($1) - corenet_tcp_connect_ldap_port($1) - corenet_tcp_recvfrom_labeled($1, slapd_t) - corenet_tcp_sendrecv_ldap_port($1) --') -- --######################################## --## ++ files_search_pids($1) ++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) + ') + + ######################################## + ## -## All of the rules required to -## administrate an ldap environment. +## All of the rules required to administrate @@ -33912,7 +33973,7 @@ index ee0c7cc..446c507 100644 ## ## ## -@@ -106,7 +162,7 @@ interface(`ldap_tcp_connect',` +@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',` ## ## ## @@ -33921,7 +33982,7 @@ index ee0c7cc..446c507 100644 ## ## ## -@@ -115,28 +171,28 @@ interface(`ldap_admin',` +@@ -115,28 +191,28 @@ interface(`ldap_admin',` gen_require(` type slapd_t, slapd_tmp_t, slapd_replog_t; type slapd_lock_t, slapd_etc_t, slapd_var_run_t; @@ -33959,7 +34020,7 @@ index ee0c7cc..446c507 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -144,4 +200,8 @@ interface(`ldap_admin',` +@@ -144,4 +220,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -36731,14 +36792,15 @@ index 4926208..293e577 100644 -miscfiles_read_localization(memcached_t) diff --git a/milter.fc b/milter.fc -index 89409eb..64ac6f0 100644 +index 89409eb..67e42f6 100644 --- a/milter.fc 
+++ b/milter.fc -@@ -1,18 +1,26 @@ +@@ -1,18 +1,29 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) +/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) ++/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) @@ -36756,6 +36818,7 @@ index 89409eb..64ac6f0 100644 -/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) @@ -36771,6 +36834,7 @@ index 89409eb..64ac6f0 100644 +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if index cba62db..562833a 100644 --- a/milter.if @@ -38048,7 +38112,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..f54f1e8 100644 +index 6194b80..97e35b2 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
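Review bot: `/usr/sbin/opendmarc` is labelled `dkim_milter_exec_t`, so OpenDMARC runs in the same domain as OpenDKIM and presumably inherits whatever access dkim_milter_t has to `dkim_milter_private_key_t`, the signing keys labelled at the top of this file (the .te rules are not in this hunk, so verify). A DMARC verifier has no need for DKIM signing keys; a separate domain for opendmarc, or at least a comment stating that the shared domain is deliberate, would keep the key type confined. The `/var/run/opendmarc` and `/var/spool/opendmarc` entries are consistent with the shared domain if it stays.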
@@ -38364,7 +38428,7 @@ index 6194b80..f54f1e8 100644 ') ######################################## -@@ -303,102 +195,98 @@ interface(`mozilla_domtrans',` +@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',` type mozilla_t, mozilla_exec_t; ') @@ -38398,6 +38462,7 @@ index 6194b80..f54f1e8 100644 + domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + allow mozilla_plugin_t $1:process signull; + dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms; ++ dontaudit mozilla_plugin_t $1:process signal; + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:fd use; + @@ -38514,7 +38579,7 @@ index 6194b80..f54f1e8 100644 ') ######################################## -@@ -424,8 +312,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -38524,7 +38589,7 @@ index 6194b80..f54f1e8 100644 ## ## ## -@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -38662,7 +38727,7 @@ index 6194b80..f54f1e8 100644 ## ## ## -@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -38687,7 +38752,7 @@ index 6194b80..f54f1e8 100644 ## ## ## -@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -39842,7 +39907,7 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..97f2b6f 100644 +index 7c8afcc..2f41af9 100644 --- a/mpd.te +++ b/mpd.te @@ -62,6 +62,9 @@ files_type(mpd_var_lib_t) 
@@ -39905,6 +39970,15 @@ index 7c8afcc..97f2b6f 100644 tunable_policy(`mpd_enable_homedirs',` userdom_search_user_home_dirs(mpd_t) +@@ -191,7 +202,7 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_domtrans(mpd_t) ++ pulseaudio_exec(mpd_t) + ') + + optional_policy(` @@ -199,6 +210,16 @@ optional_policy(` ') @@ -42150,7 +42224,7 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..27d3100 100644 +index 97370e4..92138ca 100644 --- a/munin.te +++ b/munin.te @@ -40,12 +40,15 @@ munin_plugin_template(services) @@ -42250,7 +42324,13 @@ index 97370e4..27d3100 100644 ') optional_policy(` -@@ -246,17 +232,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) +@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; + + rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) + ++kernel_read_fs_sysctls(disk_munin_plugin_t) ++ + corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) @@ -42262,7 +42342,7 @@ index 97370e4..27d3100 100644 dev_read_urand(disk_munin_plugin_t) - -files_read_etc_runtime_files(disk_munin_plugin_t) -+dev_read_all_blk_files(munin_disk_plugin_t) ++dev_read_all_blk_files(disk_munin_plugin_t) fs_getattr_all_fs(disk_munin_plugin_t) fs_getattr_all_dirs(disk_munin_plugin_t) @@ -42272,7 +42352,18 @@ index 97370e4..27d3100 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -275,27 +261,36 @@ optional_policy(` +@@ -268,6 +256,10 @@ optional_policy(` + fstools_exec(disk_munin_plugin_t) + ') + ++optional_policy(` ++ rpc_search_nfs_state_data(disk_munin_plugin_t) ++') ++ + #################################### + # + # Mail local policy +@@ -275,27 +267,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; 
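Review bot: Replacing `pulseaudio_domtrans(mpd_t)` with `pulseaudio_exec(mpd_t)` in the mpd.te hunk means the pulseaudio binary now runs inside mpd_t instead of transitioning to pulseaudio's own domain, so every access it needs from that point on has to be granted to mpd_t rather than to the pulseaudio domain. The hunk gives no reason for dropping the transition; a one-line comment above the rule naming the denial or behaviour it fixes would keep the next reviewer from restoring the domtrans.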
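Review bot: The rule this commit corrects, `dev_read_all_blk_files(disk_munin_plugin_t)` standing in for the removed `files_read_etc_runtime_files` in the munin.te hunk, grants read on every block device node, which is raw access to the contents of all disks independent of filesystem permissions — a far larger grant than the type-name fix suggests. If the plugin only needs to stat devices, `dev_getattr_all_blk_files(disk_munin_plugin_t)` covers it; if it really reads device contents, `storage_raw_read_fixed_disk(disk_munin_plugin_t)` limits that to fixed disks. Whichever is kept, a comment naming the plugin that needs the read would justify the breadth.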
@@ -42313,7 +42404,16 @@ index 97370e4..27d3100 100644 ') optional_policy(` -@@ -353,7 +348,11 @@ optional_policy(` +@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t) + sysnet_read_config(services_munin_plugin_t) + + optional_policy(` +- bind_read_config(munin_services_plugin_t) ++ bind_read_config(services_munin_plugin_t) + ') + + optional_policy(` +@@ -353,7 +354,11 @@ optional_policy(` ') optional_policy(` @@ -42326,7 +42426,7 @@ index 97370e4..27d3100 100644 ') optional_policy(` -@@ -385,6 +384,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -42334,7 +42434,7 @@ index 97370e4..27d3100 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -413,3 +413,31 @@ optional_policy(` +@@ -413,3 +419,31 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -44798,7 +44898,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..c71f8e5 100644 +index 0b48a30..2de59df 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -44829,7 +44929,7 @@ index 0b48a30..c71f8e5 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # 
@@ -44874,14 +44974,16 @@ index 0b48a30..c71f8e5 100644 +can_exec(NetworkManager_t, NetworkManager_exec_t) +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) -+ + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) - ++ ++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ + filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) +@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -44889,7 +44991,7 @@ index 0b48a30..c71f8e5 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) 
@@ -44899,7 +45001,7 @@ index 0b48a30..c71f8e5 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t) +@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) @@ -44907,7 +45009,7 @@ index 0b48a30..c71f8e5 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -44933,7 +45035,7 @@ index 0b48a30..c71f8e5 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -44947,7 +45049,7 @@ index 0b48a30..c71f8e5 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -44965,7 +45067,7 @@ index 0b48a30..c71f8e5 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) 
@@ -44978,7 +45080,7 @@ index 0b48a30..c71f8e5 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -45015,7 +45117,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -196,10 +223,6 @@ optional_policy(` +@@ -196,10 +224,6 @@ optional_policy(` ') optional_policy(` @@ -45026,7 +45128,7 @@ index 0b48a30..c71f8e5 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +233,11 @@ optional_policy(` +@@ -210,16 +234,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -45045,7 +45147,7 @@ index 0b48a30..c71f8e5 100644 ') ') -@@ -231,18 +249,19 @@ optional_policy(` +@@ -231,18 +250,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -45068,7 +45170,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -250,6 +269,10 @@ optional_policy(` +@@ -250,6 +270,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -45079,7 +45181,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -257,11 +280,10 @@ optional_policy(` +@@ -257,11 +281,10 @@ optional_policy(` ') optional_policy(` @@ -45095,7 +45197,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -274,10 +296,17 @@ optional_policy(` +@@ -274,10 +297,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -45113,7 +45215,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -289,6 +318,7 @@ optional_policy(` +@@ -289,6 +319,7 @@ optional_policy(` ') optional_policy(` 
@@ -45121,7 +45223,7 @@ index 0b48a30..c71f8e5 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +326,7 @@ optional_policy(` +@@ -296,7 +327,7 @@ optional_policy(` ') optional_policy(` @@ -45130,7 +45232,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -307,6 +337,7 @@ optional_policy(` +@@ -307,6 +338,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -45138,7 +45240,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -320,13 +351,19 @@ optional_policy(` +@@ -320,13 +352,19 @@ optional_policy(` ') optional_policy(` @@ -45162,7 +45264,7 @@ index 0b48a30..c71f8e5 100644 ') optional_policy(` -@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -51062,20 +51164,54 @@ index 0000000..c1eed44 + ssh_dontaudit_read_server_keys(openshift_cron_t) +') diff --git a/openvpn.fc b/openvpn.fc -index 300213f..6f0d2e4 100644 +index 300213f..4cdfe09 100644 --- a/openvpn.fc +++ b/openvpn.fc -@@ -1,4 +1,5 @@ +@@ -1,10 +1,13 @@ /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) +/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0) /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) + + /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) + ++/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0) ++ + /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) + /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + 
diff --git a/openvpn.if b/openvpn.if -index 6837e9a..af8f9d0 100644 +index 6837e9a..21e6dae 100644 --- a/openvpn.if +++ b/openvpn.if -@@ -147,9 +147,13 @@ interface(`openvpn_admin',` +@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',` + ######################################## + ## + ## Execute openvpn clients in the ++## caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openvpn_exec',` ++ gen_require(` ++ type openvpn_exec_t; ++ ') ++ ++ can_exec($1, openvpn_exec_t) ++') ++ ++######################################## ++## ++## Execute openvpn clients in the + ## openvpn domain, and allow the + ## specified role the openvpn domain. + ## +@@ -147,9 +166,13 @@ interface(`openvpn_admin',` type openvpn_status_t; ') @@ -51091,7 +51227,7 @@ index 6837e9a..af8f9d0 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..8e252e4 100644 +index 3270ff9..8a6fbc2 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -51108,7 +51244,7 @@ index 3270ff9..8e252e4 100644 ##
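Review bot: The parameter description of the new `openvpn_exec` interface in the openvpn.if hunk reads `## Domain allowed to transition.`, but the body is `can_exec($1, openvpn_exec_t)`, which performs no transition — the text was carried over from the neighbouring domtrans interface. It should read `## Domain allowed access.`, matching the summary "Execute openvpn clients in the caller domain", so that generated documentation does not describe a transition that never happens.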

## Determine whether openvpn can ## read generic user home content files. -@@ -26,6 +33,9 @@ files_config_file(openvpn_etc_t) +@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51118,7 +51254,16 @@ index 3270ff9..8e252e4 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -43,7 +53,7 @@ files_pid_file(openvpn_var_run_t) + type openvpn_status_t; + logging_log_file(openvpn_status_t) + ++type openvpn_var_lib_t; ++files_type(openvpn_var_lib_t) ++ + type openvpn_var_log_t; + logging_log_file(openvpn_var_log_t) + +@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51127,17 +51272,20 @@ index 3270ff9..8e252e4 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +72,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + ++manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t) ++files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file }) ++ manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +96,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) 
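Review bot: `files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })` in the openvpn.te hunk names `dir`, but the only rule on the new type is `manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)`, which grants rw_dir_perms on existing directories and no `create` on the dir class, so the directory half of the transition can never be exercised. Either add `manage_dirs_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)` beside it, or drop `dir` to match the tmp rule two lines above, `files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)`.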
@@ -51145,7 +51293,7 @@ index 3270ff9..8e252e4 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +117,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) @@ -51159,7 +51307,7 @@ index 3270ff9..8e252e4 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +134,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51187,7 +51335,7 @@ index 3270ff9..8e252e4 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +174,27 @@ optional_policy(` +@@ -155,3 +180,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -57268,7 +57416,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..5acf87c 100644 +index 191a66f..cddce7d 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -57357,7 +57505,7 @@ index 191a66f..5acf87c 100644 type postfix_data_t; files_type(postfix_data_t) -@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t) ######################################## # 
@@ -57521,19 +57669,19 @@ index 191a66f..5acf87c 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) - delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") - -can_exec(postfix_master_t, postfix_exec_t) ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) 
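Review bot: `manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` in the postfix.te hunk subsumes the rw/delete/rename file rules it replaces, but the new side also loses `setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)`, and manage_files_pattern grants nothing on setattr for the dir class. If master still adjusts the maildrop directory's mode or ownership that denial will come back; keep the setattr_dirs_pattern line, or use manage_dirs_pattern if directory management is actually intended.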
@@ -57543,7 +57691,7 @@ index 191a66f..5acf87c 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -57612,7 +57760,7 @@ index 191a66f..5acf87c 100644 optional_policy(` cyrus_stream_connect(postfix_master_t) ') -@@ -316,14 +214,11 @@ optional_policy(` +@@ -316,14 +211,11 @@ optional_policy(` ') optional_policy(` @@ -57628,7 +57776,7 @@ index 191a66f..5acf87c 100644 postgrey_search_spool(postfix_master_t) ') -@@ -333,12 +228,14 @@ optional_policy(` +@@ -333,12 +225,14 @@ optional_policy(` ######################################## # @@ -57645,7 +57793,7 @@ index 191a66f..5acf87c 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,37 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -57692,7 +57840,7 @@ index 191a66f..5acf87c 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -393,36 +287,50 @@ optional_policy(` +@@ -393,36 +284,50 @@ optional_policy(` ######################################## # @@ -57752,7 +57900,7 @@ index 191a66f..5acf87c 100644 ') optional_policy(` -@@ -434,6 +342,7 @@ optional_policy(` +@@ -434,6 +339,7 @@ optional_policy(` ') optional_policy(` 
@@ -57760,7 +57908,7 @@ index 191a66f..5acf87c 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +353,10 @@ optional_policy(` +@@ -444,6 +350,10 @@ optional_policy(` ') optional_policy(` @@ -57771,7 +57919,7 @@ index 191a66f..5acf87c 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +371,17 @@ optional_policy(` +@@ -458,15 +368,17 @@ optional_policy(` ######################################## # @@ -57795,7 +57943,7 @@ index 191a66f..5acf87c 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +391,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -57815,7 +57963,7 @@ index 191a66f..5acf87c 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +408,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -57823,7 +57971,7 @@ index 191a66f..5acf87c 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +415,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -57849,7 +57997,7 @@ index 191a66f..5acf87c 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +440,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -57869,7 +58017,7 @@ index 191a66f..5acf87c 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +491,26 @@ optional_policy(` +@@ -576,19 +488,26 @@ optional_policy(` ######################################## # @@ -57901,7 +58049,7 @@ index 191a66f..5acf87c 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +525,7 @@ optional_policy(` +@@ -603,10 +522,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -57913,7 +58061,7 @@ index 191a66f..5acf87c 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +540,24 @@ optional_policy(` +@@ -621,17 +537,24 @@ optional_policy(` ####################################### # @@ -57941,7 +58089,7 @@ index 191a66f..5acf87c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +573,77 @@ optional_policy(` +@@ -647,67 +570,77 @@ optional_policy(` ######################################## # @@ -58037,7 +58185,7 @@ index 191a66f..5acf87c 100644 ') optional_policy(` -@@ -720,29 +656,30 @@ optional_policy(` +@@ -720,29 +653,30 @@ optional_policy(` ######################################## # 
@@ -58076,7 +58224,7 @@ index 191a66f..5acf87c 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +691,7 @@ optional_policy(` +@@ -754,6 +688,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -58084,7 +58232,7 @@ index 191a66f..5acf87c 100644 ') optional_policy(` -@@ -764,31 +702,99 @@ optional_policy(` +@@ -764,31 +699,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -65760,7 +65908,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..f60c494 100644 +index 2c1730b..1e9ad6b 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -65812,7 +65960,7 @@ index 2c1730b..f60c494 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +63,25 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -65823,6 +65971,7 @@ index 2c1730b..f60c494 100644 +dev_read_kvm(mdadm_t) +dev_read_nvram(mdadm_t) +dev_read_generic_files(mdadm_t) ++dev_read_generic_usb_dev(mdadm_t) +domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) @@ -65840,7 +65989,7 @@ index 2c1730b..f60c494 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +90,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -65861,7 +66010,7 @@ index 2c1730b..f60c494 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +121,17 @@ optional_policy(` +@@ -97,9 +122,17 @@ optional_policy(` ') optional_policy(` 
@@ -67533,10 +67682,10 @@ index b418d1c..1ad9c12 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..347ddf7 100644 +index 47de2d6..98a4280 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,80 @@ +@@ -1,31 +1,85 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -67607,6 +67756,7 @@ index 47de2d6..347ddf7 100644 + +/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) +/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) + +/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) @@ -67618,12 +67768,15 @@ index 47de2d6..347ddf7 100644 +/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) + ++/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++ +/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0) +/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) + +/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0) 
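Review bot: `/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)` in the third rhcs.fc hunk runs pcsd in the same domain as corosync, pacemakerd and rgmanager, assuming the usual cluster_exec_t entrypoint transition that lives outside this diff. As far as I know pcsd exposes a network-reachable management interface, so a flaw in it would carry the whole cluster_t permission set rather than a service-sized one; a dedicated pcsd domain, or a comment in the .fc stating that the shared domain is deliberate, would make that trade-off explicit. The pcsd.* unit file, /var/lib/pcsd and /var/log/pcsd labels in this and the next hunk follow the same decision.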
@@ -67640,6 +67793,7 @@ index 47de2d6..347ddf7 100644 +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if index 56bc01f..4699b1b 100644 --- a/rhcs.if @@ -68347,7 +68501,7 @@ index 56bc01f..4699b1b 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..2a210ef 100644 +index 2c2de9a..a4a6d82 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -68736,6 +68890,15 @@ index 2c2de9a..2a210ef 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) +@@ -182,7 +461,7 @@ optional_policy(` + ') + + optional_policy(` +- corosync_exec(fenced_t) ++ rhcs_exec_cluster(fenced_t) + ') + + optional_policy(` @@ -190,10 +469,6 @@ optional_policy(` ') @@ -68761,12 +68924,15 @@ index 2c2de9a..2a210ef 100644 ####################################### # # foghorn local policy -@@ -223,14 +505,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) +@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) + corenet_tcp_connect_agentx_port(foghorn_t) + corenet_tcp_sendrecv_agentx_port(foghorn_t) ++corenet_tcp_connect_snmp_port(foghorn_t) ++ dev_read_urand(foghorn_t) -files_read_usr_files(foghorn_t) -+ +logging_send_syslog_msg(foghorn_t) optional_policy(` @@ -68775,7 +68941,6 @@ index 2c2de9a..2a210ef 100644 optional_policy(` - snmp_read_snmp_var_lib_files(foghorn_t) -+ #snmp_manage_var_lib_dirs(foghorn_t) + snmp_manage_var_lib_files(foghorn_t) snmp_stream_connect(foghorn_t) ') 
@@ -68789,7 +68954,7 @@ index 2c2de9a..2a210ef 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +561,36 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -68823,12 +68988,15 @@ index 2c2de9a..2a210ef 100644 +corenet_tcp_connect_commplex_main_port(haproxy_t) +corenet_tcp_bind_commplex_main_port(haproxy_t) + ++corenet_tcp_connect_fmpro_internal_port(haproxy_t) ++corenet_tcp_connect_rtp_media_port(haproxy_t) ++ +sysnet_dns_name_resolve(haproxy_t) + ###################################### # # qdiskd local policy -@@ -321,6 +633,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -77050,7 +77218,7 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..49c7362 100644 +index 4a23d84..d90604c 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3) @@ -77080,7 +77248,7 @@ index 4a23d84..49c7362 100644 corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) -@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) +@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) dev_read_sysfs(sblim_domain) @@ -77089,7 +77257,8 @@ index 4a23d84..49c7362 100644 -files_read_etc_files(sblim_domain) - -miscfiles_read_localization(sblim_domain) -- ++auth_read_passwd(sblim_domain) + ######################################## # # Gatherd local policy 
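Review bot: `corenet_tcp_connect_fmpro_internal_port(haproxy_t)` and `corenet_tcp_connect_rtp_media_port(haproxy_t)` in the rhcs.te haproxy hunk add two more fixed backend ports to a generic TCP proxy, and nothing in the hunk says which deployment needs them. Because the backends haproxy forwards to are site-specific, a tunable in the style of `fenced_can_network_connect` used earlier in this file, gating `corenet_tcp_connect_all_ports(haproxy_t)`, would scale better than accumulating per-port rules; at minimum a comment naming the service behind each port would help the next person who has to decide whether to keep them.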
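Review bot: `auth_read_passwd(sblim_domain)` in the sblim.te hunk grants passwd reading to every domain carrying the sblim_domain attribute, while the reposd hunk later in the same file moves `corenet_tcp_bind_generic_node` off the attribute and onto sblim_reposd_t alone. If only one of the sblim domains needs the lookups (gatherd already carries its own `init_read_utmp` and `sysnet_dns_name_resolve`), the new rule should follow that narrowing, e.g. `auth_read_passwd(sblim_gatherd_t)`; if all of them need it, a comment saying so would keep the attribute-level grant from reading as a shortcut.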
@@ -77102,7 +77271,7 @@ index 4a23d84..49c7362 100644 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; -@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) +@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) @@ -77111,7 +77280,7 @@ index 4a23d84..49c7362 100644 sysnet_dns_name_resolve(sblim_gatherd_t) term_getattr_pty_fs(sblim_gatherd_t) -@@ -103,8 +92,9 @@ optional_policy(` +@@ -103,8 +94,9 @@ optional_policy(` ') optional_policy(` @@ -77122,8 +77291,12 @@ index 4a23d84..49c7362 100644 ') optional_policy(` -@@ -119,4 +109,6 @@ optional_policy(` +@@ -117,6 +109,10 @@ optional_policy(` + # Reposd local policy + # ++corenet_tcp_bind_generic_node(sblim_reposd_t) ++ corenet_sendrecv_repository_server_packets(sblim_reposd_t) corenet_tcp_bind_repository_port(sblim_reposd_t) -corenet_tcp_bind_generic_node(sblim_domain) @@ -79292,13 +79465,15 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 66ac42a..f28fadc 100644 +index 66ac42a..1a4c952 100644 --- a/slpd.te +++ b/slpd.te -@@ -50,6 +50,8 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) +@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) corenet_tcp_bind_svrloc_port(slpd_t) corenet_udp_bind_svrloc_port(slpd_t) ++corenet_udp_bind_dhcpc_port(slpd_t) ++ +dev_read_urand(slpd_t) + auth_use_nsswitch(slpd_t) @@ -82329,7 +82504,7 @@ index a240455..54c5c1f 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..eaa7a83 100644 +index 8b537aa..e9632c3 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -82418,7 +82593,7 @@ index 8b537aa..eaa7a83 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,30 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) 
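Review bot: `corenet_udp_bind_dhcpc_port(slpd_t)` in the slpd.te hunk has no evident connection to the svrloc port bound two lines above, so a later reviewer may take it for a stray rule and remove it. If it is there because slpd performs DHCP-based directory-agent discovery and receives the replies on the client port, a comment such as `# DHCP options 78/79 DA discovery` above the line would record that; if it only silences an AVC seen in testing, the denial itself should be quoted so the grant can be re-evaluated.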
@@ -82448,6 +82623,7 @@ index 8b537aa..eaa7a83 100644 + +optional_policy(` + ldap_stream_connect(sssd_t) ++ ldap_read_certs(sssd_t) +') + +userdom_home_reader(sssd_t) @@ -83618,7 +83794,7 @@ index c7de0cf..9813503 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..95a9aa3 100644 +index 42946bc..3d30062 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ @@ -83698,7 +83874,7 @@ index 42946bc..95a9aa3 100644 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; -@@ -63,91 +62,61 @@ template(`telepathy_role_template',` +@@ -63,91 +62,79 @@ template(`telepathy_role_template',` type telepathy_mission_control_exec_t, telepathy_salut_exec_t; type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; @@ -83712,11 +83888,14 @@ index 42946bc..95a9aa3 100644 - - allow $3 telepathy_domain:process { ptrace signal_perms }; - ps_process_pattern($3, telepathy_domain) -- ++ role $1 types telepathy_domain; + - telepathy_gabble_stream_connect($3) - telepathy_msn_stream_connect($3) - telepathy_salut_stream_connect($3) -- ++ allow $2 telepathy_domain:process signal_perms; ++ ps_process_pattern($2, telepathy_domain) + - dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t) - dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) - dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t) 
@@ -83726,30 +83905,13 @@ index 42946bc..95a9aa3 100644 - dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) - dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) - dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) -- -- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- -- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; -+ role $1 types telepathy_domain; - -- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") -- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") -+ allow $2 telepathy_domain:process signal_perms; -+ ps_process_pattern($2, telepathy_domain) - -- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") -- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) -- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") -- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, 
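Review bot: In the telepathy_role_template hunk the added lines bind `role $1 types telepathy_domain;` and use `$2` as the user domain in `allow $2 telepathy_domain:process signal_perms;` and `ps_process_pattern($2, telepathy_domain)`, while the removed lines used `$1` as the dbus prefix and `$3` as the user domain, so the template's argument order appears to have changed from (prefix, role, domain) to (role, domain, prefix). Every caller of telepathy_role_template and the template's param documentation, both of which start outside this hunk, have to move in step, otherwise a caller still passing the old order would bind the role to the wrong argument or fail at build time. A one-line comment at the role line, e.g. `# $1 = user role, $2 = user domain, $3 = role prefix (dbus_session_domain)`, would make the new contract visible where it is used.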
"mission-control") -- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; + dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) + dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) + dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) 
@@ -83760,6 +83922,20 @@ index 42946bc..95a9aa3 100644 + dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) + dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; +- +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") +- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") +- +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") +- +- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") +- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") +- - userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") - - # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") @@ -83799,8 +83975,7 @@ index 42946bc..95a9aa3 100644 ##

-## Send dbus messages to and from -## gabble. -+## Send DBus messages to and from -+## Telepathy Gabble. ++## Allow Telepathy Gabble to stream connect to a domain. ## ## -## @@ -83810,11 +83985,30 @@ index 42946bc..95a9aa3 100644 ## # -interface(`telepathy_gabble_dbus_chat',` ++interface(`telepathy_gabble_stream_connect_to', ` ++ gen_require(` ++ type telepathy_gabble_t; ++ ') ++ ++ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1) ++') ++ ++######################################## ++## ++## Send DBus messages to and from ++## Telepathy Gabble. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`telepathy_gabble_dbus_chat', ` gen_require(` type telepathy_gabble_t; class dbus send_msg; -@@ -159,10 +128,10 @@ interface(`telepathy_gabble_dbus_chat',` +@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',` ######################################## ## @@ -83827,7 +84021,7 @@ index 42946bc..95a9aa3 100644 ## Domain allowed access. ## ## -@@ -173,15 +142,12 @@ interface(`telepathy_mission_control_read_state',` +@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',` ') kernel_search_proc($1) @@ -83845,7 +84039,7 @@ index 42946bc..95a9aa3 100644 ## ## ## -@@ -189,19 +155,18 @@ interface(`telepathy_mission_control_read_state',` +@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',` ## ## # @@ -83868,7 +84062,7 @@ index 42946bc..95a9aa3 100644 ##
## ## -@@ -209,11 +174,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',` ## ## # @@ -85712,7 +85906,7 @@ index 67ca5c5..a1ef2d2 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index a4a949c..e56b59e 100644 +index a4a949c..9ae28c6 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) @@ -85780,13 +85974,12 @@ index a4a949c..e56b59e 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -69,7 +78,20 @@ optional_policy(` +@@ -69,7 +78,19 @@ optional_policy(` ') optional_policy(` - lpd_manage_spool(tmpreaper_t) -+ lpd_list_spool(tmpreaper_t) -+ lpd_read_spool(tmpreaper_t) ++ lpd_manage_spool(tmpreaper_t) +') + +optional_policy(` @@ -89960,7 +90153,7 @@ index 9dec06c..378880d 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..a8d17af 100644 +index 1f22fba..6b715d6 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,97 @@ @@ -91327,7 +91520,7 @@ index 1f22fba..a8d17af 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1041,40 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) 
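Review bot: The new `telepathy_gabble_stream_connect_to` interface in telepathy.if takes two arguments, `$1` as the server domain and `$2` as both the directory and socket-file type passed to `stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)`, but the header block above it appears to carry over only the single "Domain allowed access." parameter text from the dbus_chat interface it was split from. Each argument needs its own `## <param>` block; the second could read `## Type of the socket file (and its directory) that gabble connects through.`, and the summary should make clear that gabble is the client side. Reusing one type for both the dir and sock_file positions is only correct when the socket lives in a directory of the same type, which is worth stating in a comment so callers do not pass a bare sock_file type.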
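Review bot: In the tmpreaper.te hunk the inner patch now removes `lpd_manage_spool(tmpreaper_t)` and immediately re-adds an apparently identical `lpd_manage_spool(tmpreaper_t)` inside the same optional_policy block, so the carried patch gains a remove/re-add pair that changes nothing in the generated policy. Dropping both the `-` and the `+` line and letting the call stand as context keeps the patch readable and avoids a spurious conflict on the next rebase. If the intent was only to stop narrowing tmpreaper to list/read of the print spool, removing the two narrower calls already achieves that.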
@@ -91370,13 +91563,12 @@ index 1f22fba..a8d17af 100644 - -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock }; +allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit }; ++allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1082,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -91403,7 +91595,7 @@ index 1f22fba..a8d17af 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1100,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
@@ -91423,7 +91615,7 @@ index 1f22fba..a8d17af 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1119,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -91450,7 +91642,7 @@ index 1f22fba..a8d17af 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1144,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) 
@@ -91496,11 +91688,12 @@ index 1f22fba..a8d17af 100644 +virt_lxc_domain_template(svirt_lxc_net) -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; ++allow svirt_lxc_net_t self:process { execstack execmem }; +allow svirt_lxc_net_t self:netlink_socket create_socket_perms; +allow svirt_lxc_net_t self:udp_socket create_socket_perms; +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; @@ -95065,7 +95258,7 @@ index 3416401..ef64e73 100644 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zebra.te b/zebra.te -index b0803c2..13da3cf 100644 +index b0803c2..f1fa5f7 100644 --- a/zebra.te +++ b/zebra.te @@ -1,4 +1,4 @@ @@ -95140,7 +95333,7 @@ index b0803c2..13da3cf 100644 corenet_all_recvfrom_netlabel(zebra_t) corenet_tcp_sendrecv_generic_if(zebra_t) corenet_udp_sendrecv_generic_if(zebra_t) -@@ -79,48 +78,42 @@ corenet_raw_sendrecv_generic_if(zebra_t) +@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t) corenet_tcp_sendrecv_generic_node(zebra_t) corenet_udp_sendrecv_generic_node(zebra_t) corenet_raw_sendrecv_generic_node(zebra_t) 
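Review bot: The rewritten `allow svirt_lxc_net_t self:capability { ... }` line in virt.te now grants the networked container domain kill, setuid, setgid, sys_boot, ipc_lock, sys_chroot, sys_admin, sys_nice, sys_ptrace, net_admin and setpcap in a single rule, and the new `allow svirt_lxc_net_t self:process { execstack execmem };` re-enables executable stacks and writable-executable memory that this same release removes from svirt_lxc_domain. sys_admin together with sys_ptrace and setpcap covers much of what the container type is meant to mediate, so the rule deserves a short per-capability comment naming the workload that needs each, and the execmem/execstack pair looks like a candidate for a tunable_policy block (the virt tree already carries an execmem tunable for other virt domains) so hosts that do not need it can keep it off. The changelog explains the sys_chroot addition and the move from svirt_lxc_domain, but not why sys_admin and sys_ptrace remain in the net variant.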
@@ -95167,6 +95360,8 @@ index b0803c2..13da3cf 100644 dev_associate_usbfs(zebra_var_run_t) dev_list_all_dev_nodes(zebra_t) ++dev_read_rand(zebra_t) ++dev_read_urand(zebra_t) dev_read_sysfs(zebra_t) dev_rw_zero(zebra_t) @@ -95201,7 +95396,7 @@ index b0803c2..13da3cf 100644 manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ') -@@ -139,3 +132,7 @@ optional_policy(` +@@ -139,3 +134,7 @@ optional_policy(` optional_policy(` udev_read_db(zebra_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 4118406..100ca13 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 65%{?dist} +Release: 66%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -539,6 +539,42 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jul 24 2013 Miroslav Grepl 3.12.1-66 +- Allow systemd-tmpfile to handle tmp content in print spool dir +- Allow systemd-sysctl to send system log messages +- Add support for RTP media ports and fmpro-internal +- Make auditd working if audit is configured to perform SINGLE action on disk error +- Add interfaces to handle systemd units +- Make systemd-notify working if pcsd is used +- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t +- Instead of having all unconfined domains get all of the named transition rules, +- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. +- Add definition for the salt ports +- Allow xdm_t to create link files in xdm_var_run_t +- Dontaudit reads of blk files or chr files leaked into ldconfig_t +- Allow sys_chroot for useradd_t +- Allow net_raw cap for ipsec_t +- Allow sysadm_t to reload services +- Add additional fixes to make strongswan working with a simple conf +- Allow sysadm_t to enable/disable init_t services +- Add additional glusterd perms +- Allow apache to read lnk files in the /mnt directory +- Allow glusterd to ask the kernel to load a module +- Fix description of ftpd_use_fusefs boolean +- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t +- Allow glusterds to request load a kernel module +- Allow boinc to stream connect to xserver_t +- Allow sblim domains to read /etc/passwd +- Allow mdadm to read usb devices +- Allow collectd to use ping plugin +- Make foghorn working with SNMP +- Allow sssd to read ldap certs +- Allow haproxy to connect to RTP media ports +- Add additional trans rules for aide_db +- Add labeling for /usr/lib/pcsd/pcsd +- Add labeling for /var/log/pcsd +- Add support for pcs which is a corosync and pacemaker configuration tool + * Tue Jul 16 2013 Miroslav Grepl 3.12.1-65 - Label 
/var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1