diff --git a/policy-f19-base.patch b/policy-f19-base.patch index e8c0f81..ce5354b 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -27655,7 +27655,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..ee26201 100644 +index dd3be8d..5fc4cd6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27895,7 +27895,7 @@ index dd3be8d..ee26201 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +273,186 @@ ifdef(`distro_gentoo',` +@@ -186,29 +273,188 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27921,6 +27921,8 @@ index dd3be8d..ee26201 100644 + +storage_raw_rw_fixed_disk(init_t) + ++sysnet_read_dhcpc_state(init_t) ++ +optional_policy(` + kdump_read_crash(init_t) +') @@ -28090,7 +28092,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -216,6 +460,27 @@ optional_policy(` +@@ -216,6 +462,27 @@ optional_policy(` ') optional_policy(` @@ -28118,7 +28120,7 @@ index dd3be8d..ee26201 100644 unconfined_domain(init_t) ') -@@ -225,8 +490,9 @@ optional_policy(` +@@ -225,8 +492,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28130,7 +28132,7 @@ index dd3be8d..ee26201 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +523,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
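Review bot: The new `++sysnet_read_dhcpc_state(init_t)` line gives PID 1 read access to dhclient lease state without a comment saying which part of systemd consumes it, and the surrounding inner context suggests it lands in init.te's `distro_redhat` ifdef block, so the grant is distro-specific without saying why. The same commit also widens `sysnet_read_dhcpc_state` to list `dhcpc_state_t` directories, so this is slightly more than a file read. A one-line why-comment above the call, e.g. `# systemd reads the dhclient lease files (dhcpc_state_t) — TODO name the consuming unit`, would let the grant be re-evaluated later. The enclosing init.te hunk starts and ends outside this chunk.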
@@ -28147,7 +28149,7 @@ index dd3be8d..ee26201 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +548,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28190,7 +28192,7 @@ index dd3be8d..ee26201 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +585,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28202,7 +28204,7 @@ index dd3be8d..ee26201 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +597,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28213,7 +28215,7 @@ index dd3be8d..ee26201 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +608,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28223,7 +28225,7 @@ index dd3be8d..ee26201 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +617,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -28231,7 +28233,7 @@ index dd3be8d..ee26201 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +624,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28239,7 +28241,7 @@ index dd3be8d..ee26201 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +632,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28257,7 +28259,7 @@ index dd3be8d..ee26201 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +650,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28271,7 +28273,7 @@ index dd3be8d..ee26201 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +665,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28285,7 +28287,7 @@ index dd3be8d..ee26201 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +678,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -28293,7 +28295,7 @@ index dd3be8d..ee26201 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +690,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28301,7 +28303,7 @@ index dd3be8d..ee26201 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +709,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28325,7 +28327,7 @@ index dd3be8d..ee26201 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +742,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28333,7 +28335,7 @@ index dd3be8d..ee26201 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +776,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28344,7 +28346,7 @@ index dd3be8d..ee26201 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +800,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +802,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28353,7 +28355,7 @@ index dd3be8d..ee26201 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +815,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +817,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -28361,7 +28363,7 @@ index dd3be8d..ee26201 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +836,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +838,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28369,7 +28371,7 @@ index dd3be8d..ee26201 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +846,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +848,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28414,7 +28416,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -558,14 +891,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +893,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28446,7 +28448,7 @@ index dd3be8d..ee26201 100644 ') ') -@@ -576,6 +926,39 @@ ifdef(`distro_suse',` +@@ -576,6 +928,39 @@ ifdef(`distro_suse',` ') ') @@ -28486,7 +28488,7 @@ index dd3be8d..ee26201 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +971,8 @@ optional_policy(` +@@ -588,6 +973,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28495,7 +28497,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -609,6 +994,7 @@ optional_policy(` +@@ -609,6 +996,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28503,7 +28505,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -625,6 +1011,17 @@ optional_policy(` +@@ -625,6 +1013,17 @@ optional_policy(` ') optional_policy(` @@ -28521,7 +28523,7 @@ index dd3be8d..ee26201 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1038,13 @@ optional_policy(` +@@ -641,9 +1040,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -28535,7 +28537,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -656,15 +1057,11 @@ optional_policy(` +@@ -656,15 +1059,11 @@ optional_policy(` ') optional_policy(` @@ -28553,7 +28555,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -685,6 +1082,15 @@ optional_policy(` +@@ -685,6 +1084,15 @@ optional_policy(` ') optional_policy(` @@ -28569,7 +28571,7 @@ index dd3be8d..ee26201 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1131,7 @@ optional_policy(` +@@ -725,6 +1133,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28577,7 +28579,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -742,7 +1149,14 @@ optional_policy(` +@@ -742,7 +1151,14 @@ optional_policy(` ') optional_policy(` @@ -28592,7 +28594,7 @@ index dd3be8d..ee26201 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1179,10 @@ optional_policy(` +@@ -765,6 +1181,10 @@ optional_policy(` ') optional_policy(` @@ -28603,7 +28605,7 @@ index dd3be8d..ee26201 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1192,20 @@ optional_policy(` +@@ -774,10 +1194,20 @@ optional_policy(` ') optional_policy(` @@ -28624,7 +28626,7 @@ index dd3be8d..ee26201 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1214,10 @@ optional_policy(` +@@ -786,6 +1216,10 @@ optional_policy(` ') optional_policy(` @@ -28635,7 +28637,7 @@ index dd3be8d..ee26201 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1239,6 @@ optional_policy(` +@@ -807,8 +1241,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28644,7 +28646,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -817,6 +1247,10 @@ optional_policy(` +@@ -817,6 +1249,10 @@ optional_policy(` ') optional_policy(` 
@@ -28655,7 +28657,7 @@ index dd3be8d..ee26201 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1260,12 @@ optional_policy(` +@@ -826,10 +1262,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28668,7 +28670,7 @@ index dd3be8d..ee26201 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1292,27 @@ optional_policy(` +@@ -856,12 +1294,27 @@ optional_policy(` ') optional_policy(` @@ -28697,7 +28699,7 @@ index dd3be8d..ee26201 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1322,18 @@ optional_policy(` +@@ -871,6 +1324,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28716,7 +28718,7 @@ index dd3be8d..ee26201 100644 ') optional_policy(` -@@ -886,6 +1349,10 @@ optional_policy(` +@@ -886,6 +1351,10 @@ optional_policy(` ') optional_policy(` @@ -28727,7 +28729,7 @@ index dd3be8d..ee26201 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1363,196 @@ optional_policy(` +@@ -896,3 +1365,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28925,20 +28927,21 @@ index dd3be8d..ee26201 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..ef9370d 100644 +index 662e79b..3cbc35d 100644 --- a/policy/modules/system/ipsec.fc 
+++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,19 @@ +@@ -1,14 +1,21 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) --/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + -+/etc/(strongswan)?/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -+/etc/(strongswan)?/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) + /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) @@ -28951,7 +28954,7 @@ index 662e79b..ef9370d 100644 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,12 +31,15 @@ +@@ -26,12 +33,15 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) 
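Review bot: The two new `ipsec\.secrets.*` entries carry a `.*` suffix while the matching `ipsec\.conf` entries are exact, and nothing records why. Since file_contexts patterns are matched against the whole path, the suffix makes any file whose name merely begins with `ipsec.secrets` (a backup or included copy, for example) `ipsec_key_file_t` rather than letting it fall back to the generic etc label; that is the safer default for key material but reads like a typo next to the exact `.conf` lines. A comment above the first entry, `# .* keeps backup/included copies of ipsec.secrets labelled as key material`, would record the intent. The `/etc/strongswan` directory itself is not labelled in this hunk, so I cannot tell from here what type files created under it get by default.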
@@ -28967,17 +28970,17 @@ index 662e79b..ef9370d 100644 /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) -@@ -39,3 +47,5 @@ +@@ -39,3 +49,5 @@ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..f133407 100644 +index 0d4c8d3..e6ffda3 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if -@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',` +@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',` domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) ') @@ -29015,6 +29018,7 @@ index 0d4c8d3..f133407 100644 + ') + + manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t) ++ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets") +') + +######################################## @@ -29041,7 +29045,7 @@ index 0d4c8d3..f133407 100644 ######################################## ## ## Connect to racoon using a unix domain stream socket. -@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',` +@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',` ## ## # @@ -29049,7 +29053,7 @@ index 0d4c8d3..f133407 100644 interface(`ipsec_signal_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',` +@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',` ## ## # @@ -29057,7 +29061,7 @@ index 0d4c8d3..f133407 100644 interface(`ipsec_signull_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',` +@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',` ## ## # 
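Review bot: The added `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")` only covers a file literally named `ipsec.secrets` created directly in an etc_t directory, whereas the ipsec.fc change in this same commit labels both `/etc/ipsec\.secrets.*` and `/etc/strongswan/ipsec\.secrets.*` as `ipsec_key_file_t`. A caller of this interface that writes a differently named copy, or writes under `/etc/strongswan` if that directory is not etc_t (its label is not on the page), would create the file with the parent directory's type until a relabel, leaving secrets under a generic label. If those cases matter, the interface's documentation should state that the name transition applies to `/etc/ipsec.secrets` only; the interface's header and name are outside this hunk.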
@@ -29065,7 +29069,7 @@ index 0d4c8d3..f133407 100644 interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',` +@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',` allow $1 ipsec_mgmt_t:process sigkill; ') @@ -29126,7 +29130,7 @@ index 0d4c8d3..f133407 100644 ###################################### ## ## Send and receive messages from -@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',` +@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; @@ -29134,7 +29138,7 @@ index 0d4c8d3..f133407 100644 ') ######################################## -@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',` +@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -29162,7 +29166,7 @@ index 0d4c8d3..f133407 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..a19c295 100644 +index 9e54bf9..bb933df 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -29419,7 +29423,7 @@ index 9e54bf9..a19c295 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +477,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -29428,9 +29432,9 @@ index 9e54bf9..a19c295 100644 seutil_read_config(setkey_t) -userdom_use_user_terminals(setkey_t) +- +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) - diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc index 1b93eb7..b2532aa 100644 --- a/policy/modules/system/iptables.fc 
@@ -35009,7 +35013,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..ec17624 100644 +index 6944526..1f23aab 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -35043,7 +35047,15 @@ index 6944526..ec17624 100644 ') ######################################## -@@ -271,6 +290,43 @@ interface(`sysnet_delete_dhcpc_state',` +@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',` + type dhcpc_state_t; + ') + ++ list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) + read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + ') + +@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -35087,7 +35099,7 @@ index 6944526..ec17624 100644 ####################################### ## ## Set the attributes of network config files. -@@ -292,6 +348,44 @@ interface(`sysnet_setattr_config',` +@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',` ####################################### ## @@ -35132,7 +35144,7 @@ index 6944526..ec17624 100644 ## Read network config files. ## ## -@@ -331,6 +425,7 @@ interface(`sysnet_read_config',` +@@ -331,6 +426,7 @@ interface(`sysnet_read_config',` ifdef(`distro_redhat',` allow $1 net_conf_t:dir list_dir_perms; @@ -35140,7 +35152,7 @@ index 6944526..ec17624 100644 read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -433,6 +528,7 @@ interface(`sysnet_manage_config',` +@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` 
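Review bot: The `list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)` added to `sysnet_read_dhcpc_state` widens an existing interface for every caller, not only the init_t grant this commit is about; `read_files_pattern` already supplies directory search, so the net addition for all of them is directory listing. That is a small, read-only widening, but the interface's summary (outside the hunk) presumably still says it reads state files; it should be updated to something like `Read dhcp client state files and list their directories.` so callers know what they are getting. The interface definition begins before this hunk.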
@@ -35148,7 +35160,7 @@ index 6944526..ec17624 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -471,6 +567,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -35156,7 +35168,7 @@ index 6944526..ec17624 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -580,6 +677,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -35182,7 +35194,7 @@ index 6944526..ec17624 100644 ## Read the DHCP configuration files. ## ## -@@ -596,6 +712,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -35190,7 +35202,7 @@ index 6944526..ec17624 100644 ') ######################################## -@@ -681,8 +798,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -35199,7 +35211,7 @@ index 6944526..ec17624 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -692,6 +807,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -35208,7 +35220,7 @@ index 6944526..ec17624 100644 sysnet_read_config($1) optional_policy(` -@@ -720,8 +837,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; 
@@ -35217,7 +35229,7 @@ index 6944526..ec17624 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +848,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -35227,7 +35239,7 @@ index 6944526..ec17624 100644 ') ######################################## -@@ -754,7 +872,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -35235,7 +35247,7 @@ index 6944526..ec17624 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +883,74 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 735d1d7..9503f2d 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -2017,10 +2017,17 @@ index cda6d20..fbe259e 100644 userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) diff --git a/amanda.fc b/amanda.fc -index 7f4dfbc..4d750fa 100644 +index 7f4dfbc..e5c9f45 100644 --- a/amanda.fc +++ b/amanda.fc -@@ -13,6 +13,8 @@ +@@ -1,5 +1,6 @@ + /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) + /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) ++/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) + /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) + /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) + # empty m4 string so the index macro is not invoked +@@ -13,6 +14,8 @@ /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) 
@@ -11854,10 +11861,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..a56e579 +index 0000000..1ef78b0 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,296 @@ +@@ -0,0 +1,297 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -12018,6 +12025,7 @@ index 0000000..a56e579 +') + +optional_policy(` ++ rpm_domtrans(cloud_init_t) + unconfined_domain(cloud_init_t) +') + @@ -72503,7 +72511,7 @@ index 3bd6446..8bde316 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..97bb4a0 100644 +index e5212e6..022f7fc 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -72521,7 +72529,7 @@ index e5212e6..97bb4a0 100644 -## generic user temporary content. -##
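Review bot: The new `/etc/amanda/DailySet1(/.*)?` entry gives that entire directory tree the writable `amanda_data_t` label, whereas the existing `/etc/amanda/.*/tapelist(/.*)?` entry just above it singles out only the tapelist; if the config set's own configuration files live under DailySet1 (I cannot tell from the page), they lose the `amanda_config_t` protection and become writable by the amanda domain. The entry is also tied to one literal config-set name, so any other set under /etc/amanda keeps the old behaviour. Prefer labelling the specific writable files or subdirectories, or, if the whole tree genuinely must be writable, add a comment such as `# DailySet1 is written by amanda at run time; config/data separation does not hold here`.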
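Review bot: `rpm_domtrans(cloud_init_t)` is added inside the `optional_policy` block that also carries `unconfined_domain(cloud_init_t)`, so the block now resolves only when both the rpm and the unconfined modules are present; if either is missing, the whole block is dropped and cloud-init silently loses the other rule as well. Give the transition a separate `optional_policy` block containing only `rpm_domtrans(cloud_init_t)`, so the rpm transition and the unconfined grant are resolved independently. This is in cloudform.te, which the contrib patch adds as a new file; the rest of that file is outside the hunk.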

+##

-+## Allow gssd to read temp directory. For access to kerberos tgt. ++## Allow gssd to list tmp directories and read the kerberos credential cache. +##

##
-gen_tunable(allow_gssd_read_tmp, false) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1bdd0c2..e90f9c4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.7%{?dist} +Release: 74.8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Sep 26 2013 Lukas Vrabec 3.12.1-74.8 +- Get labeling right on ipsec.secrets +- Allow systemd to read dhcpc_state +- Allow amanda to write to /etc/amanda/DailySet1 directory +- Fix english on gssd_read_tmp boolean descriptions +- Allow cloud-init to domtrans to rpm +- Allow abrt daemon to manage abrt-watch tmp files +- Allow abrt-upload-watcher to search /var/spool directory +- Fix typo in abrt.te + * Wed Sep 25 2013 Miroslav Grepl 3.12.1-74.7 - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind